mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Add files via upload
This commit is contained in:
parent
098dd208df
commit
c3e51406e8
1 changed files with 183 additions and 0 deletions
183
VulnHub/Mercy.md
Normal file
183
VulnHub/Mercy.md
Normal file
|
@ -0,0 +1,183 @@
|
|||
# Vulnhub-Mercy
|
||||
|
||||
## Rustscan
|
||||
|
||||
```bash
|
||||
|
||||
PORT STATE SERVICE REASON VERSION
|
||||
53/tcp open domain syn-ack ttl 64 ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
|
||||
| dns-nsid:
|
||||
|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
|
||||
110/tcp open pop3? syn-ack ttl 64
|
||||
|_ssl-date: TLS randomness does not represent time
|
||||
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|
||||
143/tcp open imap syn-ack ttl 64 Dovecot imapd
|
||||
|_ssl-date: TLS randomness does not represent time
|
||||
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
|
||||
993/tcp open ssl/imaps? syn-ack ttl 64
|
||||
|_ssl-date: TLS randomness does not represent time
|
||||
995/tcp open ssl/pop3s? syn-ack ttl 64
|
||||
|_ssl-date: TLS randomness does not represent time
|
||||
8080/tcp open http syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
|
||||
| http-methods:
|
||||
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|
||||
|_ Potentially risky methods: PUT DELETE
|
||||
|_http-open-proxy: Proxy might be redirecting requests
|
||||
| http-robots.txt: 1 disallowed entry
|
||||
|_/tryharder/tryharder
|
||||
|_http-server-header: Apache-Coyote/1.1
|
||||
|_http-title: Apache Tomcat
|
||||
MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate)
|
||||
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
|
||||
Device type: general purpose
|
||||
Running: Linux 3.X|4.X
|
||||
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
|
||||
```
|
||||
|
||||
|
||||
## PORT 139/445 (SMB)
|
||||
|
||||
We can check for smb share and see if we have access or not
|
||||
|
||||
<img src="https://imgur.com/HFg47SB.png"/>
|
||||
|
||||
So we cannot access any share , we can try to use `enum4linx` to enumerate for users on the machine
|
||||
|
||||
<img src="https://imgur.com/QmJ0RzM.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/TuMmeOo.png"/>
|
||||
|
||||
## PORT 8080 (HTTP Apache Tomcat 7)
|
||||
|
||||
<img src="https://imgur.com/1h3w3hq.png"/>
|
||||
|
||||
From the nmap scan we can see an entry in `robots.txt`
|
||||
|
||||
<img src="https://imgur.com/TiVbRnz.png"/>
|
||||
|
||||
<img src="https://imgur.com/3ahlQT4.png"/>
|
||||
|
||||
This looks like a base64 encoded text , so let's decode and see what it says
|
||||
|
||||
<img src="https://i.imgur.com/eMwkJQA.png"/>
|
||||
|
||||
```
|
||||
It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.
|
||||
|
||||
Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.
|
||||
|
||||
No fluffy bunnies for those who set insecure passwords and endanger the enterprise.
|
||||
```
|
||||
|
||||
This message tells us that user's password is set to `password` so we know there are 4 users and we saw a smb share named `qiu` which is a username so we can try if this password fits for that user
|
||||
|
||||
<img src="https://imgur.com/SMRBhEv.png"/>
|
||||
|
||||
And it is the password for this user so we can read the share
|
||||
|
||||
<img src="https://i.imgur.com/H31WF0u.png"/>
|
||||
|
||||
|
||||
Going to `.private/opensesame` folder we can see a config file
|
||||
|
||||
<img src="https://i.imgur.com/OFv5Vll.png"/>
|
||||
|
||||
This config file is for smb and we can see port knocking configuration in here
|
||||
|
||||
<img src="https://i.imgur.com/gxcXEJ2.png"/>
|
||||
|
||||
So let's do port knocking for http
|
||||
|
||||
<img src="https://i.imgur.com/tbp9cRZ.png"/>
|
||||
|
||||
<img src="https://imgur.com/lFNo9sx.png"/>
|
||||
|
||||
## PORT 80 (HTTP)
|
||||
|
||||
<img src="https://imgur.com/edl1vJv.png"/>
|
||||
|
||||
We can check `robost.txt` file
|
||||
|
||||
<img src="https://imgur.com/6838D1J.png"/>
|
||||
|
||||
Found nothing here
|
||||
|
||||
<img src="https://imgur.com/KPLIDiL.png"/>
|
||||
|
||||
We found RIPS and we have a version 0.53 so we look for exploits on `exploit-db`
|
||||
|
||||
<img src="https://imgur.com/Vm9eToh.png"/>
|
||||
|
||||
There's a LFI exploit in two files `code.php` and `function.php` , we can look at the source code for these two files since there's a repo on github
|
||||
|
||||
https://github.com/bizonix/rips-scanner
|
||||
|
||||
|
||||
<img src="https://imgur.com/IZv56pM.png"/>
|
||||
|
||||
We confirmed that LFI exists now let's take a step back , we know there's apache tomcat so we could look `tomcat-users.xml` file which includes a username and password to login into `/manager` but we need to the installation path , so I did a little goolge search
|
||||
|
||||
<img src="https://i.imgur.com/56n22dH.png"/>
|
||||
|
||||
|
||||
```
|
||||
http://192.168.1.9/nomercy/windows/code.php?file=../../../../../../var/lib/tomcat7/conf/tomcat-users.xml
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/1bnAur0.png"/>
|
||||
|
||||
We can login to `/manager` with user `thisisasuperduperlonguser:heartbreakisinevitable` since he as admin role
|
||||
|
||||
<img src="https://imgur.com/7l22fxP.png"/>
|
||||
|
||||
<img src="https://imgur.com/bdaVHYB.png"/>
|
||||
|
||||
Here we can upload a WAR reverse shell payload so let's generate a WAR payload
|
||||
|
||||
<img src="https://imgur.com/BU1VXMk.png"/>
|
||||
|
||||
<img src="https://imgur.com/sD8yAaS.png"/>
|
||||
|
||||
And we got a shell so let's just stabilize it
|
||||
|
||||
<img src="https://imgur.com/yLUB0mQ.png"/>
|
||||
|
||||
We had already found the password for fluffy so let's switch the user
|
||||
|
||||
<img src="https://imgur.com/ovQkt5p.png"/>
|
||||
|
||||
There's a timeclock file
|
||||
|
||||
<img src="https://i.imgur.com/C35XFBr.png"/>
|
||||
|
||||
By reading it's content we can see it just stores time in a file
|
||||
|
||||
<img src="https://imgur.com/4eGFsLT.png"/>
|
||||
|
||||
But we can see it belongs to `root` user so we can check if it's running as a schedule task
|
||||
|
||||
<img src="https://imgur.com/1Qdj3ao.png"/>
|
||||
|
||||
But we cannot see this file to be running as a `system-wide` cronjob so this would be running as root user cron job to verify it we can use `pspy` which is a unprivileged process monitor , since 64 bit version of pspy wasn't I uploaded 32 bit version and ran it
|
||||
|
||||
<img src="https://i.imgur.com/g7MR96S.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/pb8bVbC.png"/>
|
||||
|
||||
We can see that this script runs as root so we could either include a reverse shell in there or make bash as SUID (which is a easy way) so let's modify the bash script
|
||||
|
||||
<img src="https://i.imgur.com/VX4qFpz.png"/>
|
||||
|
||||
`chmod +s /bin/bash` will make bash a SUID means it will be executed as root if we supply `-p` parameter when executing it
|
||||
|
||||
After waiting for some time we can check if it's been made a SUID or not so to verify it run `ls -la` on bash
|
||||
|
||||
<img src="https://i.imgur.com/WRvURAN.png"/>
|
||||
|
||||
And it looks like it's now a SUID
|
||||
|
||||
<img src="https://i.imgur.com/OOTK5nI.png"/>
|
||||
|
||||
We can add a password to get a `root` prompt (not really necessary to do this)
|
||||
|
||||
<img src="https://imgur.com/EEswDyR.png"/>
|
Loading…
Reference in a new issue