diff --git a/VulnHub/Development.md b/VulnHub/Development.md new file mode 100644 index 0000000..12002f3 --- /dev/null +++ b/VulnHub/Development.md 
@@ -0,0 +1,208 @@ +# Vulnhub-Development + +## NMAP + +```bash + +nmap -sC -sV 192.168.1.6 +Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-15 11:28 PKT +Nmap scan report for 192.168.1.6 +Host is up (0.041s latency). +Not shown: 995 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA) +|_ 256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519) +113/tcp open ident? +|_auth-owners: oident +139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) +|_auth-owners: root +445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP) +|_auth-owners: root +8080/tcp open http-proxy IIS 6.0 + + +``` + +## PORT 139/445 (SMB) + + + +We can see a share named `access`, let's see if we can access this as an anonymous user + + + +Access is denied so , I ran `eum4-linux-ng` and it found some users on the machine + + + +## PORT 8080 + + + +On port we see an html giving us a hint to look at `html_pages` + + + +Here we can see a number of pages so let's go through each of these pages one by one + +### About.html + + + +This page tells that they are creating pofile for `David` + +### Config.html + + + +This page has nothing + +### Default.html + + + +This page has something in binary so let's convert and see what it is , I have a feeling it's a rabbit hole : \ + + + +Huh ? 
+ +### Development.html + + + +This page is interesting it says there's a page `hackersecretpage` which contains a link to upload files so let's where that is + + + +And again this has nothing but looking at `development.html` source code there's a comment + + + +### DevelopmentSecretPage + + + +On clicking the link we can get a page where it says to logout + + + + + +Here I tried logging in with random credentials + + + +I got this error , and it mentioned about a file called `slogin_lib.inc.php` , I searched for the file name on google and it straight away told that there's an exploit for it + + + + + +Let's try the RFI exploit + + + +I hosted a file on my machine to see if we can view it from there or not + + + + + +It doesn't look it worked so let's try the Sensitive Infomration disclosure + + + + + +We got some hashses let's try to crack them with `crackstation` + + + +Let's try to ssh into the machine + + + +We are in but something looks odd , it says type `?` for help + + + +If we type commands other than these it wil show error + + + +So this looks like we are in restricted shell but I came across an error when I typed `id` + + + +It seems `lshell.py` is being used so let's do a quick google search on that + + + +This is a python script which restrict some commands to be executed on the shell we can forbid or allow any commands we want + + + +So that's what was happeing , let's search if there are any bypasses related to lshell + +https://www.aldeid.com/wiki/Lshell + + + +Bingo , we can by pass this easily ,let's give this is a try + + + +Reading `work.txt` + +``` +1.Tell Patrick that shoutbox is not working. We need to revert to the old method to update David about shoutbox. For new, we will use the old director's landing page. + +2.Patrick's start of the third year in this company! + +3.Attend the meeting to discuss if password policy should be relooked at. 
+ +``` + +This isn't really helpful , so going back to patrick hash I tried to crack it one more time by going to online site + + + + + +So we have switched to patrick and can see we can escalate to root either using `vim` or `nano` , let's visit GTFOBINS to escalate our shell + +### Using Vim + + + +### Using Nano +Launch nano as sudo `sudo /bin/nano` , then press `alt+R` + + + +Then `alt+X` + + + +You'll get the screen to execute commands + + + + + +You got root !!! + +## Unintended way to root + +Recently Ubuntu OverlayFS Local Privesc exploit was found + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3493 + +So I used that exploit to get root by getting the PoC + +https://github.com/briskets/CVE-2021-3493/blob/main/exploit.c + +
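Review bot: several steps of the walkthrough leave out the detail a reader needs to reproduce them. The `### Using Vim` section has no text at all, and the nano escape (`sudo /bin/nano`, then `alt+R`, then `alt+X`) should be checked against the GTFOBins entry the section cites, which documents that escape with Ctrl key chords rather than Alt; quoting the exact sequence from GTFOBins would remove the ambiguity. The `slogin_lib.inc.php` part names neither the exploit nor the request used for the "Sensitive Information disclosure" that yielded the hashes, the `Default.html` section ends at "Huh ?" without saying what the binary decoded to, and the SSH step does not say which recovered user/credential was used to log in. The `lshell` bypass is only linked (aldeid.com) with "we can bypass this easily"; a line stating which restriction was bypassed and how it was detected in the `id` error would make the privesc chain followable. For the unintended root path, record the kernel and Ubuntu release observed on the box alongside the CVE-2021-3493 link so readers can tell whether the OverlayFS PoC applies. Minor spelling fixes: `eum4-linux-ng` should read `enum4linux-ng`, and `pofile`, `Infomration`, `hashses`, `happeing`, `wil` and `by pass` need correcting.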