From ed75d5872003ea02909223667133f6bf8d2ff712 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sat, 15 May 2021 17:25:52 +0500
Subject: [PATCH] Add files via upload
---
VulnHub/Development.md | 208 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 208 insertions(+)
create mode 100644 VulnHub/Development.md
diff --git a/VulnHub/Development.md b/VulnHub/Development.md
new file mode 100644
index 0000000..12002f3
--- /dev/null
+++ b/VulnHub/Development.md
@@ -0,0 +1,208 @@
+# Vulnhub-Development
+
+## NMAP
+
+```bash
+
+nmap -sC -sV 192.168.1.6
+Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-15 11:28 PKT
+Nmap scan report for 192.168.1.6
+Host is up (0.041s latency).
+Not shown: 995 closed ports
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
+|_ 256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
+113/tcp open ident?
+|_auth-owners: oident
+139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
+|_auth-owners: root
+445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
+|_auth-owners: root
+8080/tcp open http-proxy IIS 6.0
+
+
+```
+
+## PORT 139/445 (SMB)
+
+
+
+We can see a share named `access`, let's see if we can access this as an anonymous user
+
+
+
+Access is denied so , I ran `eum4-linux-ng` and it found some users on the machine
+
+
+
+## PORT 8080
+
+
+
+On port we see an html giving us a hint to look at `html_pages`
+
+
+
+Here we can see a number of pages so let's go through each of these pages one by one
+
+### About.html
+
+
+
+This page tells that they are creating pofile for `David`
+
+### Config.html
+
+
+
+This page has nothing
+
+### Default.html
+
+
+
+This page has something in binary so let's convert and see what it is , I have a feeling it's a rabbit hole : \
+
+
+
+Huh ?
+
+### Development.html
+
+
+
+This page is interesting it says there's a page `hackersecretpage` which contains a link to upload files so let's where that is
+
+
+
+And again this has nothing but looking at `development.html` source code there's a comment
+
+
+
+### DevelopmentSecretPage
+
+
+
+On clicking the link we can get a page where it says to logout
+
+
+
+
+
+Here I tried logging in with random credentials
+
+
+
+I got this error , and it mentioned about a file called `slogin_lib.inc.php` , I searched for the file name on google and it straight away told that there's an exploit for it
+
+
+
+
+
+Let's try the RFI exploit
+
+
+
+I hosted a file on my machine to see if we can view it from there or not
+
+
+
+
+
+It doesn't look it worked so let's try the Sensitive Infomration disclosure
+
+
+
+
+
+We got some hashses let's try to crack them with `crackstation`
+
+
+
+Let's try to ssh into the machine
+
+
+
+We are in but something looks odd , it says type `?` for help
+
+
+
+If we type commands other than these it wil show error
+
+
+
+So this looks like we are in restricted shell but I came across an error when I typed `id`
+
+
+
+It seems `lshell.py` is being used so let's do a quick google search on that
+
+
+
+This is a python script which restrict some commands to be executed on the shell we can forbid or allow any commands we want
+
+
+
+So that's what was happeing , let's search if there are any bypasses related to lshell
+
+https://www.aldeid.com/wiki/Lshell
+
+
+
+Bingo , we can by pass this easily ,let's give this is a try
+
+
+
+Reading `work.txt`
+
+```
+1.Tell Patrick that shoutbox is not working. We need to revert to the old method to update David about shoutbox. For new, we will use the old director's landing page.
+
+2.Patrick's start of the third year in this company!
+
+3.Attend the meeting to discuss if password policy should be relooked at.
+
+```
+
+This isn't really helpful , so going back to patrick hash I tried to crack it one more time by going to online site
+
+
+
+
+
+So we have switched to patrick and can see we can escalate to root either using `vim` or `nano` , let's visit GTFOBINS to escalate our shell
+
+### Using Vim
+
+
+
+### Using Nano
+Launch nano as sudo `sudo /bin/nano` , then press `alt+R`
+
+
+
+Then `alt+X`
+
+
+
+You'll get the screen to execute commands
+
+
+
+
+
+You got root !!!
+
+## Unintended way to root
+
+Recently Ubuntu OverlayFS Local Privesc exploit was found
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3493
+
+So I used that exploit to get root by getting the PoC
+
+https://github.com/briskets/CVE-2021-3493/blob/main/exploit.c
+
+
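Review bot: Most steps in the added `VulnHub/Development.md` after the NMAP block are a single sentence followed by empty lines, with no command or output given as text (for example "We can see a share named `access`", "Let's try the RFI exploit", and the "### Using Vim" heading, which has no body at all), so the write-up cannot be followed from this file alone. The patch adds only this one file, so if those gaps were meant to hold screenshots, they are not part of the change. Suggest recording the command and the relevant output for each step in a fenced block, as the NMAP section already does. Smaller points in the same hunk: `eum4-linux-ng` looks like a typo for `enum4linux-ng`; "pofile", "Infomration", "hashses", "happeing" and "by pass" need spelling fixes; the heading `DevelopmentSecretPage` does not match the `hackersecretpage` name used in the text above it; and the subject line "Add files via upload" says nothing about what is being added.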