rustscan -a -- -A -sC -sV
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZwjrB05nGUvacI81YxNqy+6WpPHhIju6c73aoiru9nW/aVhTmOEsSOGoChEXeQeDN67ZN5QW4LFf0tXeQeJqvgO82HtFkUOiN8tt1RpI98S
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLeuBF/ZBUM0ZBYW4+vgQMhIPWVs2fzv9lmQHoflWFNMP/sFWZDeVneJE0CRSLnYi2y/wwc079
| 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDg0mzA1xTe9hivlJN4s+7eXaiyIYefpyykHIir3btEA
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: B2F904D3046B07D05F90FB6131602ED2
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
I went to login
page and tried basic sqli
Tried admin:admin
And got this error so we know that admin
user exists
Then I decide to register an account
After registering an account I tried to to do some stuff with HTML but saw couldn't do anything
On running dirsearch
I didn't found anything
So I decided to intercept the request with burp suite
and found a base64 encoded cookie
Which I then took it to cyberchef
Alternatively it is best to vist https://jwt.io
Now we want to create our own key and host it on port 7070
Notice we have two keys public and private we want the public to be hosted and rename it to privKey.key
Notice we have added admin_cap =true
and changed the kid
to our machine
now copy the whole encoded text and replace it with the cookie
Notice we will see admin panel
I decide to upload phpbash.php
which give us a nice sessions on the web browser
Running linpeas we can see that there's docker installed on the box
We can also see IPTABLES have docker rules configured
I tried connecting to docker with docker -H
but was doing it wrong maybe
Going back to the website as admin I saw some notes which I was able to view
Here Noah says that he has some files in backups
We can see home.tar.gz
I started a python server on target machine and transfer that gz archive
So we have ssh keys for user noah
This *
will accept any argument so let's see if we can run commands on the container
Appearently there's a CVE for docker exec
Download the golang
file and compile it on your machine
Set SUID on bash in payload
Then compile the golang source code with go build docker.go
transfer that binary to docker container execute it and in the same time execute sh
on docker
Or if we simply want a reverse shell we could use a bash reverse shell payload instead of making /bin/bash a SUID