Sense

Enumeration, open-source exploit

  1. Directory enumeration leads to credentials, which allow logging in to the website.

  2. An open (public) exploit leads to command injection, giving direct access as root.

Solidstate

Initial ⇒ rsip, pop3 || Privesc ⇒ pspy32, script modification

  1. Exploiting rsip (4555) with default credentials leads to user enumeration and a password change.

  2. Using those usernames with the changed password on pop3 (110) leaks SSH creds in user mindy's mail.

  3. Getting a shell as mindy and running pspy32 shows a script /opt/tmp.py running as root.

  4. Modifying the script and putting a reverse shell in it gives us a shell as root.

Haircut

RFI (curl) ⇒ PHP shell ⇒ RCE || Privesc ⇒ find command, Screen-4.5.0, pwnkit

  1. On the website, able to perform RFI against a local/remote host (curl is running in the background).

  2. Used the RFI to upload a PHP webshell, which can be triggered from site/uploads.

  3. Got a shell as www-data; for privesc, pwnkit leads to root.

  4. Alternate privesc ⇒ screen-4.5.0

Keeper

Default creds || Privesc ⇒ KeePass (CVE-2023-32784) | PuTTY key ⇒ OpenSSH convert

  1. On the website, Best Practical's Request Tracker (RT) ticketing system is running with a login form.

    Default creds give access; inside, under the /user directory, I am able to find the password for user Lisa.

  2. After SSH, inside the home directory I am able to find file.zip, which on extraction gives a KeePass dump and a .kdbx file.

  3. For dumping the password/key I used the https://github.com/vdohney/keepass-password-dumper exploit, later using the master key on file.kdbx with kpcli.

  4. The above part was done with dotnet version 7.0.

  5. Enumeration gives a PuTTY key for user root; converting the PuTTY key to OpenSSH format gives a shell as root.

Ready

Initial ⇒ SSRF -> Redis RCE (open exploit) || Privesc ⇒ backup file in /opt

  1. On port 5080 the website is running GitLab; enumeration gives us the outdated version (11.4.7).

  2. An open exploit is available; for an explanation of the vulnerability, refer

  3. For privesc, found the password wW59U!ZKMbG9+*#h in the gitlab.rb file located in /opt/backup.

Popcorn

Initial ⇒ phpinfo, file upload || Privesc ⇒ kernel exploit, Full-Nelson.c, Dirty COW

  1. Website and SSH are open; directory enum gives 2 interesting dirs: /test and /torrent

    1. /test ⇒ shows the phpinfo page (file upload is enabled)

    2. /torrent ⇒ a login and sign-up page is running

  2. After creating a user and signing in I got an upload form, which accepts only torrent files and nothing else (PHP webshell not allowed).

  3. After uploading a .torrent file, we get another upload functionality for a screenshot.

    1. Uploading a PHP webshell gives success, and the response discloses the upload path /torrent/upload/

    2. Navigating to that path, we see our webshell; triggering it gives a reverse shell.

  4. uname -a / uname -r gives the vulnerable Linux version 2.6.37; uploading and executing any matching exploit gives us root.

    1. Dirty COW
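The screenshot upload in step 3 is the classic failure mode: the first upload form checked the extension, the second did not, and the server stored the file under the web root with its original name. As an added defensive example (my own code, not from these notes or the target application), the validator below shows the checks that would have stopped it: a single allow-listed image extension, magic bytes that match the declared type, a size cap, a reject on embedded PHP markers, and a random storage name so the user-supplied filename never reaches disk. The function name, the limits and the sample inputs are assumptions.

```python
"""Hardened screenshot upload check (added example, not the application's code).

Returns (accepted, reason, stored_name). stored_name is random so that the
uploader's filename, and any extension hidden inside it, never touches disk.
The caller should still write the file outside the web root and serve it
through a handler that sets an image Content-Type.
"""
import os
import secrets
from typing import Optional, Tuple

# Allowed extensions and the leading bytes a genuine file of that type carries.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for a screenshot
SCRIPT_MARKERS = (b"<?php", b"<?=")


def validate_screenshot(filename: str, data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Decide whether an uploaded 'screenshot' may be stored, and under what name."""
    base = os.path.basename(filename)
    # Exactly one dot: rejects 'shell.php.png' style double extensions outright.
    if not base or base.count(".") != 1:
        return False, "exactly one extension required", None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed", None
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    # Content must look like the type the extension claims, not just be named like it.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type", None
    # Defence in depth against image/PHP polyglots: no PHP open tags anywhere in the body.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script marker", None
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = [
        ("shot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("shot.png", b"<?php echo 1; ?>"),
    ]
    for name, body in samples:
        print(name, validate_screenshot(name, body))
```

The random name is the important part for the upload-path disclosure in step 3.1: even if the response still reveals where files land, an attacker cannot predict the stored name, and the extension is always one of the image types in the allow list.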

Passage

Monitored

Delivery


Node

  1. Viewing the website (3000) gives some usernames, and checking app.js using Dev-Tools leaks the usernames and hashes.

  2. Using these creds on the same website gets me authenticated as the admin user, from where I can download the backup file.

  3. Decoding file.backup with base64 ⇒ file.zip; unzipping it gives a hash ⇒ cracking the hash gives ⇒ SSH creds for user mark

  4. ps -auxx gives 2 files running as user tom

Admirer

  1. Nmap gives ports 21, 22, 80 open, with a Disallow entry admin-dir in robots.txt

  2. Recon on http://$ip/admin-dir gives 2 .txt files:

    1. contacts.txt ⇒ holds email addresses and usernames (NO USE)

    2. credentials.txt ⇒ holds the FTP username and password

  3. Logging in and enumerating it gives us files:

    1. dump.sql ⇒ (nothing interesting except the database name: admirerdb)

    2. html.tar.gz ⇒ extracting it gives some directories and files; the interesting ones:

      1. /utility-scripts

      2. /utility-scripts/dbadmin.php (holds username waldo, password and database)

  4. Enumerating http://$ip/utility-scripts gives adminer.php, which has a MySQL connect form running on it {tried the creds I found, but they didn't work}

  5. Using the server field, we can also connect to a remote server; I set up MySQL on my attacking machine with a user/pass, and logging in to it gives access.

  6. After getting inside, I loaded the local file, and viewing it gives me other creds for waldo which work for SSH.

  7. Inside the SSH session, sudo -l gives a file /opt/scripts/admin_task.sh for which SETENV is available; reading it shows that option 6 runs a script /opt/scripts/backup.py

  8. backup.py imports make_archive from the shutil library.

  9. Create a shutil.py file/library inside the /tmp directory and inject a reverse shell into it.

  10. Exploit using the sudo right on the path variable (SETENV) and also on /opt/scripts/admin_task.sh
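The shutil shadowing in steps 8 to 10 works because Python resolves imports by walking its search path in order, so a world-writable directory placed ahead of the standard library (here via a SETENV-permitted path variable) wins. As an added defensive example, not part of these notes, the script below audits which file each import in a given script would load, using the interpreter's order (script directory, then extra PYTHONPATH-style entries, then sys.path), and flags any import whose file or containing directory is world-writable. The function names, the audit logic and the constructed test files are my own assumptions; the page has no such code.

```python
"""Audit where a root-run Python script's imports resolve from.

Added example (not from the original notes). A finding means a local user could
drop a same-named module ahead of the real one, which is the shutil.py shadowing
used in the Admirer privesc. Function names are assumptions.
"""
import ast
import os
import stat
import sys
from typing import Dict, List, Optional


def imported_modules(script_path: str) -> List[str]:
    """Top-level module names a script imports ('import x' and 'from x import y')."""
    with open(script_path, "r", encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def resolve_module(name: str, search_path: List[str]) -> Optional[str]:
    """First file on search_path that the path finder would pick for `name`.

    Returns None for built-in/frozen modules (sys, etc.) or names not found,
    which an attacker cannot shadow through the path anyway.
    """
    for entry in search_path:
        for candidate in (os.path.join(entry, name + ".py"),
                          os.path.join(entry, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def is_world_writable(path: str) -> bool:
    """True when the 'other' write bit is set (e.g. /tmp or a chmod 777 directory)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_imports(script_path: str, extra_path: Optional[List[str]] = None) -> Dict[str, str]:
    """Map each risky import name to the file it would load.

    extra_path models entries an invoker can prepend (PYTHONPATH under sudo
    SETENV); the script's own directory comes first, as with `python script.py`.
    """
    script_dir = os.path.dirname(os.path.abspath(script_path))
    search_path = [script_dir] + list(extra_path or []) + [p for p in sys.path if p]
    findings: Dict[str, str] = {}
    for name in imported_modules(script_path):
        resolved = resolve_module(name, search_path)
        if resolved is None:
            continue
        if is_world_writable(resolved) or is_world_writable(os.path.dirname(resolved)):
            findings[name] = resolved
    return findings


if __name__ == "__main__":
    # Usage: python audit_imports.py /opt/scripts/backup.py [extra path ...]
    if len(sys.argv) < 2:
        sys.exit("usage: audit_imports.py SCRIPT [EXTRA_PATH ...]")
    script, *extra = sys.argv[1:]
    for module, path in audit_imports(script, extra).items():
        print(f"RISK: import {module} resolves to {path} (world-writable location)")
```

Running it against backup.py with /tmp as the extra entry reproduces the finding from step 9 without executing anything. The fixes on the sudo side are to drop SETENV from the rule and to run the interpreter with -I (isolated mode), which ignores PYTHONPATH and the script directory entirely.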
