Team

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so the host is scanned even if it does not answer ping probes:

nmap -Pn 10.10.255.197

Detailed Nmap scan:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Scan only ports 21, 22 and 80

  • (-oN nmap): Save the output to a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.255.197

Enumeration

Let's visit the site.

It's the default Apache2 page, so let's look at the source code.

It is telling us to add team.thm to our hosts file, so let's do that.

Now let's visit the page.

It's a well made website. Let's run gobuster to find hidden directories:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://team.thm/

Looks like we found a few directories. Let's run another gobuster scan on the scripts directory, this time also looking for files with common extensions (-x), as it looks like it contains more content:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://team.thm/scripts -x txt,html,js,css,php

Let's also look at the robots.txt page, as we sometimes find interesting information there.

Looks like a username.

Let's now explore the assets directory.

We are not allowed.

Let's check the scripts directory.

We are not allowed again.

We are allowed to access the images directory, but there is nothing interesting there. Meanwhile, our gobuster results are back.

Let's visit this page.

The note at the end says that the extension of the old script has been changed, so let's go and find it.

Let's download the file and read it.

Now we have the username and the password, so let's log in through FTP.

We are logged in. Let's look at the files.

We have quite a few directories. Let's first go to workshare and grab its contents.

Now let's go to the .ssh folder and get its contents too.

I looked at the other directories and they were either empty or a dead end.

Now let's read the files that we transferred to our machine.

Looks like there is another website on the web server, which we should be able to access using dev in the URL, so let's add it to our hosts file and visit the site.

There is nothing in the source code, so let's click the link.

It takes us to a different URL, and to me this screams LFI, so let's test some LFI payloads against it.

Exploitation

First let's capture the request with Burp Suite and send it to Repeater, so that we can try different payloads without having to re-send the request by hand each time.

Now that we have the request, let's experiment. Let's first look for the /etc/passwd file and see if we can read it.

Oh, we can. Looking back at the note we found on the FTP server, there should be an id_rsa file inside a config file somewhere; to find it, let's do some LFI fuzzing. First we need to send the request to Intruder (Ctrl + I). Now go to the Positions tab and leave it as it is.

Now go to the Payloads tab and load a wordlist of files to look for. The wordlist I am going to use is this one:

It can be found here on your machine:

/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

Click on the Load option, locate the file and hit Load; it should look like this.

Now hit Start attack at the top. Looking at the results, one file looks very interesting.
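Seen from the web server's side, this Intruder run is a burst of requests from one source whose page parameter carries traversal sequences and absolute paths to sensitive files, and the ones that came back 200 are the reads that actually succeeded. The following Python is an added example, not part of the original write-up: it runs simple LFI detection logic over a handful of constructed Apache access log lines. The log lines, the parameter name page and the home directory placeholder are assumptions; the sensitive-path list is a small illustrative set, not a complete one.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample Apache combined-style log lines (not captured from the lab box).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /script.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /script.php?page=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /script.php?page=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 210
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /script.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /script.php?page=/home/USER/.ssh/id_rsa HTTP/1.1" 200 1675
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Paths whose appearance in a request parameter is a strong signal by itself.
SENSITIVE = [
    ("/etc/passwd", re.compile(r"/etc/passwd")),
    ("/etc/shadow", re.compile(r"/etc/shadow")),
    ("ssh private key", re.compile(r"\.ssh/id_rsa")),
    ("/proc/self", re.compile(r"/proc/self/")),
]


def parse_line(line):
    """Split one access log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "target": target, "status": int(status)}


def decode(target, rounds=2):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e%252f) is caught."""
    out = target
    for _ in range(rounds):
        new = unquote(out)
        if new == out:
            break
        out = new
    return out


def classify(target):
    """Return the list of reasons a request target looks like an LFI attempt (empty if clean)."""
    decoded = decode(target).replace("\\", "/")  # treat ..\ like ../
    reasons = []
    if "../" in decoded:
        reasons.append("path traversal")
    if "\x00" in decoded:
        reasons.append("null byte")
    for name, pattern in SENSITIVE:
        if pattern.search(decoded):
            reasons.append(f"sensitive file: {name}")
    return reasons


def find_lfi_attempts(log_text):
    """Parse every line and keep the ones that classify() flags, with the reasons attached."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["target"])
        if reasons:
            rec["reasons"] = reasons
            findings.append(rec)
    return findings


def noisy_sources(findings, threshold=3):
    """Sources with at least `threshold` flagged requests: the signature of wordlist fuzzing."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_lfi_attempts(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["target"], "->", ", ".join(h["reasons"]))
    print("fuzzing sources:", noisy_sources(hits))
```

The status code matters as much as the pattern: a traversal request answered 403 was blocked, while one answered 200 with a body size consistent with the target file is a completed read and should be triaged as a confirmed exposure, not just an attempt.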

Let's visit this page.

Looks like we have an SSH private key. Let's copy it and SSH into the machine; we also have the username, so it's perfect. I'm calling the file id_rsa.

Now we have to remove all the # symbols from the file and then restrict its permissions, otherwise ssh will refuse to use the key.

Now let's log in.

We are logged in. Let's read user.txt.

Privilege Escalation

Let's use sudo -l to see what we can run as other users.

Let's look at this file.

Looking at the script, there are a few places where we can inject system commands. Let's inject through the error variable, as it is passed directly to a system call without any sanitisation.
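The weakness here is the pattern, not the particular script: a value the caller controls is spliced into a command string that a privileged script hands to the shell. The block below is an added example and not the lab box's script (the write-up does not reproduce it); the function names, the logger-style command and the sample inputs are all hypothetical. It shows the vulnerable string-building beside two hardened alternatives, an argv list with no shell and an allowlist on the value, and demonstrates that the argv form passes shell metacharacters through as literal text.

```python
import re
import shlex
import subprocess
import sys

# Characters that /bin/sh would interpret if they reached it unquoted.
SHELL_METACHARS = set(";|&$`<>()\n")

# Allowlist for a status message: letters, digits, space and a few punctuation marks.
ALLOWED_MESSAGE = re.compile(r"^[A-Za-z0-9 ._:-]{1,200}$")


def build_command_unsafe(error):
    """Vulnerable pattern (hypothetical reconstruction): the caller-controlled `error`
    is interpolated into a command string. If this string were passed to os.system(),
    /bin/sh would parse everything in it, including any ';' or '$(...)' in `error`."""
    return f"/usr/bin/logger -t admin_checks {error}"


def contains_shell_metachars(command):
    """True if a command string has characters the shell would treat specially."""
    return any(ch in SHELL_METACHARS for ch in command)


def quote_for_shell(error):
    """Mitigation 1: if a shell string is unavoidable, quote the value so it stays one word."""
    return f"/usr/bin/logger -t admin_checks {shlex.quote(error)}"


def validate_message(error):
    """Mitigation 2: reject anything outside a tight allowlist before it is used at all."""
    if not ALLOWED_MESSAGE.match(error):
        raise ValueError("status message contains disallowed characters")
    return error


def report_error_safe(error):
    """Mitigation 3 (preferred): no shell at all. The value is a single argv element, so
    metacharacters are plain bytes. Python's own interpreter stands in for the real
    logging command so the example runs anywhere; it echoes back argv[1] unchanged."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", error],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    hostile = "disk check failed; id"
    print("unsafe string :", build_command_unsafe(hostile))
    print("metachars?    :", contains_shell_metachars(build_command_unsafe(hostile)))
    print("quoted string :", quote_for_shell(hostile))
    print("argv form saw :", report_error_safe(hostile))
```

The sudo rule that lets one user run this script as another does not change the analysis: sudo only decides who may start the script, and everything the script then does with attacker-controlled input runs with the target user's privileges. Auditing sudo rules therefore means reading the scripts they point at, not just the rule lines.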

We are now the user gyles. Let's look at gyles' home directory.

The .bash_history is an interesting file, so let's read it.

It looks like they were changing the contents of this file, so let's look at it.

The file is also owned by root, so let's change its contents using nano.

Now save and exit with Ctrl + O and Ctrl + R. Let's now start a netcat listener.

And after a while, we get a shell as root.
