0day Writeup

 0day link


Enumeration



Running an initial nmap scan we can see that we have port 80 and 22 open, so lets start by taking a look at the website to see what we have.





Nothing exciting on the main page and looking into the page source we don't have much so lets run gobuster and see what that brings us back.


Gobuster returns a whole bunch of interesting directories, we'll start by looking at robots.txt just incase there's anything extra listed in their that gobuster didn't find and then we'll slowly start working through each of the folders that returned a 301 redirect.


Nothing really interesting on any of the directories, mainly looks to be a bunch of rabbit holes, the /backup/ directory did have a private rsa key in it though which we'll copy and save for later just incase, but we don't have a known user that it could be associated with so it's not much use.

Next step would be to look for exploits, usually with /cgi-bin/ exposed we'd be hoping for an exploit with that.
A quick search for apache 2.4.7 and apache 2.4 on exploit-db doesn't really reveal overly much as most of the exploits seem to be centered around 2.4.49 and 2.4.50, so lets try running nikto and see if that can point us in the right direction.


Exploitation



Looks like nikto has managed to find the webserver is vulnerable to the shellshock vulnerability via the cgi test.cgi. Lets do a quick test to see if we can access /etc/passwd with the vulnerability.


And sure enough we have just got back what we were hoping for.
Now to exploit the vulnerability, we could load up metasploit and use the exploit that has but we might as well just do it using curl as it's pretty quick and easy to gain a reverse shell via that.



And sure enough, we have a reverse shell! 

We seem to have access to ryans' home directory and can read the user.txt so that's an easy win.


PrivEsc


Now lets try escalate our privilages to root!


A quick check of ryans' home directory and no .ssh folder, so we'll need to upload socat to gain a stable shell so that we can further enumerate and exploit the machine.




Now that we have socat on the machine and have a reverse shell established with that, we can now upload linpeas and enumerate the machine.


Straight away we can see that we're on quit an outdated version of linux so that's most likely going to be our privesc vector, let's take a look and see if we can find an exploit for it.



Looking through exploit-db we have this exploit here, it requires us to compile the exploit and compiling anything requires that the correct versions of libc are on the machine so it's always best to compile on the machine you want to run the application on, unless you have an identical build environment to the machine you want to exploit, thankfully as we can see in the linpeas output, gcc version 4.8.2 is already on the machine so that'll make things nice and easy for us.


That's a little odd, it seems gcc can't find the cc1 dependency which is responsible for allowing gcc to compile in the C language which our exploit is coded in.


A quick look at our path and everything looks fine at first until you get to the very end, there's an extra :. that shouldn't be there, lets fix our path and see if that maybe resolves our issues.


The command has cut itself off at the top but I ran export and then set the path to the exact same as what the machine already had minus the :. at the end and as you can see, gcc was able to compile the exploit, an interesting issue I haven't seen before but one always worth watching out for.

Now onto getting root.


And we're done, we can now go grab the root flag!

Comments

Post a Comment

Popular posts from this blog

Biteme Writeup

Image
  Biteme link Enumeration Firing up nmap we can see that we have 2 ports open, 22(ssh) and 80(http), let's take a quick look at the webserver first and see what's running on it. Just the default apache page, lets run gobuster and see if we can find any directories. Looking at gobuster we only seem to have the one directory, /console/  so let's take a look at that, we may need to possibly run a bigger wordlist later if we can't net anything from this. Interesting, we have a login page with a captcha, taking a quick look at the page source doesn't reveal any hidden details so let's take a look at what happens and what data is submitted when we attempt to login. Interesting, it seems there was a message logged to the console when we attempted to sign in stating that php file syntax highlighting has been turned on. We can also see that when we submit a sign in attempt there is an extra variable of clicked = yes. Lets run a quick gobuster scan on the console director...
Read more

Olympus Writeup

Image
  Olympus link Enumeration Starting off with a nmap scan we can see that we have two ports open, 22(ssh) and 80(http), let's start by taking a look at the web server first. Looks like we instantly get redirected to olympus.thm so we need to make sure we add this to our /etc/hosts  file. Once we get to the website we can see that there is a message letting us know that we can still visit the old version of the website on this domain, so lets run gobuster and see if we can find a directory that will take us there. Taking a look at the gobuster scan we can see that we have a /~webmaster/  directory so we should go check that out, we can also see that the site is running a mysql db based on the /phpmyadmin/ Looks like we have a pretty basic CMS system, there's some interesting details on this page other than the Admin and Register links, we should probably go look for that wordlist quickly, we can also run another gobuster scan on this directory as well to see if we find anyt...
Read more