Zino
Pg Practice Zino writeup
Nmap
FTP
Initial check on FTP with anonymous login results in a login denied message.
SMB
We can check null authentication on the target with smbmap
.
Looks like we have access to the 'zino' share. I will create a directory on my attacking machine and then use smbclient
to download available files.
We have a few files to go through here so I will simply highlight the interesting infromation found per file.
Looks like we have a local user flag we can submit.
We now know the target has a user account by the name of 'peter'.
For an unknown verification we have the credentials admin: adminadmin
.
For the moment we are finished with SMB. We should next jump into Port 80.
HTTP
Going to the root page of http://192.168.249.64:8003 takes us to the following:
Following the directory we come to the page below.
I entered the credentials we found earlier of admin:adminadmin
and was able to log in to the application.
Exploitation
A quick search for Booked exploits turns up two results. A Metasploit
exploit and a manual exploit for directory traversal. I will concentrate on not using the Metasploit
module for this write-up.
Using the above information we can read the passwd file with the following URL.
I tried reading possible sensitive files and even for SSH keys in the root and user home directories and was unable to gain any interesting information. I decided to stop with this route now and explore the Metasploit
module to see if I can replicate manually.
From reading the description we should be able to browse to the 'Look and feel' section of the site and upload our own file in place of the favicon.ico.
Web Shell
I have uploaded a simple web shell to the favicon.ico upload section. I did try a standard PHP reverse shell but was unable to get it to talk back. After the file has been uploaded browse to the following to execute.
For the next part I tried hosting a Python SimpleHTTPServer
and getting the target machine to download a proper reverse shell but could not get it to talk back even on port 80 which was a bit weird. I ended up hosting my attacking machine on port 21 since FTP is running.
Attacking machine:
Web Shell:
I then stopped the Python SimpleHTTPServer
and started a netcat
listener for the phpshell to talk back to.
Attacking machine:
I then executed the PHP shell on the web shell and received a shell back on my machine.
Privilege Escalation
Likely we will need the help of linpeas.sh
to help us with privilege escalation so I once again hosted a Python SimpleHTTPServer
on my attacking machine and downloaded linpeas
.
After running linpeas
and looking through the output we have a cron job that is set to run every 3 minutes that stands out.
Looking at the directory where the cleanup.py
file resides we can see that as www-data we can edit the file.
Knowing that this file is executed in the context of root every 3 minutes as a cron job mean we can replace the contents of the file with something that will give us a root shell back.
First clear the content of the cleanup.py
file with the echo command. Using an extra space in the syntax to wipe the contents of the file.
Then echo the following into the file.
Set a listener on the attacking machine again. I will be using port 21.
Wait around 3 minutes for the cron job to execute and you should receive a root shell back.
Last updated