JokerCTF{THM}

Gladi_47
4 min read · Jun 9, 2023


Site=THM
Diff= 🍕* 1.5
Creator= Ki11switch

Basic Summary:
So the machine is fairly simple. There are 3 ports open: 22, 80 and 8080. 80 has some info, 8080 is a blog running on Joomla. We get admin credentials for the blog and get a revshell through the PHP templates the site uses. In the revshell we're in the lxd group, and using lxd we get root privileges. B00M

## RECON

22/tcp   open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ad201ff4331b0070b385cb8700c4f4f7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL89x6yGLD8uQ9HgFK1nvBGpjT6KJXIwZZ56/pjgdRK/dOSpvl0ckMaa68V9bLHvn0Oerh2oa4Q5yCnwddrQnm7JHJ4gNAM+lg+ML7+cIULAHqXFKPpPAjvEWJ7T6+NRrLc9q8EixBsbEPuNer4tGGyUJXg6GpjWL5jZ79TwZ80ANcYPVGPZbrcCfx5yR/1KBTcpEdUsounHjpnpDS/i+2rJ3ua8IPUrqcY3GzlDcvF7d/+oO9GxQ0wjpy1po6lDJ/LytU6IPFZ1Gn/xpRsOxw0N35S7fDuhn69XlXj8xiDDbTlOhD4sNxckX0veXKpo6ynQh5t3yM5CxAQdqRKgFF
| 256 1bf9a8ecfd35ecfb04d5ee2aa17a4f78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOzF9YUxQxzgUVsmwq9ZtROK9XiPOB0quHBIwbMQPScfnLbF3/Fws+Ffm/l0NV7aIua0W7FLGP3U4cxZEDFIzfQ=
| 256 dcd7dd6ef6711f8c2c2ca1346d299920 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLWfYB8/GSsvhS7b9c6hpXJCO6p1RvLsv4RJMvN4B3r
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: HA: Joker
8080/tcp open http syn-ack Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Please enter the password.
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

/img (Status: 301) [Size: 308] [--> http://10.10.64.91/img/]
/.html (Status: 403) [Size: 276]
/index.html (Status: 200) [Size: 5954]
/.php (Status: 403) [Size: 276]
/css (Status: 301) [Size: 308] [--> http://10.10.64.91/css/]
/secret.txt (Status: 200) [Size: 320]
/phpinfo.php

## WEB

Running gobuster gives us these directories:

/img                  
/.html
/index.html
/.php
/css
/secret.txt
/phpinfo.php

secret.txt:

Batman hits Joker.
Joker: "Bats you may be a rock but you won't break me." (Laughs!)
Batman: "I will break you with this rock. You made a mistake now."
Joker: "This is one of your 100 poor jokes, when will you get a sense of humor bats! You are dumb as a rock."
Joker: "HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA!"

Port 8080 uses basic authentication.
We do have joker as a potential user of the page on 8080, so let's try to brute-force it using Burp.
When we try some credentials they are sent in user:pass format, just base64 encoded.

Just gonna select the custom iterator payload type and encode it in base64, using the rockyou.txt wordlist.

Let's run it!

And boom, we are in. Let's decode it.

joker:hannah

Let's log in.

We don't have admin credentials, so let's run nikto on it. It gives us various directories, including backup.zip, so let's download it and unzip it.
It is password protected; trying the password from above, hannah, unlocks it. Unzipping it gives us two directories, site and db.

Let's take a look at the database file.

It has a hash; let's john it.

Boom, let's log in as admin.

We're in. While we're at it, let's also get a revshell, cz why not! 😉

Let's change index.php to our revshell; I'm using the pentestmonkey one,

and when we hit index.php we get a revshell. Running id in the revshell reveals that we're in the lxd group (lxd is used for running containerised Linux).

## PRIVESC

Let's try to get root privs, looking on HackTricks.

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

Let's go and get ourselves a root shell.
I uploaded an Alpine image from GitHub.

And boom, we have root privs, lol. Well, not really, but we do have read access!
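The whole privesc hinges on a regular user sitting in the lxd group, which is root-equivalent on the host. Here is an added audit helper (not from the write-up, not part of THM or the box) that parses /etc/group content and flags non-root members of groups that grant root-equivalent access; the /etc/group sample below is constructed, and the group-to-risk table is my own list of assumptions, not something the page states.

```python
#!/usr/bin/env python3
"""Flag users whose supplementary group membership is effectively root.

Hypothetical audit helper; the sample /etc/group content is constructed.
Only supplementary members are covered: a user's primary gid from /etc/passwd
is not checked here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Groups whose membership lets a user reach root without sudo (assumption: this
# list reflects common Linux setups; extend it to match your distribution).
ROOT_EQUIVALENT_GROUPS: Dict[str, str] = {
    "lxd": "can launch a privileged container that mounts the host's /",
    "docker": "same effect as lxd, via the Docker socket",
    "disk": "raw read/write on block devices, bypassing file permissions",
    "sudo": "sudo rights; check /etc/sudoers for the actual scope",
}


@dataclass
class Finding:
    user: str
    group: str
    gid: int
    reason: str


def parse_group_file(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Return {group_name: (gid, [members])} from /etc/group style content."""
    groups: Dict[str, Tuple[int, List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def audit(text: str, ignore_users: Tuple[str, ...] = ("root",)) -> List[Finding]:
    """List every non-ignored user found in a root-equivalent group."""
    findings: List[Finding] = []
    for name, (gid, members) in parse_group_file(text).items():
        if name not in ROOT_EQUIVALENT_GROUPS:
            continue
        for user in members:
            if user not in ignore_users:
                findings.append(Finding(user, name, gid, ROOT_EQUIVALENT_GROUPS[name]))
    return findings


# Constructed sample: a web user that was also dropped into lxd.
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog
www-data:x:33:
sudo:x:27:
lxd:x:115:www-data
docker:x:999:
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUP_FILE):
        print(f"{f.user} is in {f.group} (gid {f.gid}): {f.reason}")
```

Remediation is simply removing the account from the group (gpasswd -d www-data lxd) and keeping the LXD socket reachable only by admins who are already root-equivalent.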

And DONE!
