Scenarios – taken from CTF challenges
=====================================
#### Deleted file by admin
.bash_history - reveals a file which has now been deleted (sudo -u sysadmin /home/syadmin/luvit privesc.ua)
sudo -l - reveals we can run, as root, certain software which executes Lua code
echo "require('os');" > priv.lua
echo "os.execute('/bin/bash');" >> priv.lua
#### Serving a tool from our own web server (so the target can fetch it)
sudo mv pspy64 /var/www/html
sudo service apache2 start
#### Backgrounding a shell
You can create a shell script and use & to run it in the background during an SSH session. This prevents other users from being blocked.
#### Magic bytes
You attempt to upload a file abc.php.jpg
- it gets flagged immediately
Way around it:
get the magic bytes from a .jpg image (xxd image.jpg | head)
add these to the start of our abc.php.jpg
echo 'FFD8FFDB' | xxd -r -p > webshell.php.jpg
then upload
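Why the prefix trick works, and what an upload handler has to do instead, as an added example (my code, not from the CTF or the notes above): a naive magic-byte check and a naive last-extension check both pass the prefixed file, while walking the JPEG marker segments rejects it, and the handler refuses double extensions and stores the file under a server-chosen name. TINY_JPEG and DISGUISED are constructed sample inputs.

```python
import hashlib
import struct

# Constructed sample inputs (not real uploads from the page).
# A minimal JPEG-like byte string: SOI, an APP0 segment, an SOS header, two bytes of
# scan data and EOI. Enough structure for the walker below; not a renderable picture.
TINY_JPEG = (
    b"\xff\xd8"                                                            # SOI
    + b"\xff\xe0" + struct.pack(">H", 16)                                  # APP0, length 16
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"                      # 14 bytes of payload
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"     # SOS header
    + b"\x12\x34"                                                          # entropy-coded data
    + b"\xff\xd9"                                                          # EOI
)
# The trick from the notes: JPEG magic bytes glued in front of a non-image payload.
DISGUISED = bytes.fromhex("FFD8FFDB") + b"<?php echo 'not an image'; ?>"

ALLOWED_EXTENSIONS = {"jpg", "jpeg"}


def magic_bytes_ok(data: bytes) -> bool:
    """Naive check: only the leading bytes are inspected, which the prefix trick defeats."""
    return data[:2] == b"\xff\xd8"


def last_extension_ok(filename: str) -> bool:
    """Naive check: only the final extension is inspected, so abc.php.jpg passes."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def is_structurally_valid_jpeg(data: bytes) -> bool:
    """Walk the JPEG marker segments instead of trusting the first bytes.

    Every segment must start with 0xFF and carry a sane length, and the stream must end
    with EOI. A PHP payload after FFD8FFDB yields an impossible DQT length and fails here.
    """
    if not data.startswith(b"\xff\xd8"):
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xFF:                          # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                          # EOI must be the very end of the file
            return pos + 2 == len(data)
        if marker == 0xDA:                          # SOS: entropy-coded data runs until EOI
            return data.endswith(b"\xff\xd9")
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return False
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            return False
        pos += 2 + length
    return False


def vet_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name). Only the server-chosen name ever reaches disk."""
    parts = filename.lower().split(".")
    if len(parts) != 2:
        # abc.php.jpg: some server configurations map a handler from any extension in the name
        return False, "reject: multiple or missing extensions", None
    if parts[1] not in ALLOWED_EXTENSIONS:
        return False, "reject: extension not allowed", None
    if not is_structurally_valid_jpeg(data):
        return False, "reject: content is not a well-formed JPEG", None
    # Name derived from the content, never from the user-supplied filename.
    stored = hashlib.sha256(data).hexdigest()[:16] + ".jpg"
    return True, "accepted", stored


if __name__ == "__main__":
    print("naive checks pass the disguised file:",
          magic_bytes_ok(DISGUISED), last_extension_ok("abc.php.jpg"))
    print(vet_upload("abc.php.jpg", DISGUISED))
    print(vet_upload("photo.jpg", TINY_JPEG))
```

The segment walk is the part that matters: the bytes `<?` right after `FFD8FFDB` are read as the DQT segment length (0x3C3F), which runs past the end of the file. Serving the upload directory with script execution disabled is the other half of the mitigation; the validator only keeps bad files out, it does not make the directory safe.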
### SQL Truncation
- a website states a username or email cannot be more than xyz in size
- from Burp, send a username longer than what is permitted
- so we enter lots of spaces around admin and then URL encode
- this works because, according to the MySQL documentation, trailing spaces are ignored in comparisons
- so register an account using admin@test.abc then catch the request
- so now if the admin's email is admin@abc.abc, add many spaces after it (admin@abc.abc++++++++++++++test)
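A toy model of the two MySQL behaviours the bullets rely on, as an added example (my code, not from the CTF): silent truncation to the column width under non-strict sql_mode, and PAD SPACE comparison that ignores trailing spaces. It shows the legacy registration flow accepting the padded address next to a hardened flow that normalises and length-checks before touching the database, and that strict mode alone also stops it. MAX_LEN = 20 is an assumed column width; the notes only say "xyz size".

```python
MAX_LEN = 20  # assumed VARCHAR(20) column; the notes only say "xyz size"


def pad_space_equal(a: str, b: str) -> bool:
    """Comparison under a PAD SPACE collation (MySQL's pre-8.0 defaults): trailing spaces ignored."""
    return a.rstrip(" ") == b.rstrip(" ")


class Users:
    """Toy stand-in for a users table with no UNIQUE index on email, as in the vulnerable app."""

    def __init__(self, strict_mode: bool):
        self.strict_mode = strict_mode   # models STRICT_TRANS_TABLES in sql_mode
        self.rows = []                   # (email, password)

    def find_by_email(self, email):
        return [r for r in self.rows if pad_space_equal(r[0], email)]

    def insert(self, email, password):
        if len(email) > MAX_LEN:
            if self.strict_mode:
                raise ValueError("Data too long for column 'email'")
            email = email[:MAX_LEN]      # non-strict mode: silently truncate, only a warning
        self.rows.append((email, password))

    def login(self, email, password) -> bool:
        return any(pad_space_equal(r[0], email) and r[1] == password for r in self.rows)


def register_legacy(db, email, password) -> bool:
    # The duplicate check runs against the submitted (over-long) value; the padding plus
    # the "test" tail makes it look new, then the column truncates it to the admin's address.
    if db.find_by_email(email):
        return False
    db.insert(email, password)
    return True


def register_hardened(db, email, password) -> bool:
    email = email.strip()
    if len(email) > MAX_LEN:             # enforce the column limit in the application too
        return False
    if db.find_by_email(email):
        return False
    db.insert(email, password)
    return True


def scenario(strict_mode: bool, register):
    """Seed the admin, attempt the padded registration, return (registered, attacker_can_login)."""
    db = Users(strict_mode)
    db.insert("admin@abc.abc", "real-admin-pw")
    padded = "admin@abc.abc" + " " * (MAX_LEN - len("admin@abc.abc")) + "test"
    try:
        registered = register(db, padded, "attacker-pw")
    except ValueError:                   # strict mode rejects the over-long row
        registered = False
    return registered, db.login("admin@abc.abc", "attacker-pw")


if __name__ == "__main__":
    print("legacy, non-strict :", scenario(False, register_legacy))
    print("legacy, strict     :", scenario(True, register_legacy))
    print("hardened, non-strict:", scenario(False, register_hardened))
```

Two caveats worth knowing when assessing a real target: MySQL 5.7 and later enable STRICT_TRANS_TABLES by default, which turns the truncation into an error, and MySQL 8.0's default collation utf8mb4_0900_ai_ci is NO PAD, so trailing spaces are no longer ignored in comparisons. A UNIQUE index on the column would also have refused the truncated duplicate.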
#### Email changing to admin for priv
CTF whereby the standard user could change the password of the admin by catching the request in Burp Suite and editing the user email to the admin's (which is found easily).
- Then when you go to the profile of admin, view the source code and you find an images upload directory.
- So you go back to the profile, upload a reverse PHP shell (no indicator whether it uploaded or not)
then back in the browser, type in the /directory of image uploads followed by the reverse shell name
(ensure the listener is on) – may need to use curl
- Then using the privileged /sbin/reboot we reboot using that .sh file
even on directories found - look at the source code!! and run curl on them all
website - directory fuzz only gave one link (security config clue)
use curl -L, look at the source
tried to extract using steghide extract -sf filename.jpg - would not work
however when I wrote to another file it worked!
steghide extract -sf filename.jpg -xf hash.txt
if you come across authorized_keys for userA but the key file shows userB at the end
you can log in as userA using the private key of userB
we take the private key of userB and put it onto our attacking machine, then we use that to log in as userA
ssh userA@xx.xx.xx.xx -i .ssh/id_rsa_userB
copy to our system:
scp USERB@192.168.124.230:~/.ssh/id_rsa .
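The reason this works is that sshd ignores the comment field: whoever's authorized_keys file the key sits in is who the key logs in as. An audit that catches the situation from the defender's side, as an added example (my code, not from the CTF): it parses every account's authorized_keys, flags keys whose comment names a different user, keys shared between accounts, and ssh-dss keys. SAMPLE is a constructed set of files with made-up key material; load_from_home() is the hypothetical real-system loader.

```python
import re
from collections import defaultdict
from pathlib import Path

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-dss", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com")
# Options (which may contain quoted spaces and commas) come before the key type, so anchor on the type.
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) + r")\s+(\S+)(?:\s+(.*))?$")

# Constructed sample: account -> contents of that account's ~/.ssh/authorized_keys.
# userA's file holds a key whose comment says userB, the situation described in the notes.
SAMPLE = {
    "userA": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYMATERIALxxxxxxxxxxxxxxxx userB@box\n",
    "userB": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYMATERIALxxxxxxxxxxxxxxxx userB@box\n",
    "userC": "# backup host, restricted\n"
             "no-pty,command=\"/usr/bin/uptime\" ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTED userC@laptop\n",
}


def parse_line(line: str):
    """Return (options, key_type, key_blob, comment) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        return None
    return line[:m.start()].strip(), m.group(1), m.group(2), (m.group(3) or "").strip()


def audit(keys_by_account: dict):
    """Findings as (account, line_no, message); line_no 0 marks cross-account findings."""
    findings = []
    accounts_for_blob = defaultdict(set)
    for account, text in keys_by_account.items():
        for n, raw in enumerate(text.splitlines(), 1):
            parsed = parse_line(raw)
            if parsed is None:
                continue
            options, key_type, blob, comment = parsed
            accounts_for_blob[blob].add(account)
            named = comment.split("@", 1)[0] if comment else ""
            if named and named != account:
                findings.append((account, n, f"comment names '{named}' but the key logs in as '{account}'"))
            if key_type == "ssh-dss":
                findings.append((account, n, "ssh-dss key (disabled by default in modern OpenSSH)"))
    for blob, accounts in accounts_for_blob.items():
        if len(accounts) > 1:            # one private key opening several accounts
            for account in sorted(accounts):
                others = ", ".join(sorted(accounts - {account}))
                findings.append((account, 0, f"same key also authorizes: {others}"))
    return findings


def load_from_home(home_root="/home"):
    """Hypothetical real run: collect every user's authorized_keys (needs read access, e.g. as root)."""
    out = {}
    for d in Path(home_root).iterdir():
        f = d / ".ssh" / "authorized_keys"
        if f.is_file():
            out[d.name] = f.read_text()
    return out


if __name__ == "__main__":
    for account, line_no, message in audit(SAMPLE):
        print(f"{account}:{line_no}: {message}")
```

The comment mismatch is only a hint (people do copy keys around legitimately), but a key blob that appears in more than one account's file is the finding to act on: one leaked private key then opens every account that trusts it.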
do a directory scan with an extension set, e.g. -x .php
(use dirsearch) - /web-content/big.txt -e .php
when doing a box, if you find a user and still need to do lateral movement
go to /etc/phpmyadmin and look for the config file
if you find db passwords or php passwords - create a user list (from /home) and run that single password against the user list in hydra
you have management.log - which shows a cron job
eg: chmod 777 /home/dawn/ITDEPT/product-control
you have upload access to the smb share
create an nc one-liner reverse shell, insert it into product-control and upload
when we ran unshadow on passwd and shadow: the password hash is displayed, use this to crack further
type export at the prompt to see the environment
is /bin writeable?
ls -la /usr/bin (or /bin)
look for files writeable by all
method 2:
ssh in using: -t "bash --noprofile"
then you need to use absolute paths - cat = /usr/bin/cat <file>
method 3:
export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
just echo a shell into it.
may need to use the full path for nc (if used)
this is what enabled me to run chmod finally:
export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
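Both the cron note (a job that chmod 777s a file another job then runs) and the PATH notes above come down to the same class of misconfiguration: something privileged executing from a location other people can write to. An audit for both, as an added example (my code, not from either CTF): it checks PATH entries that are relative or world-writable without the sticky bit, and cron lines that loosen permissions, run a world-writable file, or run a missing file from a world-writable directory. FAKE_FS and CRONTAB are constructed stand-ins; real_mode_of() is what you would pass on a live box.

```python
import os
import stat

# Constructed stand-in for the filesystem: path -> st_mode. Real runs use real_mode_of().
FAKE_FS = {
    "/usr/local/bin": 0o040755,
    "/tmp": 0o041777,                                  # world-writable but sticky
    "/home/dawn/ITDEPT": 0o040777,                     # world-writable, no sticky bit
    "/home/dawn/ITDEPT/product-control": 0o100777,     # what the cron chmod produces
    "/usr/bin/backup.sh": 0o100755,
}

# Constructed system crontab; the product-control lines mirror the job from the notes.
CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
*/5 * * * * root chmod 777 /home/dawn/ITDEPT/product-control
*/5 * * * * root /home/dawn/ITDEPT/product-control
0 2 * * * root /usr/bin/backup.sh
@reboot root /tmp/start.sh
"""


def real_mode_of(path):
    """st_mode of a real path, or None if it does not exist."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def world_writable(mode: int) -> bool:
    return bool(mode & stat.S_IWOTH)


def risky_path_dirs(path_value: str, mode_of=real_mode_of):
    """PATH entries someone else could drop a binary into."""
    risky = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/"):
            risky.append((entry or "<empty>", "relative entry, resolved against the current directory"))
            continue
        mode = mode_of(entry)
        if mode is not None and world_writable(mode) and not (mode & stat.S_ISVTX):
            risky.append((entry, "world-writable directory"))
    return risky


def risky_cron_jobs(crontab_text: str, mode_of=real_mode_of):
    """Flag jobs that loosen permissions, run a world-writable file, or run a missing file from a world-writable dir."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:                           # environment assignment such as PATH=...
            continue
        if fields[0].startswith("@"):                  # @reboot user command ...
            if len(fields) < 3:
                continue
            command, args = fields[2], fields[3:]
        else:                                          # m h dom mon dow user command ...
            if len(fields) < 7:
                continue
            command, args = fields[6], fields[7:]
        if os.path.basename(command) == "chmod" and any(a in ("777", "0777", "o+w", "a+w") for a in args):
            findings.append((line, "job makes a path world-writable"))
        if not command.startswith("/"):
            continue                                   # resolved via the crontab PATH; not checked here
        mode = mode_of(command)
        if mode is None:
            parent = mode_of(os.path.dirname(command))
            if parent is not None and world_writable(parent):
                findings.append((line, "executable missing, and its directory is world-writable"))
        elif world_writable(mode):
            findings.append((line, "job runs a world-writable file"))
    return findings


if __name__ == "__main__":
    for entry, why in risky_path_dirs(os.environ.get("PATH", "")):
        print("PATH:", entry, "-", why)
    for job, why in risky_cron_jobs(CRONTAB, FAKE_FS.get):
        print("cron:", why, "<-", job)
```

On a live system, run risky_cron_jobs over /etc/crontab and the files in /etc/cron.d (and each user's crontab -l output, which has no user field) with the default real_mode_of; a sticky world-writable directory such as /tmp is deliberately not flagged as a PATH entry, but a job launching a not-yet-existing script from it still is.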
command injection found, cannot view /etc/passwd
used Burp Suite
BUT reverse shells would not work,
command injection using | gives a cleaner output
enter the reverse shell as found (no URL encoding or anything) after the |
- another thing: the website is on port 80, you need to get a reverse connection to port 80
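The `|` works because the parameter is pasted into a string that a shell interprets. The fix on the application side, as an added example (my code, not from the CTF): the vulnerable string-building pattern next to a validated argument vector (no shell involved, so the whole parameter is one literal argument), shlex.quote for the case where a shell string really is unavoidable, and a small helper that spots shell metacharacters in request parameters for logging or WAF rules. The ping command and the host regex are my assumptions about what such an endpoint does.

```python
import re
import shlex
import subprocess

# Hostnames or dotted-quad IPv4 only (digit-only labels cover IPv4); anything else is refused.
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

SHELL_METACHARS = set("|;&$`<>()\n")


def legacy_command(host: str) -> str:
    """Vulnerable pattern: a string that ends up in /bin/sh, so '|' and friends are honoured."""
    return "ping -c 1 " + host


def shell_metachars_in(value: str):
    """Detection helper: which shell metacharacters does a request parameter carry?"""
    return sorted(SHELL_METACHARS & set(value))


def safe_argv(host: str):
    """Validate, then build an argument vector: no shell, so the host is one literal argument."""
    if not HOST_RE.match(host):
        raise ValueError("refusing host that is not a plain hostname/IPv4")
    return ["ping", "-c", "1", host]


def quoted_command(host: str) -> str:
    """If a shell string is unavoidable, quote the parameter so metacharacters stay literal."""
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host: str) -> int:
    # A list argv means shell=False: the OS executes ping directly with these arguments.
    return subprocess.run(safe_argv(host), capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "127.0.0.1 | id"):
        print(repr(candidate), "metachars:", shell_metachars_in(candidate))
        print("  legacy :", legacy_command(candidate))
        print("  quoted :", quoted_command(candidate))
        try:
            print("  argv   :", safe_argv(candidate))
        except ValueError as e:
            print("  argv   : refused -", e)
```

The allowlist regex, not the quoting, is the primary control: quoting stops the shell from interpreting the value, but a validated argument vector never gives the shell a chance in the first place. The metacharacter helper is what you would hook into request logging to see this kind of probing at the web tier.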
easyboxfun
kept concentrating on /gym instead of doing a scan on the main URL
we were trying to run a reverse shell using the command pre<system> ' ' </pre>; the python reverse shell obviously contained
"" and '' so it doubled the amount of '' in use; using \ before the '' enabled the reverse shell to connect