five86: 1 Walkthrough
Netdiscover-
Nmap-
Running OpenNetAdmin Service on Port 80-
Found Command Injection Exploit of Exploit-DB-
https://www.exploit-db.com/download/47772
Downloaded the file using wget, renamed it with a .rb extension, and copied it into the Metasploit exploits directory as-
cp 47772.rb /usr/share/metasploit-framework/modules/exploits/
Using msfconsole with the above module as-
Setting up LHOST and RHOST-
Running the Exploit-(Found Low Privilege shell)-
Enumerating the Directory-
Accessing .htpasswd file-
Found Douglas hash in the .htpasswd file-
So, I found that the password is a 10-character string built only from the letters “aefhrt”, so you’ll need to prepare a wordlist of 10-character candidates over that alphabet. Here we use crunch to create the dictionary, running the following command so that the output follows the password pattern the author has described.
Used Crunch-
Usage: crunch <min> <max> [options]
Getting Hash File-
With the help of the above command, we generated a dictionary and used John the Ripper to crack the hash value. Here I saved the hash value shown above in a text file called “hash”, used dict.txt as the wordlist, and ran the following command.
john --wordlist=/root/dict.txt hash
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1
douglas : fatherrrrr
Privilege Escalation-
Check with sudo -l
Then we can use jen's sudo permission to add our public key to the authorized_keys file in the .ssh directory of jen's home, and we can connect to that account.
Since the author has granted a sudo right to run the cp program as jen, we can copy douglas's public RSA key into /home/jen/.ssh so that we can log in as jen. Thus, we executed the following commands as given below.
Now copy id_rsa into the /tmp directory, fix its permissions, and then try to open an SSH shell on localhost as jen.
Hmmm! Once connected over SSH as jen, we found another hint, “you have a new mail”, in the SSH banner as shown in the given image.
Next-
So, we find a text file “jen” in /var/mail that contains an email to jen. According to this message, jen knows the password for the Moss account, so we can use the Moss credential for a further move.
So, we switched from jen’s account to Moss and searched for SUID-enabled binaries; luckily, here we found that the SUID bit is set on “upyourgame” as shown in the image.
find / -perm -u=s -type f 2>/dev/null
cd .game
./upyourgame
So we navigate to /home/Moss/.game/ and run the “upyourgame” program. The program launches a questionnaire that only accepts YES / NO answers, and at the end we get a root shell and find the final flag in the /root directory as shown below.
Thanks!!!