Silence

Nmap Scan Result

Notice that SSH is running on port 1055.

SMB is running on port 445, so we can use enum4linux for enumeration (enum4linux -a 10.150.150.55).

As seen below, we are able to find user accounts on the system.

Now checking the web service, notice index.php, discovered by nikto.

Directory bruteforcing with gobuster found trick.php, which seems like an interesting file, and since there aren't many attack vectors, I decided to test for LFI using the PHP filter wrapper (more details here).

The PHP filter exploit worked on the trick file, which means we can now view the content of the PHP scripts; I did this for trick.php and index.php, as seen below.

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=index.php' | base64 -d > index.php


From the index.php source code, notice that a "path" parameter is set to the root location "/", which displays the Linux filesystem when visited in the browser.

Enumerating and browsing all the files, you'll come across an SSH archive in Sally's home directory, which I downloaded with curl, using the filter exploit once again:

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > SSHArchiveBackup.tar.gz 

Extracted, the archive contains 100 private keys. Trying them one after the other by hand would take time, but the simple bash loop below runs through them effortlessly:

for key in id_rsa*; do echo "$key"; ssh -p 1055 -o "PreferredAuthentications=publickey" -i "$key" sally@10.150.150.55; done

...and key 70 was successful.

Enumerating for privilege escalation (PE), I noticed that Sally is a member of the group "netAdmin" and that john's SSH authorized_keys file is writable by netAdmin members.

This means we can add our own SSH key to john's authorized_keys and log in as john.

Create an SSH key pair with ssh-keygen and add the public key (.pub) to john's authorized_keys file.
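An added audit check, not part of this writeup, for the misconfiguration used here: it lists authorized_keys files (and the .ssh directories holding them) under a home root that are group- or world-writable, which is what let netAdmin members plant a key for john, and reports whether an sshd_config explicitly disables StrictModes. It assumes GNU find and a stat that accepts -c.

```shell
#!/bin/sh
# Added audit helper (not from the writeup). Finds SSH key material that
# someone other than its owner can modify: an authorized_keys file, or the
# .ssh directory holding it, with the group or other write bit set. That is
# the condition abused above, where any member of "netAdmin" could append a
# key to john's file and log in as john.
# Assumes GNU find and a stat that accepts -c (GNU or busybox).

# Prints one "WEAK <mode> <owner> <group> <path>" line per finding.
# Returns 0 when nothing is weak, 1 otherwise.
audit_authorized_keys() {
    root="${1:-/home}"
    # -perm -g+w / -perm -o+w match when the group / other write bit is set;
    # .ssh is checked too because a writable directory lets the file be
    # replaced even when the file itself is read-only.
    hits=$(find "$root" \( -name authorized_keys -o -name .ssh \) \
        \( -perm -g+w -o -perm -o+w \) \
        -exec stat -c 'WEAK %a %U %G %n' {} \; 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# sshd refuses group/world-writable key files only while StrictModes is on
# (the default). Returns 0 when the given sshd_config explicitly turns it off.
strict_modes_disabled() {
    grep -Eiqs '^[[:space:]]*StrictModes[[:space:]]+no([[:space:]]|$)' \
        "${1:-/etc/ssh/sshd_config}"
}

# Stand-alone run: audit the given root (default /home) and the live sshd_config.
audit_authorized_keys "${1:-/home}" && echo "no writable authorized_keys under ${1:-/home}"
strict_modes_disabled && echo "WARNING: StrictModes is disabled in sshd_config"
```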

Priv Esc

John can run nano with sudo without a password, for which GTFOBins has an entry:

https://gtfobins.github.io/gtfobins/nano/#sudo