Joker - 10.10.10.21
Ports / Services / Software Versions Running
22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1ubuntu0.1
3128/tcp open http-proxy Squid http proxy 3.5.12
Replicating the exploit:
Result from browsing to port 3128 in Firefox:
Configure squid in foxyproxy and browse to the port
Tried default credentials; no luck.
Connect via TFTP (UDP) and search for config files.
File is downloaded to our system
Remove all lines starting with #
grep -v '^#' squid.conf
Filter for lines with content (drop blank lines)
grep -v '^#' squid.conf | grep .
Grab password file via tftp
Passwords stored in MD5.
Crack with john.
Now you get no prompt for a username
Go to 127.0.0.1
Server side request forgery attack
Add an upstream proxy
Configure a new proxy listener, as the app itself is not vulnerable
And send to localhost on port 80 (you don't need invisible proxy, but you may need to add it just to make it work).
Browse to 127.0.0.1 URL and you have the same. Now use dirsearch.py to find the directory you need.
git clone https://github.com/maurosoria/dirsearch
python3 dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://127.0.0.1 -e php -t 20
Eventually you get /console
Run some system commands and try to get a reverse shell
Does not work. Suggests a firewall issue
Ping our machine with TCPdump listening
Find firewall rules
Check local firewall rules and base64 encode them without wrapping.
Copy and decode by putting string into a file
UDP is allowed, so now do a reverse shell with nc -u. Start up a listener in UDP mode.
Send udp shell
Now you have a shell
Get a better shell
Check sudo -l
searchsploit the sudo version
Checking this file:
Generate SSH key on kali
Create a symlink to alekos' ssh keys
Edit file with sudoedit
Generate an ssh key so you can log in to the system and edit files with a proper terminal.
Copy the key to the clipboard and paste it into layout.html with sudoedit
Another way is to sudoedit -u alekos /var/www/ .ssh/authorized_keys /layout.html which edits 3 files at once
Exit and save the file
SSH into box with new key
Navigate to the /home/alekos/backups dir and list it; you will see all files are being backed up every 5 minutes.
mkdir extracted && cd extracted
tar -xvf ../dev-1511680202.tar.gz
Shows the development folder being backed up every 5 mins
To get the root flag
Create a symlink
Wait 5 minutes and copy and extract the latest dev* and unzip it and you will get the root flag.
Make the file executable:
Set up a nc listener and wait to get root on port 8082
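A defender-side check for the backup-job symlink issue used above, as an added example that is not part of the original notes: it walks the directory a cron tar job would archive and reports every symlink that resolves outside that directory, which is the condition that lets a link in the development folder pull a root-only file into the archive. The directory layout, file names and contents in demo() are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def unsafe_backup_members(src_dir):
    """Return (link, target) pairs for symlinks under src_dir whose target
    lies outside src_dir. If the backup job archives with links followed
    (GNU tar -h / --dereference), such entries are read with the job's
    privileges, so the archive carries the target's contents."""
    root = Path(src_dir).resolve()
    findings = []
    # followlinks=False: do not descend into linked directories, but they
    # still appear in dirnames, so they are checked like any other entry.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = entry.resolve()  # non-strict: dangling links still resolve
            try:
                target.relative_to(root)
            except ValueError:
                findings.append((str(entry), str(target)))
    return findings


def demo():
    """Constructed sample tree: one regular file, one symlink that stays
    inside the tree, and one symlink escaping to a file outside it."""
    outside = Path(tempfile.mkdtemp())
    secret = outside / "root_only.txt"
    secret.write_text("constructed sample file, not a real flag\n")
    dev = Path(tempfile.mkdtemp()) / "development"
    dev.mkdir()
    (dev / "app.py").write_text("print('hello')\n")
    os.symlink(dev / "app.py", dev / "app_link.py")   # in-tree, harmless
    os.symlink(secret, dev / "escape.txt")             # escapes the tree
    return unsafe_backup_members(dev)


if __name__ == "__main__":
    for link, target in demo():
        print(f"symlink escapes backup root: {link} -> {target}")
```

Run it against the directory your backup cron job archives; an empty result means every symlink stays inside the tree.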