WDavid404 / PG-Box

PG box walkthrough note

Pelican (Intermediate, linux, 2020)-- [PE]gcore #29

Open WDavid404 opened 3 months ago

WDavid404 commented 3 months ago

Keypoints:

WDavid404 commented 3 months ago
PORT      STATE    SERVICE         REASON         VERSION
22/tcp    open     ssh             syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
139/tcp   open     netbios-ssn     syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open     netbios-ssn     syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)

631/tcp   open     ipp             syn-ack ttl 61 CUPS 2.2
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Forbidden - CUPS v2.2.10

2181/tcp  open     zookeeper       syn-ack ttl 61 Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
2222/tcp  open     ssh             syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

8080/tcp  open     http            syn-ack ttl 61 Jetty 1.0
|_http-server-header: Jetty(1.0)
|_http-title: Error 404 Not Found

8081/tcp  open     http            syn-ack ttl 61 nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://192.168.203.98:8080/exhibitor/v1/ui/index.html
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

34631/tcp open     java-rmi        syn-ack ttl 61 Java RMI

Search exploit info for Samba smbd, ipp CUPS 2.2.10, zookeeper 3.4, Jetty 1.0, nginx 1.14.2, java-rmi -->
- Samba 3.5.0 - Remote Code Execution (https://www.exploit-db.com/exploits/42060)
- Jetty Web Server - Directory Traversal (https://www.exploit-db.com/exploits/36318)

SMB:

http://192.168.203.98:8080/exhibitor/v1/ui/index.html --> find Exhibitor Web UI 1.7.1 - Remote Code Execution (https://www.exploit-db.com/exploits/48654)

We got a reverse shell from the target host.

sudo -l

According to https://gtfobins.github.io/gtfobins/gcore/ we need to find a useful PID on the target host so we can abuse gcore.

pspy64:

Run sudo /usr/bin/gcore $PID

cat core.496 --> so, root's password is "UClogKingpinInning731UР"?

Oh... we can even run the strings command on the target host...

strings core.496 --> password should be "ClogKingpinInning731"

Then, su root
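
A defender-side check for the misconfiguration this privilege escalation relies on, a sudo rule covering /usr/bin/gcore. This is an added example, not part of the original notes: it flags `sudo -l` entries that grant memory-dumping binaries. The sample output, the user and host names, and the `RISKY` list are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag sudo rules that let a user dump the memory of other processes.
# RISKY is an illustrative, non-exhaustive list (assumption): gcore is the binary
# used in this walkthrough; gdb is included because gcore is a wrapper around it.
RISKY="gcore gdb"

# Reads `sudo -l` output on stdin; prints "<runas> <NOPASSWD|PASSWD> <command>"
# for every granted command whose binary is in RISKY, or that is the ALL wildcard.
audit_sudo_rules() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    # Rule lines look like: "    (root) NOPASSWD: /usr/bin/gcore, /bin/ls"
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*/, "", line)
        runas = line; sub(/\).*/, ")", runas)
        rest = substr(line, length(runas) + 1)
        tag = "PASSWD"
        if (rest ~ /NOPASSWD:/) tag = "NOPASSWD"
        gsub(/[A-Z_]+:/, "", rest)            # drop tags such as NOPASSWD: or SETENV:
        m = split(rest, cmds, ",")
        for (j = 1; j <= m; j++) {
            cmd = cmds[j]
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            split(cmd, words, " ")             # first word is the binary path
            k = split(words[1], parts, "/")
            if ((parts[k] in bad) || words[1] == "ALL") print runas, tag, words[1]
        }
    }'
}

# Constructed sample of `sudo -l` output (user and host names are placeholders).
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for svcuser on examplehost:
    env_reset, mail_badpass

User svcuser may run the following commands on examplehost:
    (ALL) NOPASSWD: /usr/bin/gcore
    (root) /usr/bin/systemctl status cups, /usr/bin/gdb
    (root) NOPASSWD: /usr/bin/lpstat
EOF
}

# On a real host, pipe the account's own listing instead: sudo -l | audit_sudo_rules
sample_sudo_l | audit_sudo_rules
```

Any line it prints is a rule that lets that account read the memory of processes owned by the run-as user, which is how the root password was recovered from the core file above.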