Ew_Skuzzy: 1

Categories:Vulnhub

https://www.vulnhub.com/entry/ew_skuzzy-1,184/

Welcome to EW_Skuzzy.

 

First run Zenmap and see what ports are open

We have 3 ports open: SSH 22, HTTP 80 and, go figure, iSCSI running on 3260

Looking at the HTTP site does not show much

Since this is called Skuzzy, let's see what we can find

First make sure you have the right tools installed

apt install open-iscsi

Then let's see what it can find.

Run a scan

Great, now log in

Now let's see where it put it

sdb it is. Now let's mount it

and see what we have

There we go, flag 1. Looks like it is part of a base64 string, but we are missing the rest. Let's keep looking.

That dsk file looks interesting, probably some type of image file. Let's cat it and see what we find.

Well, there are flags 2 and 3, but there is more here. Let's try to mount that dsk file

 

Well, there we go. Let's see what is in the email:

Hmm, there is that flag again. Now let's see about decrypting that enc file

Pluck

Categories:Vulnhub

https://www.vulnhub.com/entry/pluck-1,178/

This is my first so be gentle.

After boot up I ran Zenmap

Browsing around the website we see that the URL looks interesting:

index.php?page=about.php

I tried sqlmap as port 3306 was open during the scan, but that did not work. I then tried to read files since it showed the .php in the URL.

That resulted in some interesting info:

index.php?page=../../../../etc/passwd

I tried the etc/shadow file, but that did not show, as I am sure permissions were denied. Looking through the passwd file I noticed:

backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

Viewing that script:

index.php?page=../../../../usr/local/scripts/backup.sh

Interesting: /backups/backup.tar

A little: curl  index.php?page=../../../..//backups/backup.tar  > backup.tar

It errors out at the 6 gig mark (GULP) and the file is corrupt, but with some luck we can get something

cpio -ivd -H tar <  backup.tar

This gave me some nice home directories. In the Paul home directory there is a folder called keys:

 

I started trying them all and hit pay-dirt with id_key4

ssh -i id_key4 paul@192.xxx.xxx.xxx

What is this???

I started messing around and looking at files. Looking at the admin.php file resulted in that whole vector not really doing anything. It is just a way to waste time:

Now to try to get a reverse shell so I can get a console. Using this Pdmenu I tried creating files, as it uses Vim. Looks like Paul does not have write access to /var/www/html, but he does to /home/paul/

Let's use this Pdmenu to create a test file in his home directory, then see if our site can view it. I created /home/paul/test.php that contained

<?php
phpinfo();
?>

Saved it and tried to reach it and:

index.php?page=../../../../home/paul/test.php

After messing around and learning about Pdmenu I found the config file in /home/paul/.pdmenurc

Using the menu I was able to edit the file and add my own bash shell

Now exit VIM and Pdmenu and reconnect to SSH

and pick bash

After playing around a bit I could not find anything. So I ran http://pentestmonkey.net/tools/unix-privesc-check

This gave a ton of info, but right at the top:

WARNING: /etc/cron.weekly/man-db is run by cron as root. /etc/cron.weekly/man-db contains the string /proc/self/status. The user paul can write to /proc/self/status

 

This sounds like something I have worked with before… A quick Google search for “proc self status linux exploit” and there it was: Dirty Cow.

https://www.exploit-db.com/exploits/40616/

download, compile, run…

 

 

This was fun. Thank you
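
A defender's view of the `index.php?page=` requests in the Pluck write-up above, as an added example that is not part of the original post: a Python check that resolves the `page` value of each access-log request against the web root and reports the ones that leave it. The web root `/var/www/html`, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www/html"  # assumption: directory the includes resolve against
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so encoded dot-dot sequences are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_page_param(target, param="page"):
    """Return (verdict, resolved_path) for the include parameter of a request target."""
    values = parse_qs(urlsplit(target).query).get(param)
    if not values:
        return ("no-param", None)
    raw = fully_decode(values[0]).replace("\\", "/")
    # Resolve the value the way a relative include would, then compare to the root.
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, raw))
    if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
        return ("escapes-webroot", resolved)
    return ("ok", resolved)

def scan(log_lines):
    """Return [(line_no, resolved_path)] for requests whose include leaves the web root."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            verdict, resolved = classify_page_param(m.group(1))
            if verdict == "escapes-webroot":
                hits.append((n, resolved))
    return hits

# Constructed access-log lines replaying the requests from the write-up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2017:10:00:00 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 1200',
    '192.0.2.10 - - [01/Jan/2017:10:00:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1800',
    '192.0.2.10 - - [01/Jan/2017:10:00:09 +0000] "GET /index.php?page=../../../../usr/local/scripts/backup.sh HTTP/1.1" 200 300',
    '192.0.2.10 - - [01/Jan/2017:10:00:12 +0000] "GET /index.php?page=../../../../home/paul/test.php HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for line_no, path in scan(SAMPLE_LOG):
        print(f"line {line_no}: include resolves to {path}")
```

The same resolve-then-compare test, applied inside the application before the include, is what would have kept `page` confined to the site's own files.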

 

 

PIAWARE

Categories:raspberry pi

raspberry

 

Playing with a Raspberry Pi is a lot of fun. If you do not know what a Raspberry Pi is, click the logo above!

Currently I am using my Pi to track planes flying over my house and plotting them on a Google Map.

You can see my stats here 

For more info:

http://flightaware.com/adsb/piaware/