Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-11 04:29 EDT
Nmap scan report for 192.168.227.166
Host is up (0.00068s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD 1.3.5b
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
|   2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
|   256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_  256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (ED25519)
MAC Address: 00:0C:29:90:AF:5E (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   0.68 ms  192.168.227.166

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.27 seconds
Checking its HTTP service (port 80), there is an interesting entry in robots.txt: /dev_shell.php
OK, RCE. After trying some commands, I found that some of them are filtered, like "ls", and that a command must not contain ";".
But "dir" is not filtered.
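To show why a filter of this kind is weak, here is an added Python example (not the box's dev_shell.php, whose code the writeup does not reproduce): a denylist that rejects a few command names and ";", next to an allowlist parser that only admits named programs with plain arguments. The denied words and the allowed programs are assumptions modelled on the behaviour described above.

```python
"""Denylist vs allowlist filtering for a command-execution endpoint.

Added example; the DENIED_* and ALLOWED_PROGRAMS values are assumed,
chosen to mirror the observed filter (blocks "ls" and ";") rather than
copied from the real webshell."""
import shlex

# Assumed weak filter: a handful of names plus one separator.
DENIED_WORDS = {"ls", "cat", "nc"}
DENIED_CHARS = {";"}

# Assumed hardened policy: named programs only, flag-like arguments only.
ALLOWED_PROGRAMS = {"uptime", "df", "free"}
SHELL_META = set(";&|`$<>(){}*?\\\n")


def denylist_allows(cmd: str) -> bool:
    """Mimics the weak filter: anything not explicitly listed passes.
    "dir" (coreutils) is not in the list, so it goes through unchanged."""
    if any(c in cmd for c in DENIED_CHARS):
        return False
    return not any(word in DENIED_WORDS for word in cmd.split())


def allowlist_parse(cmd: str):
    """Returns an argv list suitable for subprocess.run(argv) with no
    shell, or None when the request must be refused. Unknown programs
    ("dir" included) and any shell metacharacter are rejected outright."""
    if any(c in cmd for c in SHELL_META):
        return None
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    # Arguments may only be flags or plain words: no paths, no quoting tricks.
    if not all(a.replace("-", "").isalnum() for a in argv[1:]):
        return None
    return argv


if __name__ == "__main__":
    for c in ("ls /home", "dir /home", "uptime", "df -h", "df /"):
        print(f"{c!r:14} denylist={denylist_allows(c)} allowlist={allowlist_parse(c)}")
```

The denylist's only real decision is "is this string on my list", so the allowlist version is the one to reach for whenever a web endpoint must run a program at all.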
It seems there is a backup file for the webshell; download and audit it.
www-data@Milburg-High:/home/elliot$ cat theadminisdumb.txt
cat theadminisdumb.txt
The admin is dumb, In fact everyone in the IT dept is pretty bad but I can’t blame all of them the newbies Sebastian and James are quite new to managing a server so I can forgive them for that password file they made on the server. But the admin now he’s quite something. Thinks he knows more than everyone else in the dept, he always yells at Sebastian and James now they do some dumb stuff but their new and this is just a high-school server who cares, the only people that would try and hack into this are script kiddies. His wallpaper policy also is redundant, why do we need custom wallpapers that doesn’t do anything. I have been suggesting time and time again to Bob ways we could improve the security since he “cares” about it so much but he just yells at me and says I don’t know what i’m doing. Sebastian has noticed and I gave him some tips on better securing his account, I can’t say the same for his friend James who doesn’t care and made his password: Qwerty. To be honest James isn’t the worst bob is his stupid web shell has issues and I keep telling him what he needs to patch but he doesn’t care about what I have to say. it’s only a matter of time before it’s broken into so because of this I have changed my password to

I hope bob is fired after the future second breach because of his incompetence. I almost want to fix it myself but at the same time it doesn’t affect me if they get breached, I get paid, he gets fired it’s a good time.
I have a few credentials now:
But none of these accounts can do anything special. Checked for SUID files as well and got nothing. The Debian release is quite new, so no exploit is available.
Found a ProFTPD 1.3.3c installation file in /home/bob/Downloads. That release has a backdoor, but according to the nmap result the running ProFTPD is version 1.3.5b; I tried the backdoor anyway and it also failed.
www-data@Milburg-High:/home/bob/Documents$ ls
ls
Secret  login.txt.gpg  staff.txt
www-data@Milburg-High:/home/bob/Documents$ cat staff.txt
cat staff.txt
Seb:
Seems to like Elliot
Wants to do well at his job
Gave me a backdoored FTP to instal that apparently Elliot gave him

Does nothing
Pretty Lazy
Doesn't give a shit about his job

Keeps to himself
Always needs to challenge everything I do
Keep an eye on him
Try and get him fired
www-data@Milburg-High:/home/bob/Documents$ file login.txt.gpg
file login.txt.gpg
login.txt.gpg: GPG symmetrically encrypted data (AES cipher)
www-data@Milburg-High:/home/bob/Documents$ cd Secret
cd Secret
www-data@Milburg-High:/home/bob/Documents/Secret$ ls
ls
Keep_Out
www-data@Milburg-High:/home/bob/Documents/Secret$ cd K*
cd K*
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ ls
ls
Not_Porn  Porn
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ cd No*
cd No*
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ ls
ls
No_Lookie_In_Here
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ cd N*
cd N*
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ ls
ls
notes.sh
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cat notes.sh
cat notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cd ..
cd ..
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ cd ..
cd ..
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ ls
ls
Not_Porn  Porn
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ cd P*
cd P*
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Porn$ ls
ls
no_porn_4_u
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Porn$ cat n*
cat n*
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Porn$
notes.sh does not make any sense to me.
login.txt.gpg seems to contain login credentials, but it is encrypted; I tried to decrypt it and failed after several passphrase guesses.
Googled for a walkthrough and found out that this is the passphrase: