3/27/2023 0 Comments Abyss web server reverse shell![]() We come across multiple scenarios where we need full command prompt like access for further exploitation of the server. Looking forward to reading other writeups to know how these could be exploited and what I missed.Getting Reverse Shell From Web Shell | RCE | SQL - OS Shell | Command Injection I was not quite familiar with XXE, this machine helped me learn more about those. ![]() Also in the first approach docker socket could be used to get to the host machine. I used the first approach to get all the other flags. I was not able to escalate users in two of the containers and was not able to get a shell in one of the containers. But I could not get root user so, could not exploit that. rw-r-r- 1 root root 38 Feb 22 16:42 container4_flag.txtĮven though this container had sys_admin capabilities but it needed root to execute. Let’s have a look at it.ĭrwxr-xr-x 1 root root 4096 Feb 22 16:42. Messagebus:x:104:105::/nonexistent:/usr/sbin/nologin Systemd-resolve:x:103:104:systemd Resolver,:/run/systemd:/usr/sbin/nologin Systemd-network:x:102:103:systemd Network Management,:/run/systemd:/usr/sbin/nologin Systemd-timesync:x:101:101:systemd Time Synchronization,:/run/systemd:/usr/sbin/nologin Gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin List:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin Uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin News:x:9:9:news:/var/spool/news:/usr/sbin/nologin Mail:x:8:8:mail:/var/mail:/usr/sbin/nologin Lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin Man:x:6:12:man:/var/cache/man:/usr/sbin/nologin Games:x:5:60:games:/usr/games:/usr/sbin/nologin You do not have access to view user id: root:x:0:0:root:/root:/bin/bashĭaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin It showed many entries and with 52 Ch as output, then I used grep to filter out them ![]() Different IP’s has been used here as I broke some machines and had to terminate them.If you know the service / version, please submit the following fingerprint at https :// nmap. 9999 / tcp open abyss ? | fingerprint - strings : | FourOhFourRequest, GetRequest, HTTPOptions : | HTTP / 1.0 200 OK | Date : Fri, 09 : 55 : 44 GMT | Content - Length : 0 | GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq : | HTTP / 1.1 400 Bad Request | Content - Type : text / plain charset = utf - 8 | Connection : close | _ Request 1 service unrecognized despite returning data. 1 ( Ubuntu Linux protocol 2.0 ) 8888 / tcp open http Werkzeug httpd 0.16.0 ( Python 3.8.5 ) | _http - title : Site doesn ' t have a title ( text / html charset = utf - 8 ). 1 ( Ubuntu Linux protocol 2.0 ) 80 / tcp open http Apache httpd 2.4.41 (( Ubuntu )) | _http - server - header : Apache / 2.4.41 ( Ubuntu ) | http - title : Server Manager Login | _Requested resource was / login 81 / tcp open http nginx 1.18.0 ( Ubuntu ) | _http - server - header : nginx / 1.18.0 ( Ubuntu ) | _http - title : Home / tcp open http Apache httpd 2.4.41 (( Ubuntu )) | _http - server - header : Apache / 2.4.41 ( Ubuntu ) | _http - title : I Love Hills - Home 2222 / tcp open ssh OpenSSH 8.2 p1 Ubuntu 4 ubuntu0. ![]() Not shown : 65528 closed ports PORT STATE SERVICE VERSION 22 / tcp open ssh OpenSSH 8.2 p1 Ubuntu 4 ubuntu0. ![]() Nmap scan report for 10.10.172.104 Host is up ( 0.17 s latency ). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |