boot2root

These are the sort of machines you get on HackTheBox/TryHackMe/Vulnhub. You get an IP, start with Nmap and find your way to becoming the root user. These actually helped me get my OSCP.

Making boot2root

General notes

Misc

$ cp nuseradd /usr/local/man/man8/nuseradd.8
$ gzip /usr/local/man/man8/nuseradd.8
$ man nuseradd

Python script to binary

Fixing interface name

Add a new user:

sudo adduser <username>

Setting up FTP server

Edit /etc/issue

To show the IP of the machine on the login prompt as soon as it boots, edit /etc/issue and add the agetty escape for the interface's IPv4 address:

IP: \4{eth0}

This only displays the IP; if you want something else, such as the name of the machine (\n), you can add that too. Use the interface name that actually exists on the VM (newer Ubuntu releases use predictable names such as ens33 instead of eth0), or \4 without an interface to take the first configured one.

Setup Wordpress

The best thing is to follow this article

https://www.tecmint.com/install-wordpress-on-ubuntu-16-04-with-lamp/

Make sure to check which versions of PHP and WordPress are current before following it.

Setting up virtual hosts on apache2

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName mehtab.zafar.tech
    DocumentRoot /var/www/sites
</VirtualHost>

Here, when someone visits mehtab.zafar.tech, Apache serves files from /var/www/sites; for any other domain, or the bare IP, it falls back to the default site configuration. Enable the site with:

a2ensite <name-of-the-conf-without-extension>

Ex: a2ensite mehtab - where the configuration file is /etc/apache2/sites-available/mehtab.conf. Reload apache2 afterwards for the change to take effect.

Setting up Postgres

To install postgres on ubuntu you can run:

sudo apt install postgresql

After that you can log in as the postgres user and create a DB or add users:

create database <DB_NAME>;
create user <USERNAME> with encrypted password '<your-password>';
grant all privileges on database <DB_NAME> to <USERNAME>;
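The same setup as a script, as an added example that is not part of the original notes. The database name "boot2root" and role "webapp" are assumptions. The script builds the SQL in a function so the password is quoted correctly (single quotes doubled) instead of being pasted into the statement, and it adds the schema grant that PostgreSQL 15 and later need on top of the database grant.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: create the database and role
# from a script instead of typing into psql. Names are assumptions: a database
# "boot2root" used by a role "webapp".
set -euo pipefail

# pg_setup_sql DB USER PASSWORD
# Emits the SQL. Identifiers go in double quotes and the password in single
# quotes with embedded quotes doubled, so a password like it's-4-me cannot
# break out of the string literal.
pg_setup_sql() {
  local db="$1" user="$2" pass="$3"
  local qpass
  qpass=$(printf '%s' "$pass" | sed "s/'/''/g")
  cat <<EOF
CREATE DATABASE "${db}";
CREATE USER "${user}" WITH ENCRYPTED PASSWORD '${qpass}';
GRANT ALL PRIVILEGES ON DATABASE "${db}" TO "${user}";
-- from PostgreSQL 15 the public schema is no longer writable by every role,
-- so a grant on the database alone does not let the app create tables
\\connect "${db}"
GRANT ALL ON SCHEMA public TO "${user}";
EOF
}

# pg_setup DB USER PASSWORD
# Runs the SQL as the postgres superuser, stopping on the first error so a
# half-created database does not go unnoticed.
pg_setup() {
  pg_setup_sql "$@" | sudo -u postgres psql -v ON_ERROR_STOP=1
}

# only runs when invoked as: PGPASS='...' ./pg-setup.sh --install
if [ "${1:-}" = "--install" ]; then
  pg_setup boot2root webapp "${PGPASS:?set PGPASS in the environment}"
fi
```

Running the SQL through psql with ON_ERROR_STOP matters when you rebuild the VM from a script: without it a failed CREATE DATABASE is just a printed error and the later GRANT silently runs against nothing.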

Extra commands in psql

User privilege exploitation idea

This is something that came up when I was talking with @DCAU about making VMs.

If you remove a user, but leave their sudo privileges in place, can a user be created with that same name and exploit the sudo privileges?

Yes: sudoers matches user specs by name (only the #uid form matches a numeric id), so an account recreated with the same name picks up the stale entry even though it gets a fresh UID.

How?

Take this sudoers fragment. test1 can run apt-get as root without a password, and freddy can add and delete users:

#includedir /etc/sudoers.d
test1 ALL=(ALL) NOPASSWD: /usr/bin/apt-get
freddy ALL=(ALL) NOPASSWD: /usr/sbin/adduser,/usr/sbin/deluser

If test1 is deleted but its line is left behind, freddy can recreate the name with sudo adduser test1, log in as it, and turn the apt-get rule into a root shell: apt-get changelog opens the changelog in the pager, and a shell escape from the pager runs as root:

sudo apt-get changelog apt
!/bin/sh

A second version grants apt-get to a group instead of to a named user:

#includedir /etc/sudoers.d
%helpdesk ALL=(ALL) NOPASSWD: /usr/bin/apt-get
freddy ALL=(ALL) NOPASSWD: /usr/sbin/adduser,/usr/sbin/deluser

Add the group:

groupadd helpdesk

Create a user and add it to the helpdesk group:

sudo adduser test2
sudo adduser test2 helpdesk

The problem with this last version is that adduser also adds an existing user to a group, so freddy can add himself to helpdesk, log off and back on, and use the sudo privileges of helpdesk.
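A check for the first problem, as an added example that is not part of the original notes: list every user spec in a sudoers file whose user or %group no longer exists in /etc/passwd or /etc/group. visudo -c does not catch these, because a stale entry is still syntactically valid. The function takes the three files as arguments so it can run against copies; the sample files in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: list sudoers user specs that
# name a user or %group which no longer exists. These are the stale entries
# the "recreate the deleted user" trick above relies on; visudo -c does not
# flag them because the syntax is still valid.
set -euo pipefail

# dangling_sudoers SUDOERS_FILE PASSWD_FILE GROUP_FILE
# Prints "<file>:<line>: <name> (user|group) missing" per stale spec.
# Line-based: it understands comments, Defaults, aliases, comma-separated
# user lists, %group, %#gid, #uid and +netgroup, but not backslash
# continuations or every corner of the sudoers grammar.
dangling_sudoers() {
  local sudoers="$1" passwd="$2" group="$3"
  awk -v passwd="$passwd" -v group="$group" '
    function check(n,    g) {
      if (n == "ALL" || (n in aliases)) return
      if (n ~ /^%/) {                      # group spec
        g = substr(n, 2)
        if (g ~ /^#/) return               # %#gid, numeric
        if (!(g in groups))
          printf "%s:%d: %s (group) missing\n", FILENAME, FNR, n
      } else if (n ~ /^[#+!]/) {           # #uid, +netgroup, negation
        return
      } else if (!(n in users)) {
        printf "%s:%d: %s (user) missing\n", FILENAME, FNR, n
      }
    }
    BEGIN {
      while ((getline l < passwd) > 0) { split(l, f, ":"); users[f[1]] = 1 }
      while ((getline l < group)  > 0) { split(l, f, ":"); groups[f[1]] = 1 }
    }
    /^[ \t]*$/    { next }                 # blank
    /^[ \t]*[#@]/ { next }                 # comments, #includedir, @include
    /^[ \t]*User_Alias/ { a = $2; sub(/=.*/, "", a); aliases[a] = 1; next }
    /^[ \t]*(Defaults|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    {
      cnt = split($1, parts, ",")
      for (i = 1; i <= cnt; i++) check(parts[i])
    }
  ' "$sudoers"
}

# audit the live system: ./sudoers-audit.sh --system
if [ "${1:-}" = "--system" ]; then
  for f in /etc/sudoers /etc/sudoers.d/*; do
    if [ -f "$f" ]; then
      dangling_sudoers "$f" /etc/passwd /etc/group
    fi
  done
fi
```

On the example above it reports the test1 line as "test1 (user) missing" once test1 has been deleted, and the %helpdesk line until the group has been created. The fix for a real system is to delete the line together with the user (or grant by group and manage group membership), not to rely on the name staying unused.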

Do's and Don'ts

These are the must do's and don'ts of making the boot2root machine.

Running Services

In my experience it's better to use systemd rather than putting your head under this supervisor setup.

Supervisor

https://gist.github.com/mozillazg/6cbdcccbf46fe96a4edd

[program:name]
directory=/opt/1337
command=flask run --port 1337
autostart=true
autorestart=true
stopsignal=INT
stopasgroup=true
killasgroup=true

Then restart the supervisor service

sudo systemctl restart supervisor.service

And then you can check if the service is running by executing

supervisorctl status

You should see the new app.

Sometimes we end up getting errors like

unix:///var/run/supervisor.sock no such file

or

error: <class socket.sock>..........

So the fix that seemed to work for me was to run echo_supervisord_conf > /etc/supervisor/supervisord.conf

and then reread the config with

supervisorctl -c /etc/supervisor/supervisord.conf reread

and then we should see all the services running.

Note that the sample config written by echo_supervisord_conf has its [include] section commented out and uses /tmp/supervisor.sock, while the Ubuntu package's own config includes /etc/supervisor/conf.d/*.conf. If your [program:...] block lives in conf.d, add an [include] section pointing at that path (or move the block into supervisord.conf itself), otherwise reread finds nothing to start.

Systemd service file

In my experience it's better to just make a <name>.service file in /etc/systemd/system to setup a service rather than trying to mess with supervisor.

Xinetd

If you want something to do with shells, or a service accessible via nc/telnet, it's better to set up an xinetd service. Register the port in /etc/services:

game        1337/tcp        #this is a game

Here game is the name of the service and 1337 is the TCP port it listens on; text after # is just a comment. xinetd looks the port up by that name, so the service definition itself, in a file under /etc/xinetd.d/ with the same name, does not need to repeat it.
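The rest of the xinetd setup, as an added example that is not part of the original notes. The service name "game", port 1337, a dedicated unprivileged user "game" and a handler at /opt/game/run.sh are assumptions. The /etc/services entry is added idempotently, and the xinetd definition runs the handler as that user with per-source and rate limits so one player's fuzzing cannot exhaust the box.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: register a TCP service with
# xinetd the way the /etc/services line above expects. Service name "game",
# port 1337, user "game" and /opt/game/run.sh are assumptions.
set -euo pipefail

# add_service NAME PORT SERVICES_FILE
# Appends "NAME PORT/tcp" to SERVICES_FILE only if no line already defines
# NAME, so re-running the setup does not duplicate the entry.
add_service() {
  local name="$1" port="$2" file="$3"
  if grep -Eq "^${name}[[:space:]]" "$file"; then
    return 0
  fi
  printf '%s\t\t%s/tcp\t\t# boot2root service\n' "$name" "$port" >> "$file"
}

# write_xinetd NAME USER SERVER CONFDIR
# Writes CONFDIR/NAME. The port is not repeated: xinetd resolves it from
# /etc/services by service name (use "type = UNLISTED" plus "port = N"
# instead if you skip the /etc/services entry).
write_xinetd() {
  local name="$1" user="$2" server="$3" confdir="$4"
  cat > "${confdir}/${name}" <<EOF
service ${name}
{
    disable      = no
    socket_type  = stream
    protocol     = tcp
    wait         = no
    # run the handler as a dedicated unprivileged account, never root
    user         = ${user}
    server       = ${server}
    # cap concurrent connections per source IP and the overall accept rate
    per_source   = 10
    cps          = 50 10
    log_on_failure += USERID
}
EOF
}

# full install; only runs when invoked as: ./xinetd-game.sh --install
if [ "${1:-}" = "--install" ]; then
  add_service game 1337 /etc/services
  write_xinetd game game /opt/game/run.sh /etc/xinetd.d
  id game >/dev/null 2>&1 || adduser --system --no-create-home --shell /usr/sbin/nologin game
  systemctl restart xinetd
fi
```

xinetd hands the accepted socket to the handler as stdin/stdout, which is why a plain script or binary works as the "server" without any networking code of its own. Whatever that handler can reach, the player can reach, so keep the "game" account's permissions to the files the challenge actually needs.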

Other application with Systemd

This is just an example of a flask application, but any other service can be run the same way. Ex: apache2

Basically, make a file named whatevernameyouwant.service in /etc/systemd/system, write this, then reload the systemd daemon and enable the unit:

[Unit]
Description=web application
After=network.target

[Service]
User=www-data
WorkingDirectory=/opt/webapp
ExecStart=/usr/local/bin/flask run --host 0.0.0.0 --port 80
# www-data is unprivileged and cannot bind a port below 1024 on its own;
# this grants only the capability needed for port 80 (systemd 229+)
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=always

[Install]
WantedBy=multi-user.target

fail2ban

To set up fail2ban on Ubuntu for the SSH port we do the following:

Installation

Configuration

Hacking boot2root

Service Enumeration

SMB

SQLi

RDP

General

Windows

whoami /all
whoami /priv

Linux