Narco<TAC>TICS — WebAppSec
Tor is an anonymous network similar to internet. Websites hosted & activities done upon this network are hence difficult to be traced back to actual users. It thus acts as a breeding ground for various crime networks. The websites hosted upon this has a .onion domain extension.
Websites being applications with new features being introduced dynamically, vulnerabilities often creep in during its design & development. The exploitation could lead into access to the webserver thus compromising the users data.
The sheer variety of illicit drugs this syndicate is able to distribute by itself is concern worthy enough.
It’s difficult to trace the perpetrators over deepweb plus the provided contact details won’t help in tracing the actual perpetrators.
Fortunately their presence wasn’t limited to deepweb alone.
& we come across their dedicated online e-commerce shopping cart of theirs.
While hosting an e-commerce shopping platform seems fancy & convenient, it comes with its own set of vulnerabilities.
https://www.exploit-db.com/exploits/48890
Let’s test one of these and see if we can read /etc/passwd.
We have confirmed LFI and have read the passwd file. We take note of the user ‘patrick’ which is the last entry on the file.
The users patrick did not appear to have any SSH keys in /home/patrick/.ssh/
SSH Bruteforce:
With a known users on the system we can try bruteforcing pop3 / imap over telnet and we can try SSH
. I first set up crackmapexec
to brute force SSH.
crackmapexec ssh IP Address -u patrick -p /usr/share/wordlists/rockyou.txt
We soon find a valid set of credentials. patrick:patrick
Low Privilege Access:
We now attempt to login with SSH
.
ssh patrick@IPaddress
Privilege Escalation:
Privilege escalation proved to be exceptionally easy on this machine. Before uploading any enumeration scripts I always perform a quick check on what we can run as sudo with sudo -l
.
Here we can see patrick can run sudo as any user on any command. This is a quick win as we can run sudo as root on /bin/bash to spawn a root shell.
Details of all customers with their locations hence become accessible like below.