Try Hack Me: Tartarus Walkthrough

Yebberdog
7 min read · Aug 15, 2020

This is rated as a beginner level box and offers a nice learning curve while demonstrating many different techniques, so let’s start with some basic enumeration of the box using Nmap.

nmap -sV -sC -oA tartarus 10.10.223.129

(-oA takes a base name for its output files; tartarus is just a placeholder here, and nmap writes the results in normal, grepable and XML form under that name.)

So we have an FTP server open on port 21 which allows anonymous login, OpenSSH running on port 22, and an Apache web server running on port 80.

Port 80 — Web Server:

OK, so we have our standard Apache welcome page; checking the page source did not reveal any hidden information. We can brute force for hidden directories using Gobuster and a suitable wordlist.

We have a robots.txt file listed on the server, let’s see what information this holds:

It looks like we have a possible username ‘d4rckh’. We can also see a disallowed directory ‘/admin-dir’ and a cryptic message ‘I told d4rckh we should hide our things deep’.

Let’s access the /admin-dir directory:

Very interesting. Let’s take a look at credentials.txt:

This appears to be a list of passwords; I will copy them into a file called pass.txt using Vim.

Looking at the userid file, we have a list of usernames; again I will copy this list into a user.txt file using Vim.

First I tried the credentials to brute force the FTP server but did not get any hits, so I moved on to brute forcing the SSH server on port 22 using Hydra, again with no luck. So I decided to visit the FTP server.

Port 21 — FTP Server

Let’s see what is on the FTP server. As we can log in as an anonymous user, you can enter anything for the password and press return.

We have a file called test.txt, which only reveals the FTP version.

In the robots.txt file there was a clue: ‘I told d4rckh we should hide our things deep’. So I decided to see whether there were any other directories on the FTP server. There is a directory with the strange name ‘…’, so cd … into it and see what happens.

Bingo: going back in the file system, we find a file ‘yougotgoodeyes.txt’. Downloading this file, we can see it is a path to a secret directory on the web server.

This makes more sense: we now have a user login page, and I assume we can use the username and password lists we downloaded earlier from the website. We can use Hydra to brute force the credentials, but first we need to capture what is sent when we enter credentials.

I will use Burp Suite to do this.

For more information on using Hydra to brute force POST requests, visit the link below:

In Burp Suite we can see the POST request and the parameter names used for the username and password. Using Hydra we can brute force the login page to identify a valid username and password.

hydra -L user.txt -P pass.txt 10.10.223.129 http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^&Login=Login:F=Incorrect*"
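From the defender’s side, a login brute force like the one above is loud in the web server’s access log: many POSTs to the same authentication endpoint from one client in a short window. The following is an added example of my own (not part of the original walkthrough or the box) that parses Apache combined-format log lines and reports any client exceeding a threshold of POSTs to the login path within a sliding time window. The login path /sUp3r-s3cr3t/authenticate.php is taken from the page; the log lines are constructed for the example, and the threshold (20) and window (60 seconds) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Login endpoint named in the walkthrough.
LOGIN_PATH = "/sUp3r-s3cr3t/authenticate.php"

# Apache "combined" log format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(lines, login_path=LOGIN_PATH, threshold=20,
                            window=timedelta(seconds=60)):
    """Return {ip: peak_count} for clients that sent more than `threshold` POSTs
    to `login_path` inside any `window`-long sliding interval. Lines for a given
    client are expected in chronological order, as they are in a real log."""
    recent = defaultdict(deque)  # ip -> timestamps of its POSTs still inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # expire timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def sample_log():
    """Constructed sample: a 30-second burst of login POSTs from one client,
    a handful of spaced-out POSTs from a normal client, one GET and one junk line."""
    base = datetime(2020, 8, 15, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, ts, method, path, status, ua):
        return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
                f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')

    lines = [fmt("10.0.0.5", base + timedelta(seconds=i), "POST", LOGIN_PATH, 200,
                 "Mozilla/5.0 (constructed)") for i in range(30)]
    lines += [fmt("10.0.0.9", base + timedelta(seconds=30 * i), "POST", LOGIN_PATH, 200,
                  "Mozilla/5.0") for i in range(5)]
    lines.append(fmt("10.0.0.9", base, "GET", "/sUp3r-s3cr3t/", 200, "Mozilla/5.0"))
    lines.append("this line is not in log format and is skipped")
    return lines


if __name__ == "__main__":
    for ip, count in detect_login_bruteforce(sample_log()).items():
        print(f"possible login brute force from {ip}: {count} POSTs within one window")
```

Run it against a real log with `detect_login_bruteforce(open("/var/log/apache2/access.log"))`. The count is kept per client and the window slides, so a slow, spread-out attempt needs a wider window or a lower threshold to show up; both are parameters for that reason.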

We can log in with the username and password, which takes us to an image upload page.

I uploaded a test .php file to see whether it was sanitising uploads. It appeared to work, so I will check whether it has been uploaded.
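The upload form accepted a .php file because it trusted the client-supplied name and content. Below is an added example of my own (not code from the box or the walkthrough) showing what an image upload check should do instead: allow exactly one extension from an image allowlist, require the file’s leading bytes to match that type, and store the file under a server-chosen random name. The allowlist and the test inputs are constructed for the example.

```python
import os
import secrets

# Leading bytes ("magic numbers") of the image types the form is meant to accept.
# Constructed allowlist for this example; extend it for the types you actually serve.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_image_upload(filename, data):
    """Return (accepted, reason) for an uploaded file.

    A file is accepted only when the client-supplied name has exactly one
    extension, that extension is on the image allowlist, and the content starts
    with that type's signature. This rejects shell.php (extension not allowed),
    shell.php.png (double extension) and cat.png that holds PHP source (content
    mismatch)."""
    if not filename or os.path.basename(filename) != filename:
        return False, "empty name or path separators in name"
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be <base>.<ext> with a single extension"
    ext = parts[1].lower()
    signatures = IMAGE_SIGNATURES.get(ext)
    if signatures is None:
        return False, f"extension .{ext} is not an allowed image type"
    if not any(data.startswith(sig) for sig in signatures):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"


def storage_name(ext):
    """Server-chosen random file name: the original name never reaches the
    filesystem and the stored path cannot be guessed from the upload."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    for name, content in [("cat.png", png),
                          ("shell.php", b"<?php echo 'hi'; ?>"),
                          ("shell.php.png", png),
                          ("cat.png", b"<?php echo 'hi'; ?>")]:
        ok, why = validate_image_upload(name, content)
        print(f"{name:15} -> {'accept' if ok else 'reject'}: {why}")
```

Two caveats: a signature check only proves the first bytes look like an image, so a valid image with other content appended still passes; the second half of the defence is where the file lands. Keep the upload directory outside the document root, or configure the web server so nothing in it is executed, and serve images by reading them back with a fixed Content-Type rather than exposing the directory.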

Running a quick Gobuster scan on the secret directory, we found the /images directory.

Excellent, I am now going to upload a php reverse shell.

There are a number of options for a PHP reverse shell: you can generate one with msfvenom or use a pre-made reverse shell. I tend to use pentestmonkey’s reverse shell, which can be downloaded from:

Once the reverse shell is uploaded to the website, set up a listener on the attack machine, such as netcat. I prefer to use the excellent pwncat, which is very similar but has a host of additional features. For more information, visit the link below:

For more information on this excellent tool, also see the YouTube video at https://www.youtube.com/watch?v=CISzI9klRkw.

Start the listener, navigate to the reverse shell file on the website and click on it.

We get a shell as www-data. Moving to the /home directory, we see the user d4rckh, and we also have read access to that home directory.

From here we can get the User flag.

Privesc

The first thing I do is sudo -l -l to see what sudo privileges www-data has.

So we can run the command /var/www/gdb as user thirtytwo. We can see that this file is actually owned by user thirtytwo and has the SUID bit set. If we can find a way to get a shell from this command, we will escalate to user thirtytwo.

The go-to place for information on Linux binary exploitation is GTFOBins.

A quick search for the gdb binary gives us the following way to run a shell.

We have escalated our privilege to user thirtytwo. Let’s see what sudo rights this user has:

So we can run /usr/bin/git as user d4rckh; again, if we can execute a shell from this command, we should escalate our privilege to user d4rckh.

Again, checking out GTFOBins for the binary git we find the following:

Using option (b), we run the following command:

sudo -u d4rckh /usr/bin/git help config

Running this command opens the Git manual in the pager; from here we can simply enter !/bin/sh and press ‘Enter’.

We have now escalated our privilege to user d4rckh. Unfortunately sudo -l -l requires a password, which we do not have, so we will need to find another way to escalate further. Let’s look in the user’s home directory:

There is a file in here called cleanup.py which was created by root but is readable and writable by everyone. This looks like it may be run as a cron job, and checking cat /etc/crontab confirms this:

We can see that a cron job has been set up by root which calls cleanup.py. Because the script runs as root but is writable by us, modifying cleanup.py to include a reverse shell should get us root.
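The weakness here is not cron itself but a root-run job whose script a low-privileged user can edit, and that is exactly what a system owner should look for before anyone else does. The following is an added example of my own (not part of the walkthrough or the box) that parses /etc/crontab-style lines and reports privileged jobs whose target is group- or world-writable, not root-owned, missing, or resolved through PATH. The crontab text and files built in demo() are constructed for the example; the box’s actual crontab line is not reproduced on the page, so the cleanup.py entry is an assumption about its shape.

```python
import os
import shutil
import stat
import tempfile

# First tokens that merely launch the real target, which is then the next token.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "dash", "perl", "ruby"}


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style text: five schedule fields
    (or one @-keyword), a user field, then the command. Blank lines, comments
    and VAR=value assignments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):             # @reboot, @daily, ...
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2]
        else:
            parts = line.split(None, 6)
            if len(parts) == 7:
                yield parts[5], parts[6]


def script_path(command):
    """Return the file a job really executes: the first token, or the script
    handed to an interpreter such as 'python3 /path/cleanup.py'."""
    tokens = command.split()
    if not tokens:
        return None
    if os.path.basename(tokens[0]) in INTERPRETERS and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def audit_crontab(text, privileged_users=("root",), require_root_owner=True):
    """Return (user, command, reason) for jobs run by a privileged user whose
    target could be altered by someone else: group/world-writable, not owned by
    uid 0 (when require_root_owner), missing, or found via PATH lookup."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user not in privileged_users:
            continue
        path = script_path(command)
        if path is None or not os.path.isabs(path):
            findings.append((user, command, "relative path (depends on PATH)"))
            continue
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((user, command, "target does not exist"))
            continue
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if require_root_owner and st.st_uid != 0:
            reasons.append(f"owned by uid {st.st_uid}, not root")
        if reasons:
            findings.append((user, command, ", ".join(reasons)))
    return findings


def demo():
    """Constructed demonstration in a temporary directory: a root job on a
    world-writable cleanup.py, a root job on a properly protected script, a root
    job pointing at a missing file, a root job using a bare command name, and an
    unprivileged user's job (ignored). The owner check is disabled because the
    temporary files belong to whoever runs the example, not to root."""
    tmp = tempfile.mkdtemp()
    try:
        bad = os.path.join(tmp, "cleanup.py")
        good = os.path.join(tmp, "backup.sh")
        for path, mode in ((bad, 0o666), (good, 0o644)):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        crontab = (
            "# /etc/crontab: system-wide crontab (constructed sample)\n"
            "SHELL=/bin/sh\n"
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
            f"*/1 * * * *  root   python3 {bad}\n"
            f"0 3 * * *    root   {good}\n"
            f"30 2 * * *   root   {tmp}/missing.sh --quiet\n"
            "@reboot      root   tidy-tmp\n"
            f"15 * * * *   d4rckh {bad}\n"
        )
        return audit_crontab(crontab, require_root_owner=False)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for user, command, reason in demo():
        print(f"[{user}] {command}: {reason}")
```

On a real host run `audit_crontab(open("/etc/crontab").read())` with the owner check left on, and apply the same parser to the files under /etc/cron.d. One limit worth knowing: the check looks at the script file only, so a root-owned, mode 644 script sitting in a directory that others can write to would still pass; extend the stat check to the parent directory if that matters in your environment.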

Using Vim I will edit the cleanup.py file and add a simple Python reverse shell.

Next, set up a listener to catch the reverse shell. I am using port 8080, but you can use whatever you like. When the cron job fires, we should get our shell.

Checking that we are root, we then navigate to /root and cat the root flag.

Loved this box, as it demonstrates a nice workflow to achieve escalation while covering many different techniques which were not too obscure, ideal for a beginner like me. Thank you to csenox for creating this box.

My apologies if I have made any errors; these walkthroughs are more for my benefit, as I tend to learn better by making notes such as these.
