Difficulty: Easy
Alright, let's dig in with our nmap scan:
Okay, so we only have a web server here showing the default Apache2 page. Now I'd usually use OWASP ZAP (Zed Attack Proxy) or Burp Suite here, but this time I will do this without those and just use dirbuster or gobuster:
After visiting the link we found that looks interesting, we get a Basic HTTP Authentication pop-up:
Now there's only one problem here: there is nothing additional in the comments of the page to indicate any type of username or password. So we head over to trusty Google and search for the default credentials. After a little trying of default credentials I found one that works:
Okay, so as we can see this is called passwd, so let's get this file using curl and view what's inside:
Well, this is most definitely credentials. Luckily we can use the hashcat example hashes to find out just what type of password hash uses the $apr1$ prefix:
Awesome, so we now know the hash type and the mode number to use for hashcat to crack this password, so let's try and crack this!
Well, that took a while and did not find anything, so I will put a pin in this and come back to it.
Since we already have credentials to log in to the page, we need to get a reverse shell on here, and we can do this two ways:
1: Using cadaver
2: Using Curl
If you've read my other write-ups you'll know I love using curl, so here I am going to use just that to try and upload a PHP reverse shell:
Okay, awesome, so our reverse shell uploaded:
Now we can set up our listener and execute the payload for an initial foothold on the system:
And we have our foothold! Now it is time for a little enumeration.
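From the defender's side, the upload step above leaves a clear trace in the Apache access log: a WebDAV PUT (or MOVE/COPY) that stores a file with a server-executed extension, followed by a GET of that same path from the same client. The following is an added example, not code from the original write-up; the log lines, IP addresses, the user name and the /webdav/ path are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# One Apache access-log line in "common"/"combined" format; trailing referer/agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

WRITE_METHODS = {"PUT", "MOVE", "COPY"}            # WebDAV methods that create files on disk
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")  # extensions Apache hands to the PHP handler

# Constructed sample log (placeholder user, IPs and path), not captured from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 10918
10.0.0.9 - webdavuser [10/Mar/2021:12:01:13 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0
10.0.0.9 - webdavuser [10/Mar/2021:12:01:20 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0
10.0.0.9 - webdavuser [10/Mar/2021:12:01:42 +0000] "GET /webdav/shell.php HTTP/1.1" 200 0
10.0.0.7 - webdavuser [10/Mar/2021:12:03:00 +0000] "PUT /webdav/x.php HTTP/1.1" 403 199
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_script_upload(entry: Dict[str, str]) -> bool:
    """True for a successful (2xx) WebDAV write whose target would be executed by the server."""
    path = entry["path"].split("?", 1)[0].lower()
    return (entry["method"] in WRITE_METHODS
            and path.endswith(SCRIPT_EXT)
            and entry["status"].startswith("2"))

def find_script_uploads(log_text: str) -> List[Dict[str, str]]:
    """All successful script uploads in the log; a 403 or a .txt upload does not count."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return [e for e in entries if is_script_upload(e)]

def uploads_then_executed(log_text: str) -> List[Dict[str, str]]:
    """Uploads later fetched (GET/POST) at the same path by the same client: the upload-then-trigger pattern."""
    entries = list(filter(None, map(parse_line, log_text.splitlines())))
    hits = []
    for i, up in enumerate(entries):
        if not is_script_upload(up):
            continue
        if any(later["ip"] == up["ip"] and later["path"] == up["path"]
               and later["method"] in ("GET", "POST") for later in entries[i + 1:]):
            hits.append(up)
    return hits

if __name__ == "__main__":
    for hit in uploads_then_executed(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} uploaded and then triggered {hit['path']}")
```

The same check can run as a periodic scan of /var/log/apache2/access.log; on a server where WebDAV is enabled, any successful write of a script file is worth an alert on its own, and the hardened fix is to disable PUT in the DAV location or to serve it from a directory where the PHP handler is not mapped.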
First a TTY Shell:
Second, check for other users:
Third, check the system-wide crontab:
Nothing interesting here.
Fourth, check sudo -l permissions for the current user:
Okay, well, this is interesting: we have the ability to run cat as root without a password. With this in mind we can find the flags and cat them, including the root flag, but first I want to check out merlin's home directory:
Awesome, now we can get the user flag:
Now we can try to get the root flag, which is usually located in /root/root.txt. So let's try and cat that location to start with:
And we also now have the root flag!
Additional Notes: Usually, in an instance like this, I would cat the shadow file and attempt to crack the passwords of the root users with hashcat; however, here it wasn't needed to be able to get our tasks done.
This is helpful to know though, as /etc/shadow is where the encrypted passwords (hashes) are stored, and so cracking just one user's password with sudo permissions allows us to manipulate that shadow file and create a new root user account to use for persistence.
It also seems that the hash we found earlier was a rabbit hole, so you might not want to follow that.
With that said we are done! Congratulations and thank you for reading!
Please feel free to follow me on twitter if you like the write up: https://twitter.com/amec0e