Smag Grotto [No Spoilers]

Amec0e
6 min read · Nov 24, 2020
Smag Grotto

Difficulty: Easy

Without further ado, let’s head over to nmap:

nmap

So here we have an HTTP server and an SSH server. Since we have no credentials yet, we will investigate the web side of things:

welcome page

So here all we get is a page saying “Welcome to Smag!” and that’s it. I checked the page source for comments and also found nothing, so now I want to run gobuster against this:

gobuster

Okay, so this found an interesting directory that I want to look at further, so let’s see what it’s all about:

pcap file

Upon visiting that directory we find what looks like a .pcap file, so let’s download it and analyse it in Wireshark:

wget

Now to take a look at this in Wireshark:

follow > TCP stream

Okay, so upon “following” the TCP stream we can notice 3 things here.

1: (The obvious) Credentials
2: The “Host” header gives a hostname/alias, which we can map to the box IP in /etc/hosts on our own machine and then use instead of the IP address
3: The POST request URL
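The three things above fall out of the capture mechanically, which is the point a defender should take from this step: a login form posted over plain HTTP hands its credentials to anyone holding the packets. The following pure-Python parser is an added example, not part of the original writeup or the room, and it walks a classic pcap file, pulls the TCP payloads, and reports HTTP POSTs whose form fields look like a login (field names only, never the values). The capture it reads is constructed inline with a placeholder host and placeholder credentials; the room’s real pcap, hostname, path and credentials are deliberately not reproduced.

```python
import struct
from urllib.parse import parse_qs

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# Form field names that usually carry a login; matching is on names, values are never reported.
CREDENTIAL_FIELDS = {"user", "username", "login", "pass", "password", "passwd", "pwd"}


def iter_pcap_frames(data: bytes):
    """Yield each captured frame from a classic (non-pcapng) pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24                        # global header is 24 bytes
    while offset + 16 <= len(data):    # 16-byte per-record header
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame: bytes):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != IPPROTO_TCP:
        return None
    tcp_start = 14 + ihl
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_offset:14 + total_len]


def parse_http_post(payload: bytes):
    """Split a cleartext HTTP POST into (host, path, form fields); None if it is not one."""
    if not payload.startswith(b"POST "):
        return None
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    path = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = parse_qs(body.decode("latin-1"))
    return headers.get("host", ""), path, form


def find_cleartext_logins(pcap_bytes: bytes):
    """Report every HTTP POST in the capture whose form contains credential-like fields."""
    findings = []
    for frame in iter_pcap_frames(pcap_bytes):
        payload = tcp_payload(frame)
        if not payload:
            continue
        parsed = parse_http_post(payload)
        if parsed is None:
            continue
        host, path, form = parsed
        if CREDENTIAL_FIELDS & set(form):
            findings.append({"host": host, "path": path, "fields": sorted(form)})
    return findings


def build_sample_pcap() -> bytes:
    """Constructed one-frame capture holding a cleartext login POST (placeholder host and creds)."""
    body = b"username=alice&password=example-only"
    http = (b"POST /login.php HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 54321, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
    frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip   # zeroed MAC addresses
    global_header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return global_header + record


if __name__ == "__main__":
    for hit in find_cleartext_logins(build_sample_pcap()):
        print(f"cleartext login to {hit['host']}{hit['path']} with fields {hit['fields']}")
```

Run it against any classic pcap by passing the file’s bytes to find_cleartext_logins; TCP reassembly is deliberately left out, so a POST split across segments would need the stream reassembled first (which is exactly what Wireshark’s follow-stream view does for you). The only real fix for what it finds is TLS on the login endpoint.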

We can see that there is a login page but if we try to visit this we get a 404 error:

Not found

This is where number 2 comes in: our /etc/hosts file. If we edit it and add the box IP together with the hostname/alias, we can refer to the box by name rather than by IP.

NOTE: This works for other commands too, such as nmap: instead of specifying an IP we can simply put the alias in as the host and it will resolve the machine IP from our /etc/hosts file.

So let’s edit our /etc/hosts to reflect the changes here (each entry is the IP address followed by the hostname):

IP:NAME

Now that we have added that, instead of visiting http://IP/ we can specify the hostname in place of the IP address. So let’s try and look at the website again:

login page

And as you can see, we are now able to view the login page! Now we can try to enter the credentials we found earlier in the .pcap file:

enter command

Aha! We now get a command page. I tried a few reverse shells here, like bash and python, and they did not work, so let’s try a PHP reverse shell from PayloadsAllTheThings instead:

PHP Reverse Shell

Now, before we send this over, we want to catch it with an nc listener; let’s get that running and then send the command over.

At which point we should get our initial foothold:

nc listener

Lovely, we now have our reverse shell. Now to my usual things.

Upgrade the shell:

python not found

So python wasn’t found; however, we can find out which version is installed that we can use. There are 2 ways of doing this.

1: Using the command “which” until we find a location, so we know it’s installed, like so:

which python
which python2
which python3

2: We can simply try calling the help menu of different python versions until we see a help page, which indicates that version is installed.

After trying the second option I found that python3 is installed, so let’s use that to upgrade our shell:

python3 tty

Awesome, now to continue with my enumeration.

Check for other users:

ls -la /home/

Check sudo -l:

sudo -l

This one won’t work because we don’t know the password for the www-data account; with that in mind, let’s continue.

Check the system-wide crontab:

crontab

Interesting, so here we have a scheduled task running as root that uses cat to read an SSH .pub file and appends the output to the user’s authorized_keys file.

So let’s check if we can edit the file:

ls -la

As we can see, it’s readable and writable by all!
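That ls -la check is the whole finding: a root cron job trusts a file that anyone on the box can rewrite. The script below is an added example (not from the writeup or the room) that turns the manual check into an audit: it parses an /etc/crontab-style file, keeps the jobs that run as root, and flags any absolute path in their commands whose “other” write bit is set. The crontab text is constructed, and the .pub path in it (/opt/example/backup.pub) is a placeholder, not the room’s real file; the writable check is injectable so the logic can run without that file existing.

```python
import os
import shlex
import stat

# Constructed /etc/crontab sample; the room's real .pub path and job line are not reproduced.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /bin/cat /opt/example/backup.pub >> /home/jake/.ssh/authorized_keys
"""


def mode_is_world_writable(mode: int) -> bool:
    """True when the 'other' write bit is set on a permission mode (the ls -la 'w' in the last triple)."""
    return bool(mode & stat.S_IWOTH)


def is_world_writable(path: str) -> bool:
    """Stat a real path; a missing path is treated as not writable."""
    try:
        return mode_is_world_writable(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


def parse_system_crontab(text: str):
    """Yield (user, command) for each job line of an /etc/crontab-style file.

    System crontabs carry a user column; per-user crontabs (crontab -l) do not.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                       # blank line, comment, or VAR=value assignment
        parts = line.split(None, 6)        # m h dom mon dow user command
        if len(parts) == 7:
            yield parts[5], parts[6]


def audit_crontab(text: str, writable_check=is_world_writable):
    """Flag root jobs whose command names a world-writable absolute path.

    writable_check defaults to a real os.stat but can be swapped for a predicate in tests.
    """
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for token in shlex.split(command):
            path = token.lstrip("<>")      # '>>/path' style redirects still name a path
            if path.startswith("/") and writable_check(path):
                findings.append({"command": command, "path": path})
    return findings


if __name__ == "__main__":
    # Assume the constructed .pub file is mode 0666, as the writeup's ls -la showed for the real one.
    assumed_writable = {"/opt/example/backup.pub"}
    for hit in audit_crontab(SAMPLE_CRONTAB, lambda p: p in assumed_writable):
        print(f"root job reads world-writable {hit['path']}: {hit['command']}")
```

On a real host, run audit_crontab over the contents of /etc/crontab and the files under /etc/cron.d with the default check. The remediation for any hit is to make the input file root-owned and mode 0644 (or drop the job), since a root job that appends a world-writable file to an authorized_keys file is an SSH backdoor waiting for whoever writes to it first.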

So let’s generate our own SSH key pair with ssh-keygen and replace the contents of that file, so the cron job copies our id_rsa.pub into jake’s authorized_keys, allowing us to log in as jake via SSH with our own key password (none in my case):

Now that we have generated our id_rsa and id_rsa.pub files, let’s cat the newly created id_rsa.pub and echo its contents into the file we found in the crontab.

Also, the USER@HOST part at the end of the key has to be changed to reflect the user and machine we are targeting; the format is USER@HOST:

echo

Now we wait a few minutes and we should be able to SSH in as jake with our id_rsa key.

After remembering to give our id_rsa chmod 600 permissions ;)

ssh

And we are now logged in as jake! Now to get the user flag:

user.txt

Awesome! Now to further enumerate this user; first let’s try sudo -l again:

sudo -l

Here we have apt-get, which can be run as root without a password, so the first thing I want to do is check GTFOBins for a possible exploit.

Here they have a few for sudo but the one that worked for me was this:

GTFOBins

So let’s escalate our privileges to root:

root

Now we have root we can get the root flag:

root.txt

And we are now done! Congratulations and thank you for reading!

Please feel free to follow me on twitter if you like the write up: https://twitter.com/amec0e
