Cat Pictures

Scanning

Let's run some nmap scans to see which ports and services are open on the machine.

Enumeration

Let's visit the website on port 8080.

Let's look at the first forum.

This message looks like a hint about port knocking. To do this we can use a tool called knockd. Let's install it.

Now let's use the knock command (a few times) and then run the nmap scan again.

We can see that port 21 is now open and anonymous login is allowed. Let's check it out and copy any files on the server to our machine.
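From the defender's side, a knock sequence like the one above is visible in firewall logs as one source hitting several closed ports within seconds, right before the hidden service opens. The following detector is an added example and is not part of the original writeup; the log lines, source addresses and knock ports are constructed, and the iptables-style `SRC=`/`DPT=` field format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style log lines (not from the original page).
# 10.0.0.5 knocks three ports and then connects to the newly opened port 21;
# 10.0.0.7 makes a single normal request; 10.0.0.9 hits ports far apart in time.
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=1111 SYN
Jan 10 12:00:02 host kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=2222 SYN
Jan 10 12:00:03 host kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=3333 SYN
Jan 10 12:00:05 host kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=21 SYN
Jan 10 12:30:00 host kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP DPT=8080 SYN
Jan 10 12:00:00 host kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP DPT=53 SYN
Jan 10 12:01:00 host kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP DPT=80 SYN
Jan 10 12:02:00 host kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP DPT=443 SYN
"""

# Assumed syslog prefix followed by netfilter key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)"
)


def parse_lines(log_text):
    """Return (timestamp, source, destination port) tuples for matching lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("src"), int(m.group("dpt"))))
    return events


def find_knock_sequences(log_text, min_ports=3, window_s=10):
    """Map each source that hit >= min_ports distinct ports within window_s
    seconds to the ordered port sequence it sent (a likely port knock)."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse_lines(log_text):
        by_src[src].append((ts, dpt))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        for i in range(len(hits)):
            start = hits[i][0]
            seq = []
            for ts, dpt in hits[i:]:
                if (ts - start).total_seconds() > window_s:
                    break
                if dpt not in seq:
                    seq.append(dpt)
            if len(seq) >= min_ports:
                findings[src] = seq
                break
    return findings
```

Running `find_knock_sequences(SAMPLE_LOG)` flags only 10.0.0.5, with the knock ports followed by the port-21 connection that the knock unlocked.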

OK, now let's connect to port 4420 on the machine using Netcat.

Exploitation

Let's try to get a reverse shell on the machine. First, start a netcat listener.

Now let's run the reverse shell command; you can find it here.

We have a reverse shell on the machine. Let's check what files there are on the machine.

Let's download this file to our machine using netcat.

First, we start a netcat listener.

Then we send the file to our machine using netcat.

And now we should have the runme file on our machine.

Let's check the file type of the runme file.

It's a binary file, so let's run the strings command to get more information about it.

The highlighted lines are interesting. Let's run the binary on the machine, supply the password we see here and check what happens. We also have to run the command from the /tmp directory, since it moves into the temp directory after the password is entered. Let's run the command and then check the contents of the catlover directory to see what changed.

Looks like we have an id_rsa file. Let's copy the contents of this file to a file on our machine and then log in through SSH.

Now let's log in. We first have to set the permissions on the key file, and the username we are going to log in as was found when we ran the strings command on the binary: catlover.

We are now a user called root.

We have the first flag, but we do not have the root flag, so let's explore the machine a bit more.

Privilege Escalation

Looking through the system, there is an interesting file. Let's read it.

Looks like they are adding a reverse shell to the file. Let's do the same so that we get a reverse shell as a higher-privileged user, which is root.

Once we change the contents of the file, let's save it and start a netcat listener on our machine.

After a while, you should get a reverse shell on the machine.

You can now read the root flag.
