Cat Pictures
Scanning
Let's run some nmap scans to see which ports and services are open on the machine.
Enumeration
Let's visit the website on port 8080.
Let's look at the first forum.
This message is hinting at port knocking. The knock client ships with the knockd package, so let's install it.
Now let's use the knock command (a few times, since a single sequence can be missed) and then run the nmap scan again.
Port 21 is now open and anonymous login is allowed, so let's connect and pull every file on the server down to our machine.
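The knock-and-rescan step above, as an added example that is not part of the original writeup. It assumes a placeholder target address and knock sequence (the real sequence is whatever the forum post hints at), sends the knock as plain TCP connection attempts with nc rather than the knock client (knockd only needs to see the SYNs), and diffs the open-port lists of two nmap -oG scans so the port that appeared stands out. The nmap output embedded in the block is constructed sample data, not a real scan; the live scan and FTP mirror only run when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added example (not from the original writeup): knock, rescan, diff the
# open ports, then mirror the anonymous FTP share.
# TARGET and KNOCK_SEQ are assumed placeholders, not the room's real values.
TARGET="${TARGET:-10.10.10.10}"
KNOCK_SEQ="${KNOCK_SEQ:-1111 2222 3333}"

# Send one SYN per port, in order. knockd watches for the SYNs only, so a
# connect attempt that is refused or times out is enough. Repeating the
# whole sequence a few times covers a knock that is lost or reordered.
knock_ports() {
    host=$1; seq=$2; n=${3:-3}
    i=0
    while [ "$i" -lt "$n" ]; do
        for p in $seq; do
            nc -z -w 1 "$host" "$p" >/dev/null 2>&1 || true
        done
        i=$((i + 1))
        sleep 1
    done
}

# Full TCP scan in grepable format on stdout (live; needs nmap).
scan_grepable() { nmap -p- -T4 -oG - "$1"; }

# Parse nmap -oG output on stdin into open port numbers, one per line.
# Only "<port>/open/" entries count; filtered and closed ports are dropped.
open_ports() {
    grep '^Host:' | grep -o '[0-9][0-9]*/open/' | cut -d/ -f1 | sort -n | uniq
}

# Ports listed in $2 (after the knock) that are absent from $1 (before).
new_ports() { grep -vxF -f "$1" "$2" || true; }

# Mirror everything the anonymous FTP account can read (live; needs wget).
fetch_ftp() { wget -r --no-parent "ftp://anonymous:anonymous@$1/"; }

# Constructed sample scans (not real output) in nmap's -oG line format.
SAMPLE_BEFORE='# Nmap scan (constructed sample)
Host: 10.10.10.10 ()  Ports: 22/open/tcp//ssh///, 4420/open/tcp/////, 8080/open/tcp//http-proxy///  Ignored State: closed (65532)'
SAMPLE_AFTER='Host: 10.10.10.10 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 4420/open/tcp/////, 8080/open/tcp//http-proxy///  Ignored State: closed (65530)'

# Offline demo on the constructed sample: prints the ports that appeared.
demo() {
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' "$SAMPLE_BEFORE" | open_ports > "$b"
    printf '%s\n' "$SAMPLE_AFTER"  | open_ports > "$a"
    new_ports "$b" "$a"
    rm -f "$b" "$a"
}

# Live run: scan, knock, rescan, report the difference, mirror the FTP share.
main() {
    b=$(mktemp); a=$(mktemp)
    scan_grepable "$TARGET" | open_ports > "$b"
    knock_ports "$TARGET" "$KNOCK_SEQ"
    scan_grepable "$TARGET" | open_ports > "$a"
    echo "Ports opened by the knock:"; new_ports "$b" "$a"
    rm -f "$b" "$a"
    fetch_ftp "$TARGET"
}

if [ "${1:-}" = run ]; then main; fi
```

Diffing the two port lists rather than eyeballing the second scan matters when the scan is long: a port-knock daemon typically opens the port only for a short window, so you want the rescan to start right after the knock and to make the change obvious at a glance.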
Now let's connect to port 4420 on the machine with netcat.
Exploitation
Let's try to get a reverse shell on the machine. First start a netcat listener on our machine.
Now run the reverse shell command (you can find it here).
We have a reverse shell on the machine; let's check what files are on it.
Let's pull this file to our machine with netcat.
First we start a netcat listener on our machine.
Then we send the file from the target with netcat.
The runme file should now be on our machine.
Let's check the file type of runme with the file command.
It's a binary, so let's run the strings command to get more information about it.
The highlighted lines are interesting: let's run the binary on the machine and supply the password we see there, then check what happens. We also have to run it from the /tmp directory, since the binary changes into /tmp after the password is entered. Run the command, then check the contents of the catlover directory to see what changed.
There is now an id_rsa file; let's copy its contents into a file on our machine and log in over SSH.
Before logging in we have to restrict the key's permissions, or ssh will refuse to use it. The username to log in as was found in the strings output on the binary: catlover.
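The binary triage (file, strings, running it from /tmp) and the id_rsa handling above, as one added example that is not part of the original writeup. The target address is a placeholder; catlover is the user the writeup names. The bytes used to exercise the strings filter are a constructed sample, not the real runme, and the password in them is made up. It adds two checks the writeup skips: ssh wants the key file at exactly 0600, and a key copied through a terminal or clipboard often picks up CR characters or loses its final newline, which makes ssh report an invalid key format, so the pasted copy is normalised before use.

```shell
#!/bin/sh
# Added example (not from the original writeup): triage the pulled binary
# for embedded strings, then prepare and use the recovered id_rsa.
# TARGET is an assumed placeholder; catlover is the user named in the writeup.
TARGET="${TARGET:-10.10.10.10}"
SSH_USER="catlover"

# Portable strings(1): keep runs of 8+ printable characters. Use the real
# `strings -n 8` when binutils is installed; this works without it.
strings_portable() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{8,}$'
}

# Strings that usually matter in a CTF binary: credentials, the paths it
# touches, key material, user names.
interesting_strings() {
    strings_portable "$1" | grep -iE 'pass|/tmp|/home|id_rsa|ssh|key|catlover' || true
}

# Run the binary from /tmp as the writeup requires (it chdirs there),
# feeding the password on stdin. Pass an absolute path to the binary.
run_from_tmp() { ( cd /tmp && printf '%s\n' "$2" | "$1" ); }

# ssh rejects keys that are group- or world-readable; exact 0600 is safe.
key_perms_ok() { [ -n "$(find "$1" -prune -perm 600)" ]; }

# Strip CRs and guarantee a trailing newline on a pasted key, then lock
# down its permissions. awk's print re-terminates every line with \n.
normalize_key() {
    awk '{ sub(/\r$/, ""); print }' "$1" > "$2" && chmod 600 "$2"
}

# Cheap sanity check before handing the file to ssh.
looks_like_private_key() { head -n 1 "$1" | grep -q 'BEGIN .*PRIVATE KEY'; }

# IdentitiesOnly stops ssh from trying every key in the agent first.
ssh_with_key() {
    key_perms_ok "$1" || chmod 600 "$1"
    ssh -i "$1" -o IdentitiesOnly=yes "$2@$3"
}

# Live usage:
#   file runme; interesting_strings runme
#   normalize_key pasted_id_rsa id_rsa && looks_like_private_key id_rsa
#   ssh_with_key id_rsa "$SSH_USER" "$TARGET"
```

`file` is still worth running first even when the extension already tells you nothing: it distinguishes a static from a dynamic executable and reveals whether the binary is stripped, which decides how much strings alone will give you.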
We are now the root user.
We have the first flag, but not the root flag, so let's explore the machine a bit more.
Privilege Escalation
Looking through the system, there is an interesting file; let's read it.
It looks like this file is used to add a reverse shell, so let's add our own reverse shell to it to get a shell as the higher-privileged user, root.
Once we have changed the file's contents, save it and start a netcat listener on our machine.
After a while you should get a reverse shell back on the machine.
You can now read the root flag.