Startup
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn), which skips host discovery.
Detailed Nmap Scan :
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 21,22,80
(-oN nmap): Saving the output in normal format to a file called nmap
Enumeration
Port 21: FTP
From the nmap scan we can see that anonymous login is allowed, so let's log in and see what we can find.
Username: anonymous
Password: anonymous
Let's list the files on the server, including hidden ones.
There is a directory and three files. Let's download the files first and then look inside the directory.
Now let's cd into the ftp directory and check its contents.
It looks empty. Let's go back to our machine and read the files we downloaded.
We now have a possible username, Maya, so let's add it to our notes.
The image has nothing interesting in it, but it does hint at something we should think about :)
There is nothing of interest in .test.log.
That looks like all we get from FTP.
Port 80: HTTP
Let's visit the website.
Let's look at the source code.
Nothing of interest there, so let's use gobuster to find hidden directories.
We found a directory called /files, so let's visit it.
It lists the same files we found on the FTP server, so the web server is serving the FTP directory.
Exploitation
Looking at the ftp directory on the FTP server, we had permission to write to it. Since the web server serves the same files, we can upload a webshell there and then reach it through the web page.
We can use a simple PHP webshell for that. Copy its index.php into your working directory (mine was /Startup; I renamed the file web.php), then log in through FTP again and cd into the ftp directory.
Now upload the file into the directory with the put command.
Now that web.php is in the directory, let's visit it on the website (it shows up under /files/ftp/).
Now we can run commands through the webshell. Let's use it to get a proper reverse shell with a standard reverse-shell one-liner.
We also have to start a netcat listener on our machine first.
Then we run the command through the webshell, and the reverse shell lands on our listener.
Once in the box, stabilize the shell with the usual sequence (spawn a PTY with python, set TERM, then background the shell, run stty raw -echo and bring it back with fg).
Looking through the filesystem, one unusual directory stands out: /incidents.
It holds a pcapng file, so let's try to get information out of it. First we need to copy it into the writable ftp directory so that we can download it from the website.
Once that is done, we can download the file from the web server.
Once downloaded, open it with Wireshark from the command line.
Following the TCP stream, we come across something interesting: a password in plaintext.
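The same "follow the TCP stream and spot the password" step, done without Wireshark, as an added example that is not part of the original writeup. It is standard-library Python: a minimal pcapng reader (Section Header, Interface Description and Enhanced Packet blocks), Ethernet/IPv4/TCP framing, per-conversation payload reassembly, and a naive password-prompt heuristic. The capture it analyses is built in memory by sample_pcapng() and is constructed for the demo (hypothetical addresses 10.8.0.1 and 10.10.10.10); it is not the room's pcapng, although the typed password mirrors the one found above.

```python
"""Pull TCP stream payloads out of a pcapng capture and hunt for a plaintext password.
Added example, not code from the original writeup (the author used Wireshark's Follow
TCP Stream). Standard library only; parses the pcapng blocks a simple capture needs
(SHB, IDB, EPB) and Ethernet/IPv4/TCP. sample_pcapng() is constructed, not the room's file.
"""
import struct

SHB, IDB, EPB, LINKTYPE_ETHERNET = 0x0A0D0D0A, 1, 6, 1

def iter_blocks(data: bytes):
    """Yield (block_type, endian, body) per block, following each section's byte order."""
    off, endian = 0, "<"
    while off + 12 <= len(data):
        if struct.unpack_from("<I", data, off)[0] == SHB:   # SHB type is byte-order neutral
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or off + blen > len(data):
            raise ValueError("truncated or corrupt pcapng block")
        yield btype, endian, data[off + 8:off + blen - 4]
        off += blen

def iter_frames(data: bytes):
    """Yield (linktype, frame) for each Enhanced Packet Block, via its interface's IDB."""
    linktypes = []
    for btype, endian, body in iter_blocks(data):
        if btype == IDB:
            linktypes.append(struct.unpack_from(endian + "H", body, 0)[0])
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from(endian + "5I", body, 0)
            yield linktypes[iface], body[20:20 + caplen]

def tcp_payload(frame: bytes):
    """((src, sport), (dst, dport), payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return (src, sport), (dst, dport), tcp[(tcp[12] >> 4) * 4:]

def tcp_streams(pcapng: bytes) -> dict:
    """Concatenate payloads per conversation (both directions), like Follow TCP Stream."""
    streams = {}
    for linktype, frame in iter_frames(pcapng):
        parsed = tcp_payload(frame) if linktype == LINKTYPE_ETHERNET else None
        if parsed and parsed[2]:
            key = tuple(sorted(parsed[:2]))
            streams[key] = streams.get(key, b"") + parsed[2]
    return streams

def find_credentials(streams: dict) -> list:
    """Heuristic: on a line mentioning a password, take what follows the colon, else the next line."""
    hits = []
    for key, data in streams.items():
        lines = data.decode("latin-1").splitlines()
        for i, line in enumerate(lines):
            if "password" in line.lower() or "passwd" in line.lower():
                cand = line.rsplit(":", 1)[-1].strip() if ":" in line else ""
                if not cand and i + 1 < len(lines):
                    cand = lines[i + 1].strip()
                if cand:
                    hits.append((key, cand))
    return hits

def _block(btype: int, body: bytes) -> bytes:
    pad = (-len(body)) % 4                      # bodies are padded to 32 bits
    blen = 12 + len(body) + pad
    return struct.pack("<II", btype, blen) + body + b"\0" * pad + struct.pack("<I", blen)

def _frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def sample_pcapng() -> bytes:
    """Constructed capture: one HTTP request plus a reverse-shell session with a typed sudo password."""
    atk, vic = "10.8.0.1", "10.10.10.10"   # hypothetical attacker / target addresses
    frames = [
        _frame(atk, 50000, vic, 80, b"GET /files/ HTTP/1.1\r\nHost: 10.10.10.10\r\n\r\n"),
        _frame(vic, 51234, atk, 4444, b"$ "),
        _frame(atk, 4444, vic, 51234, b"sudo -l\n"),
        _frame(vic, 51234, atk, 4444, b"[sudo] password for www-data: "),
        _frame(atk, 4444, vic, 51234, b"c4ntg3t3n0ughsp1c3\n"),
        _frame(vic, 51234, atk, 4444, b"Sorry, try again.\n"),
    ]
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535))
    return shb + idb + b"".join(_block(EPB, struct.pack("<5I", 0, 0, 0, len(f), len(f)) + f) for f in frames)

if __name__ == "__main__":
    for (a, b), cand in find_credentials(tcp_streams(sample_pcapng())):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  possible password: {cand}")
```

To run it against a real capture, replace sample_pcapng() with the bytes of the downloaded file. The heuristic is deliberately loose: a sudo prompt has no trailing newline, so the typed password lands on the same line as the prompt, which is the case it handles first.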
Let's try this password, c4ntg3t3n0ughsp1c3, to switch users to Lennie on the machine.
It works: we are now Lennie and can read user.txt.
Also, looking back at the root of the filesystem, we find another interesting file called /recipe.txt, so let's read it.
This is the answer to the first question of the room.
Privilege Escalation
We see a file called planner.sh in the scripts directory inside Lennie's home directory. Let's read it.
It executes a file called /etc/print.sh, so let's read that file too.
It is a bash script that just prints Done!. What if we echo a reverse shell into it and listen on our machine? If planner.sh is being run by root on a schedule, that would give us root. Let's try it.
We can reuse the reverse shell one-liner from before and echo it into /etc/print.sh, which Lennie is able to write to.
Make sure a netcat listener is running; after a while the script is executed and we get a reverse shell as root.
You can now read the root.txt flag