Year of the Rabbit

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.165.1

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Scan only ports 21,22,80

  • (-oN nmap): Save the output to a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.165.1

Enumeration

Let's visit the web server.

It's an Apache2 default page, so let's run gobuster to find hidden directories and pages.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.165.1 

We found a directory called /assets; let's visit it.

There are two files. Let's check the first one, which is an mp4 video file. First we get a message telling us to turn off JavaScript, followed by a redirection to a Rick Astley video. RICK ROLLED!

Let's turn off JavaScript: navigate to about:config in the browser, search for "javascript", and change the javascript.enabled parameter to false.

Looking at the other file, we see something interesting.

Let's visit this page.

Listening through the audio, at second 56 we get the hint: "I'll put you out of your misery, burp, you're looking in the wrong place." They are probably hinting at Burp Suite, so let's use it.

Let's capture the request made when visiting this page. After capturing the request and forwarding it once, we get something interesting.

It's a directory, so let's visit it.

There is one file; let's check it out.

It's a picture. Let's use our steganography skills to see if there is anything hidden in it. First we need to download the file:

wget http://10.10.165.1/WExYY2Cv-qU/Hot_Babe.png

Now let's use steghide and binwalk to see if we can find anything in this image. There was nothing, so I just used strings on the image.

strings Hot_Babe.png

Once I did this, I got some output, and scrolling up a bit I found something interesting.
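The strings step above works because the credentials were stored as plain text inside an image file. As an added example (not part of the original writeup), the script below shows the structured way to look for that: it walks a PNG's chunk list and reports tEXt chunks, chunks whose CRC does not match, and any bytes appended after the IEND chunk, which image decoders ignore but strings will happily print. The PNG it inspects is constructed in the code itself (a 1x1 image with a text chunk and a trailer), not the room's Hot_Babe.png; `build_sample_png` and `walk_png` are names chosen here.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    # One PNG chunk: 4-byte big-endian length, 4-byte type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(text_chunks=(), trailer=b""):
    """Constructed 1x1 RGB PNG used as test input (not the room's image).

    text_chunks: iterable of (keyword, text) byte pairs emitted as tEXt chunks.
    trailer: raw bytes appended after IEND, the way notes or archives get
             'hidden' by simple concatenation onto an image.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, RGB, ...
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter byte + one red pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for keyword, text in text_chunks:
        png += _chunk(b"tEXt", keyword + b"\x00" + text)
    png += _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b"")
    return png + trailer


def walk_png(data):
    """Walk the chunk list and report where non-pixel data could be sitting.

    Returns the chunk sequence, decoded tEXt chunks, chunks whose CRC does not
    match (tampered or corrupted), everything after IEND, and a truncation flag.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "text": [], "bad_crc": [], "trailer": b"", "truncated": False}
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 12 > len(data):          # no room left for length + type + crc
            report["truncated"] = True
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):               # chunk claims more data than the file holds
            report["truncated"] = True
            break
        cdata = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if zlib.crc32(ctype + cdata) & 0xFFFFFFFF != crc:
            report["bad_crc"].append(name)
        if name == "tEXt" and b"\x00" in cdata:
            keyword, text = cdata.split(b"\x00", 1)
            report["text"].append((keyword.decode("latin-1"), text.decode("latin-1")))
        pos = end
        if name == "IEND":                # decoders stop here; anything after is a trailer
            report["trailer"] = data[pos:]
            break
    return report


if __name__ == "__main__":
    sample = build_sample_png(text_chunks=[(b"Comment", b"constructed note")],
                              trailer=b"constructed text appended after IEND\n")
    print(walk_png(sample))
```

Run it against a real file with `walk_png(open(path, "rb").read())`; a non-empty `trailer` or an unexpected tEXt chunk is exactly the kind of content that strings surfaced here, and a `bad_crc` entry points at a chunk whose bytes were edited after the image was written.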

So we have a username and a password list. Let's copy the password list to a file and use hydra to brute-force FTP with the username and the password list we have. I saved the passwords into a file called password.lst.

Exploitation

hydra -l ftpuser -P password.lst 10.10.165.1 ftp
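From the defender's side, a hydra run like the one above leaves a burst of failed logins from one client in the FTP server's log. The following is an added example (not part of the original writeup) of the detection logic: it parses vsftpd-style log lines, flags any source IP with five or more FAIL LOGINs inside a one-minute sliding window, and notes whether an OK LOGIN from the same IP followed the burst. The log lines are constructed for the example and the line format is assumed to be vsftpd's default; `detect_bruteforce` and `parse_line` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in vsftpd.log style (assumed format; not from the room).
SAMPLE_LOG = """\
Mon Feb 10 12:00:01 2020 [pid 2311] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Mon Feb 10 12:00:01 2020 [pid 2313] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Mon Feb 10 12:00:02 2020 [pid 2315] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Mon Feb 10 12:00:02 2020 [pid 2317] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Mon Feb 10 12:00:03 2020 [pid 2319] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Mon Feb 10 12:00:03 2020 [pid 2321] [ftpuser] OK LOGIN: Client "10.10.14.5"
Mon Feb 10 12:05:00 2020 [pid 2400] [alice] FAIL LOGIN: Client "192.168.1.20"
Mon Feb 10 12:45:00 2020 [pid 2500] [alice] OK LOGIN: Client "192.168.1.20"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+\[pid \d+\]\s+'
    r'\[(?P<user>[^\]]*)\]\s+(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Return (timestamp, user, result, ip), or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold FAIL LOGINs inside any sliding window.

    For each flagged IP also record the usernames tried and whether an OK LOGIN
    from the same IP followed the burst (a guessed password, not just noise).
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    successes = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, ip = parsed
        (failures if result == "FAIL" else successes)[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        times = [t for t, _ in fails]
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last = times[j]
                alerts[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({u for _, u in fails[i:j + 1]}),
                    "success_after": any(t >= last for t, _ in successes.get(ip, [])),
                }
                break   # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A `success_after` of True is the case worth paging on: a password was guessed and the account should be treated as compromised. Tools like fail2ban implement the same count-in-window rule, but with a ban action instead of a report.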

We found the password, so let's log in through FTP.

ftp 10.10.165.1

We are logged in; let's list the files.

There is a text file, so let's transfer it to our machine.

get Eli's_Creds.txt

Let's read the file.

I don't understand this code, so let's put it into a tool that does understand it.

Now we have a password; let's use it to log in through SSH with the username we found.

ssh eli@10.10.165.1 

We are logged in and can see a message for us. We can find the user flag here, but we are not allowed to read it, so we have to escalate privileges.

The login message says there is a leet s3cr3t hiding place with a hidden message waiting for us. Let's find it with this command.

find / -name s3cr3t 2>/dev/null

It's a directory, so let's change into it.

cd /usr/games/s3cr3t

Let's list the files in the directory.

Let's read this file.

Looks like we have the password for the user gwendoline, so let's switch users.

su gwendoline

We can now read the user.txt file.

Privilege Escalation

Let's run sudo -l to see what this user can run with sudo.

sudo -l

Looks like we can run /usr/bin/vi /home/gwendoline/user.txt as root. I found an article that explains very well what to do. First we use the command

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

Then, inside vi, we run this command

:!/bin/bash

And you are now root.
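Two things made this escalation possible: a sudo rule that granted an editor (vi can run `:!/bin/bash`), and a runas restriction that excluded only the name root, which older sudo releases (before 1.8.28) let you sidestep with `-u#-1`. As an added example from the administrator's side (not part of the original writeup), the script below audits sudoers-style rules for both patterns. The sample rules are constructed; the page does not show the room's actual sudoers line, so the gwendoline rule here is an assumption about its shape. `parse_sudoers` and `audit` are names chosen here, and the parser handles plain user specifications only (no aliases or includes).

```python
import re

# Constructed sudoers-style rules for the audit (not the room's real /etc/sudoers).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
# Intent: let gwendoline view one file "as anyone but root" using an editor
gwendoline ALL=(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     ALL=(ALL) /usr/bin/less /var/log/syslog
"""

# Programs that can start a child shell from inside (vi's ":!", less's "!", ...).
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "less", "more", "man", "nano",
                         "find", "awk", "perl", "python", "python3"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"      # optional (users:groups) runas spec
    r"(?P<tags>(?:\w+:\s*)*)"            # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user-specification lines into dicts; skips Defaults, comments, aliases."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"          # sudo's default runas user is root
        runas_users = runas.split(":", 1)[0]        # ignore the runas group part
        rules.append({
            "user": m.group("user"),
            "runas_users": [u.strip() for u in runas_users.split(",") if u.strip()],
            "tags": [t.strip(": ") for t in m.group("tags").split(":") if t.strip()],
            "commands": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
        })
    return rules


def audit(rules):
    """Return findings for root-only negations and for binaries with shell escapes."""
    findings = []
    for rule in rules:
        positive = {u for u in rule["runas_users"] if not u.startswith("!")}
        negated = {u[1:] for u in rule["runas_users"] if u.startswith("!")}
        for cmd in rule["commands"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if "ALL" in positive and "root" in negated:
                findings.append({
                    "user": rule["user"], "command": cmd, "issue": "negated_root",
                    "detail": "(ALL, !root) excludes only the name root; sudo before 1.8.28 "
                              "accepts -u#-1 and runs the command as root anyway. Name the "
                              "intended non-root runas user explicitly instead.",
                })
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "user": rule["user"], "command": cmd, "issue": "shell_escape",
                    "detail": f"{binary} can spawn a shell from inside, so a rule scoped to "
                              "one file still hands over a full shell as the runas user. "
                              "Prefer a non-interactive tool or sudoedit.",
                })
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f['user']}: {f['command']} -> {f['issue']}: {f['detail']}")
```

Run it over `sudo cat /etc/sudoers /etc/sudoers.d/*` output on a host you administer; the gwendoline rule trips both checks, bob's less rule trips only the shell-escape check, and alice's systemctl rule with an explicit root runas is clean. Keeping sudo at 1.8.28 or later closes the `-u#-1` path, but the shell-escape finding stands regardless of version.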

We can read the root flag.
