Laach_

IDE - THM

Machine Info

Difficulty: Easy🟩
Link: HERE
Avg time: 45 Minutes
OS: Linux

Description: An easy box to polish your enumeration skills!

Recon

A standard nmap scan:

sudo nmap 10.113.154.9 -Pn -p- -sV -sC -T4 -n -oN scan.txt

[Screenshot: nmap scan output]

Scan reveals:

  • 21/tcp - FTP
  • 22/tcp - SSH
  • 80/tcp - HTTP
  • 62337/tcp - HTTP

Shell as www-data

Nmap revealed that FTP allows anonymous login. At first glance it seems empty.

[Screenshot: FTP listing]

On Linux, . means the current directory and .. means the parent directory, but ... has no special meaning; it is just an ordinary directory named with three dots. Inside it there is a file named -.

[Screenshot: FTP listing of the ... directory]

After downloading the file, it was renamed to avoid issues with tools such as cat, which treat a leading dash as the start of an option. Renamed using:

mv '-' ftp.txt

This allows cat to read the file properly.

[Screenshot: contents of ftp.txt]

This reveals that John's password was left at a default. Browsing to the website on port 80 and running Feroxbuster against it turned up nothing. Next was the HTTP service on port 62337, whose default page was a login form. Knowing there is a user John with a default password, Turbo Intruder was run in Burp with rockyou.txt against the login endpoint. Only one response stood out, with an enormous anomaly rank.
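A defender sees the same wordlist run as a burst of POSTs from one address. The script below is an added example, not part of the writeup: it parses access-log lines in Combined Log Format, counts POSTs to a login path per source address, and flags any address that exceeds a threshold inside a sliding time window. The login path, the thresholds and the log lines are all constructed for the illustration; the post does not name Codiad's login endpoint, so LOGIN_PATH is a placeholder.

```python
"""Flag login brute-force bursts in a web access log (added example).

Assumes Combined/Common Log Format lines; the login path, thresholds and
sample lines below are constructed for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical login endpoint to watch (placeholder, not taken from the writeup).
LOGIN_PATH = "/login"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: max_attempts_in_window} for every source address that sent
    at least `threshold` POSTs to LOGIN_PATH within any `window`-long span."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def _constructed_log():
    """Build sample log lines: one wordlist run from 10.0.0.5 plus ordinary traffic."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(25):         # 25 guesses in 25 seconds: a wordlist run
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'10.0.0.5 - - [{ts}] "POST {LOGIN_PATH}?action=authenticate HTTP/1.1" 200 45')
    for i in (0, 300):          # two legitimate logins, five minutes apart
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'10.0.0.9 - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" 302 0')
    lines.append(f'10.0.0.9 - - [{base.strftime(fmt)}] "GET /index.php HTTP/1.1" 200 1532')
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} login attempts inside one {window_s}s window".replace("{window_s}", "60"))
```

The count deliberately ignores the response status: the wordlist run in the post was spotted by response size, not by a failure code, so a detector keyed on 401/403 would have missed it. The mitigation is on the application side: lock or throttle the account after a few failures and refuse to ship default credentials.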

[Screenshot: Turbo Intruder results]

After logging in, there was Codiad. It's a lightweight web IDE. Each new project is stored in workspace/[NAME].

INFO: After logging in there was one existing project called 'CloudCall', stored in a different folder. Only newly created projects are stored in workspace/[NAME].

After creating a new project, p0wny-shell was uploaded. It was accessible at workspace/[NAME]/p0wny-shell.php. To get a stable shell, penelope was used. It's an awesome Linux shell handler.

Shell as drac

After gaining access as www-data, linpeas was transferred and run. It revealed a MySQL password in the drac user's bash history.

[Screenshot: drac's bash history]

Linpeas output also showed that MySQL was not listening on any port, so the password was tried for logging in as the drac user instead, and it worked.
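Credentials in shell history are as useful to a defender's audit as they were to the attacker here. The script below is an added example, not from the writeup: it scans history lines for a few common shapes of inline passwords, reports the line number and category, and redacts the secret so the report itself does not leak it. The history lines are constructed and the password values are placeholders, not the credential found on the box.

```python
"""Find credentials leaked into shell history files (added example).

The patterns cover a few common shapes; the sample history lines below are
constructed and the password values are placeholders."""
import re

PATTERNS = [
    # `mysql -u user -pSECRET` (password glued to -p; a bare -p prompts instead)
    ("mysql inline password", re.compile(r"\bmysql\b.*?\s-p(?P<secret>\S+)")),
    # `--password=SECRET` on any tool
    ("--password= argument", re.compile(r"--password=(?P<secret>\S+)")),
    # `sshpass -p SECRET ...`
    ("sshpass", re.compile(r"\bsshpass\s+-p\s+(?P<secret>\S+)")),
    # `curl -u user:SECRET`
    ("curl basic auth", re.compile(r"\bcurl\b.*?\s(?:-u|--user)\s+[^:\s]+:(?P<secret>\S+)")),
    # `export DB_PASSWORD=SECRET`, and likewise *SECRET*, *TOKEN*
    ("exported secret", re.compile(r"\bexport\s+\w*(?:PASS|SECRET|TOKEN)\w*=(?P<secret>\S+)", re.I)),
]


def scan_history(lines):
    """Return [(line_no, label, redacted_line)] for each line that leaks a secret."""
    findings = []
    for n, line in enumerate(lines, 1):
        for label, pat in PATTERNS:
            m = pat.search(line)
            if m:
                s, e = m.span("secret")
                redacted = line[:s] + "<redacted>" + line[e:]
                findings.append((n, label, redacted))
                break      # one finding per line is enough
    return findings


# Constructed history; "drac" is the box user from the post, the secrets are placeholders.
SAMPLE_HISTORY = [
    "ls -la",
    "mysql -u drac -pS3cretPlaceholder",
    "cd /var/www/html",
    "export DB_PASSWORD=hunter2",
    "sudo /usr/sbin/service vsftpd restart",
    "curl -u admin:letmein http://127.0.0.1/status",
]

if __name__ == "__main__":
    for n, label, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {n}: {label}: {redacted}")
```

To run it over a real host, feed it the lines of each user's ~/.bash_history (and ~/.mysql_history, which stores queries). On the prevention side, bash honours HISTCONTROL=ignorespace (a leading space keeps a command out of history) and HISTIGNORE patterns, and the MySQL client can read the password from an option file instead of the command line, so it never reaches the history at all.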

Flag located at: /home/drac/user.txt

Shell as root

Knowing the password, the following was run:

sudo -l

It revealed:

[Screenshot: sudo -l output]

This doesn't allow anything except restarting vsftpd. Linpeas was run again and showed write permission on /lib/systemd/system/vsftpd.service. This unit file defines what gets executed on actions such as start, reload and stop. It looks like this:

[Unit]
Description=vsftpd FTP daemon
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

On restart, the service is stopped and started again, and the service manager executes the value of ExecStart. Changing it to:

ExecStart=chmod +s /bin/bash

will run this command on restart. However, trying to restart vsftpd right away results in this error:

Warning: The unit file, source configuration file or drop-ins of vsftpd.service changed on disk. Run 'systemctl daemon-reload' to reload units.

This means systemd has not picked up the modified file; it is still using the copy loaded in memory, with the old value. A reload is required:

systemctl daemon-reload
sudo /usr/sbin/service vsftpd restart

This reloads systemd and restarts vsftpd, executing the command.

INFO: Don't paste both commands at once, because the first one prompts for a password and pasting both may interrupt it.
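The root cause of this privilege escalation is a unit file that a non-root user can write, and it is cheap to check for. The audit script below is an added example, not part of the writeup: it inspects each .service file for world- or group-writable permissions and non-root ownership, parses the ExecStart= lines of the [Service] section, and reports any command that is not an absolute path or that differs from an expected baseline binary. The sample units are constructed inside a temporary directory (the tampered one mirrors the modification described above, since that is what the audit must catch); on a real host, point audit_unit_dirs at /etc/systemd/system and /lib/systemd/system.

```python
"""Audit systemd unit files for writable units and drifted ExecStart= lines
(added example). Sample units are constructed in a temporary directory."""
import os
import stat
import tempfile

# Constructed sample: the unit as it ships, and the same unit after tampering.
CLEAN_UNIT = """[Unit]
Description=vsftpd FTP daemon
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
"""
TAMPERED_UNIT = CLEAN_UNIT.replace(
    "ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf", "ExecStart=chmod +s /bin/bash"
)


def exec_start_commands(text):
    """Collect ExecStart= values from the [Service] section (simple parser)."""
    section, cmds = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "ExecStart":
                cmds.append(value.strip())
    return cmds


def unit_findings(path, expected_binary=None):
    """Return a list of problems for one unit file; an empty list means clean."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: inspect the target instead"]
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append("writable by non-root group %d" % st.st_gid)
    if st.st_uid != 0:
        findings.append("owned by non-root uid %d" % st.st_uid)
    with open(path) as f:
        cmds = exec_start_commands(f.read())
    for cmd in cmds:
        parts = cmd.split()
        # systemd allows prefix characters (- @ : + !) before the executable path.
        exe = parts[0].lstrip("-@:+!") if parts else ""
        if not exe.startswith("/"):
            findings.append("ExecStart is not an absolute path: %r" % cmd)
        if expected_binary and exe != expected_binary:
            findings.append("ExecStart drifted from baseline %s: %r" % (expected_binary, cmd))
    return findings


def audit_unit_dirs(dirs, baseline):
    """Walk unit directories; baseline maps unit file name -> expected ExecStart binary."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".service"):
                path = os.path.join(d, name)
                found = unit_findings(path, baseline.get(name))
                if found:
                    report[name] = found
    return report


def demo():
    """Write the two constructed units into a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "vsftpd.service")
        tampered = os.path.join(tmp, "vsftpd-tampered.service")
        with open(clean, "w") as f:
            f.write(CLEAN_UNIT)
        os.chmod(clean, 0o644)
        with open(tampered, "w") as f:
            f.write(TAMPERED_UNIT)
        os.chmod(tampered, 0o666)    # the writable-unit misconfiguration from the box
        baseline = {name: "/usr/sbin/vsftpd" for name in ("vsftpd.service", "vsftpd-tampered.service")}
        return audit_unit_dirs([tmp], baseline)


if __name__ == "__main__":
    for unit, problems in demo().items():
        print(unit, "->", "; ".join(problems))
```

Because units under /lib/systemd/system come from packages, the baseline can be generated from a known-good install and diffed on a schedule; the permission checks alone would have flagged this box. In the demo the clean unit is also reported as owned by a non-root uid when the script runs as an unprivileged user, which is correct behaviour outside the system unit directories.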

Flag located at: /root/root.txt

Bonus

1. Vulnerable Codiad

Codiad 2.8.4 is vulnerable to authenticated RCE. The public exploit was tried but didn't work properly, so a shell file was uploaded instead.

Info about CVE: CVE-2018-19423
Exploit on ExploitDB: Exploit
