Machine Info
Difficulty: Easy🟩
Link: HERE
Avg time: 45 Minutes
OS: Linux
Description: An easy box to polish your enumeration skills!
Recon
A standard nmap scan:
sudo nmap 10.113.154.9 -Pn -p- -sV -sC -T4 -n -oN scan.txt
Scan reveals:
- 21/tcp - FTP
- 22/tcp - SSH
- 80/tcp - HTTP
- 62337/tcp - HTTP
Shell as www-data
Nmap revealed that FTP allows anonymous login. At first glance the share seems empty.
In Linux, . means the current directory and .. means the parent directory, but ... has no special meaning; it is just a directory named with three dots. Inside it there is a file named -.
After downloading the file, it was renamed to avoid problems with tools such as cat, which would otherwise treat the leading - as an option:
mv '-' ftp.txt
This allows cat to read the file properly.
The file says that John's password was set to the default. Next, the website on port 80 was visited and Feroxbuster was run against it, but nothing turned up. Then came HTTP on port 62337, which showed a login page. Knowing there is a user John with a default password, Turbo Intruder was run in Burp with rockyou.txt against the login endpoint. Only one response had an enormous anomaly rank.
After logging in, there was Codiad, a lightweight web IDE. Each new project is stored in workspace/[NAME].
INFO: After logging in there was one existing project called 'CloudCall', stored in a different folder. Only new projects are stored in workspace/[NAME].
After creating a new project, p0wny-shell was uploaded. It was accessible at workspace/[NAME]/p0wny-shell.php. To get a stable shell, penelope was used. It's an awesome Linux shell handler.
Shell as drac
After gaining access as www-data, linpeas was transferred and run. It revealed a MySQL password in the drac user's bash history.
Linpeas output also showed that MySQL was not listening on any port, so the password was instead tried to log in as the user drac, and it worked.
Flag located at: /home/drac/user.txt
Shell as root
Knowing the password, the following was run:
sudo -l
It revealed:
This allows nothing except restarting vsftpd. Linpeas was run again and showed write permission on /lib/systemd/system/vsftpd.service. This unit file defines what gets executed on actions such as start, reload and restart. It looks like this:
[Unit]
Description=vsftpd FTP daemon
After=network.target
[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
When restarting, the service is stopped and started again, and the service manager executes the value of ExecStart. Changing it to:
ExecStart=chmod +s /bin/bash
will run this command on restart. However, trying to restart vsftpd immediately results in this error:
Warning: The unit file, source configuration file or drop-ins of vsftpd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
This means systemd has not loaded the modified unit file; it still uses the copy in memory with the old ExecStart. A reload is required:
systemctl daemon-reload
sudo /usr/sbin/service vsftpd restart
This reloads systemd and restarts vsftpd, executing the command.
INFO: Don't paste both commands at once, because the first one prompts for a password and the pasted second line may interrupt it.
Flag located at: /root/root.txt
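From the defender's side, the condition that made this escalation possible is a unit file that a non-root user can modify. The following audit script is an added example, not part of the original writeup; the directory list, function names and the constructed sample units in its usage are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit systemd unit files for
# the weakness abused above, a unit that a non-root user can rewrite so that
# ExecStart runs attacker-chosen commands on the next permitted restart.

# Directories systemd loads units from (assumed standard layout).
UNIT_DIRS="/etc/systemd/system /run/systemd/system /usr/lib/systemd/system /lib/systemd/system"

# find_writable_units DIR...
# Prints every *.service file and drop-in *.conf under the given directories
# that is group- or world-writable. Ownership is checked separately, because a
# test run as an unprivileged user owns every file it creates.
find_writable_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name '*.service' -o -name '*.conf' \) \
            \( -perm -g+w -o -perm -o+w \) 2>/dev/null
    done
}

# find_nonroot_units DIR...
# Prints unit files not owned by root; on a healthy host this prints nothing.
find_nonroot_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name '*.service' -o -name '*.conf' \) \
            ! -user root 2>/dev/null
    done
}

# exec_lines FILE
# Shows the Exec* directives of a flagged unit, i.e. what systemd would run
# (as root, since vsftpd.service above sets no User=) if the file were tampered with.
exec_lines() {
    grep -E '^Exec(Start|StartPre|StartPost|Reload|Stop)=' "$1"
}

# audit_units: run both checks against the live system; exit status 1 on findings.
audit_units() {
    found=0
    for f in $(find_writable_units $UNIT_DIRS) $(find_nonroot_units $UNIT_DIRS); do
        found=1
        echo "WRITABLE OR NON-ROOT UNIT: $f"
        exec_lines "$f" | sed 's/^/    /'
    done
    return $found
}

if [ "${1:-}" = "--run" ]; then audit_units; fi
```

Invoke the script with `--run` to audit the live host; a nonzero exit status means at least one unit file was flagged.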
Bonus
1. Vulnerable Codiad
Codiad 2.8.4 is vulnerable to authenticated RCE. The public exploit was tried but did not work properly, so a shell file was uploaded instead.
Info about CVE: CVE-2018-19423
Exploit on ExploitDB: Exploit