Machine IP → 192.168.80.14
Nmap scan →

```
nmap -A -Pn -p- -T4 -o nmap.txt 192.168.80.14
```
OS Detection →
OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|---|---|---|
| 21 | FTP | vsftpd 3.0.3; anonymous FTP allowed |
| 22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.38 ((Debian)) |
GoBuster scan →

```
gobuster dir -u http://192.168.80.14 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
```
Directories/files listed →
Looking at the robots.txt, it says only search engines are allowed to access it. Therefore, changing the User-Agent to GoogleBot in Burp bypasses this restriction. This gives the directory /secret_information/.

The /secret_information/ directory consists of an introduction to DNS zone transfer attacks and links to display it in English or Spanish. The links are of the form ..?lang=language.php. Therefore, attempting LFI here prints the contents of the /etc/passwd file, which enumerates the users →
The anonymous FTP login shows that the pub directory of the FTP service is world-writable. Therefore, it is a good place for landing payloads. To get the exact path of that location on disk, the configuration file must be read. From the service enumeration, the version is known to be vsftpd 3.0.3. The default config for this is at
Using LFI to print this shows the following →
```
anon_root=/var/ftp/
write_enable=YES
```
Using the FTP to upload a reverse shell in PHP, and then using the LFI to include the payload via the path found in the config file, grants a shell as user www-data. The payload used is Pentest Monkey's PHP reverse shell.

Enumerating the setuid binaries, an interesting find was the presence of /home/tom/rootshell, which indicates that getting the privileges of user tom is the step required to get root on the machine.

The home directory of the user tom is readable by www-data. Therefore, visiting it grants access to the source code of the rootshell binary found above. This also gives the user flag.
The code of the rootshell binary uses FILE* f = popen("whoami", "r");. This does not use an absolute path, so the PATH variable can be abused to trick the program into evaluating the username as tom. Therefore, creating a new directory in /tmp with an executable named whoami under it that prints tom, and pointing PATH at that directory, does the job.
```bash
# create the directory named in the PATH line below and work inside it
mkdir -p /tmp/testdirectory && cd /tmp/testdirectory
echo '#!/bin/bash' > whoami
echo 'echo tom' >> whoami
chmod +x whoami
export PATH=/tmp/testdirectory
```
This allows execution of the rootshell binary, whose check now evaluates to true; it grants the root shell, and thereby the root flag.
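The defect in the rootshell binary beside the check a developer should have written, as an added example that is not the machine's own source: the function names, the comparison against the literal username "tom" and the pinned PATH value are assumptions, since the page only shows the popen line.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern from the writeup: the setuid binary shells out to "whoami"
 * without an absolute path, so whichever "whoami" appears first on the
 * caller-controlled PATH decides which user the program believes it serves. */
int check_user_vulnerable(const char *expected) {
    char name[64] = {0};
    FILE *f = popen("whoami", "r");   /* /bin/sh resolves "whoami" via PATH */
    if (f == NULL)
        return 0;
    if (fgets(name, sizeof name, f) == NULL) {
        pclose(f);
        return 0;
    }
    pclose(f);
    name[strcspn(name, "\n")] = '\0';
    return strcmp(name, expected) == 0;
}

/* Hardened variant: ask the kernel for the real UID and resolve it through the
 * passwd database. No subprocess is spawned, so PATH cannot influence the
 * answer, and the real (not effective) identity of the caller is what is checked. */
int check_user_hardened(const char *expected) {
    const struct passwd *pw = getpwuid(getuid());
    if (pw == NULL)
        return 0;
    return strcmp(pw->pw_name, expected) == 0;
}

/* A privileged program that must exec anything should first pin PATH to a
 * fixed set of root-owned directories (assumed value). Returns what is set. */
const char *pin_path_for_privileged_exec(void) {
    setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
    return getenv("PATH");
}

int main(void) {
    const struct passwd *pw = getpwuid(getuid());
    printf("real user: %s\n", pw ? pw->pw_name : "?");
    printf("hardened check for tom: %d\n", check_user_hardened("tom"));
    printf("PATH pinned to: %s\n", pin_path_for_privileged_exec());
    return 0;
}
```

The hardened check is what a defender should look for when auditing setuid binaries: identity decisions made from getuid()/getpwuid(), never from the output of an unqualified command.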