
[Linux] Lian_Yu

Reconnaissance

sudo nmap 10.10.155.75
sudo nmap -A -p 21,22,80,111 10.10.155.75

Enumeration

HTTP

We use Gobuster to get more information on the website.

gobuster dir -u http://10.10.155.75 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We got a code: vigilante

gobuster dir -u http://10.10.155.75/island -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We have a specific message indicating that we can access a .ticket file. Let’s look for the .ticket file on the website.

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .ticket -u http://10.10.155.75/island/2100/FUZZ

We found something that looks like a password: RTy8yhBQdscX.

FTP

We tried using the credentials vigilante:RTy8yhBQdscX on the FTP server, but they didn't work. So, I attempted to decode the string RTy8yhBQdscX in various bases. It turns out that it’s in Base58.

After decoding, we got the actual password: !#th3h00d. Now, we can use the credentials vigilante:!#th3h00d to connect to the FTP server.
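The "try various bases" step above can be automated. The following is an added example (not part of the original writeup): a small Base58 decoder using the Bitcoin alphabet, which is what the usual online decoders default to, plus a helper that tries Base16/32/58/64 and keeps only the candidates that decode to printable ASCII. The token is the one found on the page; the function and constant names are my own.

```python
import base64
import binascii

# Bitcoin-style Base58 alphabet: no 0, O, I or l, which is why "RTy8yhBQdscX"
# is a valid Base58 string but not a typical Base64 payload.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(s: str) -> bytes:
    """Decode a Base58 string into raw bytes; each leading '1' is a leading zero byte."""
    value = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + idx
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def base58_encode(data: bytes) -> str:
    """Inverse of base58_decode, useful to confirm a decoding round-trips."""
    value = int.from_bytes(data, "big")
    out = ""
    while value:
        value, rem = divmod(value, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def guess_encoding(token: str) -> dict:
    """Try the common bases and return {name: text} for decodings that are printable ASCII."""
    decoders = {
        "base16": base64.b16decode,
        "base32": base64.b32decode,
        "base58": base58_decode,
        "base64": lambda t: base64.b64decode(t, validate=True),
    }
    hits = {}
    for name, decode in decoders.items():
        try:
            raw = decode(token)
        except (ValueError, binascii.Error):
            continue                      # wrong alphabet or padding for this base
        if raw and all(32 <= b < 127 for b in raw):
            hits[name] = raw.decode("ascii")
    return hits


if __name__ == "__main__":
    # Token recovered from the .ticket file in the writeup.
    print(guess_encoding("RTy8yhBQdscX"))
```

Base64 also "succeeds" on this token because its length is a multiple of four, but the bytes it produces are not printable, which is why filtering on printability is what makes the guess useful.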

We retrieved three files and also found a username (slade). However, we couldn’t use the current credentials to connect to the SSH service.

Steganography

We tried different steganography techniques on the files we got.

Queen's_Gambit.png

Nothing special with this file.

aa.png

Stegseek gives us crucial information.

stegseek -wl /usr/share/wordlists/rockyou.txt aa.jpg

We obtained two files: passwd.txt and shado. On Unix systems, the shadow file (not shado) is typically used to store passwords securely. It’s possible that the shado file contains the password for the user slade.

Leave_me_alone.png

We can't display the image.

The magic number of this file doesn’t match its file extension, indicating it might be misidentified. We can use hexedit to modify the magic number to match the correct file type. Specifically, we’ll copy the magic number from the Queen's_Gambit.png file.

The password we find from this file (password) is actually used to extract information from aa.jpg, so it might have been helpful to analyze this file earlier.
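To make the magic-number check reproducible, here is an added example (not part of the original writeup) that compares a file's leading bytes with what its extension claims, rewrites the signature the way the hexedit step did, and then verifies that the rest of the file is consistent with a PNG (an IHDR chunk with a valid CRC right after the signature). The PNG signature is the standard 8-byte one, which is exactly what Queen's_Gambit.png carries; the sample image is constructed in memory, not one of the room's files, and all function names are my own.

```python
import os
import struct
import zlib

# Well-known file signatures; the PNG entry is the 8 bytes the writeup copied by hand.
MAGIC = {
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "jpg": bytes.fromhex("FFD8FF"),
    "gif": b"GIF8",
}


def detect_type(data: bytes):
    """Type implied by the leading bytes, or None when no known signature matches."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def claimed_type(filename: str) -> str:
    """Type implied by the extension (normalising .jpeg to jpg)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return "jpg" if ext == "jpeg" else ext


def check_signature(filename: str, data: bytes) -> dict:
    """Report whether the magic number agrees with the extension."""
    actual = detect_type(data)
    claimed = claimed_type(filename)
    return {"claimed": claimed, "actual": actual, "match": actual == claimed}


def png_structure_ok(data: bytes) -> bool:
    """A real PNG has a 13-byte IHDR chunk with a correct CRC right after the signature."""
    if not data.startswith(MAGIC["png"]) or len(data) < 8 + 4 + 4 + 13 + 4:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    covered = data[12:16 + length]                      # chunk type + data, what the CRC covers
    (crc,) = struct.unpack(">I", data[16 + length:20 + length])
    return (zlib.crc32(covered) & 0xFFFFFFFF) == crc


def repair_signature(data: bytes, expected: str) -> bytes:
    """Overwrite the leading bytes with the signature for `expected` (the hexedit step)."""
    sig = MAGIC[expected]
    return sig + data[len(sig):]


def build_minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input for this example."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one grey pixel
    return MAGIC["png"] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def demo():
    """Mangle the signature of the sample PNG, detect the mismatch, repair it and re-check."""
    good = build_minimal_png()
    broken = b"\x00" * 8 + good[8:]
    before = check_signature("Leave_me_alone.png", broken)
    fixed = repair_signature(broken, "png")
    after = check_signature("Leave_me_alone.png", fixed)
    return before, after, png_structure_ok(fixed)


if __name__ == "__main__":
    print(demo())
```

The structural check matters: transplanting a signature only helps when the bytes after it are an intact image, and a valid IHDR CRC is a cheap way to confirm that before spending time on further steganography tools.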

Initial access

We used the credentials slade:M3tahuman to successfully connect to the target. We can get the user flag this way.

ssh slade@10.10.156.134

Privilege escalation

We are allowed to run pkexec with root privileges, so we can use it to launch /bin/bash and get a root shell.

sudo -l

Remediation

  • Avoid publicly exposing critical information.
  • Use a password manager to securely store passwords, ensuring they are strong and unique.
  • Carefully review sudo rights to ensure regular users cannot execute critical commands like pkexec.
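Reviewing sudo rights by hand does not scale, so here is an added example (not part of the original writeup) of an audit script for the last remediation point: it parses sudoers-style user specifications and flags every grant of ALL or of a binary that can hand the caller a shell when run as root, reporting whether it is NOPASSWD. The sudoers sample is constructed for this example and is not the room's real file; the list of shell-capable binaries is an assumption and deliberately non-exhaustive, and aliases are skipped rather than expanded.

```python
import os
import re

# Binaries that can spawn a shell or write arbitrary files when run as root.
# Assumed, non-exhaustive list for this example; extend it for your environment.
SHELL_CAPABLE = {
    "ALL", "pkexec", "su", "sh", "bash", "dash", "zsh", "vi", "vim", "nano",
    "find", "less", "more", "awk", "perl", "python", "python3",
}

# user  host=(runas) [TAG:] cmd1, [TAG:] cmd2 ...
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(
    r"^(?P<tag>NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias", "@include")


def parse_sudoers(text: str) -> list:
    """Return one dict per (user, command) pair; Defaults and alias lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drops comments and #include lines alike
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        nopasswd = False                          # a tag applies to every command after it
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            while (t := TAG_RE.match(spec)):
                if t.group("tag") == "NOPASSWD":
                    nopasswd = True
                elif t.group("tag") == "PASSWD":
                    nopasswd = False
                spec = spec[t.end():]
            entries.append({
                "who": m.group("who"),
                "host": m.group("host"),
                "runas": m.group("runas") or "root",
                "nopasswd": nopasswd,
                "command": spec,
            })
    return entries


def audit_sudoers(text: str) -> list:
    """Entries that grant ALL or a shell-capable binary; negated commands (!cmd) are not grants."""
    findings = []
    for e in parse_sudoers(text):
        cmd = e["command"]
        if cmd.startswith("!"):
            continue
        binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
        if binary in SHELL_CAPABLE:
            findings.append(dict(e, reason=f"{binary} can spawn a shell as {e['runas']}"))
    return findings


# Constructed sample sudoers for this example, not the room's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
slade   ALL=(ALL) /usr/bin/pkexec
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/vim
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['who']:<8} {flag}{f['command']:<45} {f['reason']}")
```

On a real host, feed it `/etc/sudoers` plus every file under `/etc/sudoers.d/`; the root and %admin lines are expected hits, the pkexec entry for a regular user is the kind of grant this room turns into a root shell.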
