[Linux] Start Up

Reconnaissance

sudo nmap 10.10.130.157
sudo nmap -A -p 21,22,80 10.10.130.157

Enumeration

FTP

We can log in to the FTP server anonymously. After downloading everything it serves, we notice that the ftp directory is writable by the anonymous user.

HTTP

Gobuster assisted us during web enumeration.

gobuster dir -u http://10.10.130.157/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

The /file directory on the web server serves the same files we downloaded from the FTP server, so the two share a directory.

Exploitation

Since the FTP share is writable and its contents are served by the web server, we can upload a PHP reverse shell over FTP and then request it through the web server, which executes it as the web server user.

locate webshell                 # find Kali's copy of php-reverse-shell.php
nano php-reverse-shell.php      # set $ip to our attacking host and $port to the listener port (1234 below)
ftp 10.10.130.157               # log in as anonymous, cd ftp, put php-reverse-shell.php

We start a netcat listener on the port configured in the shell, then request the uploaded file via the web server (it should appear under /file/ftp/, since that directory mirrors the FTP share).

nc -nlvp 1234

After stabilising the shell, we find a suspicious PCAP file on the machine, copy it to our attacking host and open it in Wireshark.

The capture contains a cleartext password for lennie: lennie:c4ntg3t3n0ughsp1c3

Logging in as lennie with this password works, and we obtain the user flag.
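To show what "reading the password out of the capture" actually involves, here is an added example (not part of the original writeup) of a minimal pure-Python pcap reader: it walks TCP segments in capture order and recovers whatever was typed right after a "Password:" prompt, which is what following the TCP stream in Wireshark shows you. The capture bytes are constructed inside the block; the attacker IP, ports, shell prompts and the password in it are invented, and the real capture from the box is not reproduced.

```python
"""Added example, not from the original writeup: a minimal pure-Python pcap
reader that walks TCP segments in capture order and recovers the password
typed after a "Password:" prompt. The capture below is CONSTRUCTED here; the
attacker IP, ports, prompts and password are made-up assumptions."""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic microsecond-resolution pcap
ETH_HDR = 14


def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, dst, sport, dport, payload):
    """One Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     _ip4(src), _ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian pcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for every TCP segment carrying data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap (pcapng / nanosecond pcap not handled)")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < ETH_HDR + 40 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4
        ip = frame[ETH_HDR:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                    # not TCP
        total = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (".".join(map(str, ip[12:16])), sport,
                   ".".join(map(str, ip[16:20])), dport, payload)


def find_credentials(pcap, prompt=b"Password:"):
    """[(user, password)]: after a segment showing the prompt, the next segment in
    the opposite direction is what the operator typed. A preceding 'su <user>'
    sets the user name."""
    found, user, expect = [], None, None
    for src, sport, dst, dport, payload in tcp_segments(pcap):
        key = (src, sport, dst, dport)
        if expect == key:
            found.append((user, payload.strip().decode("utf-8", "replace")))
            expect = None
            continue
        m = re.search(rb"\bsu\s+(\S+)", payload)
        if m:
            user = m.group(1).decode("utf-8", "replace")
        if prompt in payload:
            expect = (dst, dport, src, sport)        # reply comes from the other side
    return found


# Constructed reverse-shell session: victim 10.10.130.157 talking to an assumed
# attacker listener at 10.10.14.7:4444; the password here is invented.
V, A = ("10.10.130.157", 40110), ("10.10.14.7", 4444)
SAMPLE_PCAP = build_pcap([
    tcp_frame(V[0], A[0], V[1], A[1], b"www-data@victim:/$ "),
    tcp_frame(A[0], V[0], A[1], V[1], b"su lennie\n"),
    tcp_frame(V[0], A[0], V[1], A[1], b"Password: "),
    tcp_frame(A[0], V[0], A[1], V[1], b"examplepass123\n"),
    tcp_frame(V[0], A[0], V[1], A[1], b"lennie@victim:/$ "),
])

if __name__ == "__main__":
    for user, pw in find_credentials(SAMPLE_PCAP):
        print(f"{user}:{pw}")
```

Point it at a real capture with open(path, "rb").read() in place of SAMPLE_PCAP. It deliberately does no TCP reassembly beyond capture order, so on a lossy or retransmitted capture you still want Wireshark's Follow TCP Stream; the value here is seeing that the password crosses the wire in the clear, one segment after the prompt.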

Privilege Escalation

Among lennie's files is a script that does nothing but echo "Done!".

We can check whether anything on the system executes that script by watching process creation with pspy.

pspy shows a CRON job running the script as root.

Since /etc/print.sh is writable by our user, we replace its contents with a reverse shell; when the CRON job next runs it, we catch a root shell on our listener.
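The pattern above (a root cron job runs a script that an unprivileged user can edit) is worth checking for systematically rather than by luck. The following is an added example, not code from the original writeup: it parses /etc/crontab-style entries, follows each command into the scripts it runs and any further scripts those invoke, and reports every file a given uid could modify. The crontab, file names, modes and the simulated uid in demo() are constructed assumptions for the demonstration; it goes one step beyond the page by also following scripts that the cron script itself calls.

```python
"""Added example, not part of the original writeup: audit /etc/crontab-style
entries for scripts a low-privileged user could modify, following the scripts
into any further scripts they invoke. Paths, the fixture and the simulated
uid are assumptions constructed here for the demo."""
import os
import re
import stat
import tempfile

PATH_RE = re.compile(r"(/[\w./-]+)")   # absolute paths inside a command or script body


def crontab_entries(text):
    """Yield (user, command) from /etc/crontab or /etc/cron.d lines (5 time fields + user)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                      # comments and VAR=value lines
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6]


def referenced_scripts(command, root=""):
    """Absolute paths named in a cron command, plus paths inside any of those files
    that are interpreter scripts (start with #!), followed recursively."""
    seen, queue = [], PATH_RE.findall(command)
    while queue:
        p = queue.pop(0)
        if p in seen:
            continue
        seen.append(p)
        try:
            with open(root + p, "rb") as f:
                body = f.read(65536).decode("utf-8", "replace")
        except OSError:
            continue                      # not present under root, or not readable
        if body.startswith("#!"):
            queue.extend(PATH_RE.findall(body))
    return seen


def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """Which permission bit lets user uid (member of gids) write the file, if any.
    Root bypasses these bits entirely; the audit is about non-root users."""
    if mode & stat.S_IWOTH:
        return "world-writable"
    if owner_gid in gids and mode & stat.S_IWGRP:
        return "group-writable"
    if owner_uid == uid and mode & stat.S_IWUSR:
        return "owner-writable"
    return None


def writable_cron_targets(crontab_text, root="", uid=None, gids=None):
    """[(cron_user, path, reason)] for every script a cron job runs that uid can modify."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    findings = []
    for cron_user, command in crontab_entries(crontab_text):
        for p in referenced_scripts(command, root):
            try:
                st = os.stat(root + p)
            except OSError:
                continue
            reason = writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids)
            if reason:
                findings.append((cron_user, p, reason))
    return findings


def demo():
    """Constructed fixture in a temp dir: root cron job -> task.sh -> /etc/print.sh,
    where only print.sh is world-writable. File names and modes are assumptions."""
    root = tempfile.mkdtemp()
    files = {
        "/usr/local/bin/task.sh": ("#!/bin/bash\n/etc/print.sh\n", 0o755),
        "/etc/print.sh": ('#!/bin/bash\necho "Done!"\n', 0o777),
    }
    for path, (body, mode) in files.items():
        os.makedirs(os.path.dirname(root + path), exist_ok=True)
        with open(root + path, "w") as f:
            f.write(body)
        os.chmod(root + path, mode)
    crontab = "SHELL=/bin/bash\n# m h dom mon dow user command\n* * * * * root /usr/local/bin/task.sh\n"
    # simulate a user who owns none of the files and shares no group with them
    return writable_cron_targets(crontab, root=root, uid=os.getuid() + 1, gids=[])


if __name__ == "__main__":
    for cron_user, path, reason in demo():
        print(f"cron job (as {cron_user}) runs {path}: {reason}")
```

On a real box call writable_cron_targets(open("/etc/crontab").read()) with the default root="" and your own uid; per-user crontabs (no user field) and /etc/cron.d fragments need to be fed in separately. The mode-based check is deliberate: os.access() answers "can I write this now", which is always yes for root and therefore useless for reasoning about what a low-privileged user could tamper with.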

Remediation

  • Disable FTP, and in any case never expose an anonymously writable share, least of all one whose contents the web server serves; use SCP or SFTP for file transfer.

  • Audit CRON jobs: any script a root job executes (and any script it calls) must not be writable by unprivileged users.

  • Do not leave packet captures containing cleartext credentials on the host, and avoid sending passwords over unencrypted channels in the first place.
