# Potato

## Nmap

```
sudo nmap 192.168.211.101 -p- -sS -sV

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
2112/tcp open  ftp     ProFTPD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Going for the low-hanging fruit, I dive straight into FTP on port 2112. Connecting with anonymous login shows two files. I grab index.php.bak and welcome.msg. I also tried file upload but was unsuccessful.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0d04281c7d769ba7b90ad841d267328aec48d213%2Fimage.png?alt=media)

The contents of welcome.msg is shown below:

```
Welcome, archive user %U@%R !

The local time is: %T
```

Not too sure what to do with this just yet, but it looks like some variables to me. index.php.bak is more interesting, however.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-882bce2e54a1bc6fa2dc4e9ac3447445b18e71af%2Fimage.png?alt=media)

Reading through this, the string 'strcmp' stood out as one I was not familiar with and did not recognise from before. After Googling it for exploits I came across an interesting post relating to a CTF challenge where someone encountered the same function.

{% embed url="<https://www.doyler.net/security-not-included/bypassing-php-strcmp-abctf2016>" %}

Take note of the following snippet from the blog post.

![https://www.doyler.net/security-not-included/bypassing-php-strcmp-abctf2016](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a4bb9e529a6c100b2f5dddd3a50094684494e8ef%2Fimage.png?alt=media)

Running `dirsearch.py` against the target on port 80 reveals the /admin/ directory.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-23d0060882bd73258642363e70eaf990063d561e%2Fimage.png?alt=media)

Checking the page source, the form action matches what we saw in the index.php.bak we came across earlier.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-606ec3161be6b892cfe9a8dccf020d926b6dff7f%2Fimage.png?alt=media)

Looking back at just the PHP code from the index.php.bak we can see where the *strcmp* string comes into play.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fee827c1d07f078ad2bba96ce4a0885596d1aa1c%2Fimage.png?alt=media)

We know from the code that the admin username exists and, based on the comment, that the password is changed regularly. Going by this we can try the *strcmp* bypass on the password value.

I caught a login request with Burp and set the password value to `[]==""`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2f61eb8391d812e53d8f60d9de27622ea4634217%2Fimage.png?alt=media)

After sending the request we get confirmation of login.
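To show why the bypass works and what the fix looks like, here is an added PHP example (not the index.php recovered from the machine). The function names and the `correct-horse` secret are assumptions for the demo.

```php
<?php
// Added example, not the index.php recovered from the machine: why a
// strcmp($input, $secret) == 0 check is bypassable and how to compare safely.

// Vulnerable pattern. On PHP 5.x/7.x, strcmp() given an array only emits a
// warning and returns NULL, and NULL == 0 is true under loose comparison, so
// the check passes without the password. Sending password[]= in the request
// body is enough to make $_POST['password'] an array.
function vulnerable_login(string $user, $pass, string $adminPass): bool
{
    return $user === 'admin' && @strcmp($pass, $adminPass) == 0;
}

// Hardened version: refuse non-string input up front, keep the secret as a
// hash, and let password_verify() do a constant-time comparison.
function hardened_login(string $user, $pass, string $adminHash): bool
{
    if ($user !== 'admin' || !is_string($pass)) {
        return false;
    }
    return password_verify($pass, $adminHash);
}

// Constructed credentials for the demo.
$secret = 'correct-horse';
$hash   = password_hash($secret, PASSWORD_DEFAULT);

try {
    // Passes on PHP 7 with the array; PHP 8 throws a TypeError instead.
    var_dump(vulnerable_login('admin', [], $secret));
} catch (TypeError $e) {
    echo "PHP 8 rejects the array: {$e->getMessage()}\n";
}
var_dump(hardened_login('admin', [], $hash));       // array input rejected
var_dump(hardened_login('admin', $secret, $hash));  // real password accepted
```

Run it with `php` on the command line; a `==` against a function that can return NULL on bad input is the whole bug, and `is_string()` plus `password_verify()` removes both halves of it.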

Once logged in we can follow the link on the dashboard to the admin area.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-adcb986947a324cdf7df54f4c764ff5d051caded%2Fimage.png?alt=media)

Heading over to logs we are given the option to pick from a subset of logs to retrieve from the webserver.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-17c15f9d5ac7dc5bcb4d23f8ec509c83ef0de21d%2Fimage.png?alt=media)

Retrieving a log and catching the request in `Burpsuite` shows an interesting parameter.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-681ec7a370a2cd5095789b55f7f2340e923740e9%2Fimage.png?alt=media)

Changing the file request to match `../../../../../../etc/passwd` allows for us to perform LFI and read the contents of `/etc/passwd`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-78cbc672b8deaa9627371d5b2ed00b9ce04ac6eb%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a88dc91859ca8e0e2b89fa6d1a3f62111230cdff%2Fimage.png?alt=media)
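For contrast, here is an added PHP example (not the machine's log viewer) of how a log-download handler can resolve the requested name inside a fixed directory and refuse the `../../../../../../etc/passwd` style of input, including the symlink case that a plain string check misses. The `resolve_log` name, the `.log` naming rule and the temporary directory are assumptions for the demo.

```php
<?php
// Added example, not the log viewer from the machine: resolve a requested log
// name inside a fixed directory and refuse anything that escapes it.

function resolve_log(string $dir, string $requested): ?string
{
    // basename() strips directory components, so ../ sequences never reach
    // the filesystem call; the pattern then restricts what a name may look like.
    $name = basename($requested);
    if (!preg_match('/^[A-Za-z0-9_-]+\.log$/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks and returns false for missing files, so the
    // prefix check also rejects a log that is a symlink pointing elsewhere.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway log directory with one real log and a symlink
// that points outside it.
$dir = sys_get_temp_dir() . '/logdemo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/access.log", "127.0.0.1 - - GET /admin/ 200\n");
symlink('/etc/passwd', "$dir/escape.log");

foreach (['access.log', '../../../../../../etc/passwd', 'escape.log'] as $req) {
    $resolved = resolve_log($dir, $req);
    printf("%-32s => %s\n", $req, $resolved === null ? 'REJECTED' : 'serve ' . $resolved);
}

unlink("$dir/escape.log");
unlink("$dir/access.log");
rmdir($dir);
```

In a real handler, pass `$_GET['file']` to `resolve_log()`, answer with a 400 when it returns null, and `readfile()` the resolved path otherwise.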

Looking at the results we can see a hash for the user webadmin. Checking this hash against the `hashcat` [examples page](https://hashcat.net/wiki/doku.php?id=example_hashes) shows this is an MD5crypt hash. I was then able to crack the hash on my Windows machine with `hashcat`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-519348018413737290619d345624b78f7dada36c%2Fimage.png?alt=media)

We now have the credentials `webadmin:dragon`. I was then able to use these to log in over SSH.

```
ssh webadmin@192.168.211.101
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ddb53d2f1135a6d17f5a56810015ac63b356fc5d%2Fimage.png?alt=media)

Checking `sudo -l` shows we can run the binary `/bin/nice` on any file inside `/notes/*` due to the wildcard.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-82bc0887306fe210d6a006cab39403895d9e5923%2Fimage.png?alt=media)

Inside the notes directory we have two files. One clears the screen and the other runs the `id` command. With no write permissions on this folder we are unable to edit or replace the files, so we cannot use them for privilege escalation.

As the sudoers entry has a wildcard in `/notes/*`, we can abuse this to run a file with sudo permissions outside of the notes directory.

See below for more information:

{% embed url="<https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-4-wildcards/>" %}

We can create a shell.sh file in our home directory and execute with sudo.

```
touch shell.sh
echo '/bin/sh' > shell.sh
chmod 777 shell.sh
```

Once completed, run the following command to gain a root shell.

```
sudo /bin/nice /notes/../../../../home/webadmin/shell.sh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c6dd9277dc2f241345701ce2595f801fcf9ac061%2Fimage.png?alt=media)

