Pwned1
Pg Practice Pwned1 writeup
Last updated
We have FTP open running vsftpd 3.0.3. At the time of writing this version has no public exploits. I checked anonymous login and we get '530 Permission denied.'
We have HTTP open on port 80. I start by running Feroxbuster and nikto to enumerate directories and scan for vulnerabilities.
After a short while nikto finishes with the results below.
We can take note of the following interesting information:
/nothing/
/hidden_text/
/robots.txt
Before we look at these we can take a quick look at the root page for http://192.168.218.95
The directory /nothing/ contains the following:
The directory /hidden_text/ contains a file secret.dic. We can extract this information and load it into feroxbuster.
We get the following results from running the secret.dic file against feroxbuster.
The directory /pwned.vuln takes us to the following page:
Viewing the page source produces the following information:
We have the following credentials:
I tried these against the /pwned.vuln page and the credentials are not valid there. The username hints at FTP, so we can check this next.
Once inside FTP we can move into the 'share' directory and download the contents inside.
When reading the contents of note.txt we see we have a potential username of 'ariana'.
The other file we have is a possible SSH key. We can set the proper permissions on this file with the chmod command and then attempt to use it to log in to SSH as the user ariana.
We now have access as ariana. We can grab the user flag in our current directory before moving onto privilege escalation.
In the directory we have the file 'ariana-personal.diary' which contains the information below:
I am not sure how this information could be useful right now, as we have already found this directory on the server.
I next upload linpeas to the server using a python server on my attacking machine.
After running linpeas.sh we see the following information that stands out:
We can run the file /home/messenger.sh with sudo as the user selena without a password requirement.
The file messenger.sh is made up of the following:
Let's run the file and see what happens.
I tried running a whoami command to see if anything interesting would happen and nothing did.
We can check GTFObins to see if we can perform an escape on the script.
I ran the script again with bash as the value and was then able to run the id command as the user selena.
I then upgraded the shell to something a little more usable.
We also have a diary in selena's directory which at this point does not provide any new information.
Again we can run linpeas.sh to check for any possible privilege escalation routes.
linpeas.sh shows that we are part of the 'docker' group.
If we search docker on GTFObins we see we may be able to spawn a root shell.
I executed the command above and was able to spawn a root shell.
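As an added defensive example that is not part of this writeup, the hypothetical POSIX shell helper below checks a host for the two misconfigurations this box was escalated through: a NOPASSWD sudo rule that hands a script to another user (the messenger.sh finding) and non-root members of the docker group. The sudoers and group contents are constructed samples modelled on the writeup so the check runs offline.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not from the writeup). It flags
# NOPASSWD sudo rules and docker group membership, the two findings used above.
# Inputs are passed as text so the checks run offline; on a live host you would
# feed in /etc/sudoers (or `sudo -l` output) and /etc/group instead.

# Constructed sample input resembling what the writeup found (illustrative only).
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
# comment line, skipped by the check
ariana ALL=(selena) NOPASSWD: /home/messenger.sh'

SAMPLE_GROUP='root:x:0:
sudo:x:27:
docker:x:999:selena
ariana:x:1000:'

# Print every non-comment sudoers line containing NOPASSWD, one per line.
find_nopasswd_rules() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep 'NOPASSWD' || true
}

# Print the members of the docker group (field 4 of /etc/group), one per line.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4 }' | tr ',' '\n' | sed '/^$/d'
}

# Print a report followed by the number of findings (0 means both checks are clean).
audit() {
    count=0
    rules=$(find_nopasswd_rules "$1")
    if [ -n "$rules" ]; then
        echo "NOPASSWD sudo rule(s); verify the target script is root-owned and not writable:"
        echo "$rules"
        count=$((count + $(printf '%s\n' "$rules" | wc -l)))
    fi
    members=$(docker_group_members "$2")
    if [ -n "$members" ]; then
        echo "docker group members (root-equivalent access to the host):"
        echo "$members"
        count=$((count + $(printf '%s\n' "$members" | wc -l)))
    fi
    echo "$count"
}

audit "$SAMPLE_SUDOERS" "$SAMPLE_GROUP"
```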