Startup
Anonymous login is allowed on FTP. We have two files: a jpg and a txt document. I downloaded both. I also checked whether file upload was possible in the FTP directory within, and was able to upload a test document.
Contents of notice.jpg:
Important.jpg:
Looking through the directories in '/', we have the incidents folder, and within it we have a pcapng file of interest. We can host a Python SimpleHTTPServer on the target machine in this directory.
Then use wget on our attacking machine to download the pcapng file.
Going through each packet manually in Wireshark, we find an interesting string in packet #178.
Right-clicking the packet and following the TCP stream reveals more information and shows a command history log from a web shell, likely due to a previous compromise.
We can take the password value and SSH in as the other user on the box, who is Lennie.
In Lennie's home directory we can see a scripts folder. planner.sh is of interest, but it looks like we are unable to modify the file.
However, the file print.sh which is executed as part of planner.sh is owned by us.
First we need to check whether the scripts are executed as part of a timed process. I downloaded pspy64 onto the attacking machine and executed it.
After a short while we see that the following is executed at regular intervals:
As such, we can replace the contents of /etc/print.sh with those of a reverse shell and wait for a root shell to spawn.
We soon receive a shell as root.
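The root shell above comes from a root-run scheduled script (planner.sh) calling a helper (print.sh) that a non-root user owns. As an added example, not part of the original write-up, the following audit function flags that condition on a host; the function name, the path-extraction regex and the output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a script that a privileged scheduler runs and flag
# every file it references that someone other than the trusted owner can edit.
#
# audit_script SCRIPT [TRUSTED_OWNER]
#   Prints one "RISK <path>" line for the script itself and for each absolute
#   path found on its non-comment lines when that file is
#     - not owned by TRUSTED_OWNER (default: root), or
#     - group-writable or world-writable.
#   Returns 1 if any risk was found, 0 otherwise.
#
# The extraction is deliberately simple (assumption): it only sees literal
# absolute paths, not paths built from variables or relative paths.
audit_script() {
    script=$1
    trusted=${2:-root}
    found=0

    for path in "$script" $(grep -v '^[[:space:]]*#' "$script" \
                            | grep -oE '/[A-Za-z0-9._/-]+' | sort -u); do
        # Ignore matches that are not existing regular files.
        [ -f "$path" ] || continue

        # find prints the path only if one of the unsafe conditions holds.
        if [ -n "$(find "$path" -prune \
                   \( ! -user "$trusted" -o -perm -0020 -o -perm -0002 \) \
                   -print)" ]; then
            echo "RISK $path"
            found=1
        fi
    done

    return "$found"
}

# Typical use on a host (path is a placeholder):
#   audit_script /path/to/root-run-script.sh
```

Any file it reports should be owned by root and have write permission removed for group and others, so that only root can change what the scheduled job executes.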