Cybersecurity, Misconfigured permissions, Hacking

Offsec — FunboxRookie Walkthrough

A walkthrough with my tactics, techniques, and procedures.

xocybersec
Infosec WatchTower


Reconnaissance/Scanning:

Let’s start things off with a network scan to see which ports are open and the services running on each.

# -A already turns on OS detection (-O), default scripts (-sC) and version probing (-sV); -p- covers all 65535 TCP ports
$ nmap -A -O -sC -sV -p- <machine_IP>
Nmap scan results

Vulnerability assessment:

Got some nice results: an FTP server with anonymous login enabled and a number of files to look at, plus a robots.txt with a disallowed directory to enumerate.

Notice that tom.zip is the only file with read-only permissions; it is worth asking why that one file is different from the rest.

Once in the FTP server I found some hidden files.

Hidden file on FTP server
Second hidden file on FTP server
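The two things that paid off here, dotfiles that a bare `ls` hides and a file whose mode does not match its neighbours, are easy to miss in a long listing. As an added example (not from the original post), the shell helper below reads an FTP directory listing and tags each regular file that deserves a second look. The listing is constructed to resemble the share above; the sizes, dates and owner columns are assumptions, and on a live target you would paste in the output of `ls -la` from your ftp client instead.

```shell
#!/bin/sh
# Added example (not from the original post): triage an FTP directory
# listing for dotfiles and permission oddities. The listing is CONSTRUCTED;
# file sizes, dates and owners are assumptions.
LISTING='drwxr-xr-x    2 ftp      ftp          4096 Jul 27  2020 .
drwxr-xr-x    2 ftp      ftp          4096 Jul 27  2020 ..
-rw-r--r--    1 ftp      ftp           100 Jul 27  2020 .@admins
-rw-r--r--    1 ftp      ftp           100 Jul 27  2020 .@users
-rw-r--r--    1 ftp      ftp          1477 Jul 27  2020 anna.zip
-r--r--r--    1 ftp      ftp          1477 Jul 27  2020 tom.zip
-rw-r--r--    1 ftp      ftp           170 Jul 27  2020 welcome.msg'

# triage_listing: read `ls -la` / FTP LIST output on stdin and print one
# line per regular file that carries at least one tag:
#   HIDDEN    dotfile (most FTP servers omit these unless you ask with -a)
#   READONLY  no write bit for anyone (the tom.zip oddity noted above)
#   WRITABLE  world-writable, i.e. an anonymous upload point
triage_listing() {
    awk '$1 ~ /^-/ {
        mode = $1; name = $NF; tags = ""
        if (name ~ /^\./)               tags = tags " HIDDEN"
        if (mode !~ /w/)                tags = tags " READONLY"
        if (substr(mode, 9, 1) == "w")  tags = tags " WRITABLE"
        if (tags != "") printf "%s%s\n", name, tags
    }'
}

# count_tag TAG: how many files in LISTING carry TAG
count_tag() {
    printf '%s\n' "$LISTING" | triage_listing | grep -c " $1"
}

printf '%s\n' "$LISTING" | triage_listing
```

The awk filter keys on the mode string only, so it works on any server whose LIST output is `ls -l` shaped; filenames containing spaces would need a different field split.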

Since those were hidden, I wanted to check those out first.

.@admins contained jumbled text that looked like base64, so I decoded it:

$ base64 -d .@admins
Content of .@admins file

The .@users file wasn’t much different.

Content of .@users file

That made me think Tom might be an admin.

The next file I checked was the welcome.msg file.

Contents of welcome.msg file

Initial foothold:

Now to try to unzip tom’s file.

Passphrase protected id_rsa file

Could the passwords be in the disallowed /logs directory? I tried to browse to it, but got the dreaded 404.

No problem, I'll crack the zip with john instead.

# zip2john extracts the archive's encryption metadata into a hash john can crack
$ zip2john tom.zip > tomhash.txt

# run john against that hash with the rockyou wordlist
$ john tomhash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Success!

Cracked passphrase for id_rsa file

Now I can try to SSH into the machine as Tom.

NOTE: ssh refuses to use a private key that other users can read, so make the key owner-read-only before trying to get a shell.

$ chmod 400 <filename>
Proof of user flag

The user flag is located in the user’s home directory so I’ll go ahead and snag that.

I wanted to see how I could escalate privileges, so I ran a find command to look for SUID binaries, only to discover that I was in a restricted shell.

Restricted shell message

Before moving on, I checked tom's home directory for hidden files and directories.

Hidden file in home directory of Tom

Let’s see what’s in that file and if there is any information I can use.

Contents of .mysql_history

Looks like tom's credentials ended up in his MySQL client history! Time to see if I can log into the MySQL server with them.

Proof of mysql access

I’m in, awesome!

After looking through a lot of tables and finding nothing useful, I went back to my shell and realised the database was a rabbit hole.
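The real win in this step was not the database but the history file: a client wrote a password to disk where any shell, even a restricted one, can read it. As an added example (not from the original post), the script below sweeps a home directory for history files that carry credential-looking lines, which is the check worth running before touching any service the credentials unlock. The history files are constructed samples; the patterns, the history file names and the placeholder password are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sweep a home directory for
# history files that leak credentials, the way tom's .mysql_history did.
# The files below are CONSTRUCTED samples with a placeholder password; on a
# target, run scan_history against the real home directory instead.
HOME_DIR=$(mktemp -d)
cat > "$HOME_DIR/.mysql_history" <<'EOF'
show databases;
use funbox;
CREATE USER 'tom'@'localhost' IDENTIFIED BY 'xxxxxxx';
select * from users;
EOF
cat > "$HOME_DIR/.bash_history" <<'EOF'
ls -la
mysql -u tom -pxxxxxxx
sudo su
EOF

# scan_history DIR: print file:line:text for every history entry that looks
# like it carries a secret. The patterns are assumptions, extend as needed:
#   IDENTIFIED BY '...'   MySQL user creation or password change
#   PASSWORD('...')       SET PASSWORD statements
#   mysql ... -p<value>   password passed inline on the command line
scan_history() {
    dir=$1
    for f in "$dir"/.mysql_history "$dir"/.bash_history "$dir"/.sh_history \
             "$dir"/.zsh_history "$dir"/.psql_history; do
        [ -r "$f" ] || continue
        grep -n -E -i "identified by|password\(|mysql .* -p[^ ]" "$f" \
            | sed "s|^|$f:|"
    done
}

# leak_count DIR: number of suspect lines, usable as a pass/fail gate
leak_count() {
    scan_history "$1" | wc -l | tr -d ' '
}

scan_history "$HOME_DIR"
```

Treat the output as a starting point, not a verdict: `mysql -u tom -p` with the password typed at the prompt leaves nothing in .bash_history, and newer MySQL clients skip statements matching `*IDENTIFIED*:*PASSWORD*` by default, so an empty result does not mean the account is clean.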

Privilege escalation:

All I needed to do, instead of enumerating the database, was try the basic route: I now had tom's password, and sudo only asks for the invoking user's own password, so I checked whether tom could simply become root.

$ sudo su

Just like that I escalated to root access!

Proof of root access

Now to grab the root flag.

Proof of root flag

Reporting:

Disable anonymous login on the FTP server; it was the entry point for everything that followed.

Audit user and group permissions, including sudo rights, to make sure they are configured properly; a single reused password should not be enough to go from a restricted shell to root.

Make sure files containing sensitive information (private keys, archives) are accessible only to the people who need them, and protect them with a strong passphrase; tom.zip fell to the rockyou wordlist.

Keep credentials out of shell and client history files; tom's MySQL history is what handed over his password.
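The report items above are easy to state and easy to regress on, so as an added example (not from the original post) here they are as a check-and-remediate script: flag the vsftpd directives that grant anonymous access, rewrite them, and find the keys and archives under the FTP root that anyone can read. Everything runs against constructed inputs in temp files; the config path, the `anon_root` location and the vsftpd directive names are assumptions about the target's layout, taken from vsftpd's documented options.

```shell
#!/bin/sh
# Added example (not from the original post): the report's fixes as a
# check-and-remediate script. Inputs are CONSTRUCTED temp files; on a real
# host the config is typically /etc/vsftpd.conf and the share sits under
# anon_root (assumptions about the target's layout).
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp
anon_upload_enable=YES
local_enable=YES
write_enable=YES
EOF

ANON_ROOT=$(mktemp -d)
printf 'zip' > "$ANON_ROOT/tom.zip";     chmod 444 "$ANON_ROOT/tom.zip"      # world-readable
printf 'key' > "$ANON_ROOT/id_rsa";      chmod 600 "$ANON_ROOT/id_rsa"       # owner only
printf 'hi'  > "$ANON_ROOT/welcome.msg"; chmod 644 "$ANON_ROOT/welcome.msg"  # not a secret

# ftp_findings CONF: print every directive that grants anonymous users
# access or upload rights; no output means nothing to fix
ftp_findings() {
    grep -E '^(anonymous_enable|anon_upload_enable|anon_mkdir_write_enable|anon_other_write_enable)=YES' "$1" || true
}

# harden_ftp CONF: rewrite those directives to NO and leave the rest intact
harden_ftp() {
    tmp=$(mktemp)
    sed -E 's/^(anonymous_enable|anon_upload_enable|anon_mkdir_write_enable|anon_other_write_enable)=YES/\1=NO/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# exposed_secrets DIR: private keys and archives under DIR whose mode has the
# other-read bit set, i.e. readable by the anonymous FTP user or any local user
exposed_secrets() {
    find "$1" -type f \( -name 'id_rsa' -o -name '*.pem' -o -name '*.zip' \) -perm -004
}

# lock_down_secrets DIR: strip group and other bits from everything found above
lock_down_secrets() {
    exposed_secrets "$1" | while read -r f; do chmod 600 "$f"; done
}

ftp_findings "$CONF"
exposed_secrets "$ANON_ROOT"
```

Run `ftp_findings` and `exposed_secrets` first as a read-only audit, then the two fix functions; re-running the audit afterwards should print nothing. For the history-file item, setting `MYSQL_HISTFILE=/dev/null` in the user's environment stops the MySQL client from writing a history at all.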

Note from Publication: This story was uploaded at the permission of user “xocybersec” on 1/19/24. Please direct any feedback, comments, or citations to the original writer! Thank you — Infosec WatchTower

© [2024] Infosec WatchTower. All rights reserved. Unauthorized use or reproduction of content is prohibited. For inquiries, contact Infosec WatchTower.
