Cybersecurity, Misconfigured permissions, Hacking
Offsec — FunboxRookie Walkthrough
A walkthrough with my tactics, techniques, and procedures.
Reconnaissance/Scanning:
Let’s start things off with a network scan to see which ports are open and the services running on each.
$ nmap -A -O -sC -sV -p- <machine_IP>
Vulnerability assessment:
The scan produced some nice results: an FTP server with anonymous login enabled, numerous files to check, and a robots.txt file pointing to a directory to enumerate.
Notice how the zip file tom.zip only has read permissions; I wonder why only that file has those specific permissions.
Once in the FTP server I found some hidden files.
Since those were hidden, I wanted to check those out first.
.@admins had jumbled text that looked like base64, so I decoded that to find:
$ base64 -d .@admins
The .@users file wasn’t much different.
That made me think that maybe Tom was an admin.
The next file I checked was the welcome.msg file.
Initial foothold:
Now to try to unzip tom’s file.
Could the passwords be in the disallowed /logs directory? I tried to access that directory but got the dreaded 404 error.
No problem, I’ll try to crack that zip file with john.
# using the tool zip2john to turn the file into a hash to further crack
$ zip2john tom.zip > tomhash.txt
# now using john to crack the hash
$ john tomhash.txt -w=/usr/share/wordlists/rockyou.txt
Success!
Now I can try to SSH into the machine as Tom.
NOTE: Be sure to change the permissions of the RSA private key file to owner-read-only before trying to get a shell; SSH refuses to use a private key that other users can read.
$ chmod 400 <filename>
The user flag is located in the user’s home directory so I’ll go ahead and snag that.
I wanted to see how I could escalate my privileges so I ran a find command to locate any SUID files, only to find out I’m in a restricted shell.
Well, before moving on I checked for any hidden files/directories.
Let’s see what’s in that file and if there is any information I can use.
Looks like tom entered his credentials! Time to see if I can log into the mysql server.
I’m in, awesome!
After looking through a lot of the tables without finding anything, I went back to the shell I had and realized I had gone down a rabbit hole.
Privilege escalation:
All I needed to do, instead of enumerating the SQL database, was try the basic way of escalating privileges, since I now had tom’s password.
$ sudo su
Just like that I escalated to root access!
Now to grab the root flag.
Reporting:
It’s highly advised to disable anonymous login on the FTP server.
Check the permissions of users and groups to make sure they’re configured properly.
Make sure files containing sensitive information are accessible only to the proper people and are password protected with a strong password.
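To turn the three reporting points into something an administrator can actually run, here is an added audit script (it is not part of the original walkthrough and does not come from the box's authors). It checks the items the walkthrough exploited: anonymous FTP in vsftpd.conf, files under the FTP root that anyone on the system can read (the tom.zip and hidden dotfile situation), and shell/MySQL history lines that carry a password inline. The vsftpd key name is real; the FTP root and home directory are passed as arguments because their locations are assumptions, and the sample tree used in the test below is constructed.

```shell
#!/bin/sh
# Added audit helper (not from the original walkthrough). Runs against a live
# host or a mounted image; every path is a parameter so it can also run on a
# constructed test tree. Report lines go to stdout; the last line is the
# number of findings.

# Exit 0 when anonymous FTP is off in the given vsftpd.conf, 1 otherwise.
# vsftpd's compiled-in default for anonymous_enable is YES, so a missing key
# counts as enabled. Booleans are case-insensitive in vsftpd.
ftp_anonymous_disabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -n 's/^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    case "$value" in
        [Nn][Oo]*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the number of regular files under the FTP root whose mode bits grant
# read to "other". Mode bits are checked, not effective access, so running
# as root does not change the answer.
ftp_world_readable() {
    find "$1" -type f -perm -o=r 2>/dev/null | wc -l | tr -d ' '
}

# Count history lines that embed a MySQL password: "mysql ... -pSECRET" in
# .bash_history, or an IDENTIFIED BY clause in .mysql_history. Only the
# count is printed; the matching lines (and the secrets) are never echoed.
history_inline_passwords() {
    home="$1"
    cat "$home/.bash_history" "$home/.mysql_history" 2>/dev/null \
        | grep -ciE 'mysql.*[[:space:]]-p[^[:space:]]|identified[[:space:]]+by'
}

# Run all three checks: audit_host <vsftpd.conf> <ftp root> <home dir>
audit_host() {
    conf="$1"; ftproot="$2"; home="$3"
    findings=0

    if ftp_anonymous_disabled "$conf"; then
        echo "OK   anonymous FTP disabled in $conf"
    else
        echo "FAIL anonymous FTP enabled (or $conf unreadable)"
        findings=$((findings + 1))
    fi

    n=$(ftp_world_readable "$ftproot")
    if [ "$n" -eq 0 ]; then
        echo "OK   no world-readable files under $ftproot"
    else
        echo "FAIL $n world-readable file(s) under $ftproot"
        find "$ftproot" -type f -perm -o=r 2>/dev/null | sed 's/^/       /'
        findings=$((findings + 1))
    fi

    n=$(history_inline_passwords "$home")
    if [ "$n" -eq 0 ]; then
        echo "OK   no inline MySQL passwords in history under $home"
    else
        echo "FAIL $n history line(s) with an inline MySQL password under $home"
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
}

# Stand-alone use: ./audit.sh /etc/vsftpd.conf /srv/ftp /home/tom
if [ "$#" -eq 3 ]; then
    audit_host "$@"
fi
```

The world-readable check deliberately looks at mode bits rather than trying to open the files, so it reports the same thing whether the audit runs as root or as an unprivileged reviewer; the history check reports counts only, so the audit output itself never becomes another copy of the credential.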
Note from Publication: This story was uploaded at the permission of user “xocybersec” on 1/19/24. Please direct any feedback, comments, or citations to the original writer! Thank you — Infosec WatchTower
© [2024] Infosec WatchTower. All rights reserved. Unauthorized use or reproduction of content is prohibited. For inquiries, contact Infosec WatchTower.