Today we are going to solve another boot2root challenge called "Pwned: 1". It's available at Vulnhub for penetration testing. This is an easy level lab.
The credit for making this lab goes to Ajs Walker.
Let's get started and learn how to successfully break it down.
Level: Easy
Since these labs are available on the Vulnhub website, we will download the lab file from there.
Penetration Testing Methodology
Recognition
§ Netdiscover
§ Nmap
Enumeration
§ Gobuster
Exploiting
§ Obtaining SSH private key backup
Privilege Escalation
§ Abuse of sysadmin script
§ Abuse of Docker group privileges
§ Capture the flag
Walkthrough
Recognition
As always, we identify the host's IP with the "Netdiscover" tool:
netdiscover
Now start by listing all the TCP ports with the help of Nmap.
nmap -sV -sC -p- 192.168.10.192
To work more comfortably, I'll put the IP address in /etc/hosts.
Enumeration
We visit the web service and find information about the hacker "Annlynn" both in the page body and in commented lines of the source code.
We used Gobuster with a medium directory dictionary, indicating the typical extensions.
We access the directory "/hidden_text" and find a file named "secret.dic", which contains a directory listing.
After checking that listing with Gobuster, we saw that only the directory "/pwned.vuln" exists.
Exploiting (user "Ariana")
We found an exposed administration panel. After trying the typical passwords without success, we checked the source code and found a PHP condition containing some credentials. The comment had already given us the clue about which service to use (FTP).
We connect to the FTP service with the obtained credentials and find an SSH private key for the user "Ariana" and a note.
We then restrict the permissions on the file "id_rsa" and connect through SSH as the user "Ariana".
Once inside, we can read the first flag.
Privilege Escalation (user "Selena")
We run "sudo -l", which shows that we are allowed to execute a script called "messenger.sh" as the user "selena". Checking its code, we see that it runs the message it asks for as a command, via "$msg 2> /dev/null". Given this, we can enter "/bin/bash" as the message so that the script spawns a shell as the user we previously indicated to it.
We start the script...
We indicate the user "selena" and type "/bin/bash"...
That's right! We have obtained a shell with this user, we read the 2nd flag.
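The flaw described above is an unquoted expansion of user input in command position. As an added example (not the lab's own messenger.sh, whose full contents are not shown here), the following script reproduces that pattern next to a hardened version that only ever treats the message as data, plus a small audit helper that flags the dangerous line in any script granted through sudo. The message is taken as a positional parameter, which is an assumption; the real script prompts for it.

```bash
#!/bin/sh
# Added example, not the lab's code: vulnerable vs. hardened message delivery.

# Vulnerable pattern (what the walkthrough describes): the unquoted "$msg"
# is word-split and executed as a command line, so any text typed by the
# caller runs with the script's privileges.
vulnerable_deliver() {
    msg="$1"
    $msg 2> /dev/null
}

# Hardened pattern: the message is written out as data via printf and is
# never evaluated, whatever it contains.
safe_deliver() {
    msg="$1"
    printf '%s\n' "$msg"
}

# Audit helper: prints the line numbers in a script where the first token
# of a command is a variable expansion or "eval". Exit status is grep's:
# 0 when a suspicious line was found, 1 when the file is clean.
audit_delivery_script() {
    grep -nE '^[[:space:]]*(\$[A-Za-z_]|eval[[:space:]])' "$1"
}

# Constructed sample: a copy of the vulnerable body written to a temp file,
# so the audit can be demonstrated offline.
sample_vulnerable_script() {
    f=$(mktemp)
    printf '%s\n' 'msg="$1"' '$msg 2> /dev/null' > "$f"
    printf '%s\n' "$f"
}
```

Running audit_delivery_script over a file that sudo lets an unprivileged user execute is a quick triage step: a hit on a line such as `$msg 2> /dev/null` means the sudo rule effectively grants an arbitrary shell as the target user.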
Privilege Escalation (root)
We type "id" and see that we belong to the group "docker". We then check which Docker images are available and run the command that gives us a shell as root by mounting the host filesystem into a container.
Finally, we read the flag.
docker run -v /:/mnt --rm -it privesc chroot /mnt sh
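Membership of the docker group is equivalent to root on the host, which is exactly what the command above relies on. As an added example (not part of the original walkthrough), the following helpers let an administrator list who holds that membership from a copy of /etc/group. The group excerpt embedded below is constructed for the demonstration and is not the lab's file.

```bash
#!/bin/sh
# Added example, not the lab's code: audit docker group membership.

# Print the comma-separated member list of the "docker" group from the
# given group file (normally /etc/group).
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }' "$1"
}

# Exit 0 if the user named in $1 is listed in the docker group of file $2.
is_docker_member() {
    docker_group_members "$2" | tr ',' '\n' | grep -qx "$1"
}

# Emit one warning line per member; these accounts can reach root on the
# host through the Docker daemon and should be reviewed like sudoers.
report_docker_members() {
    docker_group_members "$1" | tr ',' '\n' | while read -r u; do
        [ -n "$u" ] && printf 'WARN: %s is in the docker group (root-equivalent)\n' "$u"
    done
}

# Constructed sample /etc/group excerpt for an offline demonstration.
sample_group_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:
sudo:x:27:ariana
docker:x:999:selena,ariana
EOF
    printf '%s\n' "$f"
}
```

Run report_docker_members /etc/group on a host to see who effectively has root; the fix is to remove non-administrators from the group (or use rootless Docker) rather than relying on the container boundary.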
Author: David Utón is a Penetration Tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks.