1. Start by running the machine and obtaining the IP address.
SCANNING & ENUMERATION
2. Scan the given IP with nmap. The command I’ve used is nmap -n -Pn -T5 -A <IP_address> where
a) -n is used to turn off DNS lookup of the given IP
b) -Pn is used to treat the host as online
c) -T5 is used to increase the speed of the scan to maximum
d) -A is used to perform an aggressive scan which is the combination of OS fingerprinting, service version detection and running the default scripts.
3. Another scan that I always go with is the vulnerability scan using the Nmap Scripting Engine (NSE). The command is nmap -n -Pn -T5 --script=vuln <IP_address> where
a) --script=vuln is used to invoke the scripts that belong to the vuln category
4. These scans will provide the following information along with the answer to task 1
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache
111/tcp open rpcbind 2-4
139/tcp open netbios Samba smbd
445/tcp open netbios Samba smbd
2049/tcp open nfs_acl nfs
Additional information would be that a disallowed entry exists in the robots.txt file on port 80
5. The next step is to enumerate the Samba shares residing on ports 139 and 445. For this we can use several tools such as smbclient, smbmap, etc. The command for smbmap is: smbmap -H <IP_address>
and the one for smbclient is: smbclient --list <IP_address>
6. In order to enumerate a particular share we can use smbclient with the command: smbclient \\\\<IP_address>\\anonymous. If you’re wondering whether all of these backslashes are essential, then yes they are. So we’ll enumerate the anonymous share and look for the files under it.
7. In order to download this file we can use the mget command.
8. This file contains the configuration of the FTP server running on the machine. However, it doesn’t provide any other useful info. It claims to allow anonymous login to the FTP server, but sadly that hasn’t actually been implemented, leaving us with no further trail to follow.
9. The next step is the enumeration of NFS running on port 2049. For this we’ll use showmount to take a look at the shared files and folders. The command for it is: showmount -e <IP_address>
10. This provides us with a folder that is shared on the target machine and can be mounted by us with the following command: sudo mount <IP_Address>:<Folder_Name> <Folder_Name_on_Local_Machine>
Task 2 has been completed. You can try to enumerate the HTTP server running on port 80, but the result is unlikely to be useful.
11. Now this folder in its current state doesn’t hold any valuable data. Therefore our next step is the enumeration of FTP server running on port 21. A quick search on exploit-db provides us with the following results.
We can try to use the mod_copy vulnerability with the help of Metasploit, but the exploit fails against this box. So our next step is to use the File Copy vulnerability. I won’t go into much detail about this vulnerability but will give you its basic explanation: it allows an attacker to copy a file and paste it into some other location within the same system. But we haven’t penetrated the machine yet, so how are we going to get access to a file if we copy it somewhere else? Think again: have we really not got a foothold on the system? What about NFS?
12. In order to use this exploit we’ll first connect to the system via port 21. For this we’ll use telnet.
At this point we cannot list the files in any folder and can only copy files that don’t require root permissions to read. You can try to access /etc/passwd, but it won’t provide us with any valuable information. Take a look at the ports open on the system. Is there a port left that we haven’t enumerated yet?
13. We will copy the private key of the SSH server which will help us in logging into the machine without a password. For this we will use the site cpfr and site cpto commands as shown below.
14. Change the permissions of this file with the following command: chmod 600 id_rsa.
15. Use it with the ssh command along with parameter -i and gain access to the machine.
16. Obtain the user.txt file and cat it. Task 3 has been completed
17. In this part we’ll take a look at the whole filesystem and try to find the files that have the SUID bit set. This can be done with the find command as follows: find / -perm -u=s 2>/dev/null
18. At this point we’re supposed to spot the odd file out, but I’ve never been able to do that just by looking at the list, and neither do you have to. Just run the same command on your local system and compare the two results. You’ll notice that /usr/bin/menu is the only file that doesn’t appear on your local system.
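The comparison in step 18 can be scripted instead of eyeballed. This is an added helper, not part of the original write-up: it diffs a host's SUID list against a known-good baseline (e.g. from a clean install of the same distribution), and the two file lists below are constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the original write-up): automate the comparison
# done in step 18 by diffing a host's SUID list against a known-good baseline
# taken from a clean system of the same distribution.

# Enumerate SUID files on the running host, one absolute path per line.
collect_suid() {
    find / -xdev -type f -perm -u=s 2>/dev/null | sort -u
}

# Print paths present in the target list ($2) but absent from the baseline
# ($1). Both arguments are files holding one path per line; comm needs sorted
# input, so both are sorted into a scratch directory first.
suid_extras() {
    scratch=$(mktemp -d)
    sort -u "$1" > "$scratch/baseline"
    sort -u "$2" > "$scratch/target"
    comm -13 "$scratch/baseline" "$scratch/target"
    rm -rf "$scratch"
}

# Constructed sample data standing in for the two find outputs; /usr/bin/menu
# is the entry from the write-up, the rest are ordinary SUID binaries.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/baseline.txt" <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
EOF
cat > "$SAMPLE/target.txt" <<'EOF'
/bin/mount
/bin/su
/usr/bin/menu
/usr/bin/passwd
/usr/bin/sudo
EOF

# Returns only the unexpected entries, here a single line: /usr/bin/menu
demo_extras() {
    suid_extras "$SAMPLE/baseline.txt" "$SAMPLE/target.txt"
}

echo "SUID binaries not in baseline:"
demo_extras
```

On a real host, run collect_suid on the clean reference machine and on the target, save both outputs, and feed them to suid_extras.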
19. Try running this file. You’ll be presented with three options which will provide an output based on your choice. You can try to cat this file and you’ll notice the commands running behind these options as shown in the last line of the image below.
20. While designing such a script the best practice is to use absolute paths (such as /home/foobar/example.txt) instead of relative ones (such as example.txt). In this case curl, uname and ifconfig have been programmed into the script by bare name, which can be exploited with a technique called Path Variable Manipulation. What this technique does is add an entry to the PATH variable. Now when the command ifconfig is executed, the shell walks the entries of the PATH variable in order to find the file. Here we’ll make sure that the system finds and executes our file before it moves on and finds the original ifconfig binary.
21. To do this:
a) Go to /tmp directory.
b) Create a new file called ifconfig
c) Add the following line into it: /bin/bash
d) Change its permission to 777
e) Add that directory to PATH
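To make the point of step 20 concrete, here is an added example (not the original /usr/bin/menu) of the same menu written the weak way and the hardened way, with a harmless constructed stand-in for uname to show which one the tampered PATH affects. The absolute tool paths in the hardened form assume a Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example, not the original /usr/bin/menu: the same menu written the
# weak way (bare command names, inherited PATH) and the hardened way (fixed
# PATH, absolute paths). A constructed stand-in "uname" shows which one wins.

# Weak form: the shell searches the caller's PATH for "uname", so a directory
# the caller prepended to PATH is consulted before /bin.
weak_menu() {
    case "$1" in
        1) curl -I localhost ;;
        2) uname -r ;;
        3) ifconfig ;;
    esac
}

# Hardened form: PATH is reset to a known value inside the script and the
# tools are named by absolute path, so the caller's PATH is irrelevant.
# (Absolute paths assumed for a Debian/Ubuntu layout.)
hardened_menu() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    case "$1" in
        1) /usr/bin/curl -I localhost ;;
        2) /bin/uname -r ;;
        3) /sbin/ifconfig ;;
    esac
}

# Constructed fixture: a harmless stand-in "uname" in a temp directory that
# only prints a marker, mimicking the directory added to PATH in step 21.
FAKEDIR=$(mktemp -d)
printf '#!/bin/sh\necho HIJACKED\n' > "$FAKEDIR/uname"
chmod 755 "$FAKEDIR/uname"

# Run option 2 of each variant in a subshell with the tampered PATH.
run_weak()     { ( PATH="$FAKEDIR:$PATH"; export PATH; weak_menu 2 ); }
run_hardened() { ( PATH="$FAKEDIR:$PATH"; export PATH; hardened_menu 2 ); }

echo "weak     -> $(run_weak)"       # prints the marker, not the kernel release
echo "hardened -> $(run_hardened)"   # prints the real kernel release
```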
22. Try running the menu file now.
23. You have been escalated to root privileges.
24. Now you can access the root folder which houses root.txt marking the end of task 4.