search

Breakout

Difficulty: Easy

hashtag
Enumeration

hashtag
nmap

We start scanning with nmap with the following command line. This line scans all open ports, tries to detect the services running on the ports, determine the versions and run detection scripts.

sudo nmap -p- -sC -sV --min-rate 5000 --open -vvv -n -Pn 192.168.1.46
PORT      STATE SERVICE     REASON         VERSION
80/tcp    open  http        syn-ack ttl 64 Apache httpd 2.4.51 ((Debian))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
445/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
10000/tcp open  http        syn-ack ttl 64 MiniServ 1.981 (Webmin httpd)
|_http-server-header: MiniServ/1.981
|_http-favicon: Unknown favicon MD5: 75C5BD2E2D20D547F33BCB04ADB20CD0
|_http-title: 200 — Document follows
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
20000/tcp open  http        syn-ack ttl 64 MiniServ 1.830 (Webmin httpd)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 79B65889866572A8F43F8DDE9150D647
|_http-title: 200 — Document follows
|_http-server-header: MiniServ/1.830

hashtag
whatweb

We then use whatweb to identify technologies and platforms used by this website.

hashtag
View Page Source

We go to the web browser and check that Apache2 is running.

Let's check the source code and find a pleasant surprise.

This appears to be a program written in a specific programming language called Brainfuck. Brainfuck is a minimalist programming language designed to be extremely simple with a minimal set of instructions.

We interpret this line on a web site and we get the following result:

hashtag
enum4linux

With enum4linux we will collect information about the users and shared resources on a system.

We have found a local user.

hashtag
Exploitation

Now that we have these possible credentials, let's try to access them on port 20000.

User: cyber => Pass: .2uqPEfj3D<P'a-3

And to a positive result, we have agreed. After navigating through the different sections, we access the Command Shell and check that it returns the commands.

We start the common procedure to generate a reverse shell with netcat.

We find the file user.txt and with the cat command we can read it.

To search for vulnerabilities we use the command line getcap -r / 2>/dev/null which is used to search and display Linux capabilities in executable files on the system.

The cap_dac_read_search=ep capability associated with the tar binary in the /home/cyber directory indicates that the tar binary has the right to read and search directories even if it does not have standard read permissions.

hashtag
Privilege Escalation

Doing a little bit of enumeration on the machine, we can see that there is a old_pass.bak file located in /var/backups but we don’t have the required permissions to view the file contents.

The following command line is using the tar command to create a backup file named pass.tar containing the contents of the file /var/backups/.old_pass.bak and thus exploiting the vulnerability found in this binary.

We extract the data with the following line and get root.

hashtag
Flags

hashtag
user.txt

hashtag
root.txt

With this we have successfully completed this machine.

Last updated