My Attempt

User.txt

Enumeration

There were only 2 ports open. Since SSH is rarely the vulnerable service, the vulnerability is most likely in the web application on port 80. Using gobuster, the following directories were discovered.

By visiting the website, a page for testing .php scripts is shown.

I tried to submit "info.php" and it returned information about the server's OS. I also noticed that the URL included the file name as a parameter. This suggests that the page might be vulnerable to local or remote file inclusion (LFI/RFI).

Trying the other pages listed on the index page, "listfiles.php" gave some interesting results.

This page seems to list the files in the current directory. Besides the PHP files listed on the index page, there is a "pwdbackup.txt" file, which appears to be a password backup. I used the index page's function to submit this file name, and it returned the content of "pwdbackup.txt".

Judging by the trailing "=" padding, the string appears to be base64 encoded. The first line of the file says that the string is encoded at least 13 times, so I used the CyberChef website (https://cyberchef.org/) to decode it repeatedly. As a result, I got the password "Charix!2#4%6&8(0".
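As an added example (not part of the original write-up), the following Python script reproduces the repeated base64 decode done in CyberChef above: it keeps decoding until the output no longer validates as base64, which is how a tool knows when to stop. The password is the one recovered on this page; the 76-column line wrapping of the constructed sample blob is an assumption about the backup file's layout.

```python
import base64
import binascii

# Password recovered in the write-up; used only to construct a sample blob.
PASSWORD = "Charix!2#4%6&8(0"
LAYERS = 13          # pwdbackup.txt said it was encoded 13 times
LINE_WIDTH = 76      # assumed line-wrap width for the constructed file

def wrap_base64(data, layers=LAYERS, width=LINE_WIDTH):
    """Base64-encode `data` `layers` times and line-wrap the result.
    Builds constructed test input resembling pwdbackup.txt."""
    for _ in range(layers):
        data = base64.b64encode(data)
    lines = [data[i:i + width] for i in range(0, len(data), width)]
    return b"\n".join(lines) + b"\n"

def _looks_like_base64(data):
    """True if data is non-empty, a multiple of 4 long and decodes under
    strict validation (alphabet and padding are both checked)."""
    if not data or len(data) % 4:
        return False
    try:
        base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def unwrap_base64(blob, max_layers=64):
    """Peel base64 layers until the result no longer validates as base64.
    Returns (plaintext, layers_removed). Whitespace (line wrapping) is
    removed before each check, but the final plaintext is returned as-is.
    The stop test is a heuristic: a plaintext that happens to be valid
    base64 (e.g. b"abcd") would be decoded once too often, so inspect
    the result. max_layers guards against runaway loops."""
    data, layers = blob, 0
    while layers < max_layers:
        candidate = b"".join(data.split())
        if not _looks_like_base64(candidate):
            break
        data = base64.b64decode(candidate, validate=True)
        layers += 1
    return data, layers

if __name__ == "__main__":
    text, n = unwrap_base64(wrap_base64(PASSWORD.encode()))
    print(f"removed {n} layers -> {text.decode()}")
```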

User Shell

From the password text I assumed that the user is "charix". Using the credentials "charix:Charix!2#4%6&8(0" I could log in to the server over SSH.

The user.txt file can be found in the home directory of "charix".

Root.txt

My Attempt

The sudo command is not present on the server. Using find, I did find some interesting binaries with the SUID bit set. I looked them up in GTFOBins (https://gtfobins.github.io/#) to see whether any of them had a known exploit, but unfortunately none of them seemed exploitable.

I also ran LinPEAS to look for any obvious privilege-escalation vectors, but I did not find anything useful in its output.

In the home directory of "charix" there is a secret.zip file. After downloading it and unzipping it with the password "Charix!2#4%6&8(0", I got the following file.

I did not know what this file was supposed to be, so I started reading the write-up.

Following Writeup

The write-up uses the following command to read the file content in hex format.

Even so, the content still did not make sense to me.

Reading further, the write-up suggests that this file is used for the VNC connection.

VNC

The write-up shows that the server is listening on ports 5801 and 5901 on localhost, which are typical VNC ports. Revisiting my LinPEAS output, it does show a process listening on port 5901 that is running as root.

To reach port 5901, I used SSH tunneling to forward traffic from 127.0.0.1:5901 on my machine to port 5901 on the server.

Then, using vncviewer with the "secret" file as the password file, I was able to connect to the VNC session running as root.
