Seppuku | OffSec Writeup

Network scanning

We used Nmap for port scanning.

nmap -A -sC -sV <target IP>

We used Nmap for port enumeration and discovered the following open ports: port 21 for FTP, port 22 for SSH, port 80 for HTTP, ports 139 and 445 for NetBIOS-SSN (SMB), port 7080 for SSL/HTTP, port 7601 for HTTP, and port 8088 for HTTP.

Then we visited http://192.168.217.90:8088.

Then I ran gobuster on port 8088 and found many hidden directories; I went through all of them but did not find anything useful. Next I ran gobuster on port 7601 and found several important directories, such as secret, keys and production.

gobuster dir -u https://IP:7601 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

When we navigated to the directories enumerated above, starting with keys, we found some files; the one named private was useful for us.

https://IP:7601/keys

This link leads us to a page called private, which contains a private key for some user we have not identified yet.

Further, we will explore the 'secret' directory that we discovered during our Gobuster scan.

https://IP:7601/secret

As a result, it gives us some very important files, such as password.lst and hostname.

Here we found a file named hostname, which gave us a username, i.e. seppuku.

I went into all the folders one by one and found the hostname file.

open passwd.bk

After downloading passwd.bk and opening it, I found a password.lst file. I copied it and saved it on my Linux system to use as a wordlist for the password brute force.

nano passwordlisst.txt        

Exploiting

We have obtained the username 'seppuku'. Our next task is to find the password for the user 'seppuku' using Hydra for SSH login brute force.


hydra -l seppuku -P passwordlisst.txt 192.168.217.90 ssh

From its result, we found the password eeyoree for seppuku.

We have a username and password, so we tried to access the SSH on the target system and we were successfully able to log in.

ssh seppuku@192.168.217.90        
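A password-list attack like the hydra run above leaves a very recognisable trace in sshd's auth log: a burst of "Failed password" lines from one source address, often ending in an "Accepted password" line. The following detection script is an added example, not part of the original writeup; the log lines it runs over are constructed, and the attacker address 192.168.217.5 is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not taken from the original writeup).
# 192.168.217.5 is an assumed attacker address; the burst mimics what a
# password-list attack such as the hydra run above leaves behind in sshd logs.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:01 seppuku sshd[1201]: Failed password for seppuku from 192.168.217.5 port 50210 ssh2
Mar  3 10:01:01 seppuku sshd[1203]: Failed password for seppuku from 192.168.217.5 port 50212 ssh2
Mar  3 10:01:02 seppuku sshd[1205]: Failed password for seppuku from 192.168.217.5 port 50214 ssh2
Mar  3 10:01:02 seppuku sshd[1207]: Failed password for invalid user admin from 192.168.217.5 port 50216 ssh2
Mar  3 10:01:03 seppuku sshd[1209]: Failed password for seppuku from 192.168.217.5 port 50218 ssh2
Mar  3 10:01:03 seppuku sshd[1211]: Accepted password for seppuku from 192.168.217.5 port 50220 ssh2
Mar  3 10:05:40 seppuku sshd[1300]: Failed password for samurai from 10.0.0.7 port 41000 ssh2
Mar  3 10:09:12 seppuku sshd[1310]: Accepted publickey for tanto from 10.0.0.7 port 41010 ssh2
"""

# Matches the two OpenSSH outcome lines we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return a list of (timestamp, result, user, ip) tuples.

    Syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window=60):
    """Flag source IPs with >= threshold failed logins inside any `window`
    seconds. For each flagged IP also report whether a successful login
    followed the last failure, which is the case worth escalating."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        by_ip[ip].append((ts, result, user))

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, result, _ in evs if result == "Failed"]
        # Sliding window over the sorted failure timestamps.
        best, start = 0, 0
        for end in range(len(fails)):
            while (fails[end] - fails[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = fails[-1]
        alerts[ip] = {
            "failures": best,
            "users": sorted({user for _, result, user in evs if result == "Failed"}),
            "success_after": any(
                result == "Accepted" and ts >= last_fail for ts, result, _ in evs
            ),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On the sample data only 192.168.217.5 is flagged (five failures inside a few seconds, then a successful password login for seppuku), while the single failure from 10.0.0.7 stays below the threshold. The success_after field is what turns a noisy "someone is guessing" alert into a "credential is now compromised" one.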


ls
cat local.txt
cd /home
User flag:

I noticed that the cd command was not working because of the restricted shell, so I ran this command:

python3 -c 'import pty; pty.spawn("/bin/bash")'
cd /home

Then the cd command worked:

cd /home

ls

I found that there are several users here, namely tanto, samurai and seppuku.

ls -la         

After logging in, we proceeded to look for hidden files. We discovered a hidden file called .passwd, which gave us a password, though at this point we did not know which account it belonged to.

Here I found a password.

I tried to log in over SSH as tanto with it, but I didn't succeed. Then I remembered that I had found the private file, which contained an RSA key.


Again we see the rbash restriction error, and again we bypass the restricted shell with our earlier python command. To check for privilege escalation we run sudo -l, and here we found a script entry that can be run without a password.

python -c 'import os; os.system("/bin/bash");'
sudo -l        

I logged in over SSH as the samurai user.

Privilege Escalation

Now that we have read-write permissions in the user's home directory, we first create a .cgi_bin directory. Then we move into that directory and use echo to create a simple bash script, and give everyone read, write and execute permission on the file.

After logging in as tanto, we searched for the .cgi_bin directory, which the sudo entry would execute. Unfortunately, we couldn't find this directory, so we created a directory named .cgi_bin and saved the bash script in a file named "bin" to obtain a bash shell through it.

mkdir .cgi_bin
cd .cgi_bin/
echo "/bin/bash" > bin
chmod 777 bin
ls -la        

Now it was time to exploit the .cgi_bin program, so we logged in as samurai again, ran the following command, obtained a root shell and finished the challenge by capturing the root flag.

sudo ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*
cd /root
ls
cat proof.txt        
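The root of this privilege escalation is not the sudo rule itself but where its command lives: it resolves to a file under /home/tanto, so whoever can write there (tanto as the owner, and here anyone at all thanks to chmod 777) decides what runs as root. The audit helper below is an added example, not part of the original writeup or of the OffSec lab; the stat data is constructed, and the uids tanto=1001 and samurai=1002 are assumptions. It walks from the command file up to / and reports every link in the chain the invoking user could tamper with, which is the check a sudoers reviewer should run on any NOPASSWD entry.

```python
import os
import stat
from collections import namedtuple

# One filesystem object: absolute path, st_mode, owner uid, owner gid.
Entry = namedtuple("Entry", "path mode uid gid")


def caller_can_write(entry, uid, gid):
    """Would a process running as uid/gid be allowed to write this entry?
    Classic owner/group/other bits only (no ACLs, no capabilities)."""
    if uid == 0:
        return True
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid == gid:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def audit_chain(chain, uid, gid):
    """chain[0] is the command a sudo rule points at; chain[1:] are its
    ancestor directories up to '/'. Returns (path, reason) for every link
    the caller could tamper with. Any finding means the rule lets the
    caller run code of their choosing as the rule's target user."""
    findings = []
    if caller_can_write(chain[0], uid, gid):
        findings.append((chain[0].path, "command file is writable by the caller"))
    for i in range(1, len(chain)):
        parent, child = chain[i], chain[i - 1]
        if not caller_can_write(parent, uid, gid):
            continue
        # In a sticky directory the caller can only rename or remove entries
        # they own, so a foreign child behind a sticky parent is safe.
        if parent.mode & stat.S_ISVTX and parent.uid != uid and child.uid != uid:
            continue
        findings.append((parent.path, "ancestor directory is writable by the caller, so the command path can be swapped"))
    return findings


def chain_from_fs(path):
    """Build a chain from the live filesystem for a path that exists."""
    path = os.path.abspath(path)
    chain = []
    while True:
        st = os.lstat(path)
        chain.append(Entry(path, st.st_mode, st.st_uid, st.st_gid))
        parent = os.path.dirname(path)
        if parent == path:  # reached '/'
            return chain
        path = parent


# Constructed stat data, not read from the box. Assumed ids: tanto=1001,
# samurai=1002 (private groups of the same number). Mirrors the layout the
# writeup creates: /home/tanto/.cgi_bin/bin with mode 777.
WEAK = [
    Entry("/home/tanto/.cgi_bin/bin", stat.S_IFREG | 0o777, 1001, 1001),
    Entry("/home/tanto/.cgi_bin", stat.S_IFDIR | 0o755, 1001, 1001),
    Entry("/home/tanto", stat.S_IFDIR | 0o755, 1001, 1001),
    Entry("/home", stat.S_IFDIR | 0o755, 0, 0),
    Entry("/", stat.S_IFDIR | 0o755, 0, 0),
]
# The same helper placed where only root can touch it (hypothetical path).
SAFE = [
    Entry("/usr/local/bin/cgi-helper", stat.S_IFREG | 0o755, 0, 0),
    Entry("/usr/local/bin", stat.S_IFDIR | 0o755, 0, 0),
    Entry("/usr/local", stat.S_IFDIR | 0o755, 0, 0),
    Entry("/usr", stat.S_IFDIR | 0o755, 0, 0),
    Entry("/", stat.S_IFDIR | 0o755, 0, 0),
]

if __name__ == "__main__":
    for who, uid in (("tanto", 1001), ("samurai", 1002)):
        print(who, "->", audit_chain(WEAK, uid, uid))
    print("root-owned ->", audit_chain(SAFE, 1002, 1002))
```

For tanto the weak layout yields three findings (the file and two home-directory links); for samurai it still yields one, because mode 777 on bin is enough on its own. The root-owned layout yields none, which is the state a NOPASSWD rule should be in before it is granted. On a live host, chain_from_fs() feeds the real stat data into the same check.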

Root flag
