It’s been a while since I have done a write-up and I am happy to say I’m back with one! This is the 5th machine I’ve done for my OSCP preparation so let’s get started! Also, I have a few more write-ups in the bank so I’ll get to it ASAP uwu.
The first step is to find out our target machine’s IP address. We can do that with a host discovery scan of our network:
sudo nmap -sn -oN nmap_discovery 192.168.110.0/24
Knowing that 192.168.110.133 is our attacker machine’s IP address, we can identify 192.168.110.139 as our target. Once the target has been identified, we can perform a port scan against it with the following:
sudo nmap -sC -sV -Pn -p- 192.168.110.139 -oN nmap_port_scan
- -sC: Loads the default nmap scripts
- -sV: Version scan
- -Pn: Assumes the host is up (skips host discovery)
- -p-: Scans all 65535 ports
- -oN: Writes the output file in normal format
The results of the port scan reveal that these services are being hosted on the target:
- FTP
- SSH
- SMB
- a Web Server
- SMTP
With FTP, let’s try to see whether it allows anonymous logins.
And it does! Listing the directory, we can see a download folder and an upload folder.
The download folder does not contain anything useful. However, the upload directory has a file which contains the directory listing of a user.
Okay, breaking the fourth wall a bit, I actually have done this box before and this is the second time I’m doing it so I kinda know where to proceed.
At this point I was stuck, so I gave up on the FTP server route for initial foothold and took a look at the web server.
With a web server available, directory brute forcing is our next step. I used gobuster to enumerate the directories on the web server:
gobuster dir -u http://192.168.110.139 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.js,.css,.txt -t 100 -o directory_brute
- dir: Uses gobuster in directory brute forcing mode
- -u: The target’s URL
- -w: The wordlist used to enumerate the web server’s directories
- -x: Extensions appended to every word in the wordlist
- -t: Number of threads
- -o: The output file
But I found nothing.
However, having the version of OSSEC, let’s check for any available exploits on ExploitDB with the searchsploit command.
Note:
- -x: Examines the exploit file
- -m: Copies the exploit file into the current directory
Again, I found nothing.
So the last resort was brute-forcing. Knowing that there is a user named patrick, let’s brute-force the pop3 service. However, again, that was not possible.
Remember how I said I did this box before? Well, a bit of Google searching eventually got me the answer on the second try lol
In our nmap scan, we have the version of the FTP server being hosted. Doing some Google searching on how to exploit FTP servers, I found a very unique capability on ProFTPD 1.3.5.
If the vulnerability is present on 1.3.5, it could be present on 1.2.10. So let’s try that route.
Looking at the directory listing from earlier, the version_control file looks interesting. Using nc to connect to the FTP server, we can use the following commands:
- SITE CPFR: Selects a file on the target system to be copied
- SITE CPTO: Selects the destination the selected file is copied to
Note: The default directory for FTP files is /home/ftp
Doing that allows us to read the contents of version_control.
Reading the file tells us the versions of the services being hosted on the target, as well as that the root directory of the web server is /var/www/tryharderisjoy.
Having the actual version of ProFTPd, let’s check for any available exploits on ExploitDB with the searchsploit command.
And there are exploits available for initial foothold!
From here on out, I was tinkering with the 2 exploits that do not require Metasploit. It took a long time but I managed to get it running, thanks to t0kx’s exploit (which was not present in searchsploit).
However, having read the available scripts over and over, I think I have the responsibility to explain what they all do.
Basically, as we are able to copy files across the system with ProFTPd, we can also create a web shell and copy it to the root of the web directory. That is the reason why the root directory of the web server is given.
With that, we are able to create a web shell!
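As an added detection-side example (not code from this write-up or from ProFTPD; the SITE CPFR/CPTO commands belong to ProFTPD's mod_copy module), here is a small Python triage script that runs over constructed ProFTPD-style log lines: it pairs each SITE CPFR with the following SITE CPTO from the same client and user, and flags copies that land outside the FTP root, inside a web root, or with a script extension. The log field order, the /home/ftp FTP root and the /var/www web root are assumptions taken from this box.

```python
import re

# Constructed sample lines (not real ProFTPD output). The field order
# "timestamp user client command [argument]" is an assumption for this example;
# the paths reuse this box's FTP root and web root.
SAMPLE_LOG = """\
2020-01-01T10:00:01 anonymous 192.168.110.133 USER anonymous
2020-01-01T10:00:05 anonymous 192.168.110.133 SITE CPFR /home/ftp/upload/version_control
2020-01-01T10:00:06 anonymous 192.168.110.133 SITE CPTO /home/ftp/upload/vc_copy
2020-01-01T10:00:10 patrick 10.0.0.5 RETR report.txt
2020-01-01T10:01:00 anonymous 192.168.110.133 SITE CPFR /home/ftp/upload/x.php
2020-01-01T10:01:01 anonymous 192.168.110.133 SITE CPTO /var/www/tryharderisjoy/x.php
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<client>\S+) (?P<cmd>SITE \S+|\S+)\s*(?P<arg>.*)$")
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh")

def detect_mod_copy_abuse(log_text, ftp_root="/home/ftp", web_roots=("/var/www/",)):
    """Pair each SITE CPFR with the next SITE CPTO from the same client/user and
    score the copy. Every CPTO is reported; the path checks decide the severity."""
    pending = {}   # (client, user) -> source path from the last CPFR
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["client"], m["user"])
        cmd = m["cmd"].upper()
        if cmd == "SITE CPFR":
            pending[key] = m["arg"]
        elif cmd == "SITE CPTO":
            src, dst = pending.pop(key, None), m["arg"]
            reasons = []
            if not dst.startswith(ftp_root.rstrip("/") + "/"):
                reasons.append("destination outside FTP root")
            if dst.startswith(tuple(web_roots)):
                reasons.append("destination inside a web root")
            if dst.lower().endswith(SCRIPT_EXTS):
                reasons.append("destination has a script extension")
            severity = "high" if reasons else "low"   # any path hit is high
            if m["user"] == "anonymous":
                reasons.append("issued by the anonymous user")
            findings.append({"ts": m["ts"], "client": m["client"], "user": m["user"],
                             "src": src, "dst": dst, "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in detect_mod_copy_abuse(SAMPLE_LOG):
        print(f["severity"].upper(), f["client"], f["user"], f["src"], "->", f["dst"], f["reasons"])
```

On the sample the copy within /home/ftp is reported as low and the copy into the web root as high, which is the pair of events a defender would want alerted on for this box.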
Now that we have remote code execution (RCE), let’s find a reverse shell on PayloadsAllTheThings and listen on port 4444:
nc -lvnp 4444
This python reverse shell seems to work!
Let’s upgrade our shell to make it more interactive with python3:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Enumerating through the web server’s directory, the credentials for patrick were found. With that, we can switch to the user patrick.
With our current user, let’s see whether we have sudo capabilities with:
sudo -l
We can see that patrick can run the script test.
The script basically allows users to change the permissions of files and directories within the current directory. However, using directory traversal, we can change the root folder to have read and write permissions.
Doing so gives us the flag!
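As an added example (not the box's actual test script, which this write-up does not reproduce), here is a hypothetical reconstruction in Python of the weak check beside a hardened one: the weak version only joins the requested name onto the working directory, so "../../root" walks out of it, while the hardened version resolves the path (following symlinks) and refuses anything that does not stay inside the allowed directory. The /home/patrick base directory is an assumption.

```python
import os

def naive_target(base, name):
    """Hypothetical reconstruction of the weak check: the name is simply joined
    onto the working directory, so '../../root' (or an absolute path) escapes it."""
    return os.path.join(base, name)

def check_target(base, name):
    """Resolve the requested name and confirm it stays inside base.
    Returns (allowed, resolved_path). realpath follows symlinks, so a link
    planted inside base that points at /root is rejected too."""
    base_real = os.path.realpath(base)
    resolved = os.path.realpath(os.path.join(base_real, name))
    allowed = resolved == base_real or resolved.startswith(base_real + os.sep)
    return allowed, resolved

def restricted_chmod(base, name, mode):
    """Only chmod paths that check_target accepts; refuse traversal escapes."""
    ok, path = check_target(base, name)
    if not ok:
        raise PermissionError(f"refusing to chmod {path}: outside {base}")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(naive_target("/home/patrick", "../../root"))        # escapes to /root
    print(check_target("/home/patrick", "../../root"))        # (False, '/root')
    print(check_target("/home/patrick", "notes.txt"))         # (True, .../notes.txt)
```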
So with that said, I really liked this box because it introduced me to a new vulnerability within ProFTPd servers. Even though I kinda knew how to get into the box, doing the box the second time taught me that enumeration is key through Uncle Google (Yes imma call Google that).