My File Server: 3 (CK 03) Walkthrough infosecwarrior : Vulnhub CTF

Shubham mandloi
Apr 6, 2020

Download: My File Server: 3 CTF

This CTF machine was designed by CyberKnight. I would call this box on the easy side …

Penetration Testing Methodologies

Network Scan
• Netdiscover
• Nmap

Enumeration

• Nikto
• Injecting authorized_keys via smb
• ProFTPd 1.3.5 — File Copy

Privilege Escalation
• Capture the Flag.
• password
• sudo

Network Scanning

netdiscover -i vboxnet0

So, as always, we start with netdiscover to get the IP of the VM; the IP of the host I found is 192.168.56.104.

Let’s proceed with a network scan using an Nmap aggressive scan, as given below.

nmap 192.168.56.104 -p- -A

Enumeration

It was very interesting as I noticed that there were so many services running on the host network …

So, I ran the following command for SMB enumeration and identified a username, “smbuser”, and a “smbdata” folder which has “READ, WRITE” permission.

I explored the host IP in the web browser, as port 80 is open for the HTTP service.

I chose to run nikto to list weak HTTP configuration, and found an entry for “.ssh”.

When I tested “.ssh” in the web browser, I got the SSH files.

When I opened authorized_keys, it confirmed that “smbuser” is present on the host machine or network, and that both files are for smbuser.

I downloaded both files, “id_rsa” and “authorized_keys”, to my local PC.

Then I gave the id_rsa file 600 permissions.

Here I cracked the id_rsa file to get the password, and hurray, it succeeded: the password is “password”.
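A defender-side check for the exposure described above, where a “.ssh” directory holding id_rsa and authorized_keys was reachable over HTTP: this added Python example (not part of the original walkthrough) scans a web document root for SSH key material. The function names, reason labels and the sample tree are constructed for illustration.

```python
import os
import tempfile

# PEM headers that mark private-key material (OpenSSH and legacy formats).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
SSH_TRUST_FILES = {"authorized_keys", "known_hosts"}

def find_exposed_ssh_material(docroot):
    """Return sorted (relative_path, reason) pairs for SSH files under docroot."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue  # unreadable by the auditor; skip rather than crash
            # Passphrase-protected keys are reported too: they can be cracked offline.
            if head.startswith(PRIVATE_KEY_MARKERS):
                findings.append((rel, "private key"))
            elif name in SSH_TRUST_FILES:
                findings.append((rel, "ssh trust file"))
            elif ".ssh" in rel.split(os.sep)[:-1]:
                findings.append((rel, "file inside .ssh directory"))
    return sorted(findings)

def demo():
    samples = {  # constructed docroot content, not real key material
        "index.html": b"<html>ok</html>",
        ".ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n",
        ".ssh/authorized_keys": b"ssh-rsa AAAA-constructed smbuser@example\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".ssh"))
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return find_exposed_ssh_material(root)

if __name__ == "__main__":
    print(demo())
```

Any finding under a served directory means the key pair should be treated as compromised and rotated, not just moved.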

We know that “smbdata” has read and write permission, so I put the authorized_keys file in it, which I downloaded from the port 80 “.ssh” folder, and it succeeded.

We know that ProFTPD 1.3.5 on port 2121 has the “FILE COPY” vulnerability, so I logged in to FTP on 2121 without a username and password (just press Enter twice) and copied authorized_keys from smbdata to smbuser’s .ssh directory (because authorized_keys will match the id_rsa file when we use SSH to log in as smbuser).

Now I tried to SSH in with the id_rsa file which we downloaded from port 80, entered the passphrase which we cracked, “password”, and yeah, we got a smbuser shell.

Here we got 2 folders in the home directory, but the “bla” directory has no read and write permission for smbuser.

Now I started searching for something but I didn’t find anything, and we have no find and locate commands for searching for SUID files.

So I started searching manually and found a file, “esclate”, in the “/usr/bin” directory which has the SUID bit of bla.

So from this file we can try to get a “bla” user shell. When I executed esclate, I fed it lots of numbers and letters; sometimes it gives “why are you here ?!” and sometimes “Segmentation fault”, so I understood what was happening.
I gave a value (number) which falls between both errors, and yeah, I got the bla user group (I think this vulnerability is known as buffer errors or buffer overflow; not confirmed, but maybe).
And yes, finally I got the “bla” user groups.

Then I tried to go into the bla user directory, and yeah, finally I am in.

Yeah, I got the bla user flag: 0aab4a2c6d75db7ca2542e0dacc3a30f

After reading the flag, there is a hint: “you can crack this hash, because it is also my pasword”

So after cracking the hash I got the bla user password:
0aab4a2c6d75db7ca2542e0dacc3a30f:itiseasy

The password is “itiseasy”.

bla:itiseasy

After getting the bla shell, it’s time to root the box, so I checked sudo permissions and rights, and found two things which can be run with sudo: “capsh” and “setcap”.

So I looked at the help of the capsh command and finally figured out what to do for root, and I tried:

sudo -u root /usr/sbin/capsh --

And finally we got a root shell.
