BOOK THIS SPACE FOR AD
ARTICLE ADToday we are going to solve another boot2root challenge called “Pwned: 1”. It’s available at Vulnhub for penetration testing. This is an easy level lab. The credit for making this lab goes to Ajs Walker. Let’s get started and learn how to successfully break it down.
Level: Easy
Since these labs are available on the Vulnhub website so we will download the lab file from here.
Penetration Testing Methodology
Recognition
Netdiscover NmapEnumeration
GobusterExploiting
Obtaining SSH private key backupPrivilege Escalation
Abuse of sysadmin script. Abuse of Docker Group privileges Capture the flagWalkthrough
Recognition
As always, we identify the host’s IP with the “Netdiscover” tool:
Now start by listing all the TCP ports with the help of Nmap.
nmap –sV -sC -P- 192.168.10.192 |
To work more comfortably, I’ll put the IP address in /etc/hosts.
Enumeration
Now, we have entered the web service and found information about the hacker “Annlynn” in the body and commented lines of the source code.
We have used Gobuster with a medium directory dictionary, indicating the typical extensions.
We will access the directory “/hidden_text” and will find a file named as “secret.dic“, this contains a directory listing.
After checking with Gobuster, we saw that only the directory “/pwned.vuln” is available.
Exploiting (user “Ariana”)
We found an administration panel exposed, after trying the typical passwords to try to access and not succeed, we went to check the source code and found that there is a condition in PHP with some credentials. The user already gave us the clue for which service to use (FTP).
We connect to the FTP service with the obtained credentials, we find an SSH private key for the user “Ariana” and a note.
Now we have changed the permissions to the file “id_rsa” and connect through SSH with the user “Ariana“. Once inside, we can read the first flag.
Privilege Escalation (user “Selena”)
We execute the command “sudo -l“, evidencing that we are able to execute a script called “messenger.sh” as the user “selena”. If we check the code, we can verify that it executes the information in “$msg 2> /dev/null“. Given this, we could insert a “/bin/bash” so that it raises a shell with the user we have previously indicated in the script.
We start the script…
We indicate the user “selena“, type “/bin/bash”… That’s right! We have obtained a shell with this user, we read the 2nd flag.
Privilege Escalation (root)
We type “id” and list that we belong to the group “Docker“, then we check the docker images that we have available and execute the command that will allow us to escalate privileges with a shell as root.
Finally, we will read the flag.
docker run -v /:/mnt --rm -it privesc chroot /mnt sh |
Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn and Twitter.