Last updated on July 4, 2021
Level : Easy
- Cracking a password-protected zip file
- Escaping an irb (Ruby) shell
- Privilege escalation
- Using getcap to check file capabilities
We start reconnaissance with Rustscan. The lab description says to check port 1337, so we connect to it first and find a hint that something is hiding in the first 100 ports, so we scan that range with Rustscan.
```bash
netcat 10.10.50.215 1337
rustscan --ulimit 5001 -r 1-110 10.10.50.215 -- -sC -sV -oN nmap
```
While going through those ports, one string catches our eye on port 21. That port is FTP by default, but here the banner says to check port 12345.
When we connect to port 12345 with netcat, we find another hint which points to NFS. From that hint we learn that the /home/nfs directory can be mounted.
After mounting the share we get a backup zip file, which is password protected.
```bash
netcat 10.10.50.215 12345
showmount -e 10.10.50.215
mkdir /tmp/serverfromhell
sudo mount -t nfs 10.10.50.215:/home/nfs /tmp/serverfromhell
```
Now it is time to crack the zip password. There are different ways to do that: you can use fcrackzip, or John the Ripper as shown here.
```bash
zip2john backup.zip > backup.hash
john --wordlist=../../rockyou.txt backup.hash
```
Now we have the password to unzip backup.zip, and inside we find a private key that should let us log in to the remote server over SSH without a password. On the default port 22 we only get a bad request, but there is a hint that something is listening between ports 2500 and 4500, so we run Rustscan again on that range and find an OpenSSH service on port 3333.
```bash
rustscan --ulimit 5001 -r 2500-4500 10.10.50.215 -- -sC -sV -oN hint_nmap
```
Now let's log in to the server with the id_rsa key. After login we land in a Ruby interactive shell (irb) rather than bash, so to get a real shell we have to call Ruby's system function.
```bash
chmod 0600 id_rsa
ssh -i id_rsa [email protected] -p 3333
```
Now it's time to get root. Enumerating further, we find a hint about getcap, which lists binaries carrying file capabilities. With the help of GTFOBins we find a way to abuse the capability set on tar to read the root flag.
```bash
getcap -r / 2>/dev/null
tar xf /root/root.txt -I '/bin/sh -c "cat 1>&2"'
```
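The same getcap output is what a defender should be reviewing before a box ends up like this one. As an added example (not part of the original writeup), here is a small audit script that parses `getcap -r /` output in both the classic `path = caps+flags` form and the newer `path caps=flags` form of libcap, and flags binaries whose permitted capabilities let them read or change files or identity they otherwise could not. The sample output it runs on is constructed for the example, not taken from this machine.

```python
import re

# Capabilities that let a binary bypass file permissions or change identity.
# Any of these on a binary ordinary users can run deserves a closer look.
RISKY_CAPS = {
    "cap_dac_read_search", "cap_dac_override", "cap_setuid", "cap_setgid",
    "cap_sys_admin", "cap_sys_ptrace", "cap_fowner", "cap_chown", "cap_sys_module",
}

# Classic libcap prints "/path = cap_a,cap_b+ep"; libcap 2.41+ prints
# "/path cap_a,cap_b=ep". Lines with several flag clauses are skipped, not guessed.
LINE_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")

# Constructed sample output (not real getcap output from the lab machine).
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tool cap_setuid,cap_chown=ep
/opt/inherit-only cap_dac_override=i
"""

def parse_getcap(output: str):
    """Yield (path, set_of_caps, flags) for each recognised getcap line."""
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield m.group("path"), set(m.group("caps").split(",")), m.group("flags")

def risky_binaries(output: str) -> dict:
    """Map each binary with a risky *permitted* capability to its sorted risky caps.

    Inheritable-only ("i") entries are ignored: they do nothing unless another
    process already carries the capability in its inheritable set.
    """
    findings = {}
    for path, caps, flags in parse_getcap(output):
        hits = caps & RISKY_CAPS
        if hits and "p" in flags:
            findings[path] = sorted(hits)
    return findings

if __name__ == "__main__":
    for path, caps in risky_binaries(SAMPLE).items():
        print(f"{path}: {', '.join(caps)}")
```

In practice, feed it `getcap -r / 2>/dev/null` from a host inventory job and alert on any path not in an approved list.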