This box was a straightforward beginner box and a good way to practice password cracking. There are plenty of rabbit holes to watch out for!
We start with the new and improved nmap scan: nmap -sT -A -v -n <ip>/24 -p -. The biggest change is that we now scan all 65535 TCP ports (-p -) rather than nmap's default top 1000, because I've been screwed over more times than I'd like to admit when a vital port wasn't among them. Nmap returns ports 21, 22 and 80.
FTP is ProFTPD 1.3.5e, a version line with a well-known critical vulnerability (see the Exploit-DB reference at the end). It also allows anonymous login. Note the patch suffix on the version: an exploit written against plain 1.3.5 is worth checking against the exact version before sinking time into it.
The web server shows the default "Apache 2 It Works!" page. We can immediately check robots.txt, which reveals a /logs/ directory, but navigating to it shows that the directory doesn't exist: our first rabbit hole.
Checking out FTP:
First and foremost, we log in anonymously and see that the FTP root is full of zip files following the naming convention <user's name>.zip. Rather than checking every zip straight away, we look for vulnerabilities in this server version and come back to the archives later.
Exploit-DB reveals a critical vulnerability that can potentially allow code execution! After a couple of attempts, I wasn't able to successfully execute this exploit. The commands were not agreeing with me and I wasn't able to escape the FTP root.
Circling back to the zip files, we can download them all, but notice that only one has different permissions from the others: tom.zip. This could have been unintentional and we're just experiencing apophenia, but I digress. Grabbing all files with mget *.zip (run prompt first to turn off the per-file confirmation), we can try to unzip any of them but are met with a password prompt for the id_rsa file within. Very promising indeed...
Cracking the Zips & Getting User:
We can extract the zips' password hashes using zip2john:
Now that we have the hashes (pkzip2 format) in a file, we can crack them with hashcat: hashcat -a 0 -m 17220 hashes.txt <wordlist>. We get two hits: catwoman and iubire. Unfortunately, hashcat only prints hash:password pairs, so there is no easy way to match them back to their respective zips without a little janky scripting:
Hashcat session completed. Note the "Recovered" line reads 2/3
Matching hashcat's results with our hashes
This shows us that:
An alternative to hashcat is John the Ripper, which is slightly easier to use in this case because it keeps the archive name next to each hash. We use the wholehashes.txt file generated by the first command (zip2john): john --wordlist=<wordlist> wholehashes.txt. To print the results: john --show wholehashes.txt. The string after the first colon is the password.
John's somewhat discrete results
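To replace the janky scripting step, here is an added Python example (not from the original writeup) that joins zip2john's per-archive output against hashcat's hash:password lines, produces the bare-hash file hashcat expects, and parses john --show for comparison. The zip2john, hashcat and john lines embedded below are constructed stand-ins in the real tools' formats, with placeholder archive names, hashes and passwords; nothing is taken from the box.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of zip2john output (stand-in hashes, not the box's real ones).
# Format: <archive>/<member>:<$pkzip2$...$/pkzip2$>:<member>:<archive>::<archive>
ZIP2JOHN_OUTPUT = """\
alice.zip/id_rsa:$pkzip2$1*1*2*0*1d*1d*11aa22bb*0*27*8*1d*f00d*deadbeef*$/pkzip2$:id_rsa:alice.zip::alice.zip
bob.zip/id_rsa:$pkzip2$1*1*2*0*1d*1d*33cc44dd*0*27*8*1d*f00d*cafebabe*$/pkzip2$:id_rsa:bob.zip::bob.zip
carol.zip/id_rsa:$pkzip2$1*1*2*0*1d*1d*55ee66ff*0*27*8*1d*f00d*0badf00d*$/pkzip2$:id_rsa:carol.zip::carol.zip
"""

# Constructed sample of `hashcat --show` output: <hash>:<password>, cracked entries
# only, in the order hashcat found them (which is not the order of the input file).
HASHCAT_SHOW_OUTPUT = """\
$pkzip2$1*1*2*0*1d*1d*33cc44dd*0*27*8*1d*f00d*cafebabe*$/pkzip2$:summer2020
$pkzip2$1*1*2*0*1d*1d*11aa22bb*0*27*8*1d*f00d*deadbeef*$/pkzip2$:letmein
"""

# Constructed sample of `john --show` output for the same hashes.
JOHN_SHOW_OUTPUT = """\
alice.zip/id_rsa:letmein:id_rsa:alice.zip::alice.zip
bob.zip/id_rsa:summer2020:id_rsa:bob.zip::bob.zip

2 password hashes cracked, 1 left
"""

# A pkzip2 hash is delimited by these markers and uses '*' internally, never ':'.
PKZIP_RE = re.compile(r"\$pkzip2\$.*?\$/pkzip2\$")


def parse_zip2john(text: str) -> Dict[str, str]:
    """Map each pkzip2 hash to the archive it was extracted from."""
    hash_to_archive = {}
    for line in text.splitlines():
        m = PKZIP_RE.search(line)
        if not m:
            continue
        archive = line.split("/", 1)[0]  # "alice.zip/id_rsa" -> "alice.zip"
        hash_to_archive[m.group(0)] = archive
    return hash_to_archive


def hashcat_input(text: str) -> List[str]:
    """Bare hashes, one per line: what hashcat -m 17220 expects in hashes.txt
    (the john-style archive/member prefix must be stripped first)."""
    hashes = []
    for line in text.splitlines():
        m = PKZIP_RE.search(line)
        if m:
            hashes.append(m.group(0))
    return hashes


def parse_hashcat_show(text: str) -> Dict[str, str]:
    """hash:password lines -> {hash: password}. The hash contains no ':',
    so splitting on the first colon is safe even if the password has one."""
    cracked = {}
    for line in text.splitlines():
        if not line.startswith("$pkzip2$"):
            continue
        h, _, password = line.partition(":")
        cracked[h] = password
    return cracked


def match_hashcat(zip2john_text: str, hashcat_text: str) -> Dict[str, Optional[str]]:
    """Join the two outputs on the hash: archive -> password (None if not cracked)."""
    hash_to_archive = parse_zip2john(zip2john_text)
    cracked = parse_hashcat_show(hashcat_text)
    return {archive: cracked.get(h) for h, archive in hash_to_archive.items()}


def parse_john_show(text: str) -> Dict[str, str]:
    """john --show keeps the archive on each line; the password is the second field."""
    cracked = {}
    for line in text.splitlines():
        head, sep, _ = line.partition(":")
        if not sep or "/" not in head:   # skips blank lines and the summary line
            continue
        cracked[head.split("/", 1)[0]] = line.split(":")[1]
    return cracked


if __name__ == "__main__":
    for archive, password in match_hashcat(ZIP2JOHN_OUTPUT, HASHCAT_SHOW_OUTPUT).items():
        print(f"{archive}: {password if password else '<not cracked>'}")
    print("john agrees:", parse_john_show(JOHN_SHOW_OUTPUT))
```

Write hashcat_input() to hashes.txt before cracking; alternatively keep the zip2john file as-is and pass --username to hashcat (and to hashcat --show), which tells it to ignore everything before the first colon.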
Finally, we can unzip Cathrine's and Tom's respective private keys and SSH into the box! I added each person's name as an extension to distinguish each user's key (key files also need mode 0600, or ssh refuses to use them). Cathrine doesn't even exist as a user, so it turns out our theory about Tom's zip permissions may have been valid! Logging in using ssh tom@<ip> -i id_rsa.tom gets us onto the box and one step closer to the goal!
The first thing to check is sudo permissions (sudo -l), but that asks for tom's password, which we don't have. Looking around his home directory, we see .bash_history and .mysql_history. Neither is redirected to /dev/null, and both have content. The bash history holds nothing useful, but the MySQL history has captured credentials: specifically, Tom inserting his own login credentials into the database! We can look around the database, which is listening on local port 3306, but there is nothing of interest in it.
Exposing Tom's insecure history (last line)
A sad, empty SQL table
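Hunting credentials in shell and client history files is a routine post-exploitation check, so here is an added Python example (not from the original writeup) that scans history text for the usual leak patterns: passwords passed inline to mysql, sshpass and --password=, secrets exported as environment variables, and MySQL statements that carry a password (IDENTIFIED BY, PASSWORD(), INSERTs into a password column). The two history files below are constructed samples with made-up usernames and passwords, not the box's files.

```python
import re
from typing import List, Tuple

# Constructed sample .bash_history (made-up commands and secrets).
BASH_HISTORY = """\
ls -la
cd /var/www/html
mysql -u tom -pWinter2020! webapp
sshpass -p 'hunter2' ssh tom@10.0.0.5
export DB_PASSWORD=changeme
cat /etc/passwd
"""

# Constructed sample .mysql_history (made-up statements and secrets).
MYSQL_HISTORY = """\
show databases;
use webapp;
CREATE USER 'tom'@'localhost' IDENTIFIED BY 'Winter2020!';
INSERT INTO users (username, password) VALUES ('tom', 'Winter2020!');
select * from users;
"""

# (label, regex) pairs; group 1 is the candidate secret. A history file is small,
# so the patterns are kept narrow: a false positive costs a glance, a miss costs root.
PATTERNS = [
    ("mysql -p<pw>",    re.compile(r"\bmysql\b.*?\s-p(\S+)")),
    ("--password=<pw>", re.compile(r"--password=(\S+)")),
    ("sshpass -p <pw>", re.compile(r"\bsshpass\s+-p\s+'?([^'\s]+)")),
    ("env var",         re.compile(r"\b\w*(?:PASS|PASSWORD|SECRET|TOKEN)\w*=(\S+)", re.I)),
    ("IDENTIFIED BY",   re.compile(r"IDENTIFIED\s+BY\s+'([^']*)'", re.I)),
    ("PASSWORD()",      re.compile(r"PASSWORD\('([^']*)'\)", re.I)),
    # For an INSERT that names a pass/password column, report the whole VALUES tuple.
    ("INSERT into password column",
     re.compile(r"INSERT\s+INTO\s+\S+\s*\([^)]*pass[^)]*\)\s*VALUES\s*\((.*)\)", re.I)),
]


def scan_history(text: str, source: str) -> List[Tuple[str, int, str, str]]:
    """Return (source, line_number, pattern_label, candidate_secret) for every hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if m:
                hits.append((source, n, label, m.group(1)))
    return hits


def candidate_passwords(*histories: Tuple[str, str]) -> List[str]:
    """Deduplicated secrets in the order found: the list to try against sudo, ssh and mysql."""
    seen = set()
    out = []
    for text, source in histories:
        for _, _, _, secret in scan_history(text, source):
            if secret not in seen:
                seen.add(secret)
                out.append(secret)
    return out


if __name__ == "__main__":
    for hit in scan_history(BASH_HISTORY, ".bash_history") + scan_history(MYSQL_HISTORY, ".mysql_history"):
        print("{}:{} [{}] {}".format(*hit))
    print("try these:", candidate_passwords((BASH_HISTORY, ".bash_history"),
                                           (MYSQL_HISTORY, ".mysql_history")))
```

On a real host, feed it the contents of every readable ~/.bash_history, ~/.mysql_history and similar client history file. The defensive fix is the one the writeup hints at: point HISTFILE and MYSQL_HISTFILE at /dev/null (or otherwise keep secrets off the command line) so these files never capture credentials in the first place.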
Thanks to recycled credentials, we can check Tom's sudo permissions, and what do you know? He can run all commands! A simple sudo bash gives us a root shell and a pretty sleek root flag at /root/flag.txt!
Going straight to root's flag!
ProFTPD 1.3.5 Exploit [EXTERNAL]
Last edit: 2021.09.30