June 26, 2021
After the initial scan there are two open ports. With nothing to try on SSH, let's start with the web server. Launch a directory bust and look around while it runs. There are a couple of comments on the front page, which is the default Apache landing page. The first one is base64-encoded Brainfuck and hints at port knocking, suggesting ports 1, 3 and 5. The second one gives us a password, base58 encoded.
Following the first hint, connect simultaneously to the three ports. Once your connections are closed, try a new scan and you will see some more ports are now open.
We can try the credentials we found (the username is in the comment leading to the second hint) to log in to the FTP service. There is one image we can download; its purpose isn't immediately clear.
There are also two new web servers running on higher ports. The first one (in port number order) gives us a new pair of credentials (same username, actually). Some directory busting on the second leads to a /blog page that redirects to a login form.
We can use the new credentials to extract data from the image we retrieved from the FTP server. This gives us some new pieces of information: a username:password combination AND a directory name. Trying the directory name on the first of the new web servers gives us a new hint, a message.
Plus, some more directory busting gives us a directory on the first new web server that contains a private OpenSSH key.
Quick recap, at this point we have:
- A username:password combination
- a username or a password at the end of the message we found
- a key
After quite a struggle, it turns out the username:password combination is enciphered with the Vigenère cipher, and the word at the end of the message is the key to decipher it. This gives us the password to log into the blog.
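The deciphering step above, as an added example that is not from the original post: a small Vigenère encrypt/decrypt routine plus a helper that tries every word of the hint message as a candidate key, which is how one would find the right word without the struggle. The ciphertext, message and key below are constructed (the classic LEMON example), not values from the box; the assumption that non-letters such as ':' and digits pass through without consuming a key letter matches what most CTF tools do.

```python
import string

ALPHABET = string.ascii_lowercase


def vigenere(text, key, decrypt=False):
    """Vigenère over a-z/A-Z, case preserved. Non-letters (':' in
    user:pass, digits) pass through and do not advance the key."""
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, ki = [], 0
    for ch in text:
        lower = ch.lower()
        if lower not in ALPHABET:
            out.append(ch)
            continue
        shift = shifts[ki % len(shifts)]
        if decrypt:
            shift = -shift
        new = ALPHABET[(ALPHABET.index(lower) + shift) % 26]
        out.append(new.upper() if ch.isupper() else new)
        ki += 1
    return "".join(out)


def vigenere_encrypt(plaintext, key):
    return vigenere(plaintext, key)


def vigenere_decrypt(ciphertext, key):
    return vigenere(ciphertext, key, decrypt=True)


def candidate_keys(ciphertext, message):
    """Try each word of a hint message as the key; returns {word: plaintext}
    so the one that yields a readable user:pass stands out."""
    words = {w.strip(".,;:!?\"'()").lower() for w in message.split()}
    return {w: vigenere_decrypt(ciphertext, w)
            for w in sorted(words) if any(c in ALPHABET for c in w)}


if __name__ == "__main__":
    # Constructed sample: a hint message ending in the key word.
    hint = "Look closely, the word you need is at the end: lemon"
    for word, plain in candidate_keys("LXFOPVEFRNHR", hint).items():
        print(f"{word:>8} -> {plain}")
```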
We can submit a message, which is very kindly passed to the underlying OS if you insert a command in it. With this in our hands we gain a reverse shell.
We are now user www-data, and a kind message every once in a while challenges us to root the box.
There is a suid binary that we can use to move to another non-root user. Copy it to the attacking machine and disassemble it (Ghidra is a good option) to see whether there is an opportunity to exploit it. It will spawn a shell if you survive its loop by supplying the parameters in the correct order: it starts comparing from value 6 (7-1) and runs all the way down to 1, so supply these values and enjoy your shell as the new user.
Now let's find where this annoying message is coming from: pspy will help us identify running processes.
There is a C file being compiled and run from our new home folder; let's modify it to make it a little more interesting. As the file is run as root, this means game over. Search for a reverse shell in C, or just insert a system command in the code to launch one, then go grab both flags. Your job is done. Merry hacking!