Linux machine easy level

Table of Contents

1. Enumeration
2. Privilege Escalation

Enumeration:

Nmap

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack gunicorn

Ports:

• 21 FTP
• 22 SSH
• 80 HTTP

We found a web environment somewhat focused on network things

Browsing the web we find a route that shows information about network packets. where we can download the file called “1.pcap”.

http://10.129.106.157/data/1

We realize that are network packets and can opened on wireshark. When we open it we will see that it doesn´t contain any packet. And looking in the “data” path we can find that there is another file in:

http://10.129.106.157/data/0

When we analyze the “0.pcap” file on wireshark we will find many packets, but there is one that draws more attention than the others.

It´s a FTP Password!!

Password: Buck3tH4TF0RM3!

Using the password, we already have a password… Testing the password in the different services that are active on the server (SSH, FTP) works in both with the user natham that we find on the web.

We log into ssh with the acquired password.

Privilege Escalation:

User flag

Search for user configuration errors, by throwing a “linpeas” or manually testing the basic privilege escalation methodology we find that we can take advantage of the capabilities to get root.

I have based on the following page:

• Linux Privilege Escalation

When testing with the python shell we get root permissions, abusing the capabilities

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Root Flag

Machine completed