HackTheBox - Poison

Written by Erik on

Linux machine, medium level

Table of Contents

  1. Enumeration
  2. Exploitation
  3. Escalation of Privileges

Enumeration:

Nmap:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)

Ports:

  • 22 SSH
  • 80 HTTP

The web page lists several PHP file names and provides a function that displays the chosen file.

Web

One of the 4 files that the web page offers for testing catches our attention because it is called “listfiles.php”. We run it through the web function to see what it contains.

listfiles

We see that the listing produced by listfiles.php ends with a file called “pwdbackup.txt”.

  • It contains base64-encoded text and a note telling us that it has been encoded 13 times.

pwdbackup

We decode the base64 13 times; I will do it this way:

 echo "Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU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"|base64 -d |base64 -d|base64 -d |base64 -d|base64 -d |base64 -d|base64 -d |base64 -d|base64 -d |base64 -d|base64 -d |base64 -d|base64 -d

The decoded text appears to be a password.

Password: Charix!2#4%6&8(0
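The same 13-layer decode as a small shell script, added here as an example and not part of the original writeup. The secret and its encoding are constructed placeholders (not the box’s real pwdbackup.txt); the script also counts the layers itself, which helps when the “13 times” hint is missing, and shows that decoding one layer too many fails.

```shell
#!/bin/sh
# Constructed sample: a placeholder password wrapped in 13 layers of base64,
# standing in for the contents of pwdbackup.txt.
SAMPLE_SECRET='Example!2#4%6&8(0'
LAYERS=13

# encode_layers TEXT N : apply base64 N times (tr strips GNU base64's line wrapping)
encode_layers() {
    data=$1; i=0
    while [ "$i" -lt "$2" ]; do
        data=$(printf '%s' "$data" | base64 | tr -d '\n')
        i=$((i + 1))
    done
    printf '%s' "$data"
}

# decode_layers BLOB N : strip exactly N base64 layers, replacing the long
# chain of "| base64 -d"; returns 1 as soon as a layer is not valid base64.
decode_layers() {
    data=$1; i=0
    while [ "$i" -lt "$2" ]; do
        data=$(printf '%s' "$data" | base64 -d 2>/dev/null) || return 1
        i=$((i + 1))
    done
    printf '%s' "$data"
}

# count_layers BLOB : keep decoding while the data is still valid, non-empty
# base64 and print how many layers were peeled. Caveat: a plaintext that happens
# to be valid base64 (no '!', '#', spaces, ...) would be decoded one step too far.
count_layers() {
    data=$1; n=0
    while next=$(printf '%s' "$data" | base64 -d 2>/dev/null) && [ -n "$next" ]; do
        data=$next; n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Build the sample blob and peel it again.
BLOB=$(encode_layers "$SAMPLE_SECRET" "$LAYERS")
printf 'layers detected: %s\n' "$(count_layers "$BLOB")"
printf 'decoded secret : %s\n' "$(decode_layers "$BLOB" "$LAYERS")"
```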

Exploitation:

We remember that the web function could read files… Let’s try displaying /etc/passwd to see whether we can find a user for the password we found.

LFI

We find a user named Charix.

passwd

We know that the server runs SSH, so we try to connect with the collected credentials.

User: charix
Password: Charix!2#4%6&8(0

LoginSSH

Privilege escalation:

  • We find a zip file called secret.zip

secretzip

We transfer it to our machine and unzip it.

netcat

It is password protected; we use the user’s password:

unzip secret.zip
Archive:  secret.zip
	[secret.zip] secret password: Charix!2#4%6&8(0

unzip

With the following command we check whether the root user is running any service:

ps aux

  • Root is running a VNC server on port 5901

ps aux

Now we know how to perform the privilege escalation. We will set up SSH port forwarding so that we have a direct connection to the VNC service, which only listens locally.

Forward the local port through SSH to access the VNC afterwards:

ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84

LogPoisoningSSH

netstat shows that we now have a connection to port 5901 (VNC).

netstat

We use the “secret” file extracted from the zip above as the VNC password file to log in to the VNC. We are in.

vncviewer 127.0.0.1:5901 -passwd secret 

VNC

We are now root.

  • Root Flag

root txt

Machine completed

Erik

Hi! I’m Erik. I love computer security, and in my spare time I do bug bounty or research.
Every day I try to learn something new, no matter how small it is.