First nmap scan

Description of image

All we have is an open web port and an ssh port.

Visited the page

Description of image

We have an idea of what is running based on what we see at the bottom of the page

Description of image

Did a quick search on searchor and found this version was out of date! There is an exploit available that actually fits perfectly with this box. It was made by Crypt0Ninja and is available on github! I had to modify the path to my python binary a little but after that…

Description of image

I used this remote code execution to send me back a shell

Description of image

Description of image

Foot hold complete!

Post-Foothold

I start by checking general environmental variables and find I can write to the $PATH folders

Description of image

Description of image

Didn’t get much from here but I did discover a hidden file in my home directory for git

Description of image

the .git directory has a config file in it. A quick check shows…

Description of image

That looks like it could be a password. I admittedly don’t understand much about github or git to know for sure, but that looks like it could be a password.

I flounder for a bit, visit the link and get not much but a username. I decide to try it on sudo for the svc accoutn I have and…

Description of image

There is a script I can run as root

Since I have a password and ssh port is open I am going to try to login there to get a better shell. IT WORKS

Description of image

List of available commands from that script

Description of image

I mess around with the containers with no luck. Eventually I get to full-checkup and something interesting happens

Description of image

It looks like it’s trying to establish a connection! Even better, the file is writeable

Description of image

Modified the script to send me back a shell and… Description of image

pwned :)