Vault
Gaining Access:
Nmap scan:
Sparklays Directories
Port 80 shows this page here.
The hint here is to check the /sparklays
directory, which returns a 403 error.
Since we know this directory exists, what we can do is to use gobuster
on the /sparklays
directory to find others. Doing this reveals the /design
directory.
I also ran a feroxbuster
scan to leverage on its recursive scans, and found some more directories.
These directories returned nothing, so I did another gobuster
scan with the -x
flag to indicate file extensions like .html or .php.
I found the design.html
page:
Logo Changing
On the design.html
page, all we see is this:
This brings us to changelogo.php
, which allows us to upload a file. Only image file are allowed. Obviously, we have to upload a PHP webshell somehow and bypass the file type check. I tried with multiple PHP extensions, and found that .php5
works.
Now, we have RCE on the machine and can get a reverse shell. We can use this command here:
Privilege Escalation
Dave Credentials
There are a few users on this machine:
Within the /home/dave/Desktop
directory ,we can find a ssh
file that has credentials for dave
within it.
Port Forwarding
There were other files within that directory that had other information. One hinted towards another machine being present on the machine. There was also another key to be used somewhere.
Understanding that we have SSH credentials, we can do some port forwarding with this.
Then, we can begin to scan both of these machines with nmap
. Scanning the first 1000 ports, I found that there was indeed a service running on it.
We can take a look at this using a browser with proxychains configured.
DNS Server
The page reveals a DNS server:
The first link doesn't work, but the second brings us to this page where .ovpn files can be uploaded and tested.
Googling around for possible exploits reveals that it is possible for us to gain a reverse shell using .ovpn files. First we need to find the local IP Address of the machine, which is 192.168.122.1 when inspecting ip addr
output.
Then, we can input the following file and run Test VPN.
Take note that we have to use the IP address of the machine and not our own. With the SSH access we have, we can open a listener port and catch a root shell:
Here, we can grab the user flag from /home/dave
. Then we can find more credentials for dave
on this machine:
We can then SSH in as dave
on the DNS server. This helps to upgrade our shell.
We are allowed to run sudo
on everything as dave
within the DNS server, so regaining root permissions is easy.
Vault
There was nothing else to be done with the DNS server or other IP addresses. Then, I remembered that there was a Vault entry that did not have an IP address. I wanted to find this IP address, so I read the /etc/hosts
file.
However, I could not even ping this machine from any host. I decided to read the /var/log
files to see if I could find anything of use. That's when I noticed these few lines within the auth.log
file that raised eyebrows:
There were some ncat
and nmap
commands ran on the machine, and it seems that dave
was able to access port 4444 on the Vault IP using SSH.
I repeated the nmap
command on the DNS server, and found some interesting results:
Overall it seems that we can only access this port if our source port is configured as 4444. I proceeded to scan 192.168.5.2, and found some more ports that were open.
Interesting that port 4444 was open. So we can only detect port 987 should our source port be 4444.
The solution in this case is to open a random port via ncat
that would listen to the connection between port 4444 and 987.
The logs revealed that this could potentially be an SSH service for dave
, so I tried just that and it worked! The same credentials for dave
on the DNS server were used.
Decrypt Flag
Here, we find an encrypted root flag.
Earlier, we found a key with itscominghome
in it. We just need to import it and decrypt this root flag. The easiest way to do so is to first transfer the file to another machine. There was no base64
, but there was base32
.
I transferred this to the ubuntu
machine because it (probably) had the keys imported and ready to go.
Then, we can use gpg -d
to decrypt it.
Rooted!
Beyond Root
I wanted to see if it was possible to get a root shell on the Vault. I transferred LinPEAS to the Vault machine. There was a restricted bash shell that could be escaped using sh
.
One possible attack vector:
However, I could not find any other weaknesses within it. I also couldn't run pspy64
to view any exploitable crons running. Oh well.
Last updated