$ nmap -p- --min-rate 3000 -Pn 192.168.201.114
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 12:08 +08
Warning: 192.168.201.114 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.201.114
Host is up (0.17s latency).
Not shown: 65524 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
3306/tcp open mysql
8080/tcp open http-proxy
28080/tcp open thor-engine
60022/tcp open unknown
FTP Anonymous Creds
FTP accepts anonymous logins:
$ ftp 192.168.201.114
Connected to 192.168.201.114.
220 (vsFTPd 3.0.3)
Name (192.168.201.114:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||59327|)
150 Here comes the directory listing.
drwxr-xr-x 14 14 11 4096 Nov 06 2020 forum
226 Directory send OK.
ftp> cd forum
l250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||33106|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1965 Nov 06 2020 Gemfile
-rw-r--r-- 1 0 0 5512 Nov 06 2020 Gemfile.lock
-rw-r--r-- 1 0 0 374 Nov 06 2020 README.md
-rw-r--r-- 1 0 0 227 Nov 06 2020 Rakefile
drwxr-xr-x 11 0 0 4096 Nov 06 2020 app
drwxr-xr-x 2 0 0 4096 Nov 06 2020 bin
drwxr-xr-x 5 0 0 4096 Nov 06 2020 config
-rw-r--r-- 1 0 0 130 Nov 06 2020 config.ru
drwxr-xr-x 2 0 0 4096 Nov 06 2020 db
drwxr-xr-x 4 0 0 4096 Nov 06 2020 lib
drwxr-xr-x 2 0 0 4096 Nov 06 2020 log
-rw-r--r-- 1 0 0 217 Nov 06 2020 package.json
drwxr-xr-x 2 0 0 4096 Nov 06 2020 public
drwxr-xr-x 2 0 0 4096 Nov 06 2020 storage
drwxr-xr-x 10 0 0 4096 Nov 06 2020 test
drwxr-xr-x 5 0 0 4096 Nov 06 2020 tmp
drwxr-xr-x 2 0 0 4096 Nov 06 2020 vendor
226 Directory send OK.
There was some config files and what not, but there's nothing in it at all. Moving on!
Web Enumeration -> Password
Port 80 was a ForumOnRails instance:
I registered a user and looked through the posts made by the admin, and found his email.
I decided to look into the page source for the Login, Register and Forgot Password pages. Within the Register page, there's a password within the page source:
We can then login as the admin email and password of it0jNc6L/r090Q==.
More Page Source Reading -> RCE
The administrator had access to the /serverinfo page:
Again, there were some interesting comments in the page source:
We can edit the HTML such that the cmd box appears:
Then, we can send stuff to this to get a request within Burp, which can give us a reverse shell:
Privilege Escalation
Base32Key -> Root
The user's file had a few files:
[kathleen@nappa ~]$ ls -la
total 40
drwx------ 5 kathleen kathleen 4096 Nov 16 2020 .
drwxr-xr-x 3 root root 4096 Nov 4 2020 ..
-rw------- 1 kathleen kathleen 0 Nov 6 2020 .bash_history
-rw-r--r-- 1 kathleen kathleen 21 Aug 9 2020 .bash_logout
-rw-r--r-- 1 kathleen kathleen 57 Aug 9 2020 .bash_profile
-rw-r--r-- 1 kathleen kathleen 4302 Nov 6 2020 .bashrc
drwxr-xr-x 3 kathleen kathleen 4096 Nov 4 2020 .bundle
drwxr-xr-x 4 kathleen kathleen 4096 Nov 4 2020 .gem
drwxr-xr-x 15 kathleen kathleen 4096 Nov 4 2020 forum
-rw------- 1 kathleen kathleen 33 Jul 15 04:08 local.txt
I read the .bashrc file which had a large string within it.
[kathleen@nappa ~]$ cat .bashrc
#
# ~/.bashrc
#
# If not running interactively, don't do anything
[[ $- != *i* ]] && return
alias ls='ls --color=auto'
PS1='[\u@\h \W]\$ '
# alias FUWS2LJNIJCUOSKOEBHV <TRUNCATED>
This string was only alphanumeric characters, so it wasn't base64. Similar to another machine, I checked what binaries starting with base were available:
[kathleen@nappa ~]$ base
base32 base64 basename basenc
When decoded with base32, it revealed a private SSH key:
