- You have been engaged in a Black-box Penetration Test (172.16.37.0/24 range). Your goal is to read the flag file on each machine. On some of them, you will be required to exploit a remote code execution vulnerability in order to read the flag.
- Some machines are exploitable instantly but some might require exploiting other ones first. Enumerate every compromised machine to identify valuable information that will help you proceed further into the environment.
- If you are stuck on one of the machines, don’t overthink and start pentesting another one.
- When you read the flag file, you can be sure that the machine was successfully compromised. But keep your eyes open – apart from the flag, other useful information may be present on the system.
I’m on a
Weird… It is said to be a
Right, the routing handles that for me.
172.16.37.0/24 for live hosts.
Two hosts are alive.
Confirmed by nmap.
Found two open ports.
Search exploits for proftp. All of them are local. Not helping.
The user is ftpuser. Search whether proftpd has a default password.
Proftp allows anonymous login. But I need an email address for the password.
ftpuser:ftpuser. I logged in.
There’s the flag.
Check the website.
Default apache page, nothing interesting in the source.
Gobuster it. Found this
Browse to it. I got.
An ifconfig result like the one from the last target.
It reveals the same network,
Time to get our reverse shell. I should be able to upload php files to the xyz dir and execute them.
Got a shell.
With ifconfig I can see the same result as from the website.
Use linpeas.sh to enumerate the system.
NOOO! The owner of the file uploaded by ftpuser is root… I have to download it using the shell.
Set up python host.
Change dir to /dev/shm and download
Run it. I’ll take my time and read through the result.
Seems the target’s port 631 is open. Don’t know what it’s for yet.
Seems like our ftpuser is in fact root. It has uid of
su ftpuser, password is
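A defensive check for the finding above, added here and not part of the original write-up: it parses /etc/passwd (a constructed sample is embedded so it runs offline) and reports any account besides root that carries uid 0, the misconfiguration that makes a low-value service credential such as an FTP login equivalent to root.

```python
# Constructed sample /etc/passwd content for the demonstration (not taken from the lab).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ftpuser:x:0:0:FTP user:/home/ftpuser:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def find_uid0_aliases(passwd_text: str) -> list[str]:
    """Return every account other than 'root' whose numeric uid is 0.

    Any such account is a root login under a different name: whoever holds
    its password (or the shared service credential it is used for) has full
    root privileges, which is exactly what turned the FTP foothold into a
    root shell in the write-up above.
    """
    aliases = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; skip rather than misparse
        name, uid = fields[0], fields[2]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            aliases.append(name)
    return aliases


def audit_passwd_file(path: str = "/etc/passwd") -> list[str]:
    """Run the same check against a real passwd file on the host being audited."""
    with open(path, encoding="utf-8") as fh:
        return find_uid0_aliases(fh.read())


if __name__ == "__main__":
    for name in find_uid0_aliases(SAMPLE_PASSWD):
        print(f"uid 0 alias found: {name}")
```

On the sample above the check reports ftpuser; on a hardened host it should report nothing, and any hit is worth treating as a root account in its own right (unique password, audited logins, no use as a service credential).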
Move to the next target.
The site is empty.
But the source code contains some
There is another network that this target is connected to. I have to pivot to
Add a routing entry for that network.
sudo route add 172.16.50.0 10.13.37.1 255.255.255.0
Now, with the first target compromised, I know that the two machines are both in this
The IP address of this machine is
linpeas.sh again as root on the last machine. Discovered that nmap is present.
Use nmap to scan this target. Port 22 is discovered instantly.
Now, because the pivot machine has no ssh server running, I cannot use ssh to proxy traffic into the new network. And since it has no internet connection, I have no option but to use a meterpreter route, which also means the rest of the exploit has to be done through metasploit.
Generate a php reverse shell using
Set up the handler.
Got a meterpreter shell.
The last part is brute-forcing the ssh login.
And the flag.