Seppuku - Proving Grounds Play
Enumeration
Nmap
The initial Nmap scan revealed that the SSH, HTTP, FTP and SMB ports were open. Some non-standard ports were open too.
Failed Attempts
I tried anonymous FTP, but it was not allowed. Then I tried guest SMB access; it was allowed, but no share was readable. Then I applied directory brute forcing to the HTTP and 8088 ports, and it did not reveal anything.
Web Enumeration
Later I applied directory brute forcing to the non-standard port, which revealed SSH keys and password lists.
At first I checked passwd.bak and shadow.bak, but they turned out to be a rabbit hole :D so I did not even try to brute force them.
Exploitation
Brute Forcing
Then, with the password list I had found, I brute forced FTP and found a valid login.
Then I simply logged in and got the user flag.
Privilege Escalation
Checking users
The current user was seppuku. There were 2 other users.
seppuku user
The seppuku user had NOPASSWD sudo privileges over the ln binary, but I could not do anything useful with it.
Moreover, the user was in a restricted bash environment, so I forced the SSH session to open bash with the -t flag.
Also, there was a .passwd file in the home directory, which contained password-like text. I noted it.
tanto user
Then I ran linpeas. While checking its output, I found that the tanto user had a .ssh directory in his home directory, but id_rsa was missing. So I thought maybe I could use the SSH private key I had found before, and it worked.
The tanto user could not do anything. I could not understand why I had pwned that user.
samurai user
Later, I tried the password I had found in the .passwd file against the samurai user, and it worked. I ran 'sudo -l' and found out I could run /home/tanto/.cgi_bin/bin /tmp/* as sudo NOPASSWD.
So that was why I pwned tanto: to create a malicious binary. In the tanto SSH session, I created the .cgi_bin directory and the malicious binary.
Then, using samurai's privileges and the wildcard '*', I applied path traversal to give /bin/bash SUID privileges, and simply got root.
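As an added, defender-side example (not part of the original writeup): a small Python audit that parses sudoers text and flags the two properties that made the samurai rule abusable, a wildcard in the command arguments and a command binary that lives inside another user's home directory. The sudoers sample is constructed; only the shape of the rules comes from the writeup.

```python
import re
from typing import Dict, List

# Constructed sample sudoers content modelled on the rules the writeup
# describes (ln for seppuku, the wildcard rule for samurai); it is not a
# copy of the file on the box.
SAMPLE_SUDOERS = """
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
seppuku ALL=(ALL) NOPASSWD: /usr/bin/ln
samurai ALL=(ALL) NOPASSWD: /home/tanto/.cgi_bin/bin /tmp/*
%sudo   ALL=(ALL:ALL) ALL
"""

# user  host=(runas) [TAG:]... command[, command]...
RULE_RE = re.compile(r"^([^=\s]+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")

def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one finding per command spec whose wildcards or binary
    location let the grantee run something other than the intended command."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, spec = m.group(1), m.group(4)
        tags = []
        while (t := TAG_RE.match(spec)):   # peel off NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            spec = spec[t.end():]
        for cmnd in (c.strip() for c in spec.split(",")):
            parts, reasons = cmnd.split(), []
            if any(ch in " ".join(parts[1:]) for ch in "*?["):
                # sudo matches arguments with shell-style globbing and '*' also
                # matches '/', so a pattern like /tmp/* does not confine the
                # argument to /tmp; the rule no longer limits the target path.
                reasons.append("wildcard in command arguments")
            if parts and parts[0].startswith("/home/"):
                # Whoever controls that home directory controls the binary,
                # not the administrator who wrote the rule.
                reasons.append("command path inside a home directory")
            if reasons:
                findings.append({"user": user, "command": cmnd,
                                 "nopasswd": "NOPASSWD" in tags, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run it against the real file with `audit_sudoers(open("/etc/sudoers").read())` as root; the fix for a flagged rule is to drop the wildcard and point the rule at a root-owned binary outside any home directory.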