Enumeration

Nmap

The initial Nmap scan showed that SSH, HTTP and one uncommon port were open.

00 - nmap

WEB Enumeration

There were two web applications: one on the default port 80 and another on port 33017.

01 - web

02 - another web

I ran directory brute forcing against both of them. The one on port 80 revealed a filemanager folder, but it could not be accessed directly.

So first I registered an account on the website and logged in. However, I still could not do anything, because the account had to go through a confirmation process.

03 - confirmation

Exploitation

Confirmation Bypass

I opened Burp Suite and checked the request and response sent when I tried to edit my email. The response contained a parameter named confirmed, which was false.

04 - confirmed false

So I edited the request by adding a user[confirmed]=true parameter, and it worked: the confirmation was bypassed.

05 - confirmed true
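To make clear why a client-supplied user[confirmed]=true ends up on the account, and what the fix on the application side looks like, here is an added Ruby example. It is not code from the original post or from the target application. It assumes the app is Rails-like (credentials.yml.enc and master.key, mentioned later, point that way) and models strong parameters in plain Ruby; parse_nested_params, update_user_unsafe, update_user_safe, PERMITTED_USER_FIELDS and the field names are all assumptions made for the example.

```ruby
# Added example, not the write-up's code: a minimal model of Rails-style
# strong parameters, showing why "confirmed" must never be taken from the
# request body. Field names and helpers are assumptions for the example.

require 'cgi'

# Parse a form body like "user[email]=a%40b&user[confirmed]=true" into
# { "user" => { "email" => "a@b", "confirmed" => "true" } }.
def parse_nested_params(body)
  params = {}
  CGI.parse(body).each do |key, values|
    value = values.last
    if key =~ /\A(\w+)\[(\w+)\]\z/
      (params[$1] ||= {})[$2] = value
    else
      params[key] = value
    end
  end
  params
end

# Vulnerable: everything under user[...] is merged straight into the
# record, so the client can flip server-controlled flags (mass assignment).
def update_user_unsafe(user, params)
  user.merge(params.fetch('user', {}))
end

# Hardened: only fields the user is allowed to edit are copied over.
# "confirmed" is not in the allowlist, so it stays whatever the
# confirmation flow set it to.
PERMITTED_USER_FIELDS = %w[email name].freeze

def permit(params, allowed)
  params.fetch('user', {}).select { |k, _| allowed.include?(k) }
end

def update_user_safe(user, params)
  user.merge(permit(params, PERMITTED_USER_FIELDS))
end

# Constructed request body, shaped like the tampered edit-email request.
TAMPERED_BODY = 'user[email]=new%40example.invalid&user[confirmed]=true'

if __FILE__ == $PROGRAM_NAME
  user = { 'email' => 'old@example.invalid', 'confirmed' => false }
  params = parse_nested_params(TAMPERED_BODY)
  p update_user_unsafe(user, params) # "confirmed" is now "true"
  p update_user_safe(user, params)   # "confirmed" is still false
end
```

In a real Rails controller the equivalent of update_user_safe is `params.require(:user).permit(:email, :name)`; the defect the write-up exploits is the equivalent of `permit!` or a raw `params[:user]` being handed to `update`. Flags such as confirmed, admin or role belong on that kind of denylist-by-default, never in the permitted set.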

Path Traversal

Now I was inside the filemanager application, which had an upload function. I uploaded two files, and while inspecting the requests I noticed a parameter called cwd.

06 - file manager with cwd

So I added that parameter to the URL and removed the download parameter. With path traversal I could then access the whole filesystem.

07 - path traversal
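The cwd parameter is only dangerous because the server joins it onto its storage directory without checking where the result lands. The following added Ruby example (not code from the original post or the target application) shows the unsafe resolution next to a confined one. The parameter name cwd comes from the write-up; UPLOAD_ROOT, resolve_cwd_unsafe, resolve_cwd_safe and safe_cwd? are assumptions for the example.

```ruby
# Added example, not the write-up's code: resolving a client-supplied
# "cwd" for a file manager. Root path and helper names are assumptions.

UPLOAD_ROOT = '/var/app/uploads' # assumed location of the upload store

class PathTraversalError < StandardError; end

# Vulnerable: the client's cwd is expanded relative to the root and used
# as-is, so "../../etc" or an absolute path escapes the upload directory.
def resolve_cwd_unsafe(root, cwd)
  File.expand_path(cwd.to_s, root)
end

# Hardened: expand the path, then require the result to be the root
# itself or to sit below it. Comparing against root plus a separator
# avoids accepting a sibling such as "/var/app/uploads2".
def resolve_cwd_safe(root, cwd)
  base = File.expand_path(root)
  target = File.expand_path(cwd.to_s, base)
  unless target == base || target.start_with?(base + File::SEPARATOR)
    raise PathTraversalError, "cwd escapes #{base}: #{cwd.inspect}"
  end
  target
end

# Convenience predicate for input validation or logging.
def safe_cwd?(root, cwd)
  resolve_cwd_safe(root, cwd)
  true
rescue PathTraversalError
  false
end

if __FILE__ == $PROGRAM_NAME
  %w[docs/2024 ../../etc /etc/passwd a/../..].each do |cwd|
    puts "#{cwd.ljust(12)} unsafe=#{resolve_cwd_unsafe(UPLOAD_ROOT, cwd)} " \
         "allowed=#{safe_cwd?(UPLOAD_ROOT, cwd)}"
  end
end
```

File.expand_path normalises `..` segments lexically but does not follow symlinks, so once the target exists a real implementation should additionally compare `File.realpath(target)` against `File.realpath(base)`; otherwise a symlink dropped into the upload directory (which this file manager allows, since it accepts uploads) can still point outside it. Logging rejected cwd values is also a cheap detection signal for this kind of probing.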

Authorized Keys

I tried many methods:

  1. Brute forcing the user's password over SSH.
  2. Reading config files and decrypting credentials.yml.enc with master.key.
  3. Downloading ~/.ssh/id_rsa and trying to log in with it as user remi.

None of them worked. Later I found out that I could upload a file into the .ssh folder, so I simply added my public key to an authorized_keys file and uploaded it.

08 - 0 authorized keys

08 - uploaded authorized keys

Then I simply logged in as user remi.

09 - user flag

Privilege Escalation

While checking the home directory I found a .bash_alias file which includes a command to become root (using ssh). However, when I tried that command it reported too many authentication failures and did not let me ssh as root.

10 - auth failure

IdentitiesOnly flag

I searched the internet and found this Medium post. I also did some more research to understand what the problem is.

SSH servers have a security limit (usually 6 attempts) on how many keys you can try before they disconnect you. When you run a standard SSH command, the client does not start with the key you gave it with -i my_key.pem. Instead, it first asks your SSH agent (which holds your loaded keys) for credentials, and the agent happily offers every key it has, one by one. If you have 7+ keys loaded in your agent, the server disconnects you before your client ever gets a chance to offer the specific key you asked for.

The IdentitiesOnly=yes option forces the SSH client to ignore the SSH agent. It tells the client: "Do not offer any keys except the one I explicitly pointed to with the -i flag (or in my config file)."

So I tried running root -o IdentitiesOnly=yes and it worked. I got root.
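The same failure mode bites on ordinary administrative hosts, not just in a lab, and the durable fix is to set IdentitiesOnly yes next to every IdentityFile in ~/.ssh/config rather than remembering the -o flag. As an added example (not from the original post), here is a small Ruby audit that parses an OpenSSH client config and lists the Host blocks that pin an IdentityFile without IdentitiesOnly yes. The config text is constructed for the example; parse_ssh_config and hosts_missing_identities_only are assumed names. The limit it guards against is sshd's MaxAuthTries, whose default is the 6 attempts the post mentions.

```ruby
# Added example, not the write-up's code: flag ~/.ssh/config Host blocks
# that name an IdentityFile but do not set IdentitiesOnly yes. Such a
# block still lets the agent offer every loaded key first and can exhaust
# the server's MaxAuthTries (default 6) before the pinned key is tried.

# Constructed sample config for the example.
SAMPLE_SSH_CONFIG = <<~CONF
  # constructed sample, not a real config
  Host jump
      HostName jump.example.invalid
      IdentityFile ~/.ssh/jump_key

  Host prod
      HostName prod.example.invalid
      IdentityFile ~/.ssh/prod_key
      IdentitiesOnly yes

  Host *
      ServerAliveInterval 30
CONF

# Parse ssh_config text into one hash per Host block, e.g.
# { 'host' => 'jump', 'hostname' => [...], 'identityfile' => [...] }.
# Keywords are case-insensitive; both "Key value" and "Key=value" occur.
# Repeated keywords (several IdentityFile lines) are collected in arrays.
def parse_ssh_config(text)
  blocks = []
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip   # drop comments and surrounding space
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    if key == 'host'
      current = { 'host' => value }
      blocks << current
    elsif current
      (current[key] ||= []) << value
    end
  end
  blocks
end

# Host patterns that pin an identity file without IdentitiesOnly yes.
def hosts_missing_identities_only(text)
  parse_ssh_config(text).select do |block|
    block.key?('identityfile') &&
      !(block['identitiesonly'] || []).map(&:downcase).include?('yes')
  end.map { |block| block['host'] }
end

if __FILE__ == $PROGRAM_NAME
  path = File.expand_path('~/.ssh/config')
  text = File.exist?(path) ? File.read(path) : SAMPLE_SSH_CONFIG
  hosts_missing_identities_only(text).each do |host|
    puts "Host #{host}: IdentityFile set but IdentitiesOnly yes is missing"
  end
end
```

Run without arguments it audits your own ~/.ssh/config when present and falls back to the constructed sample otherwise; on the sample it reports only jump. The parser deliberately ignores Match blocks and Include directives, so treat it as a starting point rather than a complete ssh_config implementation.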

11 - root
