Sea - Proving Grounds Practice
Enumeration
Nmap
The initial nmap scan revealed that FTP, SSH, HTTP and port 55743 were open.
FTP Anonymous
FTP anonymous login was enabled, and there were log files.
They included different paths, and I think they were pentest logs.
So I tried visiting one of the paths, and it redirected me to a login page, which was a SeaCMS site.
Exploitation
SeaCMS 11.1 LFI
SeaCMS was vulnerable to LFI, as seen below.
So I checked the logs and found a database.php file.
Later, I tried to read it via the LFI and found SSH credentials.
I simply logged in with them and got a user shell.
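Detection on the web side, as an added example that is not part of this write-up: a POSIX shell scanner that pulls the request target out of combined-format access-log lines, undoes the percent-encodings commonly used to disguise "../", and counts traversal attempts of the kind an LFI like the SeaCMS one above relies on. The log lines are constructed, and the /admin/index.php?page= parameter is a placeholder rather than SeaCMS's real parameter.

```shell
#!/bin/sh
# Added example, not part of the original write-up: flag access-log
# requests that carry directory-traversal sequences, the request pattern
# behind an LFI such as the SeaCMS one. Sample lines are constructed;
# the /admin/index.php?page= parameter is a placeholder, not SeaCMS's.

# Constructed combined-format access-log lines: three traversal attempts
# (plain, partly encoded, fully encoded) among ordinary requests.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /admin/index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /admin/index.php?page=..%2f..%2fdata/config.php HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /admin/index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /css/style.css HTTP/1.1" 200 300'

# Pull the request target out of one log line and undo the percent
# encodings commonly used to disguise "../" (%2e = ".", %2f = "/", %5c = "\").
decode_target() {
    printf '%s\n' "$1" \
        | sed -n 's/^[^"]*"[A-Z]* \([^ ]*\) HTTP[^"]*".*$/\1/p' \
        | sed -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g' -e 's/%5[cC]/\\/g'
}

# Print 1 if the decoded target contains a traversal sequence, else 0.
is_traversal() {
    t=$(decode_target "$1")
    case "$t" in
        *../*|*..\\*) printf '1\n' ;;
        *)            printf '0\n' ;;
    esac
}

# Read a log on stdin, report each flagged line's decoded target on stderr
# (so the count on stdout stays clean), and print the number flagged.
count_traversal() {
    n=0
    while IFS= read -r line; do
        if [ "$(is_traversal "$line")" = 1 ]; then
            n=$((n + 1))
            printf 'traversal: %s\n' "$(decode_target "$line")" >&2
        fi
    done
    printf '%s\n' "$n"
}

# Run the scanner over the constructed sample (3 of the 5 lines are flagged).
count_traversal_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | count_traversal
}
```

The decoding step only handles the single percent-encoding layer plus backslash separators; double-encoded (`%252e`) or overlong UTF-8 forms would need a second decode pass, which is why this belongs in a log pipeline that normalises before matching rather than in a single regex.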
Privilege Escalation
bin_replacer binary and sudo NOPASSWD ps
I executed sudo -l and found that NOPASSWD ps was allowed. Moreover, I checked $PATH and found that $HOME/bin was also in the path variable.
Then I executed pspy64 and found that a bin_replacer binary was running once a minute.
It was a script that matches hidden files ($HOME/bin/.*) against binaries under /bin and replaces them.
clean="${name#.}": this part removes the preceding . from the filename.
if [[ -x "$DEST_DIR/$clean" ]]; then: this part checks whether the filename is really the name of an executable binary under /bin, and if it is, the script replaces the file.
So I simply created a file named .ps that just executes /bin/bash, as seen in the two images below.
Executing sudo /bin/ps aux then got me a root shell.
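The same two checks that the bin_replacer script performs, turned into a read-only audit plus a checksum baseline, as an added example that is not the box's script: `shadowed_hidden_files` reproduces the `${name#.}` strip and the `-x` test on the /bin twin but only reports the matches; `writable_path_dirs` flags PATH entries like $HOME/bin that the user can write to; and `baseline_hashes`/`changed_files` detect a system binary that has been swapped. All paths are parameters, the demo builds a temporary tree, and the availability of sha256sum (GNU coreutils or busybox) is an assumption.

```shell
#!/bin/sh
# Added example, not the box's bin_replacer: the script's matching logic
# (strip the leading dot, test -x on the /bin twin) reused as a read-only
# audit, plus a PATH writability check and a checksum baseline.
# Assumption: sha256sum is available (GNU coreutils or busybox).

# Print the dot-stripped name of every hidden file in $1 that has an
# executable twin in $2. These are the files a replacer job would act on.
shadowed_hidden_files() {
    hidden_dir=$1
    dest_dir=$2
    for path in "$hidden_dir"/.*; do
        [ -f "$path" ] || continue       # skips ".", ".." and an unmatched glob
        name=${path##*/}                 # basename
        clean=${name#.}                  # the write-up's clean="${name#.}"
        if [ -x "$dest_dir/$clean" ]; then   # the write-up's -x test
            printf '%s\n' "$clean"
        fi
    done
}

# Print each directory of the PATH-style string $1 that the current user
# can write to; a privileged job that resolves names through such a
# directory is under that user's control.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Record the SHA-256 of every regular file under $1 into baseline file $2.
baseline_hashes() {
    find "$1" -type f -exec sha256sum {} + | sort > "$2"
}

# Re-hash $1 and print the path of every file whose baseline line in $2
# no longer matches (changed or missing). comm needs both inputs sorted.
changed_files() {
    now=$(mktemp)
    find "$1" -type f -exec sha256sum {} + | sort > "$now"
    comm -23 "$2" "$now" | awk '{print $2}'
    rm -f "$now"
}

# Self-contained demo on a throw-away tree. Prints three fields:
# shadowed names | number of writable PATH entries | files changed since baseline.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/home/bin"
    printf '#!/bin/sh\necho real ps\n' > "$root/bin/ps"
    printf '#!/bin/sh\necho real ls\n' > "$root/bin/ls"
    chmod +x "$root/bin/ps" "$root/bin/ls"
    : > "$root/home/bin/.ps"            # has an executable twin: reported
    : > "$root/home/bin/.notabinary"    # no twin in bin/: ignored

    shadowed=$(shadowed_hidden_files "$root/home/bin" "$root/bin" | tr '\n' ',')
    writable=$(writable_path_dirs "$root/bin:/nonexistent:$root/home/bin" | wc -l | tr -d ' ')

    baseline_hashes "$root/bin" "$root/baseline"
    printf '#!/bin/sh\necho swapped\n' > "$root/bin/ps"   # simulate a swapped binary
    changed=$(changed_files "$root/bin" "$root/baseline" | wc -l | tr -d ' ')

    rm -rf "$root"
    printf '%s|%s|%s\n' "$shadowed" "$writable" "$changed"
}
```

Run `demo` to see the three findings on a throw-away tree; in production, point `shadowed_hidden_files` at the real $HOME/bin directories of users who hold NOPASSWD sudo rules, store the baseline from `baseline_hashes` somewhere the audited users cannot write, and schedule `changed_files` at least as often as the replacer job runs, since a swap that is undone before the next check is never seen.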