My File Server: 3 Walkthrough

This is a new walkthrough for the Infosec Warriors CTF machines. The My File Server: 3 CTF machine was created by Vishal Biswas, AKA Cyberknight. You can download this CTF here. Its stated level is Intermediate, and that is accurate. Either way, if this is unfamiliar you explore a little, and that’s how you learn.


Penetration Testing Methodologies

Network Scan

  • Netdiscover
  • Nmap Enumeration

Enumeration

  • Nikto
  • Nmap Scripts
  • Injecting authorized_keys via SMB
  • ProFTPd 1.3.5 File Copy

Privilege Escalation

  • Buffer overflow
  • Capture the Flag
  • Password
  • Sudo

Network Scanning

As always, we start with netdiscover to get the IP of the VM; the host found is 192.168.2.11.

Let’s proceed with a network scan using Nmap aggressive scan as given below.

Enumeration

It was very interesting. I noticed many ports were open and had anonymous login enabled, so I decided to enumerate further with Nmap scripts, along with port 80.

We know that there might be a “smbuser” on the network.


I chose to run Nikto to list weak HTTP configuration, and found an entry for .ssh.

When I tested “.ssh” in a web browser, I got the ssh folder, containing id_rsa and authorized_keys.


When I opened authorized_keys, it confirmed that “smbuser” is present on the host machine or network.


I downloaded the authorized_keys file to my local Linux machine.

We know that “smbdata” has read and write permissions. So if we place the authorized_keys of our Linux machine and…

It was done successfully. We know that ProFTPD 1.3.5 on port 2121 has the “file copy” vulnerability, so I logged in to FTP on port 2121 without a username and password. Then I copied authorized_keys from /smbdata to /home/smbuser/.ssh/authorized_keys.

Now I tried to connect over SSH with the id_rsa file and, yeah, we got a smbuser shell.
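The foothold above depends on two conditions a defender can check for: SSH key files sitting inside a tree that is served over HTTP, SMB or FTP, and an authorized_keys file gaining a key nobody approved. The following audit is an added example, not part of the original walkthrough or the CTF author's material; the function names, the `KEY_TYPES` set and the constructed-key helper are assumptions of this example.

```python
import base64, hashlib, os, struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}  # extend as needed

def exposed_key_material(served_root):
    """List SSH key files found under a served tree (web root, SMB or FTP share)."""
    hits = []
    for dirpath, _dirs, files in os.walk(served_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, served_root)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(80)
            except OSError:
                continue  # unreadable entry: nothing to classify
            if head.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in head:
                hits.append((rel, "private key"))
            elif name == "authorized_keys":
                hits.append((rel, "authorized_keys"))
    return sorted(hits)

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unexpected_keys(authorized_keys_text, allowed):
    """Fingerprints present in authorized_keys but missing from the allowlist."""
    extra = []
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok not in KEY_TYPES:
                continue  # options field or comment, keep looking
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                continue
            # A genuine key blob starts with its own length-prefixed type name.
            if blob[4:4 + len(tok)] == tok.encode() and fingerprint(blob) not in allowed:
                extra.append(fingerprint(blob))
            break
    return extra

def constructed_key_line(key_type, fill, comment):
    """Build a CONSTRUCTED authorized_keys line with dummy bytes (not a real key)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + bytes([fill]) * 36
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}", fingerprint(blob)
```

Run `exposed_key_material` against each directory a service publishes, and `unexpected_keys` against every account's authorized_keys with the fingerprints you have approved.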

Here we found two folders in home, but I didn’t get anything from them, and we have no find or locate command for searching for SUID files. So I searched manually and found a file “esclate” which has the SUID bit of user bla.

So from this file, we can try to get a “bla” user shell. After feeding it a lot of numbers and letters, it sometimes gives “why are you here?” and sometimes “Segmentation fault”.

So I understood what was happening here. I gave a value {number} that falls between both errors, and yeah, “I got the bla user group”.

Then I tried to access the bla directory and, yeah, I was finally in.

And I got the FLAG of the bla user.

So after cracking the hash, I got the bla user’s password, bla:itiseasy. After that, I checked sudo permissions and rights, and found two things that can be run by sudo: “capsh” and “setcap”.

And I got the root shell.
