1. Reconnaissance
1.1 Obtaining Target Network Information: IP Address
Since the target machine’s IP address is unknown but shares a Class C network with the attacker, ARP scanning can retrieve it.
/>
1.2 Active Scanning: Scanning IP Address Block
Scanning all TCP ports revealed services such as 21/ftp and 22/ssh.
/>
Scanning the 20 most common UDP ports revealed services such as 161/snmp.
1.3 Gathering Victim Host Information: Software
Information gathering was performed using SNMP, revealing information about processes, network interfaces, software, SNMP, system, and network details. On the unknown port 36969, a TFTP service running over UDP was discovered, with the mount directory being /home/patrick.
2. Data Exfiltration
2.1 Exfiltration via Alternate Protocols: Exfiltration via Unencrypted Non-C2 Protocol
The 21/ftp service was examined, revealing numerous files, all of which were downloaded locally.
Upon examination of the file contents, the ‘directory’ file turned out to be the result of an ‘ls -l’ command executed on the /home/patrick directory.
2.2 Exfiltration via Alternate Protocols: Exfiltration via Unencrypted Non-C2 Protocol
The 36969/tftp service was examined; however, an ‘ls’ command was not available. Fortunately, the ‘ls -l’ output of the /home/patrick directory had already been obtained, allowing for the individual download of files of interest.
The ‘version_control’ file revealed that the software providing the 21/ftp service is ProFTPD version 1.3.5, along with the path to the web root directory.
3. Initial Access
3.1 Leveraging Publicly Facing Applications
The mod_copy module in ProFTPD 1.3.5 allows the ‘site cpfr’ and ‘site cpto’ commands to read and write arbitrary files. If ProFTPD is started by the root user, it’s possible to write to /etc/passwd or a webshell to gain server privileges.
A script to write a webshell was found and successfully executed.
A reverse shell was constructed, obtaining ww-data user privileges.
4. Credential Access
4.1 Insecure Credentials: Credentials in Files
Information gathering on the server yielded a password file containing the password for the patrick user.
Successfully switched to the patrick user using ‘su’.
5. Privilege Escalation
5.1 Abusing Privilege Control Mechanisms: Sudo and Sudo Cache
The patrick user can execute the /home/patrick/script/test script with root privileges.
The patrick user cannot view the contents of this script; therefore, it was executed directly with root privileges.
The script’s function is to modify file permissions. Following the prompt, the permissions of /etc/passwd were changed to 777.
Now with the ability to write to the /etc/passwd file, privileged user access was gained, ultimately resulting in root privileges.
The flag was then retrieved using ‘cat’.