Welcome to Pentester Club! In this video, we are thrilled to present to you an opportunity to enhance your penetration testing skills to a mastery level, ultimately making you the king of the field. Join us on this transformative journey as we guide you through the art of penetration testing, equipping you with the tools and techniques required to become the ultimate pentester.
At Pentester Club, we believe in pushing boundaries and exceeding limits. Our comprehensive training program delves deep into the intricacies of penetration testing, covering everything from the fundamentals to advanced methodologies. With our industry-leading instructors and hands-on exercises, you’ll gain invaluable expertise and practical experience.
Mastering the art of penetration testing requires a strong foundation in network security, vulnerability assessment, ethical hacking, and much more. Throughout this course, we leave no stone unturned, exploring the latest attack vectors and defense mechanisms. By the end, you will possess the knowledge and skills needed to excel in this dynamic and ever-evolving field.
Why choose Pentester Club? Not only do we provide top-notch training materials, but we also foster a tight-knit community of like-minded individuals. Interact and collaborate with fellow aspiring and seasoned professionals, sharing insights, tips, and tricks. Together, we can push the boundaries of what’s possible in the world of penetration testing.
Are you ready to take your penetration testing skills to new heights? Join us at Pentester Club and become the ultimate pentester! Don’t miss out on this remarkable opportunity to unlock your true potential in the field.
Identify the target
First, I found the IP address of the target machine with a ping sweep of the subnet (fping with -a prints only the hosts that answer).
fping -aqg 10.0.0.0/24
Scan services on target
Next, I scanned all TCP ports on the target to learn which services are exposed and which versions they run.
nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.22
The nmap scan shows that directory listing is enabled on the web server, so let’s look at the contents of /site.
Enumerate the webserver
The page itself holds nothing of interest, so I enumerated the directories and files under /site.
gobuster dir -r -u http://10.0.0.22/site/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x txt,php,html -o dir-common.log
Gobuster turned up a subdirectory, war-is-over, whose index page holds one long base64-encoded string. A base64 blob of that size usually encodes a binary file rather than text, so I decoded it straight to a file.
curl http://10.0.0.22/site/war-is-over/ | base64 -d > output
Running file on the output confirms that the decoded data is a zip archive. Listing the archive shows a single entry, king, and it is password-protected.
So I used zip2john to extract the archive’s hash and John the Ripper to crack the password.
zip2john output > hash
john hash --wordlist=/home/kali/rockyou.txt
This cracked the zip password, so I could extract king, which turns out to be an image.
Next, I had to pull the hidden data out of the image. binwalk found an embedded archive inside it and extracted it.
binwalk -e king
The extracted directory contains a file named user, which holds a username and password for an account on the machine.
Next, I logged in as that user, floki.
floki is a member of the lxd group, which on its own is enough to reach root (an lxd member can launch a privileged container with the host filesystem mounted). I won’t take that shortcut here; if you want to see it, search my other writeups for the keyword ‘lxd’. Here I follow the intended path.
Escalate to user ragnar
There is another user, ragnar, who owns the user flag, so the next goal is to pwn ragnar. Looking around floki’s home directory, I found a file readme.txt with the following content.
I am the famous boat builder Floki. We raided Paris this with our all might yet we failed. We don't know where Ragnar is after the war. He is in so grief right now. I want to apologise to him.
Because it was I who was leading all the Vikings. I need to find him. He can be anywhere.
I need to create this `boat` to find Ragnar
In the same directory there is also a file named boat, which looks as follows.
The boat file tells us to find the printable characters in the Collatz sequence of a number. The Collatz conjecture is defined over the positive integers: take a positive integer n; if n is odd, replace it with 3n + 1; if n is even, replace it with n / 2; repeat until you reach 1. The conjecture says that every starting value eventually reaches 1. It is still unproven, an open problem rather than an unsolvable one, but it has been verified by computation for every starting value up to roughly 2 to the power 68, which is far more than we need here.
Here we need the Collatz sequence of the 29th prime number, which is 109. For this, I wrote a simple Python script.
The script prints every term of the sequence that is below 256 (the byte range). I then pasted the numbers into CyberChef, converted them from decimal to characters and kept only the printable ones, which gives the password of the user ragnar.
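The sequence and the filtering, written out as an added Python example; this is not the author’s collatz.py (which the page does not reproduce) and it goes a little beyond it: it computes the 29th prime itself instead of hard-coding 109, and it does the decimal-to-character and printable-only steps in Python instead of CyberChef. The names nth_prime, byte_terms and printable_password and the choice of 32..126 as the printable range are this example’s own.

```python
def collatz(n: int) -> list:
    """Collatz sequence from n (included) down to the first 1."""
    if n < 1:
        raise ValueError("the Collatz map is defined on positive integers")
    seq = [n]
    while n != 1:
        n = 3 * n + 1 if n % 2 else n // 2
        seq.append(n)
    return seq


def nth_prime(k: int) -> int:
    """k-th prime by trial division; fine for small k such as 29."""
    primes = []
    cand = 2
    while len(primes) < k:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes[-1]


def byte_terms(n: int) -> list:
    """Terms that fit in a byte (< 256): what the author's script fed to CyberChef."""
    return [v for v in collatz(n) if v < 256]


def printable_password(n: int) -> str:
    """Keep only terms that are printable ASCII (32..126) and join them as characters;
    this is the 'printable characters' step done in Python instead of CyberChef."""
    return "".join(chr(v) for v in collatz(n) if 32 <= v <= 126)


if __name__ == "__main__":
    start = nth_prime(29)
    seq = collatz(start)
    print(f"start={start} terms={len(seq)} peak={max(seq)}")
    print(byte_terms(start))
    print(repr(printable_password(start)))
```

The byte filter (< 256) is what the writeup describes, but values 127..255 are not printable ASCII and values below 32 are control characters, which is why the final password is shorter than the list of byte-sized terms; using repr() when printing avoids losing a trailing space or backslash in the result.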
python3 collatz.py | xclip -sel clip
With the password in hand, I could log in over SSH.
I now had a shell as the user ragnar. Note that right after login the shell asks for a password, as if a sudo command were being run.
Root privilege escalation
So far we have a shell as ragnar, but it isn’t a bash shell, so I first spawned one.
SHELL=/bin/bash script -q /dev/null
Earlier we saw that the shell prompts for a password right after login. That happens when a command is placed in one of the user’s login scripts, i.e. .profile, .bashrc, .bash_profile, /etc/profile and so on. I checked .profile and found the command there.
Although ragnar has no sudo permissions, the author presumably put that command there as a hint that an rpyc server is running on the machine. So I checked which TCP ports were listening.
A quick search shows that rpyc’s classic server (rpyc_classic) is the least safe way to run rpyc: it gives every client that can connect unrestricted access to the server process, including importing and calling modules such as os, with no authentication at all. Because the server here runs as root, any command we send through it runs as root.
I copied my SSH public key into a file named authorized_keys in ragnar’s home directory, then wrote a small Python script that uses the rpyc connection to copy it into root’s .ssh directory.
import rpyc

def getshell():
    import os  # teleported code runs inside the server process, so imports must live in the function
    os.system("mkdir -p /root/.ssh; chmod 700 /root/.ssh; cp /home/ragnar/authorized_keys /root/.ssh/authorized_keys")

conn = rpyc.classic.connect("localhost")
fn = conn.teleport(getshell)  # ship the function to the server and get back a remote callable
fn()
Next, I ran the script.
With my key now in root’s authorized_keys, I could SSH in as root.