Challenge
Scanning Output
$ rustscan -a <Target IP> --ulimit 5000 -- -A
Looking at the scanning results, 3 ports are open on the target machine.
1. 21 (ftp); also note that anonymous FTP login is allowed
2. 22 (ssh)
3. 80 (http)
ftp(21) enumeration
From FTP enumeration, there looks to be nothing much in the file that we downloaded to the local machine. Let's try port 80 (http) enumeration.
http(80) enumeration
From the source code of the home page, we get some hints about steganography. So, let's shift our focus to steganography.
First, download the image that is displayed on the home page, and then we can hunt down the flags.
Stegcracker
It is a steganography brute-forcing tool used to uncover hidden information in files/images.
Looks like we got the credentials of the “holt” user. We can try to SSH to the target machine with the credentials that we got.
Successfully logged in to the target machine with the credentials that we got in the previous step. Once logged in to the machine, look for user.txt to get the user flag.
Privilege Escalation
From the “sudo -l” command we can see that “holt” can run nano as the root user without a password. We can use this flaw to escalate to the root user. The best place to look is GTFOBins; search for nano in GTFOBins.
We can either use (a) or (b) to escalate privilege.
Yayy!! We rooted the machine.
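The sudo rule abused above is something an administrator can catch in an audit. The following is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules like holt's nano entry. The sample output, host name, binary paths and the short `ESCAPE_CAPABLE` list are constructed for illustration.

```python
import re

# Illustrative subset of programs that allow shell escape under sudo;
# GTFOBins lists many more.
ESCAPE_CAPABLE = {"nano", "vi", "vim", "less", "more", "man", "find", "awk"}

# Constructed `sudo -l` output; the host name and paths are made up.
SAMPLE = """\
Matching Defaults entries for holt on target:
    env_reset, mail_badpass

User holt may run the following commands on target:
    (root) NOPASSWD: /bin/nano
    (root) /usr/bin/uptime
    (ALL) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/id
"""

RULE = re.compile(r"^\s+\(([^)]*)\)\s*(.+)$")  # "(runas) [TAG:] cmd, cmd"
TAG = re.compile(r"^([A-Z_]+):\s*")            # NOPASSWD:, PASSWD:, SETENV: ...


def audit_sudo_l(output):
    """Return (runas, command, reason) for each risky rule in `sudo -l` output."""
    findings, in_rules = [], False
    for line in output.splitlines():
        in_rules = in_rules or "may run the following commands" in line
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = False
        for cmd in (c.strip() for c in m.group(2).split(",")):
            while (t := TAG.match(cmd)):  # a tag carries over to later commands
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                cmd = cmd[t.end():]
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif binary in ESCAPE_CAPABLE:
                reason = f"{binary} allows shell escape"
            else:
                continue
            if nopasswd:
                reason += ", no password required"
            findings.append((m.group(1), cmd, reason))
    return findings

for finding in audit_sudo_l(SAMPLE):
    print("[!]", " | ".join(finding))
```

Any rule it flags should either be removed or replaced with a narrower mechanism such as `sudoedit` for file editing.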
In summary, this was a beginner machine which had anonymous FTP login allowed. On enumerating further, we got to know it was related to steganography, so we moved with that flow and, using “stegcracker”, got the user's credentials. We then performed vertical privilege escalation by taking advantage of “nano”, which the normal user was allowed to run with sudo without a password. Hence, we got root access to the machine and were able to find root.txt.
Bye!