arnavtripathy98.medium.com

Cheesey: Cheeseyjack Vulnhub walkthrough

Arnav Tripathy

Another very nicely made machine for the OSCP crowd! Kudos to VulnHub for bringing out really top-notch machines ever since the collaboration with OffSec. Let’s start right away:

As usual, a full nmap port scan:

Normally, I like to check out all the other ports before finally enumerating port 80. In my experience, the other ports often yield something useful that helps in chaining information to gain an initial foothold, so let’s investigate them first.

We were unable to pull anything useful out of the Samba share. But notice that NFS is open. Let’s try to mount it:

Great! We were able to mount a user’s files. We checked out the mounted filesystem but did not find anything useful. Still, we kept a mental note of the username; who knows, it might come in useful later.

Now let’s march to port 80. We were greeted with this:

Nothing special was found, but we observed a domain name. We immediately added it to the /etc/hosts file:

Let’s run DirBuster against the server:

DirBuster revealed a new directory. Let’s head over there:

The screenshot doesn’t seem to be clear. We got the qdPM software. A Google search showed that there were many ways to exploit it, but we needed a username and password. The author had already given us a hint that we needed to use cewl. After some trial and error, we finally found the credentials to be:

ch33sm4n@cheeseyjack.local:qdpm

And now we are logged in. We head over to project creation:

After giving our project a name and completing some formalities, we get an option to upload attachments. We upload a PHP shell there:

After saving it, some googling, research and trial and error revealed the location of the attachment, as shown below:

We clicked it, with our netcat listener already running in the background:

Normally, before running an enumeration script, I like to check out the home directory to see if I have access to any user’s files. There might be something useful; we never know. We found a user crab and some notes in his directory:

As per the hint, we immediately moved to the /var/backups directory and, upon enumeration, came across an SSH key:

We guessed it was crab’s and tried to log in as him. It seems we were correct:

Let’s check for his sudo rights:

So it seems that he can run a script as root as long as it’s run from /home/crab/.bin. Easy enough: let’s just create a shell and run it from that directory with sudo rights to get root, as shown below:

Great! We are root. Let’s just cat out the root flag to complete the challenge formally:

It was a great machine. I sincerely thank the author for this challenge; I enjoyed it tremendously.
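
As an added defensive example (not part of the original walkthrough): the root step worked because the sudo rule trusted a directory that crab controls. The Python sketch below audits sudoers text for that pattern; the sample rules are constructed, since the real rule appears only in the screenshot, and `audit_sudoers` is a hypothetical helper name.

```python
import re

# Constructed sudoers text (not copied from the target): the first rule is
# modelled on the walkthrough's description, the others are for contrast.
SAMPLE_SUDOERS = """\
Defaults env_reset
crab    ALL=(ALL) NOPASSWD: /home/crab/.bin/
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /tmp/sync-*.sh
deploy  ALL=(root) /usr/local/sbin/restart-app
"""

# Heuristic (assumption): locations an unprivileged user can usually write to.
USER_WRITABLE = re.compile(r"^(/home/[^/]+|/tmp|/var/tmp|/dev/shm)(/|$)")
# user  host = (runas) cmnd_list ; aliases and includes are not expanded.
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAGS = re.compile(r"^\s*(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit_sudoers(text):
    """Return (principal, command, reasons) for every risky command spec."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")):
            continue
        match = RULE.match(line)
        if not match:
            continue
        principal, cmnd_list = match.groups()
        for spec in cmnd_list.split(","):
            spec = TAGS.sub("", spec).strip()
            path = spec.split()[0] if spec else ""
            reasons = []
            if path.endswith("/"):
                # sudoers treats a trailing "/" as "any file in this directory"
                reasons.append("directory spec: any file inside may be run")
            if any(ch in path for ch in "*?["):
                reasons.append("wildcard in command path")
            if USER_WRITABLE.match(path):
                reasons.append("path under a user-writable location")
            if reasons:
                findings.append((principal, path, reasons))
    return findings


if __name__ == "__main__":
    for principal, path, reasons in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{principal}: {path} -> {'; '.join(reasons)}")
```

On a real host, follow this up by checking ownership and permissions of each flagged path and its parent directories, since the location heuristic is only an assumption. The fix is to point the rule at a single root-owned script in a root-owned directory.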