Vacaciones
Last updated
Last updated
Install docker.io (if you do not already have it installed) -> sudo apt install docker.io
Download machine from DockerLabs website and setup lab:
unzip vacaciones
.zip
sudo bash auto_deploy.sh vacaciones.tar
and we obtained IP machine -> 🎯 Target IP: 172.17.0.2
We can put the IP in the file to associate it with an easier to remember name:
Create a directory for machine on a dedicated folder and subdir containing: nmap,content,exploits,scripts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system, while Windows systems usually have a TTL of 128 secs.
Of course, we start looking for information about our target by scanning the open ports with the nmap tool
There're two open port (22, 80), analyze them searching more info about services version and potential vulns:
command | result |
---|---|
sC | run default scripts |
sV | enumerate versions |
A | aggressive mode |
Pn | no ping |
oN | output to file with nmap formatting |
As always we begin our exploration from port 80, where we know there is a web server, so we execute the whatweb command to extract more information and then view the content using the browser
The Apache version is older and vulnerable, we can verify it using searchsploit tool:
Let's display the default Apache page, there's a blank page, try analysing the source page with CTRL+U
We discover this information disclosure regarding two hypotetic usernames: Juan and Camilo, we'll use them later to try brute force attack via ssh (22).
Continuing, we try to find potential hidden directory using gobuster:
We only find a web dir (/javascript), but going on it we haven't permission to access.
Remembering that we've two pontetial username and the port 22 (SSH) opened, not knowing the password we could try a brute force attack with hydra.
I save the two usernames into a txt file: echo -e "camilo\njuan" >> users.txt
Fantastic, we discovered the password, we use it to log in via SSH with the following command: ssh camilo@vacaciones
Now that we are inside, since we are not root user we need to elevate our privileges, but we can't retrieve good info using sudo -l
because we're not into sudoers
Remember the information disclosure, we try to find email locally find / -type f -name "*.txt" 2>/dev/null
and we retrieve the mail message that we are searching.
We know that ther're three users, then we can try to log in with each
Very good, password works for juan!
And user sudo -l
we see that juan user has root permissions for /usr/bin/ruby, then we can use gtfobins to find it.
using ruby sudo command, we obtain a root permission sudo ruby -e 'exec "/bin/sh"'