We will start with an nmap scan to see which ports the target has open:
❯ nmap -p- --open -n -Pn -vvv 172.17.0.2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-17 13:12 CEST
Initiating ARP Ping Scan at 13:12
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 13:12, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:12
Scanning 172.17.0.2 [65535 ports]
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 13:12, 0.93s elapsed (65535 total ports)
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000070s latency).
Scanned at 2024-06-17 13:12:29 CEST for 1s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 02:42:AC:11:00:02 (Unknown)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
We can see that port 22 (SSH) and port 80 (HTTP) are open. We will run a second scan to see which services and versions are running on those ports:
❯ nmap -p22,80 -sCV 172.17.0.2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-17 13:14 CEST
Nmap scan report for 172.17.0.2
Host is up (0.000028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 3d:fd:d7:c8:17:97:f5:12:b1:f5:11:7d:af:88:06:fe (ECDSA)
|_ 256 43:b3:ba:a9:32:c9:01:43:ee:62:d0:11:12:1d:5d:17 (ED25519)
80/tcp open http Apache httpd 2.4.59 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.59 (Debian)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.73 seconds
We will be able to see the following:
PORT     SERVICE
22/tcp   SSH version 9.2
80/tcp   HTTP Apache version 2.4.59
If we open the website we can see that it is a page with an image of a Kinder egg:
Foothold
We will download the image and look at its metadata with exiftool:
We will see that the metadata gives us a user named borazuwarah, but we don't know the password, so I will do an SSH brute-force attack with hydra:
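A brute-force attempt like the one above leaves a characteristic trail in the target's sshd log: many failed logins from one source in a short window, often followed by a successful password login. As an added example (not part of the original write-up), here is a Python detector run over constructed auth.log lines; the log lines, hostnames, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not taken from the original page).
SAMPLE_LOG = """\
Jun 17 13:20:01 target sshd[1201]: Failed password for borazuwarah from 172.17.0.1 port 51234 ssh2
Jun 17 13:20:01 target sshd[1202]: Failed password for borazuwarah from 172.17.0.1 port 51235 ssh2
Jun 17 13:20:02 target sshd[1203]: Failed password for invalid user admin from 172.17.0.1 port 51236 ssh2
Jun 17 13:20:02 target sshd[1204]: Failed password for borazuwarah from 172.17.0.1 port 51237 ssh2
Jun 17 13:20:03 target sshd[1205]: Failed password for borazuwarah from 172.17.0.1 port 51238 ssh2
Jun 17 13:20:04 target sshd[1206]: Accepted password for borazuwarah from 172.17.0.1 port 51239 ssh2
Jun 17 13:25:00 target sshd[1300]: Failed password for borazuwarah from 10.0.0.5 port 40001 ssh2
Jun 17 13:30:00 target sshd[1301]: Accepted publickey for borazuwarah from 10.0.0.5 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2024):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2024 here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Return {ip: summary} for every source whose failed logins reached
    `threshold` inside a sliding window of `window_s` seconds. `success_after`
    is True if a password login from that source succeeded once the burst began."""
    state = defaultdict(lambda: {"recent": [], "peak": 0, "users": set(), "success_after": False})
    for ts, result, method, user, ip in parse(log_text):
        s = state[ip]
        if result == "Failed":
            # Keep only failures still inside the window, then add this one.
            s["recent"] = [t for t in s["recent"] if (ts - t).total_seconds() <= window_s] + [ts]
            s["users"].add(user)
            s["peak"] = max(s["peak"], len(s["recent"]))
        elif method == "password" and s["peak"] >= threshold:
            s["success_after"] = True   # a guess worked: treat as compromise, not just noise
    return {ip: {"peak_failures": s["peak"], "users": sorted(s["users"]),
                 "success_after": s["success_after"]}
            for ip, s in state.items() if s["peak"] >= threshold}

if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

The second source (10.0.0.5) fails once and then logs in with a key, so it is not reported; only the burst source is flagged, with `success_after` set because its password guess eventually succeeded.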
Privilege Escalation
If we look at the sudoers permissions we can see that we can run /bin/bash as a privileged user (root) without needing to enter a password: