🐧Pwned1

192.168.234.95

Enumeration

Initial scan.

nmap 192.168.234.95 -p- -sV -A

Port 21

Banner Grab.

Port 22

Banner Grab.

Port 80

Note in source code.

Robots.txt

/hidden_text/secret.dic

Threw secret.dic into a word list and ran through dirbust. /pwne.vuln was found.

Found in source code. User : ftpuser Password : B0ss_Pr!ncesS

Back to Port 21

Was able to connect by user ftp with these credentials, grabbed an id_rsa and note.txt

Possible user name in note.txt

Shell

Using ariana and id_rsa was able to connect to the machine via ssh.

Interesting file

Sudo Perms

Another interesting file.

Had to look at a write up here. None of them worked so I ended up just entering sh sh into the file when it ran and got a shell with selena. I may have already had a shell from something I tried here but did not know due to not getting a bash prompt.

sudo -u selena ./messenger.sh

Stabilized shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Uploaded Linpeas and read through the output not finding anything that stands out other than a few drives that seem to have been disconnected. After an hour I decided to get a hint.

Had to get a hint here. I had seen that docker was installed but was unaware of any priv. escs. with docker. What I thought were drives that had been disconnected were docker containers. Lesson learned.

Root