HackMyVM | Alzheimer

In this walkthrough, I demonstrate how I obtained complete ownership of Alzheimer from HackMyVM
In: HackMyVM, Attack, CTF, Home Lab, Linux, Easy Challenge
I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access

Nmap Results

# Nmap 7.94SVN scan initiated Mon Nov 25 15:06:49 2024 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.14
Nmap scan report for 10.9.9.14
Host is up (0.00043s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.6.6.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp filtered ssh
80/tcp filtered http
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 25 15:06:51 2024 -- 1 IP address (1 host up) scanned in 1.82 seconds





Service Enumeration

TCP/21

We have anonymous access to the FTP server, which contains a file named .secretnote.txt; its contents look like a port knock sequence.
If you're using Proxmox as your hypervisor, as I am: I had to boot into single-user mode and correct the interface name from enp0s3 to ens18, because the NIC driver changed when the VM was imported.

However, enp0s3 is also hard-coded in /etc/knockd.conf, so you'll need to boot back into single user mode and change it there as well.

Port Knocking

for port in {1000,2000,3000}; do sudo hping3 10.9.9.14 -n -c 1 -i 1 -S -p "$port"; done

Use the port knocking sequence described in .secretnote.txt

Both of the filtered ports are now open
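As an added example (not part of the original write-up), the following Python script shows the same 1000, 2000, 3000 SYN sequence from the target's side: it parses iptables LOG-style lines and reports each source that completes the sequence in order within a time window, which is the detection a defender would want for a knock-gated SSH port. The log lines are constructed (the addresses match the lab, the entries themselves are made up), and the 15-second window is an assumption rather than a value taken from the box's knockd.conf.

```python
import re
from datetime import datetime

# Constructed iptables LOG-style lines (not real output from the box).
# 10.6.6.9 completes the knock; 10.6.6.7 knocks out of order;
# 10.6.6.8 sends the last knock 44 seconds late.
SAMPLE_LOG = """\
Nov 25 15:10:01 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.9 DST=10.9.9.14 PROTO=TCP SPT=40001 DPT=1000 SYN URGP=0
Nov 25 15:10:02 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.9 DST=10.9.9.14 PROTO=TCP SPT=40002 DPT=2000 SYN URGP=0
Nov 25 15:10:03 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.9 DST=10.9.9.14 PROTO=TCP SPT=40003 DPT=3000 SYN URGP=0
Nov 25 15:10:04 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.9 DST=10.9.9.14 PROTO=TCP SPT=40004 DPT=22 SYN URGP=0
Nov 25 15:12:00 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.7 DST=10.9.9.14 PROTO=TCP SPT=50001 DPT=1000 SYN URGP=0
Nov 25 15:12:01 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.7 DST=10.9.9.14 PROTO=TCP SPT=50002 DPT=3000 SYN URGP=0
Nov 25 15:12:02 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.7 DST=10.9.9.14 PROTO=TCP SPT=50003 DPT=2000 SYN URGP=0
Nov 25 15:20:00 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.8 DST=10.9.9.14 PROTO=TCP SPT=50001 DPT=1000 SYN URGP=0
Nov 25 15:20:01 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.8 DST=10.9.9.14 PROTO=TCP SPT=50002 DPT=2000 SYN URGP=0
Nov 25 15:20:45 alzheimer kernel: IN=ens18 OUT= SRC=10.6.6.8 DST=10.9.9.14 PROTO=TCP SPT=50003 DPT=3000 SYN URGP=0
"""

# Knock sequence from the write-up's .secretnote.txt; the window is an assumption.
KNOCK_SEQUENCE = (1000, 2000, 3000)
KNOCK_WINDOW_SECONDS = 15

# Only TCP SYN lines matter: a knock is a bare connection attempt to a closed port.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)


def parse_line(line):
    """Return (timestamp, source IP, destination port) or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only the differences between them are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def detect_knocks(lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW_SECONDS):
    """Return (src, timestamp) for every source that hits `sequence` in order,
    with at most `window` seconds between successive knocks."""
    progress = {}  # src -> (index of next expected port, time of last knock)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, last = progress.get(src, (0, None))
        # A stale partial sequence starts over, as a knock daemon's timeout would enforce.
        if last is not None and (ts - last).total_seconds() > window:
            idx = 0
        if dpt == sequence[idx]:
            idx += 1
        elif dpt == sequence[0]:
            idx = 1  # wrong port, but it may be the first knock of a fresh attempt
        else:
            idx = 0  # any other port breaks the sequence
        if idx == len(sequence):
            alerts.append((src, ts.strftime("%b %d %H:%M:%S")))
            idx = 0
        progress[src] = (idx, ts)
    return alerts


if __name__ == "__main__":
    for src, when in detect_knocks(SAMPLE_LOG.splitlines()):
        print(f"knock sequence {KNOCK_SEQUENCE} completed by {src} at {when}")
```

Only 10.6.6.9 is reported: the out-of-order source never advances past the first knock, and the late third knock from 10.6.6.8 falls outside the window, so the partial state is discarded rather than counted.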



TCP/80

Possible username: medusa
Looks like morse code
Not sure what to make of it just yet, but I'll make a note of it



Gobuster Enumeration

Directories and Files

gobuster dir -u http://10.9.9.14/ -x txt -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 100 -r -o alzheimer.txt
/admin                (Status: 403) [Size: 169]
/home                 (Status: 200) [Size: 34]
/secret               (Status: 200) [Size: 44]
Combing through both folders: /home is a dead end, and /secret has a /secret/home sub-directory that is also a dead end. We know the password is supposed to be in a .txt file.

The only other logical place to check for files would be FTP, in case issuing the port knock sequence did anything special there.





Exploit

Port Knock to SSH

Rechecking FTP

No new files, but the timestamp shows the file has been updated, whereas it was dated Oct 03 2020 before.
Indeed, it looks like the port knocking sequence causes this string to be appended to the file, which is probably the password.





Post-Exploit Enumeration

Operating Environment

OS & Kernel

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Linux alzheimer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux    

Current User

uid=1000(medusa) gid=1000(medusa) groups=1000(medusa),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Matching Defaults entries for medusa on alzheimer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User medusa may run the following commands on alzheimer:
    (ALL) NOPASSWD: /bin/id    



Users and Groups

Local Users

medusa:x:1000:1000:medusa,,,:/home/medusa:/bin/bash    

Local Groups

cdrom:x:24:medusa
floppy:x:25:medusa
audio:x:29:medusa
dip:x:30:medusa
video:x:44:medusa
plugdev:x:46:medusa
netdev:x:109:medusa
medusa:x:1000:    



Network Configurations

Network Interfaces

ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether bc:24:11:12:2a:d1 brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.14/24 brd 10.9.9.255 scope global dynamic ens18
       valid_lft 5755sec preferred_lft 5755sec
    inet6 fe80::be24:11ff:fe12:2ad1/64 scope link 
       valid_lft forever preferred_lft forever    



Interesting Files

/usr/sbin/capsh

-rwsr-sr-x 1 root root 26776 Feb  6  2019 /usr/sbin/capsh    





Privilege Escalation

SUID Abuse

capsh | GTFOBins
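As an added example, not code from the post: a small Python audit that parses ls -l style output, decodes the setuid/setgid bits into an octal mode, and flags binaries that appear on a short GTFOBins-style watchlist. This is the check a defender would run to catch a stray SUID copy of capsh before it becomes a privilege escalation path. The capsh line is the one from the write-up; the other listing lines and the watchlist contents are constructed and illustrative, not the full GTFOBins catalogue.

```python
import re

# Constructed ls -l output. Only the capsh line is taken from the write-up;
# the sizes and dates on the other lines are made up for the example.
SAMPLE_LS = """\
-rwsr-sr-x 1 root root  26776 Feb  6  2019 /usr/sbin/capsh
-rwsr-xr-x 1 root root  63736 Jul 27  2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 315904 Jan 10  2019 /usr/bin/find
-rwxr-xr-x 1 root root  43744 Jan 10  2019 /usr/bin/id
"""

# Illustrative watchlist of binaries GTFOBins documents as SUID-abusable (assumption: not exhaustive).
GTFOBINS_SUID_WATCHLIST = {"capsh", "env", "find", "python3", "bash", "vim"}

# mode, link count, owner, group, size, three date tokens, path
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)$"
)


def parse_mode(mode):
    """Decode a 10-character ls mode string into (special bits, permission bits).

    's'/'t' mean the special bit and the execute bit are both set; 'S'/'T' mean
    the special bit is set without execute. Returns e.g. (6, 0o755) for -rwsr-sr-x.
    """
    perms = mode[1:]
    setuid = perms[2] in "sS"
    setgid = perms[5] in "sS"
    sticky = perms[8] in "tT"
    bits = 0
    for i, ch in enumerate(perms):
        if ch not in "-ST":  # r, w, x, s, t all mean the underlying bit is set
            bits |= 1 << (8 - i)
    special = (setuid << 2) | (setgid << 1) | int(sticky)
    return special, bits


def audit_suid(lines, watchlist=GTFOBINS_SUID_WATCHLIST):
    """Return one finding per setuid/setgid file, flagging watchlisted names."""
    findings = []
    for line in lines:
        m = LS_RE.match(line.strip())
        if not m:
            continue
        special, bits = parse_mode(m.group("mode"))
        if not special & 0o6:  # neither setuid nor setgid: not interesting here
            continue
        path = m.group("path")
        findings.append({
            "path": path,
            "owner": m.group("owner"),
            "mode": f"{special:o}{bits:03o}",
            "setuid": bool(special & 4),
            "setgid": bool(special & 2),
            "watchlisted": path.rsplit("/", 1)[-1] in watchlist,
        })
    return findings


if __name__ == "__main__":
    for f in audit_suid(SAMPLE_LS.splitlines()):
        tag = "REVIEW" if f["watchlisted"] else "baseline"
        print(f"{tag:8} {f['mode']} {f['owner']:6} {f['path']}")
```

On a real host the input would come from `find / -perm -4000 -o -perm -2000 -exec ls -l {} +`; comparing the result against a known-good baseline for the distribution release is what turns this listing into an alert, since passwd is expected to be setuid while capsh is not.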



Flags

User

HMVrespectmemories    

Root

HMVlovememories    