- With nmap we scan for live hosts in 192.168.1.0/24, as this is the address range of our local network:
nmap -sn 192.168.1.0/24
For me it reveals that there is a host up - 192.168.1.2
- We scan the host with nmap for open ports
nmap 192.168.1.2
We can see that the host has open ports 21, 22 and 80 - FTP, SSH and HTTP respectively.
- We open the host in a browser and can confirm that this host is for our exercise, as it contains HTML markup that says something like "HackMe Please!".
- We connect to host through FTP:
ftp 192.168.1.2
It asks for a user, so we try anonymous login:
- username: anonymous
- password: (empty)
We get access.
- We see what files the ftp server contains:
ls
There are two files: life.c and template.html.
- We download both files and see that they contain nothing useful. But we now know that the FTP server may be exploited to upload a reverse shell.
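A defender's view of this step, added here as an example and not part of the original write-up: a small Python scanner over vsftpd log lines that flags anonymous logins and, more seriously, anonymous uploads of script files, which an FTP directory that is also served over HTTP would make reachable to anyone. The log lines, client addresses and file names are constructed, and the line layout is assumed to follow vsftpd's default log format.

```python
import os
import re

# Constructed sample lines in vsftpd's default log format (assumption; not from the write-up)
SAMPLE_LOG = """\
Mon Mar  4 10:01:12 2024 [pid 2101] CONNECT: Client "192.168.1.5"
Mon Mar  4 10:01:14 2024 [pid 2100] [anonymous] OK LOGIN: Client "192.168.1.5"
Mon Mar  4 10:01:20 2024 [pid 2102] [anonymous] OK DOWNLOAD: Client "192.168.1.5", "/files/life.c", 512 bytes, 40.12Kbyte/sec
Mon Mar  4 10:02:03 2024 [pid 2102] [anonymous] OK UPLOAD: Client "192.168.1.5", "/files/rshell.php", 5493 bytes, 122.41Kbyte/sec
Mon Mar  4 10:02:05 2024 [pid 2102] [anonymous] OK UPLOAD: Client "192.168.1.5", "/files/shell.py", 912 bytes, 88.00Kbyte/sec
Mon Mar  4 10:05:40 2024 [pid 2200] [shrek] OK LOGIN: Client "192.168.1.9"
Mon Mar  4 10:05:55 2024 [pid 2201] [shrek] OK UPLOAD: Client "192.168.1.9", "/home/shrek/notes.txt", 120 bytes, 10.00Kbyte/sec
"""

# timestamp [pid N] [user] STATUS ACTION: Client "ip"[, "path", ...]; user/status are absent on CONNECT lines
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?'
    r'(?:(?P<status>OK|FAIL) )?'
    r'(?P<action>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

# Extensions a web server or an administrator might end up executing
SCRIPT_EXTS = {".php", ".phtml", ".py", ".pl", ".sh", ".cgi"}

def parse_line(line):
    """Return the fields of one vsftpd log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Map one parsed record to a (severity, reason) pair, or None if it is benign."""
    if rec["status"] != "OK":
        return None
    anon = rec["user"] == "anonymous"
    if rec["action"] == "LOGIN" and anon:
        return "medium", "anonymous FTP login"
    if rec["action"] == "UPLOAD":
        script = os.path.splitext(rec["path"] or "")[1].lower() in SCRIPT_EXTS
        if anon and script:
            return "critical", "anonymous upload of an executable script"
        if anon:
            return "medium", "anonymous upload"
        if script:
            return "high", "script uploaded by an authenticated user"
    return None

def analyze(log_text):
    """Scan a whole log; return one finding dict per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        hit = classify(rec)
        if hit:
            findings.append({"severity": hit[0], "reason": hit[1], "client": rec["client"],
                             "user": rec["user"], "path": rec["path"], "time": rec["ts"]})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['time']}  {f['client']:15} {f['user']:10} {f['reason']}"
              + (f"  {f['path']}" if f["path"] else ""))
```

Run against the constructed log it reports the anonymous login once and the two script uploads as critical; the authenticated user's text-file upload is not reported. The severity split is the point: anonymous logins alone are noisy, but an anonymous write of a .php or .py file into a directory that nmap and dirb have just shown to be web-served is the event worth paging on.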
- As we want to connect to the server via a reverse shell, we have to know where the uploaded file is located on the HTTP server. We can use a web content scanner like DIRB to launch a dictionary-based attack against the HTTP server.
dirb http://192.168.1.2
We have this line in the output:
---- Entering directory: http://192.168.1.2/files/ ----
When we access this address in our browser, we can see that it lists all of the files that are also on the FTP server.
Before this step, be sure that whatever port we use for our reverse shell (1234 in this instance) is allowed through our firewall.
- Now it's time for our reverse shell. We upload our reverse shell and shell.py through FTP. Then we open 192.168.1.2/files in our browser. We should see that our uploaded reverse shell is listed there. We click on it and the browser should hang.
- We connect to the port with netcat.
nc -v 192.168.1.2 1234
- We look around for a bit and see that the /home folder contains the file important.txt
ls -l /home
When we cat important.txt, we can see that it asks us to run the script /.runme.sh
cat /home/important.txt
We don't want to run unknown scripts, so we cat /.runme.sh instead:
cat /.runme.sh
We see that this file contains a hash.
- When we look the hash up (you can use any free online MD5 lookup/decoder service), we get the string youaresmart. We assume that this is the password.
- We try to log in to the virtual machine with username: shrek, password: youaresmart
It works :)
- We navigate to /var/www/html/files and run the shell.py that we uploaded before:
sudo python3.5 shell.py
That spawns a root shell for us.
- Now we navigate to /root and cat root.txt
This file contains the flag and the exercise is finished.
-------------------
EXPLOITS
Anonymous login on the FTP server shouldn't be allowed.
Users shouldn't be able to run python (or similar interpreters) via sudo, as it can very easily be used to get a root shell.
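For the sudo step above and the two findings in this list, an added example (not from the original write-up) that audits both misconfigurations in Python: a vsftpd.conf fragment with anonymous uploads enabled beside a hardened one, and a sudoers fragment that lets shrek run python3.5 as root beside a restricted one. All four fragments, the /var/www web-root list and the interpreter list are constructed assumptions; the vsftpd default values are taken from vsftpd.conf(5).

```python
import os
import re

# Constructed config fragments (assumptions for illustration; not the lab's real files)
WEAK_VSFTPD = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/var/www/html/files
"""
HARDENED_VSFTPD = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
"""
WEAK_SUDOERS = """\
root   ALL=(ALL:ALL) ALL
# lets shrek run an interpreter as root: this is the same as giving root away
shrek  ALL=(ALL) NOPASSWD: /usr/bin/python3.5
"""
HARDENED_SUDOERS = """\
root   ALL=(ALL:ALL) ALL
# shrek gets one fixed, non-interactive command and must enter a password
shrek  ALL=(root) /usr/sbin/service apache2 restart
"""

# Compiled-in defaults for the keys we check, per vsftpd.conf(5)
VSFTPD_DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
                   "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO"}
WEB_ROOTS = ("/var/www",)  # assumed document roots served over HTTP

def parse_vsftpd(text):
    """key=value lines; '#' comments ignored; later keys override earlier ones and the defaults."""
    conf = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf

def audit_vsftpd(text):
    """Return a list of human-readable findings for one vsftpd.conf."""
    conf = parse_vsftpd(text)
    out = []
    anon = conf["anonymous_enable"].upper() == "YES"
    if anon:
        out.append("anonymous_enable=YES: unauthenticated FTP logins are allowed")
    anon_write = conf["write_enable"].upper() == "YES" and any(
        conf[k].upper() == "YES" for k in ("anon_upload_enable", "anon_mkdir_write_enable"))
    if anon and anon_write:
        out.append("anonymous users may upload: write_enable plus anon_upload/anon_mkdir enabled")
    root = conf.get("anon_root")
    if anon and root and os.path.normpath(root).startswith(WEB_ROOTS):
        out.append(f"anon_root={root} is inside a web root: anonymous uploads are reachable over HTTP")
    return out

# user host=(runas) [TAG:] cmd[, cmd...]
SUDO_LINE = re.compile(r'^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$')
TAG_RE = re.compile(r'\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC|LOG_INPUT|LOG_OUTPUT):\s*')
# Programs that hand over a shell or arbitrary code execution once started as root (assumed list)
INTERP_RE = re.compile(r'^(?:python[\d.]*|perl|ruby|node|php|sh|bash|zsh|vi|vim|less|more|nano)$')

def audit_sudoers(text):
    """Return findings for rules that give a non-root user an interpreter or unrestricted sudo."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SUDO_LINE.match(line)
        if not m or m["user"] == "root" or m["user"].startswith("Defaults"):
            continue
        nopasswd = "NOPASSWD:" in m["cmds"]
        runas = m["runas"] or "root"
        for cmd in TAG_RE.sub("", m["cmds"]).split(","):
            prog = cmd.strip().split(" ")[0]
            if prog == "ALL":
                out.append(f"{m['user']} may run ALL as {runas}: unrestricted root")
            elif INTERP_RE.match(os.path.basename(prog)):
                out.append(f"{m['user']} may run {prog} as {runas}"
                           f"{' without a password' if nopasswd else ''}: an interpreter is a root shell")
    return out

if __name__ == "__main__":
    for name, fn, weak, good in (("vsftpd", audit_vsftpd, WEAK_VSFTPD, HARDENED_VSFTPD),
                                 ("sudoers", audit_sudoers, WEAK_SUDOERS, HARDENED_SUDOERS)):
        print(f"[{name}] weak:     {fn(weak)}")
        print(f"[{name}] hardened: {fn(good)}")
```

Note that the vsftpd check starts from the daemon's compiled-in defaults, so a config that simply omits anonymous_enable is still reported: on vsftpd, silence means anonymous access is on. The sudoers check treats any interpreter or editor as equivalent to handing out a root shell, which is exactly what `sudo python3.5 shell.py` demonstrated in the walkthrough.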