Hackthebox: Help Write-up

Recon

Starting off with the go-to nmap scan (enumerate versions, enumerate services, and scan all ports) comes up with:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I usually will skip over port 80 initially as the other ports can typically be enumerated a bit faster than all of the details involved in a webserver. In this case, port 3000 serves a JSON message giving what turns out to be a pretty useless hint:

I couldn’t get anything working with this, so I decided to start having a poke around on the web server. This led to finding a ‘helpdeskz’ page, which after a little searchsploitin’ came up with this guy: https://www.exploit-db.com/exploits/40300

Unfortunately it does not work out of the box (or maybe fortunately, as it would have made this box a lot easier), so it does require a little modification. After going through the exploit and trying to understand exactly what the vulnerability is, it turns out it comes from being able to predict the ‘random’ string that the Helpdeskz application appends to an uploaded file. Combine this with the fact that the file is still uploaded even when the application tells you ‘upload type invalid’ for a PHP shell, and it just becomes a matter of matching up the time on your attacking box with that of the server.

curl -v 10.10.10.125

This will give you the timezone that the server is running on (GMT), and using that information we can then run the following command on our attacking machine:

timedatectl set-timezone GMT
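
Why a time-derived ‘random’ name is weak, and what a fix looks like, as an added example that is not from the original write-up or from HelpDeskZ. It assumes the stored name is MD5(original filename + Unix second); the write-up does not spell out the derivation, and the filenames, timestamp and allow-list are constructed.

```python
import hashlib
import math
import secrets

ALLOWED_EXT = frozenset({"png", "jpg", "pdf", "txt"})  # constructed allow-list


def weak_stored_name(original: str, epoch: int) -> str:
    """Assumed weak scheme: MD5(original name + Unix second) + original extension."""
    ext = original.rsplit(".", 1)[-1]
    return hashlib.md5(f"{original}{epoch}".encode()).hexdigest() + "." + ext


def is_guessable(stored: str, original: str, approx_epoch: int, skew: int) -> bool:
    """True if the stored name is reproducible from public inputs and a clock
    that is only known to within +/- skew seconds."""
    window = range(approx_epoch - skew, approx_epoch + skew + 1)
    return any(weak_stored_name(original, t) == stored for t in window)


def weak_entropy_bits(skew: int) -> float:
    """Unknown bits left in the weak name: just the position inside the window."""
    return math.log2(2 * skew + 1)


def strong_stored_name(original: str) -> str:
    """Hardened: validate the extension before anything is stored, then take
    all 128 bits of the name from the OS CSPRNG, independent of name and time."""
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed; nothing written")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    upload_time = 1_550_000_000  # constructed timestamp
    stored = weak_stored_name("report.txt", upload_time)
    # An observer whose clock is off by 4 minutes still recovers the name.
    print(is_guessable(stored, "report.txt", upload_time + 240, skew=300))
    print(f"weak: {weak_entropy_bits(300):.1f} bits, strong: 128 bits")
    print(strong_stored_name("report.txt"))
```

With a five-minute clock tolerance the weak name carries under 10 bits of uncertainty, which is why synchronising clocks is all the exploit needs; the hardened name cannot be recomputed from anything the uploader knows.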

Privilege Escalation

I spent a lot of time on this one looking around for ways to escalate privileges with typical enumeration techniques and overlooked the obvious for a while (kernel exploit). I blame too many CTFs lately…
Anyway, long story short, the Linux kernel version on this box is vulnerable to the exploit here:
https://raw.githubusercontent.com/SecWiki/linux-kernel-exploits/master/2017/CVE-2017-16995/upstream44.c

I have a love/hate relationship with kernel exploits… On one hand, it was extremely useful on the OSCP and was a very typical path in order to privesc on their lab machines. On the other hand, in most CTF situations I could count on my hand the number of times the creator has actually intended for a kernel exploit to be the method to privesc. It’s also pretty interesting to go into how the creator of the kernel exploit came about finding/exploiting the vuln (assuming there’s enough documentation on it) which can lead to some entertaining rabbit holes of research.