
IDE (Codiad, Service)

First, we enumerate the open ports using rustscan.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ide  
╰─➤  rustscan -a 10.10.149.33 | tee rust.log 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/hnl/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.149.33:21
Open 10.10.149.33:22
Open 10.10.149.33:80
Open 10.10.149.33:62337
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-24 02:05 +0630
Initiating Ping Scan at 02:05
Scanning 10.10.149.33 [2 ports]
Completed Ping Scan at 02:05, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:05
Completed Parallel DNS resolution of 1 host. at 02:05, 0.68s elapsed
DNS resolution of 1 IPs took 0.68s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:05
Scanning 10.10.149.33 [4 ports]
Discovered open port 80/tcp on 10.10.149.33
Discovered open port 21/tcp on 10.10.149.33
Discovered open port 22/tcp on 10.10.149.33
Discovered open port 62337/tcp on 10.10.149.33
Completed Connect Scan at 02:05, 0.31s elapsed (4 total ports)
Nmap scan report for 10.10.149.33
Host is up, received syn-ack (0.27s latency).
Scanned at 2022-04-24 02:05:13 +0630 for 1s

PORT      STATE SERVICE REASON
21/tcp    open  ftp     syn-ack
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
62337/tcp open  unknown syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds

Port 21

Connect to FTP and download the interesting file.

Change the file name and read the file.

Port 80

You will see the default Apache web page at http://10.10.149.33/.

Enumerate subdirectories using gobuster (nothing interesting).

Port 62337

At http://10.10.149.33:62337/, you will find a web page running Codiad 2.8.4.

Here is the public exploit: https://www.exploit-db.com/raw/49705. We successfully log in using john:password.

In the netcat session, we get a reverse shell.

User

We get Permission denied when we try to read user.txt.

We found MySQL credentials in .bash_history.

Connect over SSH using these credentials.

Root

Check the privileges.

Find the vsftpd service file.

Check the service file's permissions. We can modify it.

We can modify it like that.

Restart the FTP service with root privileges.

Execute bash.
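
The root step works because the vsftpd service file could be modified by a non-root user while the service is restarted with root privileges. The following audit check is an added example, not part of the original write-up: it lists systemd service files that a non-root account could edit. The function name, the reason labels and the trusted-UID parameter are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original write-up): find systemd service files
# that an account other than the trusted owner can modify.
#
# audit_units DIR [TRUSTED_UID]
#   DIR          directory holding unit files
#   TRUSTED_UID  UID allowed to own units (assumed default: 0, i.e. root)
# Prints one "REASON<TAB>PATH" line per finding, sorted by path.
audit_units() {
    dir=$1
    trusted_uid=${2:-0}

    {
        # A writable unit directory lets a user replace any unit inside it.
        find "$dir" -type d \( -perm -002 -o -perm -020 \) \
            -exec printf 'dir-writable\t%s\n' {} \;
        # Unit file owned by someone other than the trusted account.
        find "$dir" -type f -name '*.service' ! -uid "$trusted_uid" \
            -exec printf 'owner\t%s\n' {} \;
        # Unit file writable through its group or by everyone.
        find "$dir" -type f -name '*.service' -perm -020 \
            -exec printf 'group-writable\t%s\n' {} \;
        find "$dir" -type f -name '*.service' -perm -002 \
            -exec printf 'world-writable\t%s\n' {} \;
    } | sort -t "$(printf '\t')" -k2
}

# Usage on a host (the usual systemd unit locations):
#   audit_units /etc/systemd/system
#   audit_units /lib/systemd/system
```

Any finding for a service that runs as root should be fixed by returning the file to root ownership with mode 644, and sudo rules that allow restarting that service should be reviewed alongside it.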
