Dodge
Test your pivoting and network evasion skills.
Last updated
This work by Manav G Krishna is licensed under CC BY-NC 4.0
Machine IP: 10.10.3.234
Nmap scan:
Ports 22, 80 and 443 are open. The Subject Alternative Name (SAN) field in the ssl-cert script output for port 443 gives us the main domain and its subdomains.
Another way to find this out, instead of waiting for the scan to complete, is to open the site over HTTPS and view the certificate in the browser:
SSL certificate:
Main domain: dodge.thm
Subdomains: www.dodge.thm, blog.dodge.thm, dev.dodge.thm, touch-me-not.dodge.thm, netops-dev.dodge.thm, ball.dodge.thm
Out of these (after mapping them to the machine IP in /etc/hosts) only www.dodge.thm, dev.dodge.thm and netops-dev.dodge.thm were accessible; the rest returned 403 Forbidden.
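Turning the certificate's SAN list into hosts-file entries is the first thing worth automating on a box like this. The script below is an added example and is not part of the original writeup: the nmap snippet it carries is constructed from the hostnames above (the surrounding scan lines are stand-in text), and the script, file and function names are my own. It pulls every DNS: entry out of nmap ssl-cert or openssl x509 output, drops wildcards and duplicates, and prints the /etc/hosts line, skipping names an existing hosts file already maps.

```python
import re
import sys
from typing import List

# Constructed sample of the ssl-cert script block from an nmap scan of port 443.
# The hostnames are the ones the target's certificate listed; the other lines
# are stand-in text, not the real scan output.
SAMPLE_NMAP_SSL_CERT = """\
443/tcp open  ssl/http Apache httpd
| ssl-cert: Subject: commonName=dodge.thm
| Subject Alternative Name: DNS:dodge.thm, DNS:www.dodge.thm, DNS:blog.dodge.thm, DNS:dev.dodge.thm, DNS:touch-me-not.dodge.thm, DNS:netops-dev.dodge.thm, DNS:ball.dodge.thm
| Issuer: commonName=dodge.thm
|_ssl-date: TLS randomness does not represent time
"""

# One DNS entry of a SAN list as printed by nmap's ssl-cert script or by
# `openssl x509 -noout -ext subjectAltName`; both use the "DNS:name" token.
SAN_DNS_RE = re.compile(r"DNS:\s*([A-Za-z0-9*.-]+)")


def san_hostnames(text: str) -> List[str]:
    """DNS SAN entries in text, lower-cased, de-duplicated, in order of first
    appearance. Wildcards (*.dodge.thm) are dropped: /etc/hosts cannot map them."""
    names: List[str] = []
    for raw in SAN_DNS_RE.findall(text):
        name = raw.lower().rstrip(".")
        if name.startswith("*") or name in names:
            continue
        names.append(name)
    return names


def hosts_line(ip: str, names: List[str]) -> str:
    """The single /etc/hosts line mapping every hostname to the target IP."""
    return f"{ip} {' '.join(names)}"


def missing_from_hosts(hosts_text: str, names: List[str]) -> List[str]:
    """Hostnames not yet present in an existing hosts file (comments ignored),
    so re-running against the same target never produces duplicate entries."""
    present = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            present.update(f.lower() for f in fields[1:])
    return [n for n in names if n not in present]


if __name__ == "__main__":
    # Usage: nmap -sV -p443 --script ssl-cert 10.10.3.234 | python3 san_to_hosts.py 10.10.3.234
    # With no piped input the constructed sample is used so the script runs offline.
    target_ip = sys.argv[1] if len(sys.argv) > 1 else "10.10.3.234"
    scan = SAMPLE_NMAP_SSL_CERT if sys.stdin.isatty() else sys.stdin.read()
    found = san_hostnames(scan)
    try:
        with open("/etc/hosts", encoding="utf-8") as fh:
            found = missing_from_hosts(fh.read(), found)
    except OSError:
        pass  # no hosts file to compare against; print everything
    if found:
        print(hosts_line(target_ip, found))
```

Append the printed line to /etc/hosts and every vhost on the certificate resolves to the target, which is what the per-subdomain checks in the next paragraphs rely on.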
The www.dodge.thm site had nothing of interest in its source code, and no specific technology versions were disclosed that could be searched for known vulnerabilities.
dev.dodge.thm served a PHP info page.
netops-dev.dodge.thm rendered blank, but the HTTP title was "Firewall - Upload Logs". Checking the source code we find this:
Two JavaScript files, cf.js and firewall.js, are referenced in the HTML.
firewall.js sounds interesting. Reading it reveals an endpoint named firewall10110.php:
Accessing this endpoint:
Here we have the UFW firewall configuration along with an option that lets us run UFW commands.
Explanation of this configuration:
Note: these rules explicitly allow incoming connections on those ports even though the default policy is to deny incoming connections. UFW evaluates its rules in order, and the default policy only applies to traffic that no rule matches.
Since we can run commands, we can modify the existing rules as we need.
Some blog posts on UFW commands:
From the nmap scan we know that ports 22, 80 and 443 are open (because the UFW rules allow them) but port 21 (FTP) is not. We can modify the rule 21 DENY IN Anywhere to allow incoming connections to the FTP port.
UFW command: sudo ufw allow ftp
(ufw resolves the service name ftp through /etc/services to port 21, so allowing 21 by number is the explicit equivalent.)
After running the command the rules are updated and the action for FTP is now ALLOW IN:
Confirming that port 21 is open:
Now we can try to connect to the FTP server. The first thing to try is an anonymous login, with both the Name and the Password set to anonymous.
Confirming the same with an Nmap scan:
Connecting to the server:
Directory listing:
We have the contents of a user's home directory. We can pull every readable file to our local machine with the get command (dotfiles such as .ssh may not show up in a plain listing on some servers; use ls -a).
The .ssh directory had these files:
Files successfully transferred from the server: authorized_keys, id_rsa_backup
The public key in authorized_keys belongs to a user named challenger:
We can now SSH in as challenger after restricting the permissions on the private key (chmod 400 id_rsa_backup; the ssh client refuses to use a key file that other users can read):
We are now in challenger's home directory, where we get the user flag.
Checking which users have a login shell:
There is a user named cobra. We can try to find ways to become this user.
First way (this is how I initially got to cobra):
Listing the active network connections (ss -tulpen or netstat -tulpn) on the machine shows something listening on a couple of high ports on localhost only, so they are not reachable from outside.
SSH local port forwarding to port 10000:
Since the ssh client is also present on the box we could use remote port forwarding, which is started from the box and needs an SSH server listening on our side. Local port forwarding is started from our machine and only needs the target's SSH server, which we already reach with challenger's key, so we'll go with that.
Command for local port forwarding:
Now the service listening on port 10000 on the target is reachable on port 8989 on our localhost.
The site:
Since Apache is the web server, we can check the virtual host configuration (apache2ctl -S):
We notice port 10000 on localhost, which confirms we forwarded the right port.
The login page:
Checking the source code of the login page revealed the credentials:
After logging in successfully we land here:
The dashboard:
We now have cobra's credentials, and the dashboard says they are for SSH.
Trying to SSH in with them did not work:
So instead we become cobra on the machine itself with su, from the shell we already have as challenger:
We got in!
Second way (the easier way to get to cobra):
The .bash_history file in challenger's home directory (Bash stores your command history there) contains the command cat posts.php. A simple find for posts.php gives its path, /var/www/notes/api/posts.php, and the file holds base64-encoded content:
Decoding it gives cobra's credentials:
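The .bash_history hint, the find and the base64 decode are three manual steps worth folding into one loot-hunting script. The Python below is an added example, not part of the original writeup: it locates files by name the way find does, then scans a web root for base64 blobs that decode to printable text, reporting file, line and plaintext. The posts.php content and the credential in it are constructed for the demo (the real file's content is not reproduced here), and the function names are my own.

```python
import base64
import os
import re
import string
import sys
import tempfile
from typing import Iterator, List, Tuple

# A candidate is 16+ base64-alphabet characters plus optional '=' padding, not glued
# to further alphabet characters on either side. Short tokens are ignored because
# ordinary identifiers decode "successfully" far too often.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable.encode())

# Constructed stand-in for posts.php; the credential is invented for this example.
SAMPLE_SECRET = "cobra:example-password"
SAMPLE_PHP = (
    "<?php\n"
    "function getPostsFromDatabaseHandler($db) { return $db->query('SELECT * FROM posts'); }\n"
    f'$sshCreds = "{base64.b64encode(SAMPLE_SECRET.encode()).decode()}";\n'
    "$note = 'ThisIsNotBase64Text';\n"
)


def decode_if_text(token: str):
    """Plaintext if token is well-formed base64 (valid length and padding) whose
    decoded bytes are all printable ASCII; otherwise None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw or any(b not in PRINTABLE for b in raw):
        return None
    return raw.decode("ascii")


def scan_text(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line number, token, decoded text) for every blob that decodes to text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in B64_RE.finditer(line):
            decoded = decode_if_text(m.group(1))
            if decoded is not None:
                yield lineno, m.group(1), decoded


def find_by_name(root: str, name: str) -> List[str]:
    """Equivalent of `find root -name name`: every path under root with that file name."""
    return [os.path.join(d, name) for d, _, files in os.walk(root) if name in files]


def scan_tree(root: str, exts=(".php", ".js", ".py", ".sh", ".txt", ".conf", ".env")):
    """Walk root and yield (path, line number, token, decoded) for hits in files with exts."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for lineno, token, decoded in scan_text(text):
                yield path, lineno, token, decoded


def demo() -> Tuple[List[str], List[Tuple[str, int, str]]]:
    """Write the sample into a temporary tree, locate posts.php the way find would,
    then scan the tree. Returns (relative paths found, [(relative path, line, decoded)])."""
    with tempfile.TemporaryDirectory() as root:
        api = os.path.join(root, "var", "www", "notes", "api")
        os.makedirs(api)
        with open(os.path.join(api, "posts.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PHP)
        found = [os.path.relpath(p, root) for p in find_by_name(root, "posts.php")]
        hits = [(os.path.relpath(p, root), ln, dec) for p, ln, _, dec in scan_tree(root)]
    return found, hits


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 b64hunt.py /var/www  (on the box, or on a copy pulled over FTP)
        for path, lineno, token, decoded in scan_tree(sys.argv[1]):
            print(f"{path}:{lineno}: {token} -> {decoded!r}")
    else:
        print(demo())
```

Requiring correct padding and a fully printable decode is what keeps the false-positive rate workable: long identifiers and hashes in source code either fail the length check or decode to binary junk.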
Privilege escalation:
Checking cobra's sudo rights (sudo -l):
The apt binary can be run as any user via sudo without a password prompt, so we can run it as root to get a root shell.
Searching GTFOBins:
Command:
Now we are root and can read the root flag from the /root directory:
Room solved!