# Lessons Learned
- If something looks like an IDOR or file upload vuln, it probably is
- don't sleep on your gut even if the index if a 1 - try 0
- `linpeas` did not show dangerous capabilities on services, but I may have missed itthe `linpeas` output
- maybe we should be downloading the latest version of tools before running for this reason
- i only manually ran a capabilities check because of the name of the box
---
# After-Action Attack Sequence
- BLUF: xxx
- xxx
---
# Discover Ports & Services
- `ping` test ![[images/Pasted image 20260709191920.png]]
- `nmap` scan - light ![[images/Pasted image 20260709191928.png]]
- `nmap` scan - detailed ![[images/Pasted image 20260709193238.png]]
- Google `gunicorn` ![[images/Pasted image 20260709193334.png]]
---
# Service Enum
## Port 21 (ftp): vftpd 3.0.3
- check version
- just a DoS ![[images/Pasted image 20260709192108.png]]
- no anonymous login ![[images/Pasted image 20260709192238.png]]
- try again with creds for Nathan
```bash
wget -m --no-passive ftp://
[email protected]
```
- we are able to grab his home dir ![[images/Pasted image 20260709202310.png]]
- but ftp looks like a dead end, let's proceed to ssh
## Port 80 (http): service_name ver. xxx
# Initial checks
- visit page > we have access to some kind of security dashboard ![[images/Pasted image 20260709192417.png]]
- We have some interesting functionality
- `/ip` shows `ifconfig`
- `/netstat` shows output of `netstat`
- `/capture` does a pcap for 5sec and analyzes on `/data/1`
- seems to iterate
- perform a search > here we have a parameter to play with ![[images/Pasted image 20260709193927.png]]
- nothing at `robots.txt` or `sitemap.xml`
- `index.php` and `index.html` throw 404s
- rando page throws a 404 ![[images/Pasted image 20260709193536.png]]
- `whatweb` check ![[images/Pasted image 20260709193426.png]]
- `nuclei` check ![[images/Pasted image 20260709194212.png]]
- acceptable methods ![[images/Pasted image 20260709200411.png]]
- other pages ![[images/Pasted image 20260709200549.png]]![[images/Pasted image 20260709200611.png]]
## Fuzzing
- directory
```bash
ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.129.25.240/FUZZ -c -ic -mc all -fs 232
```
![[images/Pasted image 20260709195053.png]]
- parameter fuzzing
- not working even though i confirmed this wordlist incldues "search"
```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://10.129.25.240/?FUZZ= -c -ic -mc all
```
![[images/Pasted image 20260709195302.png]]
## SQLi test on `/?search=test`
```bash
sqlmap -r search-param.req --batch --level 3 risk 5
```
![[images/Pasted image 20260709195900.png]]
## LFi test on `/?search=FUZZ`
```bash
ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://10.129.24.240/?search=FUZZ -c -ic -mc all
```
![[images/Pasted image 20260709200633.png]]
- very interesting that i can also search from `/ip?search=` or `/netstat?search=`
## IDOR
- check `/data/0` since our first attempt was `/data/0`
- we are able to download someone else's pcap file ![[images/Pasted image 20260709202407.png]]
- when we open in `wireshark` we see creds for nathan directed to the ftp server ![[images/Pasted image 20260709202354.png]]
---
# Foothold > Port 22 (ssh)
- we are on the box as `nathan` ![[images/Pasted image 20260709202524.png]]
- open ports ![[images/Pasted image 20260709202639.png]]
- check processes
- not much > only `nathan` ![[images/Pasted image 20260709202722.png]]
- check `/etc/fstab` for `hidepid=2` ![[images/Pasted image 20260709202738.png]]
- confirmed on `/dev/sda4`
- `nathan` is only home dir ![[images/Pasted image 20260709202850.png]]
- move `linpeas.sh` to target ![[images/Pasted image 20260709203125.png]]
- guessing the privesc is `getcap` related
- run `linpeas`
- vulnerable to polkit? ![[images/Pasted image 20260709203539.png]]
- check capabilities
```bash
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;
```
![[images/Pasted image 20260709205005.png]]
- the `cap_setuid` ability for `python3.8` is non-default and very juicy
---
# Privesc
## Abuse `python2.8` capabilities
- Googling indicates we just need to run the below
```bash
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
- that was fast ![[images/Pasted image 20260709205235.png]]
## Exploit CVE-2021-3560
- Move `traitor-amd64` to target![[images/Pasted image 20260709205355.png]]
- make executable and run ![[images/Pasted image 20260709205606.png]]
- interesting > okay not the path