Potato 1 | vulnhub | walkthrough

Greetings!

Today I'm going to share my write-up for Potato 1, an easy machine from VulnHub. It's a machine that feels like a real-life target. I completed it in 3 steps.

1. Enumeration: Nmap helped to get in

2. Exploitation: Burp proxy and a PHP vulnerability

3. Post exploitation: Abusing admin permission

So let's talk in detail.



1. Enumeration:

1) First, I needed to know the target IP, so:

# netdiscover -i eth0 -r 10.0.0.0/16

and I got the IP: 10.0.2.39

2) As always, I started with a full port scan:

# nmap -p- -v -Pn 10.0.2.39

and I got 3 open ports:

Discovered open port 22/tcp on 10.0.2.39
Discovered open port 80/tcp on 10.0.2.39
Discovered open port 2112/tcp on 10.0.2.39

3) Now digging deeper into those ports:

# nmap -sV -O -p80,22,2112 -v -Pn 10.0.2.39

An unusual port running FTP:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
2112/tcp open  ftp     ProFTPD

4) As it has a web page, I started dirbuster to scan it:



5) A Nikto scan also reveals similar info to dirbuster:

# nikto -h http://10.0.2.39/

The scan report is:

+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.


6) Found /admin and /admin/index.php. These pages show a login form.

7) I attempted to brute-force or guess the password but failed.

8) Found logs.txt, but nothing interesting in it except a note that the admin had changed the password.

9) After some failed brute-force attempts, I focused on FTP. FTP login:

# ftp -p 10.0.2.39 2112

I found:
- anonymous login is allowed
- 2 interesting files

-rw-r--r-- 1 ftp ftp 901 Aug 2 19:33 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 18:17 welcome.msg

- I downloaded those files:

# get index.php.bak


2. Exploitation:

10) From index.php.bak, I can see the source code:

11) I tried SQL injection but failed. After some research, I found an article about PHP type juggling. It helped!

12) I successfully exploited this vulnerability by sending password[]="" as the password parameter.
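To show what the password[]="" bypass above actually hits, here is an added example (not the box's index.php, whose source is not reproduced in this post): a constructed login check with the loose strcmp() == 0 comparison beside a hardened version. The secret, the inputs and the function names are assumptions.

```php
<?php
// Constructed example: the general shape of a strcmp()-based login check that
// the password[]="" trick bypasses, next to a hardened version. This is not
// the machine's index.php; the variable names, secret and inputs are made up.

// Vulnerable shape: loose comparison on strcmp()'s result.
// On PHP 7, strcmp() given an array emits a warning and returns NULL,
// and NULL == 0 is true, so any password[]=... input is accepted.
// On PHP 8 the same call throws TypeError instead (fatal unless caught).
function vulnerable_check(array $post, string $secret): bool
{
    try {
        return isset($post['password']) && @strcmp($post['password'], $secret) == 0;
    } catch (TypeError $e) {
        return false; // PHP 8 behaviour: the request fails rather than logs in
    }
}

// Hardened: reject non-string input before it reaches the comparison, and
// use a strict, constant-time comparison that never yields NULL.
function hardened_check(array $post, string $secret): bool
{
    if (!isset($post['password']) || !is_string($post['password'])) {
        return false;
    }
    return hash_equals($secret, $post['password']);
}

$secret = 'constructed-secret'; // placeholder, not the box's real password

// Constructed inputs; the third is what password[]="" decodes to in $_POST.
$cases = [
    'correct password' => ['password' => 'constructed-secret'],
    'wrong password'   => ['password' => 'wrong'],
    'password[]=""'    => ['password' => ['']],
];

foreach ($cases as $label => $post) {
    printf("%-18s vulnerable=%-5s hardened=%s\n",
        $label,
        vulnerable_check($post, $secret) ? 'true' : 'false',
        hardened_check($post, $secret) ? 'true' : 'false');
}
```

On PHP 7 the array input passes the vulnerable check and fails the hardened one; on PHP 8 it fails both, because strcmp() now throws rather than returning NULL.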


13) Result: 

14) But I got an access denied message:


15) The other pages don't have anything interesting except the Logs page. I intercepted all the requests with Burp and found an interesting entry on the Logs page. This would probably lead to LFI.


16) I tried file=../../../../../etc/passwd


17) I got a hash: webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6. I ran John the Ripper on it and got:
    1) user: webadmin
    2) pass: dragon

18) Now log in over SSH:

# ssh webadmin@10.0.2.39

and eventually I found the user flag.



3. Post exploitation:

19) Now I needed root access. I looked for other profiles and then checked webadmin's privileges.


20) Here, webadmin can execute /notes and anything after it. That's the key point! I created a small shell script and executed it.

21) Finally, I got the root flag in /root/root.txt:
bGljb3JuZSB1bmlqYW1iaXN0ZSBxdWkgZnVpdCBhdSBib3V0IGTigJl1biBkb3VibGUgYXJjLWVuLWNpZWwuIA==


I hope this write-up helps you. Any feedback is appreciated.

twitter: @0xash_


