# badwidth

There's also a video version available if you prefer [visual walkthroughs](https://www.youtube.com/watch?v=USsowXpk6i4).

**Port Scanning**

We begin our reconnaissance with a port scan using Rustscan to identify active services:

```
❯ rustscan -a 10.0.160.83
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

Open 10.0.160.83:1337
```

After identifying the open port, we use Nmap to gather detailed information about the service:

```
❯ nmap -p1337 -sCV -n -Pn -v 10.0.160.83 -oN scan
<SNIP>
Nmap scan report for 10.0.160.83
Host is up (0.15s latency).

PORT     STATE SERVICE VERSION
1337/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| http-methods: 
|_  Supported Methods: POST GET HEAD OPTIONS

```

Nmap command options explained:

* `-p <ports>`: scan only the specified port(s).
* `-sCV`: combines the options `-sC` and `-sV`.
* `-sC`: equivalent to `--script=default`.
* `-sV`: probe open ports to determine service/version info.
* `-n`: never do DNS resolution.
* `-v`: increase verbosity level.
* `-oN <file>`: output the scan in normal format.

The scan reveals a web server (Node.js Express) on port 1337. Let's investigate the website's content using a web browser:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2F8OF40pTxFny7tEXDRytg%2FPasted%20image%2020240831112916.png?alt=media&#x26;token=2e164d79-dba8-4fc1-aefa-d66837944abd" alt=""><figcaption></figcaption></figure>

When accessing the web server on port 1337, we encounter a message indicating the need to send an `ifname` parameter via a POST request.

**Sending the POST Request**

To send the POST request, we'll use `curl` as follows:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FMbx2ZNIsmh3UnfpPb12e%2FPasted%20image%2020240831113110.png?alt=media&#x26;token=f7535c6d-71ec-43ed-9ef7-0e375cf9b138" alt=""><figcaption></figcaption></figure>

I didn't specify a method because curl uses POST by default when using the `-d` flag.

The response simply says "Used interface" and echoes back whatever we sent in the `ifname` parameter, regardless of its content.

**Command Injection**

After trying various payloads, I realized we can inject commands, but the response never includes their output (a blind injection). We can use either of two out-of-band techniques to confirm that the injected command is actually executed:

* ICMP (ping):

  We can use `tcpdump` to listen for ICMP packets on the `tun0` interface (`tcpdump -i tun0 icmp`) as shown in the following image:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FQ8suFqZnDpp8HoUL7Ypd%2FPasted%20image%2020240831142029.png?alt=media&#x26;token=f4943536-3844-4ae6-98ea-3136697e7358" alt=""><figcaption></figcaption></figure>

Then we make a ping from the target to our IP.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FdsrwYVgOla2ZQTpR3tDr%2FPasted%20image%2020240831142236.png?alt=media&#x26;token=58090c27-5cc5-4135-8da1-2870b6fbaf47" alt=""><figcaption></figcaption></figure>

We then receive the ping coming from the target.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FOn0Zhsra9MNy9rFVT1Rf%2FPasted%20image%2020240831142330.png?alt=media&#x26;token=50097108-528b-4a58-a1d8-dca85a2c20d7" alt=""><figcaption></figcaption></figure>

* HTTP server:

  We can set up a basic HTTP server with `python3 -m http.server 80`, then inject a `curl` command on the target that requests our server, like this:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FXIMzp2ecNCVxzyH9Q9Qj%2FPasted%20image%2020240831142522.png?alt=media&#x26;token=fff1e338-fc0a-4f82-af8c-14f7c3ac719a" alt=""><figcaption></figcaption></figure>

And we have received the request:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FQ1IC2eObYKwqBUiwCQOc%2FPasted%20image%2020240831142550.png?alt=media&#x26;token=7959944b-c28e-4a61-8372-4ac05f65cc8c" alt=""><figcaption></figcaption></figure>

**Gaining Initial Access**

Now that we know we can execute commands, let's get a reverse shell. First, start a netcat listener on your machine with `nc -nlvp 443`. Then send the reverse shell payload through the command injection:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FKgSKUWJLxMvxWBfuDb1s%2FPasted%20image%2020240831142715.png?alt=media&#x26;token=7ecac28a-c225-42f1-af3f-db578c3a1705" alt=""><figcaption></figcaption></figure>

We have received the connection from the target.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FniiVyBqbiaAhA7gOvZV5%2FPasted%20image%2020240831142744.png?alt=media&#x26;token=78daf92c-b77c-4412-a7c3-d8b85415a227" alt=""><figcaption></figcaption></figure>

Here, we need to upgrade this to a fully interactive shell, so follow these steps:

1. Execute: `script /dev/null -qc bash`
2. Press `CTRL + Z`
3. Run: `stty raw -echo;fg`
4. Execute: `reset xterm` and press Enter

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FZuq2JNA1hv1gPOKSoCKG%2FPasted%20image%2020240831143221.png?alt=media&#x26;token=da6cc207-f0dd-477c-949a-343a9f79b6c4" alt=""><figcaption></figcaption></figure>

5. Finally execute `export TERM=xterm`. With this we have a fully interactive shell as ETSCTF:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FKuVw7tpwoVCZQoEb6nq7%2FPasted%20image%2020240831143348.png?alt=media&#x26;token=feb51f4b-cacd-49d4-9793-c6f8a3f2a65b" alt=""><figcaption></figcaption></figure>

**Privilege escalation**

If we execute `sudo -l`, the output indicates that we can run `/usr/local/bin/n158` as any user without a password:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2F7Uqcf4uxid6iu4GdxfVc%2FPasted%20image%2020240831143454.png?alt=media&#x26;token=aeca3ae1-4da1-4c96-a9fa-e65e6083cf51" alt=""><figcaption></figcaption></figure>

Searching for vulnerabilities related to this, we found [this vulnerability](https://security.snyk.io/vuln/SNYK-JS-N158-3183746).

There's a PoC (Proof of Concept) that demonstrates how to inject commands:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FodkF4TllWnXwiWPdbHwZ%2FPasted%20image%2020240831152536.png?alt=media&#x26;token=95399fc5-6708-4c24-84c9-10bcfbe32ed3" alt=""><figcaption></figcaption></figure>

Let's use this injection to set the setuid and setgid bits on the bash binary. Because the injected command runs as root through `sudo`, the result is a root-owned setuid `bash` that any user can launch with root's effective uid:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FdGcq5EOhnXSjQo3ULiEE%2FPasted%20image%2020240831152715.png?alt=media&#x26;token=43f4c76a-e80b-4bb1-bd65-777d2751ec6d" alt=""><figcaption></figcaption></figure>

The bash binary now has these permissions:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FoyJZjc5BUdDT3bM2HPIJ%2FPasted%20image%2020240831152803.png?alt=media&#x26;token=51bba791-684e-46fb-a37c-b30a8ad806b3" alt=""><figcaption></figcaption></figure>

By simply executing `bash -p`, we have now become root (the `-p` flag tells bash not to drop the effective uid it inherited from the setuid bit, which it would otherwise do on startup):

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FusdURYR6Bx51TCcilU4r%2FPasted%20image%2020240831152843.png?alt=media&#x26;token=401afaba-5793-4d41-a60a-a1448c320d21" alt=""><figcaption></figcaption></figure>

**Flag Locations**

The flags can be found in the following locations:

* /root
* /etc/passwd
* /etc/shadow


