Howto

The document outlines a method to capture flags from a machine by scanning for services and identifying vulnerabilities, particularly in ProFTPd version 1.3.5. It details the process of exploiting the ProFTPd vulnerability to gain a remote shell, performing SQL injection to retrieve user credentials, and accessing a writable web directory. Finally, it describes privilege escalation through a buffer overflow attack to gain root access.
Uploaded by vegito090980
How to get flags from TD2’s machine?

Simple scan

Let’s scan the services hosted by the machine (use “-p-” if you want to scan all TCP ports;
you can also run a UDP scan if you want).

Vulnerabilities

You can use whatever scanner you want here (Nessus, nmap with the vulners script, Armitage…).
Please report all the vulnerabilities you find, including the ones that are not related to flag
capture.

There is a serious vulnerability in the ProFTPd version in use, 1.3.5, with mod_copy enabled
(CVE-2015-3306): the SITE CPFR and SITE CPTO commands can be issued without any
authentication, so an anonymous client can copy any file the service can read to any location
the service can write. This leads to remote code execution.
Exploit ProFTPd vulnerability to get remote shell

We will take inspiration from this script found on GitHub:
https://github.com/joshua17sc/proftpd-1.3.5-reverse-shell-exploit

Open a new terminal and use netcat to listen on a TCP port (4444, for example):
nc -lvnp 4444

Assuming you listen on port 4444, that the machine address is 172.19.0.3 and that your IP address
on the VPN network is 192.168.13.2:

This exploit writes a payload into the web root directory (/var/www/html), because this version
of ProFTPd lets anonymous users copy files on the server (SITE CPFR / SITE CPTO).
It then triggers the payload by sending a simple HTTP request to the file it dropped.

Unfortunately the web root directory isn’t writable for anonymous users:


Find a writable web directory

The web interface says we have to log in to be able to access the writable directory:

It seems obvious that bob is a valid username.

You could try to brute-force the password, but we will perform an SQL injection attack instead:

SQL injection

Let’s intercept the HTTP requests with Wireshark or Burp Suite:


Login: bob
Password: [a random password]
As you can see, a message is displayed on /connect.php just before you are redirected to the
index page with an error: “Wrong password for bob”.
This message is not displayed if you try a random login, so the application confirms which
usernames exist, and the response of /connect.php is what we will use to test the injection.

sqlmap -u "http://172.19.0.3/connect.php" --data "login=bob&password=test" --method POST

(Obviously, don’t follow the redirection when sqlmap asks: the interesting response is the one
from /connect.php itself.)

It works.
Add the --tables option to list the tables in the database:

Dump the users table (-T users --dump):

You can crack bob’s SHA-1 password hash yourself (using hashcat with -m 100), but we will use
https://crackstation.net/

Log in using this password:


The image in the writable directory is located at http://172.19.0.3/nandemo856420217/duck.png,
meaning /var/www/html/nandemo856420217/ is our hidden writable directory!

ProFTPd exploit with correct web directory

Add the hidden directory to the exploit’s code (the destination of the last SITE CPTO):

Now it works!

Upgrade your shell as explained at https://haysberg.io/azurwiki/redteam/clean-shell:


(Remember that bob was worried we might visit the /app directory.)

Privilege escalation

LinPEAS (https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) didn’t help much.
The setuid bit is set on the root_shell executable:

Unfortunately the executable is trolling us:


Looking deeper into the source code, we can see that the variable used to store your name is
declared right next to the one that decides whether we get the shell:

Let’s try a buffer overflow attack (https://en.wikipedia.org/wiki/Buffer_overflow): the name is
read with no length check, so the bytes that do not fit in the buffer land in whatever is stored
right after it.

What happens if we enter a first name larger than the buffer?

And we are root!
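The overflow described above, reproduced in native memory with ctypes as an added example. The real root_shell source is only visible in the page’s screenshot, so the layout below is an assumption: a 32-byte name buffer immediately followed by the integer that grants the shell (NAME_SIZE, RootShellLocals, unchecked_copy, bounded_copy and root_shell are names chosen for this example). The unchecked copy behaves like gets()/strcpy() and overwrites the flag; the bounded copy is the fix:

```python
"""Added example: adjacent-variable overflow modelled with ctypes.
Not the page's root_shell source; the layout is an assumption."""
import ctypes
import sys

NAME_SIZE = 32  # assumed size of the name buffer


class RootShellLocals(ctypes.Structure):
    # Assumed layout of the two locals the page describes as declared next to each other.
    _fields_ = [
        ("name", ctypes.c_char * NAME_SIZE),  # char name[32];
        ("allow_shell", ctypes.c_int),        # int allow_shell = 0;  (right after name)
    ]


def unchecked_copy(frame, data: bytes) -> None:
    """Copies like gets()/strcpy(): starts at name[0] and never looks at NAME_SIZE."""
    # Keep the write inside the structure so Python's own heap is not corrupted;
    # in the real binary the bytes would keep going into the rest of the stack.
    assert len(data) <= ctypes.sizeof(frame), "demo keeps the overflow within the frame"
    ctypes.memmove(ctypes.addressof(frame), data, len(data))


def bounded_copy(frame, data: bytes) -> None:
    """The fix: copy at most NAME_SIZE-1 bytes and NUL-terminate, as fgets() does."""
    chunk = data[:NAME_SIZE - 1] + b"\x00"
    ctypes.memmove(ctypes.addressof(frame), chunk, len(chunk))


def root_shell(first_name: bytes, safe: bool = False) -> dict:
    """Model of the setuid program: read a name, then check the flag that was never set."""
    frame = RootShellLocals()          # zero-initialised, like the page's "= 0"
    frame.allow_shell = 0
    (bounded_copy if safe else unchecked_copy)(frame, first_name)
    return {
        "name": frame.name,
        "allow_shell": frame.allow_shell,
        "shell": frame.allow_shell != 0,   # the "trolling" check the page hits
    }


def overflow_payload(value: int = 1) -> bytes:
    """Fill the buffer, then overwrite allow_shell with `value` in native byte order."""
    return b"A" * NAME_SIZE + value.to_bytes(ctypes.sizeof(ctypes.c_int), sys.byteorder)


if __name__ == "__main__":
    print("short name   :", root_shell(b"Alice"))
    print("36 x 'A'     :", root_shell(b"A" * 36))
    print("crafted value:", root_shell(overflow_payload(1)))
    print("with the fix :", root_shell(b"A" * 36, safe=True))
```

Any input longer than the buffer sets allow_shell to a non-zero value (36 times "A" leaves 0x41414141 in it), which is all the check needs; a crafted tail sets it to an exact value. On the real binary the compiler decides the order of the locals, so the page’s observation that the two variables sit next to each other is what makes this input work there.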
