Let's begin with nmap, a popular enumeration tool!
More here: https://www.kali.org/tools/nmap/ Nmap scans a machine to discover the live services it is running; these services are sometimes vulnerable.
Command: nmap <machine_ip> -sV -sC -p-
(We use -sV to determine the version of the service running on each open port, -sC to run nmap's default scripts, and -p- to scan all ports, because by default nmap only scans the 1000 most common ports; with -p- we scan all 65,000.)
Anyway! Let's look at our results.
We see there are 5 ports open: 21, 22, 139, 445 and 1337.
To explain the 5 ports:
Port 21: FTP, the File Transfer Protocol, is used for transferring files. It can be a very good way to gather information (as a malicious attacker) if the port has bad security configurations.
A really common security misconfiguration on port 21 is allowing anyone to connect and log on with the username "anonymous" and no password. This can allow people to freely access potentially sensitive information.
Port 22: This is an SSH service and is probably the most secure port in this CTF; you can only access the SSH service with the correct username and password. It's very secure, which matters because it allows remote access to the machine running the service.
Ports 139 and 445: This is Samba, i.e. SMB. It is a common file-sharing service, basically a more secure FTP with more features, so knowing how to enumerate these ports is very important.
Port 1337: This is running HTTP, the Hypertext Transfer Protocol, i.e. the website port; if a port is running HTTP, it can be accessed via a web browser. I'd also like to mention that HTTP is most commonly on port 80 and is uncommon to find on other ports.
For simplicity I'll start with the lowest port and move up.
We can access the FTP port with ftp <machine_ip>. Off the bat it queries us for a username. The nmap scan revealed that anonymous login is allowed, so we use that and just hit the Enter key when prompted for anything else. To see what files are here, we can use ls -lah
and there is a directory named "pub".
We change to pub and there are 2 files: an image and a hidden directory called ".jokesonyou". We can download these to our machine using mget *
Change to .jokesonyou and there is another file called hellon3rd.txt; download this to our machine too.
There are no hidden details in the image we downloaded, and the other file doesn't contain much important information. It says "All you need is in the leet" ??? lol
We can check what we can access via SMB with the command smbmap -H <machine_ip>. print$ and IPC$ are standard and can't be accessed, but "nerdherd_classified" can be, using smbclient //<machine_ip>/nerdherd_classified
Looks like we're outta luck on SMB; let's go to port 1337, HTTP.
We get a JavaScript alert saying the site was hacked, but it turns out to be a joke by the server admin, it seems. We're also told there is something in the webserver we can find. At the bottom of the page there is a link to a YouTube video, but it doesn't mean much as it is just a link to The Trashmen - Surfin' Bird - Bird is the Word, a song.
We should now try subdirectory enumeration, trying to find other pages that could contain sensitive info:
gobuster dir -u http://<machine_ip>:1337 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x txt,php
We find a hidden directory, "/admin".
We check the source code and there is a base64-encoded username and password; we can decode them with https://gchq.github.io/CyberChef/, which is my go-to decoding website.
The password contains weird characters when decoded though, and trying these on the website doesn't let us in.
Remember the FTP port and the image we found? If you don't know already, data can be hidden inside images, and in Kali Linux there are many tools to extract this data:
exiftool <image_name>
We see that the owner of the image is "fijbxslz", and the YouTube link on the Apache page earlier says "bird is the word".
This might be pointing to a Vigenère cipher, which we can also decode on CyberChef.
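To see what CyberChef is doing under the hood, here is an added Vigenère implementation (example code, not part of the original writeup). It assumes the key is the song title with spaces dropped, that only ASCII letters are shifted (punctuation passes through without consuming key letters), and that the case of each letter is preserved.

```python
import string

ALPHABET = string.ascii_lowercase

# Sample input taken from the writeup: the image "owner" field and the song title.
# Assumption: the key is the title with spaces removed ("birdistheword").
CIPHERTEXT = "fijbxslz"
KEY_PHRASE = "bird is the word"


def normalise_key(key: str) -> str:
    """Keep only ASCII letters, lower-cased; a Vigenère key is a letter sequence."""
    k = "".join(ch for ch in key.lower() if ch in ALPHABET)
    if not k:
        raise ValueError("key must contain at least one letter")
    return k


def _shift(text: str, key: str, decrypt: bool) -> str:
    key = normalise_key(key)
    out = []
    ki = 0  # key index only advances on letters, so spaces/punctuation keep alignment
    for ch in text:
        low = ch.lower()
        if low not in ALPHABET:
            out.append(ch)  # non-letters pass through unchanged
            continue
        k = ALPHABET.index(key[ki % len(key)])
        ki += 1
        base = ALPHABET.index(low)
        shifted = (base - k) % 26 if decrypt else (base + k) % 26
        c = ALPHABET[shifted]
        out.append(c.upper() if ch.isupper() else c)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift(plaintext, key, decrypt=False)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift(ciphertext, key, decrypt=True)


if __name__ == "__main__":
    # Prints the candidate password recovered from the image owner field.
    print(vigenere_decrypt(CIPHERTEXT, KEY_PHRASE))
```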
We now have a password, which I'm assuming is for SMB; now all we need is a username, which we can find out using "enum4linux".
On the SMB share there is one file called "secr3t.txt", and it says there is a secret directory. In that directory on the webpage there are creds for the SSH port, so we now have access to the machine.
On login, we have our 1st flag, user.txt.
There's no other way I've found to find a privilege escalation vulnerability other than using linpeas, which we can download to the machine using a Python webserver and wget.
It says the kernel version is very outdated and there is a CVE that allows us to become root; here is the link: https://www.exploit-db.com/exploits/45010
The rest of the flags are in /opt and in the /root directory, in the bash history.
Happy hacking!