The Blob Blog

Try Hack Me

Introduction

Can you root the box?

Enumeration

We always start by scanning our IP with Nmap to find open ports.

The one that grabs our attention is port 80.

Let's inspect the element (the first text is at the end and the second at the beginning):

First Text

We will decode it with Base58.

Second Text

Let's decode it with Base64.

Then we will decode the result with Brainf***.

As we can see, it is a port-knocking sequence, so it will open up new ports for us. (I can't show the port numbers though :)).

sudo apt-get install knockd

knock IP port1 port2 port3

Then we scan again and get:

So now we have ports 21, 445 and 8080 open as well.

Port 445

Let's go to port 445 and analyze the page; we get a password which we will use with steghide later on.

Port 21

Let's log in to FTP with user bob and the password shown in FIRST TEXT.

Go to ftp -> files -> inside there is a picture, and we will run get picture to extract the picture (he he) to analyze.

Now we will run steghide extract -sf picture

And we get the following (which contains a password and a web directory):

Port 8080

We go to port 8080/directory_name_we_found_on_the_out.txt_file and get a key (youmayenter) to decrypt the password_we_found_on_the_out.txt_file with the Vigenère cipher.
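
The Vigenère step above can be done offline instead of in an online decoder. This is an added example, not part of the original write-up: only the key youmayenter comes from the page, the sample plaintext is constructed, and the rule that non-letters pass through without consuming a key letter is an assumption.

```python
import string

KEY = "youmayenter"  # key given on the page


def vigenere(text: str, key: str, decrypt: bool = True) -> str:
    """Apply the Vigenere cipher to text, one letter at a time.

    Assumption: digits and symbols are copied unchanged and do not
    advance the key position; letter case is preserved.
    """
    shifts = [ord(c) - ord("a") for c in key.lower()
              if c in string.ascii_lowercase]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out = []
    i = 0  # number of letters processed so far (index into the key)
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[i % len(shifts)]
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample, NOT the room's real password.
SAMPLE_PLAINTEXT = "Not-The-Real-Pass123"
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, KEY, decrypt=False)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT)
    print("decrypted: ", vigenere(SAMPLE_CIPHERTEXT, KEY))
```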

We will run dirb on port 8080 and find a /login page, where we will use bob as the username and the password we just got.

Then we get this, and let's use a command to see what the results are (we need to click "here" to see the command output):

Exploitation

USER.TXT

We can now launch a reverse shell!!! I am going with the Netcat Reverse Shell but there are others. I also used the python command to spawn a shell.

Let's find files with permissions:

We get one called blogFeedback, which you can download to the machine and check out with Ghidra, but to keep it short, here is how we exploit it to get a shell as user bobloblaw:

We will get our first flag under the /home/bloblaw/Desktop folder.

Answer Hidden as per THM request - for more HELP 👉 TROLL ME

ROOT.TXT

As you may notice, we get an annoying message every few seconds saying "You haven't rooted me yet? Jeez", so let's find out where it is hidden:

Nice, we found it. If we check the permissions, it has root permission under group bobloblaw, which means we can change it to run our command and elevate our privileges.

We will look for a reverse shell written in C, save it on our Kali, upload it to the attacker machine, and wait for it to run and connect to our netcat. We made it.

Answer Hidden as per THM request - for more HELP 👉 TROLL ME