This is a vulnerable Linux box focused on web application testing, along with showing the importance of enumeration. There are three users you need to compromise to read the root flag.
Difficulty: Easy-Medium.
Let’s go.
Oh, I also did Gaara and I’ve got nothing much to say about it. Base58-encoded creds on a page; the password doesn’t work, but bruteforcing SSH with the username works with no issue. Then rabbit holes in Brainf%%k and a GTFOBins privesc. Anyway, back to Ripper.
Ports
HTTP, SSH and Webmin on port 10000, but not an apparently vulnerable version:
10000/tcp open http syn-ack ttl 64 MiniServ 1.910 (Webmin httpd)
| http-favicon: Unknown favicon MD5: 6594483717A9D1D13CF12F31EBFDB483
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
HTTP
Probably the hardest part of this is finding the entry point: http://192.168.1.58/rips/
I almost always use seclists for my wordlists. The word rips only appears in two files:
directory-list-lowercase-2.3-medium.txt, and
directory-list-lowercase-2.3-big.txt
And I basically never use these files (not the ‘lowercase’ versions, anyway). So yes, this was the hard part. Once you have it via interminable fuzzing, you can use the webpage (a PHP code analyser) to scan files in /var/www and then read one called secret.php, which contains the credentials for our first user. Once we have this, we SSH in as ripper.
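The observation above (that a directory name only shows up in two of the seclists files) is easy to check for yourself, and it is just as useful from the other side: if you run a web server, knowing whether your application paths sit in any widely used wordlist tells you how much a plain directory brute-force will find. The shell snippet below is an added example, not part of this write-up, that reports which wordlists in a directory contain a given word as an exact line; the sample wordlists it builds are constructed stand-ins, and the seclists path mentioned in the comments is an assumption about a typical Kali install.

```shell
#!/bin/sh
# Added example (not from the original write-up). Reports which wordlists in a
# directory contain WORD as an exact entry, the way the post checked "rips".

# find_word_in_lists WORD DIR -> prints the name of each *.txt in DIR that has
# a line exactly equal to WORD, one file name per line.
find_word_in_lists() {
    word="$1"
    dir="$2"
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        if grep -qx -- "$word" "$f"; then
            basename "$f"
        fi
    done
}

# count_word_in_lists WORD DIR -> number of wordlists that contain WORD exactly.
count_word_in_lists() {
    find_word_in_lists "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample wordlists standing in for a real Discovery/Web-Content
# directory (assumed to be /usr/share/seclists/Discovery/Web-Content on Kali).
make_sample_lists() {
    dir="$1"
    mkdir -p "$dir"
    printf 'admin\nbackup\nrips\nsecret\n' > "$dir/directory-list-lowercase-2.3-medium.txt"
    printf 'admin\nbackup\nrips\nripper\nsecret\n' > "$dir/directory-list-lowercase-2.3-big.txt"
    printf 'admin\nbackup\nsecret\nuploads\n' > "$dir/common.txt"
}

# Stand-alone run: build the sample lists, query them, clean up.
SAMPLE_DIR="${TMPDIR:-/tmp}/wordlist-check.$$"
make_sample_lists "$SAMPLE_DIR"
echo "wordlists containing 'rips':"
find_word_in_lists rips "$SAMPLE_DIR"
echo "count: $(count_word_in_lists rips "$SAMPLE_DIR")"
rm -rf "$SAMPLE_DIR"
```

Point the second argument at your real wordlist directory to get the real answer; `grep -x` is what makes the match exact, so a partial token such as `rip` does not count. Running this over the path components of your own site is a cheap way to see which of them a default fuzzing run would never reach, and which would be found immediately.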
Ripper -> Cubes
If we check the bash_history for our user (ripper), we can see they go to /mnt and look at a file called secret.file. What if we do that?
Cubes -> Root
If we look at the bash_history for cubes, we can see he was poking around in the webmin directory and making a backup. Let’s check that:
So now we have some webmin creds. It’s back to https://ripper-min:10000/, where we can log in and have a root shell.
This one was pretty good, though the entry point was hard to find. Not too CTF-ish, which I appreciated.