JOY
- Layout for this exercise:
1 - INTRODUCTION
- Joy can be downloaded from here:
https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
- Once Joy is downloaded and extracted with VMware:
2 - ENUMERATION
- netdiscover helps to identify Joy's IP 192.168.1.23:
- Scanning with Nmap:
- Scanning port 21 in more depth, we discover an anonymous FTP server and two folders, download and upload:
- download seems to be empty; however, upload gives a lot of information:
- Connecting to the FTP server:
- Going to upload:
- Getting directory:
- Reading directory, there are a lot of files inside:
- However let's focus our attention on the file version_control:
- At this moment the file is not accessible, so we need to copy it to the folder /upload, which is doable because it has read and write permissions.
- Copying version_control to /upload has been successful:
- Getting version_control:
3 - EXPLOITATION
- Reading the file we discover some potential vulnerabilities regarding ProFTPd version 1.3.5. Also the new webroot is /var/www/tryingharderisjoy:
- Searching for exploits with msfconsole:
- Setting option SITEPATH as the new webroot /var/www/tryingharderisjoy:
- So finally we have a remote shell.
4 - PRIVILEGE ESCALATION
- Browsing around some content:
- Inside folder ossec we find essential credentials:
- Switching to root does not work:
- However switching to patrick works, and this user has some sudoer privileges on the file test:
- Running test, we are asked to change the permissions of a file; for instance, let's make /bin/bash executable with the SUID bit set (mode 4777):
https://www.slashroot.in/suid-and-sgid-linux-explained-examples
- Now, user patrick can run /bin/bash and get a root shell:
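- Added example (not part of the original walkthrough): a setuid audit that flags the state left behind by the step above, a shell binary with the SUID bit and a world-writable setuid file (mode 4777). The function names, the KNOWN_SHELLS list and the sample tree are assumptions constructed for this example; it assumes Linux with GNU stat.

```shell
#!/bin/sh
# Added example: list setuid files under a directory and flag two patterns:
# a setuid shell and a world-writable setuid file (e.g. mode 4777).
KNOWN_SHELLS="sh bash dash zsh ksh csh tcsh"   # assumption: adjust per host

# audit_suid DIR -> one line per setuid file: "<flags> <octal mode> <path>"
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f" 2>/dev/null) || continue
        flags="SUID"
        case " $KNOWN_SHELLS " in
            *" $(basename "$f") "*) flags="$flags,SHELL" ;;
        esac
        # -perm -0002 matches when the "other" write bit is set
        if [ -n "$(find "$f" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            flags="$flags,WORLD-WRITABLE"
        fi
        printf '%s %s %s\n' "$flags" "$mode" "$f"
    done
}

# make_sample_tree -> prints the path of a constructed test directory
make_sample_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/bash";  chmod 4777 "$d/bash"    # constructed: setuid shell, 4777
    : > "$d/tool";  chmod 4755 "$d/tool"    # constructed: ordinary setuid file
    : > "$d/plain"; chmod 0755 "$d/plain"   # constructed: no setuid bit
    printf '%s\n' "$d"
}

# Demo on the constructed tree; on a real host run: audit_suid /
sample=$(make_sample_tree) && audit_suid "$sample" | sort
rm -rf "$sample"
```

Comparing the output of audit_suid / against a baseline taken from a clean install makes a newly setuid /bin/bash stand out immediately.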
5 - CAPTURING THE FLAG
- Reading proof.txt: