AdSense

Saturday, November 13, 2021

Joy

 JOY

- Layout for this exercise:










1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Joy from the VulnHub pentesting platform.

Joy can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

- Once downloaded Joy and extracted with VMware:



2 - ENUMERATION

- netdiscover helps to identify Joy's IP 192.168.1.23:



- Scanning with Nmap:
















- Scanning deeper port 21 we discover Anonymous FTP server and two folders, download and upload:




























- download seems to be empty, however upload gives a lot of information:




























- Connecting to the FTP server:










- Going to upload:



- Getting directory:







- Reading directory there are a lof of files inside:

















- However let's focus our attention on the file version_control:



- At this moment the file is not accessible, so we need to copy it to the folder /upload ,what it's doable because it has read and write permissions.

- Using commands site cpfr and site cpto to copy version_control:

http://www.proftpd.org/docs/contrib/mod_copy.html














- Copying version_control to /upload has been successful:


































- Getting version_control:








3 - EXPLOITATION

- Reading the file we discover some potential vulnerabilities regarding ProFTPd version 1.3.5. Also the new webroot is /var/www/tryingharderisjoy:












- Msfconsole searchs for exploits:













- Setting option SITEPATH as the new webroot /var/www/tryingharderisjoy:













- So finally we have a remote shell.


4 - PRIVILEGE ESCALATION

- Browsing around some content:


- Inside folder ossec we find essential credentials:






- Switching to root does not work:






- However switching to patrick works, and this user has some sudoer privileges on the file test:











- Running test we are asked to change permissions to a file, for instance let's make /bin/bash executable with permission SUID bit set 4777:

https://www.slashroot.in/suid-and-sgid-linux-explained-examples



- Now, user patrick can run /bin/bash and get a root shell:







5 - CAPTURING THE FLAG

- Reading proof.txt: