Created on Wed. 20 may 2020
It's been a longtime I haven't done this. So this room is a cool little challenge I completed today and I wanted to do a write-up about it.
As per usual I started by scanning the IP address with nmap.
#[p4p1@writeups untracked/]$ nmap -F x.x.x.x Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-19 23:46 CEST Nmap scan report for x.x.x.x Host is up (0.023s latency). Not shown: 96 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 139/tcp open netbios-ssn 445/tcp open microsoft-ds Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
This time around I decided to do a really quick nmap to start going somewhere because I really didn't want to wait for a full nmap. A few day's ago I met up with a friend and we where talking about FTP and that he had to login to a box with the "Anonymous" username on FTP. So logically seeing ftp open I had to try it out :), now looking back at this the room of the name is also anonymous so it's kind of obvious what the creator is hinting at.
In the image we can see my login is Anonymous with no password. After logging in I started digging around, I found a folder named scripts/ highlighted in green. That is obviously interesting to us. Inside of scripts their is also a really nice file called clean.sh, highlighted in orange. I decided to copy that file to my machine so that I could look at it.
Looking at the script it's clear that it's a simple log cleaning script, by this the script is probably automatically ran by the server so I embedded a reverse shell inside of the script and uploaded it to the server and amazing I got a reverse shell.
From there I then cleaned my shell with stty and started working on rooting the box!
As usual I got stuck on privilege escalation for a while. After running linpeas.sh and LinEnum.sh going through kernel exploits, sudo etc... I found something peculiar the current user is part of a group called lxd.
Seeing this I researched online lxd and found a website explaining that lxd is a linux container service a bit like docker. A few weeks bag I saw a few exploits using docker and I decided to exploit lxd! After some quick research I found a basic exploit on exploit-db named lxd privilege escalation. Looking in the exploit it's pretty straightforward lxd mounts the entire disc on a mount point and give us a root shell to maintain the container.