Pwned-1: Vulnhub Walkthrough
Reconnaissance
Running nmap -sC -sV -p- 192.168.1.140 shows which ports are open: ftp (21), ssh (22) and http (80).
Visiting the address on port 80, we see a message. Note that it gives us a possible username: Annlynn.
Enumeration
Using gobuster to check for directories, we found /hidden_text.
Visiting the /hidden_text directory, we found a secret.dic file which contains a list of different directories.
Visiting each directory, we found that /pwned.vuln works. Investigating this page further, we found a username (ftpuser) and password (B0ss_B!TcH) for the ftp service.
Using the credentials above we were able to gain access. Using ls we found a directory named share. Inside share we found an ssh private key and a note.txt. We then transferred both files out for further inspection.
Looking at the note.txt we found the user Ariana.
Logging in as Ariana, we find our first flag and a diary entry.
Privilege escalation
Using the command sudo -l, we find that we are able to execute a script called /home/messenger.sh.
Inspecting the script, we find that it executes the contents of msg (msg 2> /dev/null). With this information we can insert /bin/bash so that the script spawns a shell.
Issuing the command sudo -u selena /home/messenger.sh,
we get a shell as the new user selena. After python3 -c "import pty; pty.spawn('/bin/bash')" we obtain our second flag.
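The root cause in /home/messenger.sh is that user input is placed in command position. The sketch below is an added example, not the script from the VM: it shows one way to write such a sudo-callable script so the message is only ever handled as data. The spool directory, prompts and function names are assumptions.

```shell
#!/bin/sh
# Added example: hardened take on a sudo-callable "messenger" script.
# SPOOL_DIR, the prompts and all function names are hypothetical.

SPOOL_DIR="${SPOOL_DIR:-/tmp/messenger-spool}"   # assumed inbox location

# Pattern the walkthrough describes (shown on the page as "msg 2> /dev/null"):
# the message is expanded in command position, so whatever the caller types
# runs with the privileges of the sudo target user.

# Accept only simple account names: no empty value, slashes, dots or
# shell metacharacters, so the name cannot escape SPOOL_DIR.
valid_recipient() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Store the message as data. It is always quoted and never reaches
# eval, sh -c or command position.
deliver_message() {
    valid_recipient "$1" || { echo "invalid recipient" >&2; return 2; }
    mkdir -p -- "$SPOOL_DIR" || return 1
    printf '%s\n' "$2" >> "$SPOOL_DIR/$1.inbox"
}

# Interactive entry point, used only when called with --interactive.
main() {
    printf 'Enter username to send message: '; read -r name
    printf 'Enter message for %s: ' "$name"; read -r msg
    deliver_message "$name" "$msg" && echo "Message stored for $name"
}

if [ "${1:-}" = "--interactive" ]; then main; fi
```

With this structure a message such as /bin/bash ends up as a line of text in the recipient's inbox file instead of being run.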
Privilege Escalation (root)
We can see that the user selena belongs to a group named docker.
docker run -v /:/mnt --rm -it privesc chroot /mnt sh