Pwned-1: Vulnhub Walkthrough

Pwned-1: Vulnhub Walkthrough

Reconnaissance

Using nmap -sC -sV -p- 192.168.1.140 find what ports are open. We can see ftp21, ssh22 and http80 are all open.

Visting the address on port 80 we see a message. Note here we have a possible username/user Annlynn.

Enumeration

Using gobuster to check for directories we found /hidden_text.

Visiting the /hidden_text directory we found a secret.dic file which contains a list of different directories.

Visting each directory we found that the /pwned.vuln works. Further investigation into this page we found a username (ftpuser) and password(B0ss_B!TcH) for the ftp service.

Using the credentials above we were able to again access. Using ls we found the a directory named share. Navigating inside share we found a ssh private key and a note.txt. We then transferred both files out for further inspection.

Looking at the note.txt we found the user Ariana.

Logging as Ariana we find our first flag and a diary entry.

Privilege escalation

Using the command sudo -l we find that we are able to exucite a script called /home/messenger.sh.

Inspecting the script we find that script executes information in msg 2> /dev/null. With this information we can insert a /bin/bash so that we can generate a shell.

Issuing the commmand sudo -u selena /home/messenger.sh

We are able to get a shell as the new user selena with python3 -c “import pty; pty.spawn(‘/bin/bash’)” we obtain our second flag.

Privilege Escalation (root)

We can see that this user selena blocks to a group named docker.

docker run -v /:/mnt — rm -it privesc chroot /mnt sh