Box Stats

| Box Info | Details |
|---|---|
| Box Name | digitalworld.local JOY |
| Series | digitalworld.local |
| Difficulty | Medium/Hard |
| Release Date | 31 Mar 2019 |
| OS | GNU/Linux |
| Maker | Donavan |
| Download | digitalworld.local JOY |
Summary
digitalworld.local JOY was a pretty good & realistic box that I really enjoyed pwning. In two words: it's all about exploiting a vulnerable ProFTPd version, which gives us a shell as www-data. The first privesc, to user patrick, is simple: we find his plaintext creds. The final privesc is exploiting a bash script. Let's pwn it!
Enumeration/Reconnaissance
Let’s start as always with nmap.
TCP Scan:
UDP Scan:
Tons of services; let's start with FTP since anonymous login is allowed. Once we connect we can see 2 directories, download and upload. The upload directory has a lot of stuff in it. One file in the directory has the "copy" of Patrick's directory. Let's download it & analyze it:
Directory file contents:
One interesting file here is version_control, but how can we download it? If we go back to the UDP scan we can see that snmp is open. Simple Network Management Protocol (SNMP) allows devices to communicate. Let's enumerate SNMP; I always prefer to use the Nmap Scripting Engine (NSE) for it. Let's search for available NSE scripts:
The snmp-processes.nse script seems good, let's fire it up! There will be a huge output, but one line reveals really interesting info: TFTP is running on port 36969 with /home/patrick as its served directory, so that means we can download the file we want!
Let’s download the file:
Shell as www-data
The ProFTPd version seems vulnerable, let's fire up searchsploit to search for possible exploits:
Perfect, we can get RCE! Let's fire up metasploit.
Now for the settings: we need a writable path, that's the /var/www/tryingharderisjoy we found before.
Now a really important thing is the payload option; most people forget to set it & the exploit fails.
Let’s fire it up!
Shell as patrick
Under /var/www/tryingharderisjoy/ossec there is a file called patricksecretsofjoy that contains patrick's password:
We can now switch to user patrick:
Shell as root
Checking sudo -l, we can run a file as root:
This file allows us to change the permissions of a file, so let's make /bin/bash SUID. We will use a trick: passing .. to move up to a parent directory, outside of where the script expects to operate.
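As an added example (not the box's script, whose contents are not shown above), this is how such a permission-changing helper could be hardened so that `..` and symlinks cannot reach files like /bin/bash outside its intended directory; BASE and safe_chmod are assumed names:

```shell
#!/bin/sh
# Added example, not the script from the box: a hardened "change a file's
# permissions" helper of the kind that gave root here. The box's script
# accepted any path, so ".." walked out of the intended directory and
# /bin/bash could be made SUID. This version canonicalises the path,
# refuses anything outside BASE, and only accepts plain three-digit
# octal modes (no SUID/SGID bit).

BASE="${BASE:-/var/www/tryingharderisjoy}"   # assumed allowed directory

# safe_chmod MODE RELATIVE_PATH  -> returns 0 on success, 1 when rejected
# Usage: safe_chmod 644 some/file.txt
safe_chmod() {
    mode="$1"
    target="$2"

    # Only a bare octal mode such as 644; "u+s" or 4755 are rejected.
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        *) echo "rejected mode: $mode" >&2; return 1 ;;
    esac

    # Resolve symlinks and ".." before comparing against BASE, so neither
    # "../../bin/bash" nor a symlink inside BASE can point elsewhere.
    base_real=$(readlink -f -- "$BASE") || return 1
    real=$(readlink -f -- "$BASE/$target") || return 1
    [ -e "$real" ] || { echo "no such file: $target" >&2; return 1; }

    case "$real" in
        "$base_real"/*) ;;
        *) echo "path escapes $BASE: $target" >&2; return 1 ;;
    esac

    chmod "$mode" -- "$real"
}
```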
Reading the flag(s)
For readers
I think the box has another privilege escalation way, but I wasn't able to exploit it. :( I hope you guys can help me out with it. I believe it's about ossec; there is an exploit I tried to do as user www-data but it didn't work:
If you find a way to exploit this, please send me a message! :)
Thank You
Thank you for taking the time to read my writeup. If you don't understand something from the writeup or want to ask me something, feel free to contact me through Discord (0xatom#8707) or send me a message through Twitter (0xatom).
Until next time keep pwning hard!