Find The Panda Machine Writeup

Find The Panda

Enumeration

We start by scanning the machine with nmap.

Discover all open ports:

Check what is exactly running on these ports:

Foothold

Port 1337

Port 1337 is running vsftpd 2.3.4. Anonymous login is allowed and, apparently, the root directory of the service is the root directory of the machine!

Either we log in through FTP as anonymous and download user panda's SSH private key, or we exploit the vulnerability in this version of vsftpd.

Using searchsploit we find a CVE for this version of vsftpd.

Get the PoC into our working directory.

Read the code to see whether we need to make any changes.

We should change the port, because FTP is not running on its default port here.

After running the code we have RCE on the target, and we run the id command.

Get user panda's SSH key.

Copy it to our attacking machine.

Set the needed permissions on the key file.

chmod 600 id_rsa

Log in using the key.

ssh -i id_rsa [email protected]

Now we can find the user.txt flag in /home/panda.

Privilege Escalation

We run sudo -l to check what user panda can run with sudo.

Search for binaries that have the SUID bit set.

find / -perm -04000 2>/dev/null

We find base64.

We can use it to read files.

base64 <file> | base64 -d

https://gtfobins.github.io/gtfobins/base64/#suid
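As an added example from the defender's side (not part of the original writeup), a small POSIX shell audit that lists SUID binaries and flags the ones GTFOBins documents as usable for reading arbitrary files when SUID, so a misconfigured base64 like this one shows up in a review. The SUID_READERS list is a hand-picked assumption; extend it from GTFOBins.

```shell
#!/bin/sh
# Constructed SUID audit helper (example code, not from the writeup).
# find_suid lists SUID files under a root; flag_suid marks the ones whose
# name is a known file-reading GTFOBins entry such as base64.

# Hand-picked sample of GTFOBins "SUID" entries with a file-read capability
# (assumption: extend this from https://gtfobins.github.io/).
SUID_READERS="base64 base32 cat less more xxd od hexdump"

# Print every regular file under ROOT (default /) with the SUID bit set,
# one path per line. Stays on one filesystem; permission errors are silenced.
find_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Read paths on stdin. Print "FLAGGED <path>" when the basename is in
# SUID_READERS and "suid <path>" otherwise. Exit status 1 if anything was
# flagged, so the function can gate a CI or hardening check.
flag_suid() {
    flagged=0
    while IFS= read -r path; do
        name=$(basename "$path")
        hit=0
        for reader in $SUID_READERS; do
            if [ "$name" = "$reader" ]; then
                hit=1
                break
            fi
        done
        if [ "$hit" -eq 1 ]; then
            echo "FLAGGED $path"
            flagged=1
        else
            echo "suid $path"
        fi
    done
    return "$flagged"
}

# Usage: sh suid_audit.sh /   (audits the given root; nothing runs otherwise)
if [ "$#" -gt 0 ]; then
    find_suid "$1" | flag_suid
fi
```

The fix for a flagged entry is to drop the bit (chmod u-s on the binary) unless a package genuinely needs it.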

Let us try to read the /etc/shadow file.

We can read the root flag directly, since we know its name.

This post is licensed under CC BY 4.0 by the author.