Jetty is an easy machine from Vulnhub. However, the description says that it’s medium up to getting the root flag. Next, we also have to find the pieces of evidence that prove that one of the employees was committing fraud. This part is considered hard by the author – but let’s check that. Also, the machine works on VMWare Workstation Player. “Walkthrough of Jetty from Vulnhub – Writeup”
Link to the machine: https://www.vulnhub.com/entry/jetty-1,621/
Monitors Walkthrough – Hackthebox – Writeup
Identify the target
In this post, I am using Nmap to detect live hosts. If we use ‘-sn’, we disable Port Scan. Also, in older versions of Nmap, that switch is called ‘-sP’ and produce the same result.
nmap -sn 192.168.19.0/24
Scan open ports
Next, I scanned the open ports on the target machine. This would allow us to know the services that we might interact with.
nmap -v -T4 -sC -sV -p- -oN nmap.log 192.168.19.149
From the screenshot above, we see that we have access to the FTP service anonymously. Likewise, the SSH port is different and we see some paths from robots.txt that don’t exist.
Anonymous FTP access
Let’s download two files from the FTP server.
lftp -u anonymous, 192.168.19.149
In the README.txt file, we have the following text.
Hi Henry, here you have your ssh's password. As you can see the file is encrypted with the default company's password.
Please, once you have read this file, run the following command on your computer to close the FTP server on your side.
IT IS VERY IMPORTANT!! CMD: service ftp stop.
Regards, Michael.
Similarly, the zip file has a password that we can crack using john the ripper.
zip2john sshpass.zip | tee hash
john hash --wordlist=/home/kali/rockyou.txt
Finally, we can unzip the file and check the content of the text file.
Now that we have a password, we need a username. In the description of the machine in Vulnhub, we see the username.
Username from the description
ssh -p 65507 [email protected]
Break out of the limited shell
As we can see above, the shell we get is a limited shell. Therefore, we must look at the allowed commands.
Fortunately, we can execute python commands. Thus, we would be able to bypass the restriction of executing commands. But, we couldn’t execute a command as follows.
python -c 'import pty;pty.spawn("/bin/bash")'
However, we can execute the same commands from inside the python shell that we have access to.
Next, when we check the sudo permissions, we will see that the user can execute the find command. This would give us a root shell.
sudo -l
Reference: https://gtfobins.github.io/gtfobins/find/#sudo
sudo find . -exec /bin/bash \; -quit
This is for getting the root shell. As you can see it’s not that difficult to be marked as a medium machine.
Finding evidences
Inside the root’s Documents directory, we have some password protected excel files. Also, there is a password keeper app that needs to be decompiled. There is a nice post by programmersought on this that I suggest. Basically, those would be the steps that I would perform.
However, finding the evidence part isn’t difficult either. So, this is a medium machine.