NepCodeX

Byte Musings: Where Tech Meets Curiosity


Walkthrough of Jetty from Vulnhub – Writeup

Walkthrough of Jetty from Vulnhub - Writeup

Jetty is an easy machine from Vulnhub. However, the description says that it’s medium up to getting the root flag. Next, we also have to find the pieces of evidence that prove that one of the employees was committing fraud. This part is considered hard by the author – but let’s check that. Also, the machine works on VMWare Workstation Player. “Walkthrough of Jetty from Vulnhub – Writeup”

Link to the machine: https://www.vulnhub.com/entry/jetty-1,621/

Monitors Walkthrough – Hackthebox – Writeup

Identify the target

In this post, I am using Nmap to detect live hosts. If we use ‘-sn’, we disable Port Scan. Also, in older versions of Nmap, that switch is called ‘-sP’ and produce the same result.

nmap -sn 192.168.19.0/24
image 339
The IP address of the target – 192.168.19.149

Scan open ports

Next, I scanned the open ports on the target machine. This would allow us to know the services that we might interact with.

nmap -v -T4 -sC -sV -p- -oN nmap.log 192.168.19.149
image 340
Open ports on the target

From the screenshot above, we see that we have access to the FTP service anonymously. Likewise, the SSH port is different and we see some paths from robots.txt that don’t exist.

Anonymous FTP access

Let’s download two files from the FTP server.

lftp -u anonymous, 192.168.19.149
image 341
Get files from the FTP server

In the README.txt file, we have the following text.

Hi Henry, here you have your ssh's password. As you can see the file is encrypted with the default company's password. 
Please, once you have read this file, run the following command on your computer to close the FTP server on your side. 
IT IS VERY IMPORTANT!! CMD: service ftp stop. 

Regards, Michael.

Similarly, the zip file has a password that we can crack using john the ripper.

zip2john sshpass.zip | tee hash
john hash --wordlist=/home/kali/rockyou.txt
image 342

Finally, we can unzip the file and check the content of the text file.

image 343
The password of a user

Now that we have a password, we need a username. In the description of the machine in Vulnhub, we see the username.

image 344

Username from the description

ssh -p 65507 [email protected]
image 345
Logged in as the user squiddie

Break out of the limited shell

As we can see above, the shell we get is a limited shell. Therefore, we must look at the allowed commands.

image 346
Allowed commands

Fortunately, we can execute python commands. Thus, we would be able to bypass the restriction of executing commands. But, we couldn’t execute a command as follows.

python -c 'import pty;pty.spawn("/bin/bash")'
image 347
Warning while trying to get a pty shell using python

However, we can execute the same commands from inside the python shell that we have access to.

image 348
Spawned a bash shell from within python shell

Next, when we check the sudo permissions, we will see that the user can execute the find command. This would give us a root shell.

sudo -l
image 349
Sudo permissions of the user

Reference: https://gtfobins.github.io/gtfobins/find/#sudo

sudo find . -exec /bin/bash \; -quit
image 350
User flag
image 351
Root flag

This is for getting the root shell. As you can see it’s not that difficult to be marked as a medium machine.

Finding evidences

Inside the root’s Documents directory, we have some password protected excel files. Also, there is a password keeper app that needs to be decompiled. There is a nice post by programmersought on this that I suggest. Basically, those would be the steps that I would perform.

https://www.programmersought.com/article/91258165636/#4.%E7%B3%BB%E7%BB%9F%E5%AE%9A%E6%97%B6%E4%BB%BB%E5%8A%A1

However, finding the evidence part isn’t difficult either. So, this is a medium machine.



0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments