Walkthrough of Jetty from Vulnhub – Writeup

Walkthrough of Jetty from Vulnhub - Writeup

Jetty is an easy machine from Vulnhub. However, the description says that it’s medium up to getting the root flag. Next, we also have to find the pieces of evidence that prove that one of the employees was committing fraud. This part is considered hard by the author – but let’s check that. Also, the machine works on VMWare Workstation Player. “Walkthrough of Jetty from Vulnhub – Writeup”

Link to the machine: https://www.vulnhub.com/entry/jetty-1,621/

Monitors Walkthrough – Hackthebox – Writeup

Identify the target

In this post, I am using Nmap to detect live hosts. If we use ‘-sn’, we disable Port Scan. Also, in older versions of Nmap, that switch is called ‘-sP’ and produce the same result.

nmap -sn 192.168.19.0/24
The IP address of the target – 192.168.19.149

Scan open ports

Next, I scanned the open ports on the target machine. This would allow us to know the services that we might interact with.

nmap -v -T4 -sC -sV -p- -oN nmap.log 192.168.19.149
Open ports on the target

From the screenshot above, we see that we have access to the FTP service anonymously. Likewise, the SSH port is different and we see some paths from robots.txt that don’t exist.

Anonymous FTP access

Let’s download two files from the FTP server.

lftp -u anonymous, 192.168.19.149
Get files from the FTP server

In the README.txt file, we have the following text.

Hi Henry, here you have your ssh's password. As you can see the file is encrypted with the default company's password. 
Please, once you have read this file, run the following command on your computer to close the FTP server on your side. 
IT IS VERY IMPORTANT!! CMD: service ftp stop. 

Regards, Michael.

Similarly, the zip file has a password that we can crack using john the ripper.

zip2john sshpass.zip | tee hash
john hash --wordlist=/home/kali/rockyou.txt

Finally, we can unzip the file and check the content of the text file.

The password of a user

Now that we have a password, we need a username. In the description of the machine in Vulnhub, we see the username.

Username from the description

ssh -p 65507 squiddie@192.168.19.149
Logged in as the user squiddie

Break out of the limited shell

As we can see above, the shell we get is a limited shell. Therefore, we must look at the allowed commands.

Allowed commands

Fortunately, we can execute python commands. Thus, we would be able to bypass the restriction of executing commands. But, we couldn’t execute a command as follows.

python -c 'import pty;pty.spawn("/bin/bash")'
Warning while trying to get a pty shell using python

However, we can execute the same commands from inside the python shell that we have access to.

Spawned a bash shell from within python shell

Next, when we check the sudo permissions, we will see that the user can execute the find command. This would give us a root shell.

sudo -l
Sudo permissions of the user

Reference: https://gtfobins.github.io/gtfobins/find/#sudo

sudo find . -exec /bin/bash \; -quit
User flag
Root flag

This is for getting the root shell. As you can see it’s not that difficult to be marked as a medium machine.

Finding evidences

Inside the root’s Documents directory, we have some password protected excel files. Also, there is a password keeper app that needs to be decompiled. There is a nice post by programmersought on this that I suggest. Basically, those would be the steps that I would perform.

https://www.programmersought.com/article/91258165636/#4.%E7%B3%BB%E7%BB%9F%E5%AE%9A%E6%97%B6%E4%BB%BB%E5%8A%A1

However, finding the evidence part isn’t difficult either. So, this is a medium machine.

Walkthrough of Jetty from Vulnhub – Writeup
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Scroll to top

AdBlock Detected


I am sorry for the popup but it costs me money and time to write these posts.
Please disable the adblocker to proceed.
If you are a regular visitor, you can buymeacoffee too. 😉