Vault was a medium difficulty Linux box. Gaining the initial access was pretty straight-forward; however, it had some interesting firewall restrictions and container breakout for the privilege escalation portion. Good learning path for:
- PHP File Upload (File Extension Restriction Bypass)
- Reverse Shell from a OpenVPN Configuration File
- Escaping Source Port Restricted Access
- GPG Decrypt
Initial Recon
Nmap
# nmap -Pn --open -p- -T4 -sV -sC 10.10.10.109Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-09 23:27 EDT
Nmap scan report for 10.10.10.109
Host is up (0.080s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
| 256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_ 256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- HTTP (80/TCP) — A welcome page.
When I checked the /slowdaddy and /sparklays as potential directories, I got 403 Forbidden for the /sparklays.
Web Directory Enumeration (Dirsearch)
As usual, I ran a quick dirsearch to see if I could discover more of the interesting files/folders under the /sparklays directory.
# python3 dirsearch.py -u http://10.10.10.109/sparklays -e php,html,txt | grep -v 403This identified the admin.php which was a login page and /design folder.
