Vulnhub aqua: 1 Walkthrough

The description states:  "Difficulty : Intermediate ~ Hard.  There is one intended way to get low privilege user and two intended ways to get root shell.  Getting root using the easier way : Use anything you have.  Getting root the harder way : Only use what's in the /root/"

Admittedly, I got root the first way I could find and I lost interest in the "harder" method.  I think I know what I'm supposed to do but I already have root so...

Anyway, kicking off with Nmap:


Taking a look at the web port first:


Seems like I'm supposed to help....



Using Enum4Linux to see what SMB tells us:



We get a couple of users.

Fuzzing with GoBuster:



Digging into it a bit more:



We find a login page:



When we gain access to the next page, we find LFI:



Using LFI to enumerate:



Checking out rules.v4 under /etc/iptables:



We find this intentional rule for FTP which makes me think we can open this port with port knocking.  I actually had to Google the file because I've never set up port knocking.  We find the configuration file under /etc/knockd.conf:



Simple enough, we need to hit 1234, 5678, and 9012.
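
The knock sequence above was only as secret as /etc/knockd.conf, which the LFI could read. As an added example (not part of the original walkthrough), this Python check audits a knockd.conf from the defender's side; the sample config is constructed, with only the three ports taken from the text, and the function names are hypothetical.

```python
import configparser
import stat

# Constructed sample: only the three ports come from the walkthrough; the
# section name, timeout and command are assumptions for illustration.
SAMPLE_CONF = """\
[options]
UseSyslog

[openFTP]
sequence = 1234,5678,9012
seq_timeout = 15
command = /sbin/iptables -I INPUT -p tcp --dport 21 -j ACCEPT
tcpflags = syn
"""


def parse_sequence(raw):
    """Return [(port, proto)] from a knockd 'sequence' value such as '1234,5678:udp'."""
    knocks = []
    for item in raw.split(","):
        port, _, proto = item.strip().partition(":")
        knocks.append((int(port), proto or "tcp"))
    return knocks


def audit_knockd(conf_text, file_mode):
    """Return sorted (section, finding) pairs for a knockd.conf and its st_mode."""
    # interpolation=None so the literal %IP% token in commands is not parsed.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if file_mode & stat.S_IROTH:
        findings.append(("file", "world-readable: any local file read discloses the knock"))
    for name in cp.sections():
        if name.lower() == "options":
            continue
        sec = cp[name]
        if sec.get("sequence") and not sec.get("one_time_sequences"):
            ports = [p for p, _ in parse_sequence(sec["sequence"])]
            findings.append((name, f"static sequence {ports} can be replayed once known"))
        for key in ("command", "start_command"):
            cmd = sec.get(key)
            if cmd and "%IP%" not in cmd:
                findings.append((name, f"{key} lacks %IP%: opens the port to every source"))
    return sorted(findings)
```

On a real host, pass the file's text and `os.stat("/etc/knockd.conf").st_mode`; an empty result means none of these three checks fired, not that port knocking is a substitute for authentication.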



We use Nmap to knock and when we rescan with Nmap, FTP is open.  Attempting to FTP:



We get in and the /production directory allows us to write, so we upload a reverse shell.  With our handler set up:



We catch our shell, check out our environment, and immediately switch users:



Checking our sudo permissions, we find "backdoor":



When we execute it, we can netcat to the box on port 1337:



As the user aqua, we check our sudo permissions.  We find that we can run gdb.  If you're not familiar with GTFOBins, you can google it and you'll find all of the ways to break out using various binaries such as gdb.



#rootdance

Checking out the root.txt file:



Looks like base64:



Nah.  I'm happy with the one root.