Seven Layers delivers comprehensive, dependable, and cost-effective solutions tailored to our clients’ needs and budgets. We offer cutting edge defensive security strategies to provide you with the ability to protect key systems and information – and can pair those with traditional information technology services to keep your business up and running, so you can focus on the business that is important to you.

    We provide penetration testing services and vulnerability assessments for peace of mind, risk management, and regulatory compliance. And because your employees are often your first line of defense - or weakness – we offer employee education in computer security and corporate security policies.

    Our support services cover your full suite of end user desktops, in-house servers, cloud-based servers, and cloud services. This includes seamless support for employees in all locations, whether they are in corporate offices, or are remote users. We will manage and develop content management systems, customized software and web applications, as well as working with off the shelf applications.


     

    I believe this is the same author as Sumo.  The box states that it's "Beginner to Intermediate", the object is:  "Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root)." and I'm glad I went back to read that because you don't need to elevate root to get the flag.  It also states:  "Warning: Be careful with "rabbit hole" -- not really sure exactly about that part.  Anyway, fun box so let's jump into it:

    We kick off with Nmap:


    Lots of open ports and although I go through some of them with screenshots, I did not screenshot everything.  Essentially, every page looks like this:


    Scanning all of them with Nikto, when we get to port 7125, we find this:


    We hit that with the browser:


    And we find this:


    Ok, so we have a user, Geisha.  I decide to dig in a little further with GoBuster on this port:


    Let's see if we can access it:


    That would be too easy.  Moving along, we scan port 8080 with GoBuster and we find:


    The only accessible URI is this one:


    I do a quick search but I can't find any exploits for Litespeed that are applicable to this version. 

    In another Window, I try to brute FTP but it fails after 50 or so attempts.  I switch to brute forcing SSH:


    Eventually:


    We login as geisha:


    We check for setuid binaries and we find that we're able to run /usr/bin/base32 as root.  This is where we could just get the root flag but that's not what the instructions say so we'll go after the SSH private key:


    Honestly, here's where I could have saved a step.  I didn't really need to move this over to my attacking machine.  I could have stayed on the victim machine.  Anyway, no harm. I move the private key over to my machine, I chmod 600, and then I ssh over as root with the private key:


    Snagging the root flag and that's a wrap. 

    So far, I'm liking this author.


    Cybersecurity solutions for small businesses.

    info@sevenlayers.com
    877.468.0911

    © 2021 Seven Layer Networks, Inc. | All rights reserved.