Hi, I'm Mohammed AlYahya


Bluemoon 2021 (Hack The Box)

Name: BlueMoon: 2021

Date release: 7 Apr 2021

Author: Kirthik

Scanning and Enumeration

Nmap scan result

The scan shows three open ports: 21 (FTP), 22 (SSH) and 80 (TCP).

Browsing the site in a web browser wasn’t helpful.

So scanning/enumerating the web port is the next step:

gobuster dir -e -u http://10.0.2.5 -w ~/SecLists/directory-list-2.3-medium.txt -t 20

Gobuster Image

Two links were found.
http://10.0.2.5/server-status
http://10.0.2.5/hidden_text

Gaining Access

So I used the credentials to log in via FTP

ftp login

Two files were found accessible to the user userftp

Using the get command to download the files locally:

get information.txt
get p_lists.txt

The files contain this

One file indicates the username robin, while the other file is a wordlist.

Next, brute forcing with Hydra

Hydra image

The Hydra brute-force attack was successful. Using the credentials to log in over SSH

1st Flag found

Privilege Escalation

Going through the rest of the directories didn’t reveal much.

So checking sudo -l (the commands available to run as other users) gave this

sudo -l command

sudo -u jerry /home/robin/project/feedback.sh

The file executes its input, so spawning a shell is possible

tty shell

The user is now jerry. Therefore jerry’s directory is accessible

flag 2 image

2nd Flag found

Checking the user jerry’s info using the id command

Jerry is added to the docker group. Checking to see if there’s a docker image

Mounting the alpine image while maintaining SUID privilege.

root image

This would interact with the current SUID, skip the first command, and run the program using its original path, therefore gaining root access. Last flag found!
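From the defender's side, both escalation steps above come down to two findings an audit can catch: a sudo rule that runs a script stored under a user's home directory, and a regular account in the docker group. The script below is an added example, not part of the original writeup; the group and sudoers excerpts are constructed, and the exact shape of the sudo rule is an assumption (only the script path and the user names come from the walkthrough).

```shell
#!/bin/sh
# Audit sketch for the two misconfigurations this walkthrough relies on.
# All sample data below is constructed for illustration.

# Constructed /etc/group excerpt: jerry is in the docker group.
sample_group() {
cat <<'EOF'
root:x:0:
sudo:x:27:
docker:x:998:jerry
robin:x:1001:
EOF
}

# Constructed sudoers excerpt (assumed rule shape; path taken from the writeup).
sample_sudoers() {
cat <<'EOF'
# User privilege specification
root ALL=(ALL:ALL) ALL
robin ALL=(jerry) NOPASSWD: /home/robin/project/feedback.sh
EOF
}

# Read group(5) text on stdin; print each docker group member on its own line.
# Docker group membership lets a user drive the root-owned daemon.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }'
}

# Read sudoers text on stdin; print "user -> command" for rules whose command
# lives under /home, where a non-root user may control the script's content.
sudo_home_commands() {
    awk '!/^[ \t]*#/ && NF > 0 {
        for (i = 2; i <= NF; i++) {
            cmd = $i; sub(/,$/, "", cmd)
            if (cmd ~ /^\/home\//) print $1 " -> " cmd
        }
    }'
}

echo "docker group members:"; sample_group | docker_group_members
echo "sudo rules running files under /home:"; sample_sudoers | sudo_home_commands
```

On a real host the same functions can be fed /etc/group and the sudoers files directly instead of the sample excerpts.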
