Olympus
Olympus - 10.10.10.83
Target Enumeration:
OS: Linux
IP: 10.10.10.83
User: 8aa18519aff3c528c46bf675d6e88719
Root: aba486990e2e849e25c23f6e41e5e303
Ports / Services / Software Versions Running
22/tcp filtered ssh
53/tcp open domain (unknown banner: Bind)
80/tcp open http Apache httpd
2222/tcp open ssh (protocol 2.0)
Vulnerability Exploited:
XDebug running on web server allows remote code execution.
Privilege Escalation:
Vulnerable docker container allows user to execute commands as the root user.
Exploiting the host:
Nmap
Nothing found on the webapp
One interesting header
Searching online leads us to:
https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface
So build the exploit in Burp
Modify the Python script as follows
Start the exploit script with nc listening on port 8889.
You will get a Python shell, so execute a Python command to send a shell to port 8889
Once you have a shell you will be inside a docker container
Check your IP address:
Looking around the file system, we find that very few tools are available, but we do find a .cap file
Move the file over to the docker webserver to download it locally.
Now crack with aircrack-ng
This password does not work for SSH with the users zeus, etc.
Also found this in the cap file:
Generate a userlist with as many things as you can think of and try all the passwords it could be.
Turns out that the user is icarus and the password is the SSID
Login and we find a new text file
Add that to your hosts file
Now do some DNS recon
Looks like a port knocking sequence
Send the sequence to the main host which opens port 22 for about 5 seconds
user:prometheus:St34l_th3_F1re!
Since Docker is running, we will map the root directory of the host system to /tmp and see if we can read the flag.
Now that we have the root flag, we know we can play around with the file system.
We execute a reverse shell:
And receive our shell in return
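The root step above works because an account that can start containers can mount any host path into one. As an added example (not part of the original write-up), this audit lists docker group members and flags containers that are privileged or bind-mount sensitive host paths; the group file, container names and `docker inspect` output are constructed samples, and docker group membership is an assumption about how the user reached the daemon.

```python
import json

# Constructed sample data: an /etc/group excerpt and `docker inspect` output.
SAMPLE_GROUP = "root:x:0:\ndocker:x:999:alice,svc_build\nsudo:x:27:alice\n"
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/var/www", "RW": False}]},
    {"Name": "/debug", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/tmp", "RW": True}]},
])
# Host paths whose exposure inside a container gives control of the host.
SENSITIVE = ("/", "/etc", "/root", "/var/run/docker.sock", "/run/docker.sock")


def _norm(path):
    """Strip trailing slashes so '/etc/' and '/etc' compare equal."""
    return path.rstrip("/") or "/"


def docker_group_members(group_text):
    """Return accounts in the docker group; each can start any container."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [user for user in fields[3].split(",") if user]
    return []


def risky_containers(inspect_json):
    """Return (container, reason) pairs for privileged or host-mounting containers."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "runs with --privileged"))
        for m in c.get("Mounts") or []:
            src = m.get("Source", "")
            if m.get("Type") == "bind" and _norm(src) in SENSITIVE:
                mode = "rw" if m.get("RW") else "ro"
                findings.append(
                    (name, f"bind-mounts host {src} at {m.get('Destination')} ({mode})"))
    return findings


if __name__ == "__main__":
    for user in docker_group_members(SAMPLE_GROUP):
        print(f"[!] {user} is in the docker group (root-equivalent on this host)")
    for name, reason in risky_containers(SAMPLE_INSPECT):
        print(f"[!] container {name}: {reason}")
```

On a real host, feed it the contents of /etc/group and the output of `docker inspect` for the running containers in place of the samples.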