VALLEY

Enumeration

Let’s start with a quick nmap scan just to know the ports that are open on our target machine.

You can see that there are 3 ports open; 22, 80 and 37370. Now, let’s do another scan to find the services running on these ports.

Now, let’s take a look at the website. Let’s run a gobuster scan to find hidden directories in the website.

The contents of the note suggest that you may be able to find other notes on the website. So now go to /gallery. You only find gallery.html here but you should be able to run another gobuster scan from here to find other hidden files or directories. This does not provide any results. Another directory found on the site was /static. Run a gobuster scan from here to find other directories or files.

This reveals a hidden file: /00. When you go to this location, you find another note.

This note reveals that there is another directory: /dev1243224123123. Also, note that the name of the user is valleyDev. Now go to the aforementioned directory and you’ll find a login page.

Attempts at logging in with default credentials were futile which led me to review the source code.

The previous note implies that the user has reused their credentials to log into this site elsewhere (ftp). Now try to log into ftp with the same credentials. You’ll find that these credentials work. You’ll also find that there are 3 files here that you can donwload to your machine using the commnad mget as shown below.

You need to analyze these files using Wireshark to see if you will find any credentials. I was able to find credentials on the insecure http protocol in siemHTTP2.pcapng. The POST header shows credentials that were provided by the user.

Use these credentials to SSH into the machine. Here, you can find your first flag.

There is a script on the machine, valleyAuthenticator, owned by the user valley which authenticates the user. When you run this script, it asks for a username and password, and you are only authenticated if these credentials are correct. This means that there is a chance you can review the strings on the script to find credentials. Since you can’t run the strings command on the target machine, you should download this script to your machine and analyze it from there. You can either use scp or create a python server.
Once you run strings on the script and open the text, you will see that the first line contains the word UPX suggesting that the binary was packed using UPX.

You can unpack the binary using the command: upx -d valleyAuthenticator. Now, you can run the strings command and put the output in a file. You can then view the file to find credentials. You know that when run, the script asks for username and password so you can search for the word password or username to make things easier. In Nano, you can search using ctrl+w and in Vim, you can type the forward slash and then type the word you’re looking for.
In this case, you will find the following in the file.

From this, you can deduce that the user is valley and his password is liberty123. Let’s switch to this user.

You’ll find that there is a cronjob running every minute owned by root. Now, let’s inspect the script to find anything that can be used to modify it to provide a root shell.

This script uses the base 64 library as seen in the first line. Luckily, as the user valley, you can modify this library. This is because valley is in the group valleyAdmin which can modify this library as shown below.

Now, open base64.py and modify it to get a root shell. You can do this by adding the lines; ``` import os

os.system(“chmod u+s /bin/bash”) ```

This sets the setuid bit on /bin/bash which allows you to run it with sudo permissions even when you do not own it.
Now wait a minute for the script to run. Now search for /bin/bash using the command ls -l /bin/bash.

You’ll see that it now has the suid bit. Now run it using bash -p and you’ll have a root shell. From here, you can get the last flag.