🔥Dodge

Test your pivoting and network evasion skills.

Enumeration

We are working with a Linux machine

The nmap scan uncovers a webserver that leaks alternative DNS domains with it's SSL certificate

We can export the domains with this command

cat nmap/initial | grep DNS | sed 's/DNS://g; s/,//g' | cut -d ':' -f2

When trying to access any of this pages we get a 403, but in https://netops-dev.dodge.thm/ we get a different webpage title, but it does not display anything

If we look at the source we can see that is pointing to two Javascript files, and if we remove display:none using inspect element we can see the webpage

But it's not useful, If we look at firewall.js we can see that it makes a request to a PHP page

If we visit the page we can see that it displays the current UFW configuration

The FTP port did not show up in the Nmap scan because it's blocked by the firewall

First i tried basic command injection but it did not work

After modifying the config and allowing port 21 with sudo ufw allow 21 we can access the FTP server from outside localhost

We can log in with Anonymous creds but we cannot list directories since passive mode is enabled

After disabling it using the passive command we can list the directories and we find a user's home directory

In the .ssh directory we can find a backup of a RSA private key, If we download the authorized_keys file we can see that the username is challenger