Lumberjack Turtle
Enumeration
Let's do a simple port scan.
# Nmap 7.95 scan initiated Thu Feb 20 14:37:59 2025 as: /usr/lib/nmap/nmap --privileged -sVC -oA nmap 10.10.26.224
Nmap scan report for 10.10.26.224 (10.10.26.224)
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6a:a1:2d:13:6c:8f:3a:2d:e3:ed:84:f4:c7:bf:20:32 (RSA)
| 256 1d:ac:5b:d6:7c:0c:7b:5b:d4:fe:e8:fc:a1:6a:df:7a (ECDSA)
|_ 256 13:ee:51:78:41:7e:3f:54:3b:9a:24:9b:06:e2:d5:14 (ED25519)
80/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 20 14:38:15 2025 -- 1 IP address (1 host up) scanned in 16.48 seconds
Hmmm, let's do some directory busting.
And I again searched in Metasploit and found this.
I used that, set all the necessary options, and ran it.
Hmm, but we are directly root.
And I also used this to get a good shell.
https://book.hacktricks.wiki/en/generic-hacking/reverse-shells/full-ttys.html
Hmm.
So we are in a Docker container, I guess.
And we can find flag1 here.
Hmm, so there is a setuid bit on mount and umount, and we need to escape the Docker container.
After knowing this, I searched for a file under /dev that we can use with that setuid.
Doing this, we can find a few disk files.
ls -la /dev
There might be something in there. Let's do this.
mkdir /mnt/test
mount /dev/xvda1 /mnt/test
And let's check what is inside.
It's the / directory of the main host.
Let's put our SSH public key in .ssh of the root directory.
We can also see this.
And we can now successfully log in as root with a private key....
directory.
Let's check it out.
And got it.
Done.
Learned lots of things again.
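The escape above relied on two things visible from inside the container: setuid mount/umount binaries and a host disk node such as /dev/xvda1 under /dev. As an added example (not part of the original write-up), this Python audit flags that combination in a container filesystem; the function names, file paths other than /dev/xvda1, and the sample entries are constructed assumptions.

```python
import os
import stat

MOUNT_HELPERS = {"mount", "umount"}

def audit(entries):
    """entries: iterable of (path, st_mode) pairs.
    Reports the two conditions the write-up's escape depended on."""
    setuid_mount, block_devs = [], []
    for path, mode in entries:
        name = os.path.basename(path)
        if stat.S_ISREG(mode) and mode & stat.S_ISUID and name in MOUNT_HELPERS:
            setuid_mount.append(path)      # setuid mount helper present
        elif stat.S_ISBLK(mode):
            block_devs.append(path)        # disk node exposed to the container
    return {
        "setuid_mount": sorted(setuid_mount),
        "block_devices": sorted(block_devs),
        # Each finding should be fixed on its own; both together match the
        # situation in the write-up. Mounting also needs CAP_SYS_ADMIN in the
        # container, which this file-level audit cannot see.
        "escape_preconditions": bool(setuid_mount and block_devs),
    }

def scan(root="/"):
    """Yield (path, mode) for everything under root, without following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue  # entry vanished or is unreadable

# Constructed sample standing in for a scan of the container in the write-up.
SAMPLE = [
    ("/bin/mount", stat.S_IFREG | 0o4755),
    ("/bin/umount", stat.S_IFREG | 0o4755),
    ("/bin/ls", stat.S_IFREG | 0o755),
    ("/dev/xvda1", stat.S_IFBLK | 0o660),
    ("/dev/null", stat.S_IFCHR | 0o666),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

To audit a real container, pass `scan("/")` (run inside it) or `scan(path_to_extracted_rootfs)` to `audit` instead of `SAMPLE`.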