Pelican

Running nmap we see various open ports. Browsing to port 8080 we find a website running "Exhibitor for ZooKeeper".

┌──(kali㉿kali)-[~/PGP/Pelican]
└─$ sudo nmap -sC -p- pelican.offsec                                                                                  130 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-20 14:51 EST
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.81% done; ETC: 14:52 (0:00:01 remaining)
Nmap scan report for pelican.offsec (192.168.111.98)
Host is up (0.060s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_  256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=pelican/organizationName=pelican/stateOrProvinceName=Unknown/countryName=US
| Not valid before: 2021-12-20T19:49:21
|_Not valid after:  2031-12-18T19:49:21
|_http-title: Bad Request - CUPS v2.2.10
2181/tcp  open  eforward
2222/tcp  open  EtherNetIP-1
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_  256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
8080/tcp  open  http-proxy
|_http-title: Error 404 Not Found
8081/tcp  open  blackice-icecap
44091/tcp open  unknown

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m13s, median: 0s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2021-12-20T19:51:44
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: pelican
|   NetBIOS computer name: PELICAN\x00
|   Domain name: \x00
|   FQDN: pelican
|_  System time: 2021-12-20T14:51:44-05:00

Nmap done: 1 IP address (1 host up) scanned in 70.03 seconds

A quick Google search shows that this service can be exploited by modifying the java.env script section: https://www.exploit-db.com/exploits/48654

Following the directions in the exploit we get a shell back on a netcat listener. After downloading and running LSE we see a couple of interesting findings.

It seems we can run /usr/bin/gcore without needing a password.

We also see a binary, /usr/bin/password-store, that is running as root and has the SETUID bit set.

We also see a number of entries in the cron job section that we may revisit later if needed.

Running gcore against the password-store process (/usr/bin/gcore 493) dumps its memory to a core file, and running strings over that file reveals the root password (ClogKingpinInning731).
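The root cause here is a long-lived process holding a plaintext secret in memory, where any core dump or debugger attach can read it. The following is an added example (not code from this box's password-store binary, whose internals are unknown) that models that pattern in C: a weak check that leaves the secret in a static buffer, and a hardened check that scrubs it through a volatile pointer as soon as it has been used, plus a process-level opt-out of core dumps. The `secret_slot`, `check_password_*`, `slot_contains` and `harden_process` names, and the sample secret, are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Stand-in for the in-memory copy of the secret that a long-running
 * password store keeps around (hypothetical model, not the real binary). */
static char secret_slot[64];

/* Zeroing loop through a volatile pointer so the compiler cannot drop it as
 * a dead store, which is the classic problem with a plain memset before return. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Constant-time equality over two NUL-terminated strings. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Weak pattern: the expected secret is loaded into process memory and left
 * there after the check, so a core dump taken later still contains it. */
int check_password_weak(const char *candidate, const char *expected)
{
    strncpy(secret_slot, expected, sizeof secret_slot - 1);
    secret_slot[sizeof secret_slot - 1] = '\0';
    return ct_equal(secret_slot, candidate);
}

/* Hardened pattern: same check, but the secret is scrubbed as soon as it has
 * been used, so a later dump of this process finds only zeros in the slot. */
int check_password_hardened(const char *candidate, const char *expected)
{
    strncpy(secret_slot, expected, sizeof secret_slot - 1);
    secret_slot[sizeof secret_slot - 1] = '\0';
    int ok = ct_equal(secret_slot, candidate);
    secure_zero(secret_slot, sizeof secret_slot);
    return ok;
}

/* Does the slot still hold the plaintext? This is what strings(1) on a core
 * file would find; used here only to show the difference between the patterns. */
int slot_contains(const char *needle)
{
    return strstr(secret_slot, needle) != NULL;
}

/* Defence in depth at the process level: refuse to write core files and mark
 * the process non-dumpable so unprivileged users cannot attach to or dump it.
 * Caveat: root, or anyone holding a passwordless sudo rule for gcore as on
 * this box, bypasses both; the real fix is removing that sudo rule.
 * Returns 0 on success. */
int harden_process(void)
{
    struct rlimit no_core = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &no_core) != 0)
        return -1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0) != 0)
        return -1;
#endif
    return 0;
}

int main(void)
{
    const char *secret = "correct-horse-example"; /* constructed sample secret */
    harden_process();
    check_password_weak(secret, secret);
    printf("weak:     secret still in memory? %s\n", slot_contains(secret) ? "yes" : "no");
    check_password_hardened(secret, secret);
    printf("hardened: secret still in memory? %s\n", slot_contains(secret) ? "yes" : "no");
    return 0;
}
```

Compile with `gcc -O2` to confirm the scrub survives optimisation; a plain `memset` in the same place is routinely removed as a dead store, which is why the volatile loop (or `explicit_bzero` where available) matters.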

We can simply su to root with that password and retrieve the root flag.
