# Proving grounds Play: Seppuku

Proving grounds Play - Seppuku CTF writeup.

### Nmap

```sh
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd55a8e40f28bcb2a67d4176bb9f71f4 (RSA)
|   256 16fa29e4e08a2e7d37d26f42b2dce922 (ECDSA)
|_  256 bb74e897fa308ddaf95c99f0d9248ad5 (ED25519)
80/tcp   open  http          nginx 1.14.2
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-title: 401 Authorization Required
|_http-server-header: nginx/1.14.2
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn   Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/empowerid LiteSpeed
7601/tcp open  http          Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Seppuku
8088/tcp open  http          LiteSpeed httpd
```

### Web PORT: 7601

![img](/files/7J7eCOrUgyVlvJiv5PyF)

#### Directory Fuzzing

![img](/files/jeVfAeXbRjs01cVDSXRn)

#### Folder: /Secret/

![img](/files/AYPpoQhZn1bCfoQHChaT)

There is a username in the hostname file and a list of passwords which is a wordlist that allows us to bruteforce the SSH credentials.

![img](/files/7LOM67cTN5GsvpshMTvZ)

Login to the attacking machine using the SSH credentials cracked on the above step.

![img](/files/SGUcmx4EXknVGnyylsOU)

Upon checking the files in the `seppuku` user there is a file named `.passwd` which contains the password for the user `samurai`. Switch to user samurai using the password and check the executable permissions.

![img](/files/QYotjRaMfP6715h3MVMc)

The user samurai can run a program located in the directory `/../../../../../../home/tanto/.cgi_bin/bin` which is located in the user tanto.

In order to obtain the root we will have to put a malicious program as a bin file and execute it as samurai.

### Privilege Escalation

During the directory fuzzing there was directory that was discovered which contains a private key for an ssh user. Upon checking the user tanto's .ssh directory there is an entry for the authorized keys.

<http://192.168.166.90:7601/keys/>

Download the private key to seppuku shell and apply required permissions to login to tanto.

Escape rbash using below vi bypass.

```sh
vi
:set shell=/bin/bash
:shell
```

Create a file named bin with content to just spawn a bash shell and apply `chmod 777` permission. The permission allows any users in the machine to read, write and execute the program.

![img](/files/niRIch7dPR3Fht89r9BC)

Now execute the command the user samurai is allowed to get root shell.

![img](/files/iFwoookmr0peP3Te7dyL)

**Root Obtained**

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://thevillagehacker-security.gitbook.io/ctf-writeups/writeups/2023-09-19-proving_grounds_play-seppuku.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.