Ripper
Last updated
Last updated
To begin, let's find the IP of our target machine using arp-scan by executing the following command:
Now that we know its IP (192.168.18.169), let's perform a port scan using NMAP to identify which ports are open, their versions, and more information.
So now that we know it has ports 22 and 80 open, let's access the web page hosted on this machine (via port 80) to see if we can find any useful information.
It tells us that the website is under maintenance, nothing more. So, I decide to use Gobuster to enumerate subdirectories, and I come across a text file named staff_statements.txt:
It talks about old SSH connection files. It refers to id_rsa, but that's the current one. The old one was named id_rsa.bak. So, I decide to search for it, and indeed it exists. We download it.
Now that we have id_rsa.bak, we still need to know the username to log in. We already know the username since it is displayed when the machine starts:
Before anything else, we need to grant permissions to the id_rsa.bak file with the following command:
But when trying to access via SSH, it asks for a password, preventing us from entering.
So, we can use John the Ripper to crack the password.
Now that we know the password, we can access.
I decide, first of all, to check the users on this machine.
And we find 3 users: jack, helder, root. Now it's time for privilege escalation. In this case, we need to perform 2 privilege escalations to become the root user.
Now, let's use LinPEAS, which is a tool used for enumeration and security analysis. It focuses on searching for files with SUID and SGID bits, which can be exploited by attackers to escalate privileges and gain unauthorized access. We download LinPEAS with the following command:
We grant permissions for its execution and run it, saving the results in a file named LinpeasLog.
And after some time of searching, I come across the following:
I try to see if it's the password for helder, and it works. We obtain the user flag.
Upon realizing that LinPEAS didn't reveal anything new, I decide to use pspy64. It is a process monitoring tool for Linux systems, designed to provide real-time visibility into process activities. I download it to my local machine and transfer it to the victim machine by setting up a simple web server using Python.
Now we grant permissions and execute it.
We come across a code that runs every minute and establishes a connection to localhost on port 10000 via netcat, saving the output to a file named out in /root/.local/. Afterwards, it compares the contents of two files, /root/.local/helder.txt and /home/helder/passwd.txt. If the contents match, it sets the SUID bit on the executable specified by the content of the out file in /usr/bin/.
To do that, the first thing we will do is create the passwd.txt file in /home/helder, which will be a symbolic link pointing to the /root/.local/helder.txt file. This way, it will have the same value as helder.txt, and the condition will be fulfilled.
Then, we check with the following command to confirm that it indeed points to /root/.local/helder.txt.
And now, with the following command, we listen on port 10000 and send the text 'bash'. This will serve to, when the previous code executes, grant SUID permissions to whatever we want in /usr/bin/. In this case, we want to give SUID permissions to bash.
Then we see that it has connected for a short time, and now /usr/bin/bash has SUID permissions. Now, simply run the command 'bash -p,' and we obtain root privileges.
Finally, we navigate to the /root directory and obtain the root flag.
