Vulnhub virtual machine; OSCP prep box and a change of pace. This box required the execution of multiple binaries that lead to root. Great information to have worked through.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Vulnhub Link: https://www.vulnhub.com/entry/linsecurity-1,244/
File: lin.security_v1.0.ova (virtualbox)
Discover VM on network:
Target: 192.168.56.115
Enumeration
Nmap Scan:
SSH (front door)
Port 111 (non standard port)
Port 2049 (non standard port)
…. Goes back to Vulnhub - read description
without fail… it's always the last line… we have credentials.
Login via SSH
perform sudo check
bob has access to quite a few binaries, let's investigate:
Root Binary Practice
ash
awk
bin/bash
bin/csh
curl
just use curl to download a script
dash
ed
(ctrl+z to stop)
env
expect
find
ftp
less
shell.sh
man
more
(prints shadow file hashes)
socat
Attacking machine:
Victim machine:
reverse connection establishes.
vi
alternative (quicker):
pico
first create a new password
(opens editor to make changes to shadow: replace root password with created password)
rvim
(change password like above with pico)
perl
tclsh
Finally, inside /home/susan lives a file called .secret which contains the flag.
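The sudo check above is the finding that matters for hardening: every binary practised in this walkthrough was reachable because bob's sudo rules allowed it. The following is an added example, not part of the original write-up, that audits `sudo -l` output for those same binaries; the sample output, host name and paths in it are constructed for illustration.

```python
import os
import re

# Binary names taken from the "Root Binary Practice" list on this page.
ABUSABLE = {
    "ash", "awk", "bash", "csh", "curl", "dash", "ed", "env", "expect", "find",
    "ftp", "less", "man", "more", "socat", "vi", "pico", "rvim", "perl", "tclsh",
}

# Constructed sample of `sudo -l` output (host name, paths and rules are made up).
SAMPLE = """\
User bob may run the following commands on examplehost:
    (ALL) /bin/ash, /usr/bin/awk, /usr/bin/find, /usr/bin/less
    (root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/vi /etc/motd
    (ALL : ALL) ALL
"""

# A rule line: indented "(runas)", optional tags such as "NOPASSWD:", then commands.
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit(sudo_l_output):
    """Return (runas, command, reason) for every risky entry in `sudo -l` output."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or blank line
        runas = m.group("runas").strip()
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                reason = "unrestricted: any command"
            elif os.path.basename(cmd.split()[0]) in ABUSABLE:
                # Fixed arguments do not help: the binary itself is the problem.
                reason = "abusable under sudo per this walkthrough"
            else:
                continue
            if nopasswd:
                reason += " (no password required)"
            findings.append((runas, cmd, reason))
    return findings

if __name__ == "__main__":
    for runas, cmd, reason in audit(SAMPLE):
        print(f"[!] runas={runas:<9} {cmd:<22} {reason}")
```

Each finding is a sudoers rule to remove or replace with a narrowly scoped wrapper; the binary list only covers what this page exercised, so it is a starting point rather than a complete denylist.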
Bring me the root!
-exec
Cont. Learning
Shoutout to Hackso.me, which has a great write-up with an entire breakdown of getting inside the box and working through the users. Well documented and worth checking out.
https://hackso.me/lin.security-1-walkthrough/