poniedziałek, 19 sierpnia 2019

Escalate_Linux:1 CTF

This time I decided to check one the latest VM available at VulnHub called Escalate_Linux:1 (by Manish Gupta). Let's go...
This time we will start here:


In my case netdiscover found 192.168.1.50 as the address for the target. I used enlil.py to scan the box:


After I saw the ports I new that there won't be a lot of possibilities ('by default' & 'already' implemented) in enlil (probably because I didn't update the script since last publication... ;) anyway...) so I moved to gobuster to check port HTTP 'manually' ;)

Checking:


Not much. I added .php extension:


Checking new link:

 Trying with parameter:

So far, so good. :) It looks like we have a basic webshell. After some basic enumeration, next thing I decided to do is reverseshell:

Next step: check if there is a python installed:

Good. Next I found oneliner-python-reverseshell at github and encoded it using Burp Suite:



Listening with netcat and...




Great! Looks like we're in. :)

After our 'small enumeration' at the beginning we know that there are a few users we need to check. Idea of this CTF is to find ways to escalate so we will use a script to enumerate local target box from already achieved user6:
 

Results:


More details/hints:

More:


More:


More:


Looks like some cool hints in .bash_history files... :)

Let's try it now:


Cool. I decided to logout from root and check homedirs of other users:


At this stage I decided to go back to root account and change password for user1:


That's how we can get an access via invalid sudo perms. OK. Next thing from LinEnum.sh script I decided to check was /etc/crontab and perms of autoscript.sh:


As you can see we can overwrite autoscript.sh file (as user4) to get root-shell again. Let's do it:


Checking:

Nope. :| So I tried again with different payloads (...TL;DR - after hour or two it still didn't worked so I moved to other user to not-waste-more-time... ;)

We are now logged in as user5:

Looks like the idea should work for /usr/bin/id>out.file - checking:



Good. Last check:




I think the rest of the cases of 'how to escalate to root' on this VM I will leave for you as an exercise. Have fun! ;)

See you next time.

Cheers


Brak komentarzy:

Prześlij komentarz