This time we will start here:
In my case netdiscover found 192.168.1.50 as the address for the target. I used enlil.py to scan the box:
After I saw the ports I knew that there wouldn't be a lot of possibilities ('by default' & 'already' implemented) in enlil (probably because I didn't update the script since the last publication... ;) anyway...) so I moved to gobuster to check the HTTP port 'manually' ;)
Checking:
Not much. I added .php extension:
Checking new link:
Trying with parameter:
So far, so good. :) It looks like we have a basic webshell. After some basic enumeration, the next thing I decided to do was a reverse shell:
Next step: check if Python is installed:
Good. Next I found oneliner-python-reverseshell on GitHub and encoded it using Burp Suite:
Listening with netcat and...
Great! Looks like we're in. :)
After our 'small enumeration' at the beginning we know that there are a few users we need to check. The idea of this CTF is to find ways to escalate, so we will use a script to enumerate the local target box from the already achieved user6:
Results:
More details/hints:
More:
More:
More:
Let's try it now:
Cool. I decided to log out from root and check the homedirs of other users:
At this stage I decided to go back to the root account and change the password for user1:
That's how we can get access via invalid sudo perms. OK. The next thing from the LinEnum.sh script I decided to check was /etc/crontab and the perms of autoscript.sh:
As you can see we can overwrite autoscript.sh file (as user4) to get root-shell again. Let's do it:
Checking:
Nope. :| So I tried again with different payloads (...TL;DR - after an hour or two it still didn't work so I moved to another user to not-waste-more-time... ;)
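The misconfiguration noted above, a root job in /etc/crontab that runs a script an unprivileged user can overwrite, can be checked for from the defender's side. The following is an added example, not part of the original post; the function names are hypothetical, and it only inspects the files named on each root job's command line.

```python
import os
import shlex
import stat

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines: schedule, user, command."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # "@daily user cmd" has one schedule field, the classic form has five.
        skip = 1 if fields[0].startswith("@") else 5
        if "=" in fields[0] or len(fields) < skip + 2:
            continue  # environment assignment (SHELL=..., PATH=...) or malformed
        yield fields[skip], " ".join(fields[skip + 1:])

def audit_root_jobs(text, trusted_uids=(0,)):
    """Return (path, reason) for files run by root's jobs that other users can modify."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        try:
            tokens = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = command.split()
        for tok in tokens:
            if not tok.startswith("/"):
                continue
            try:
                st = os.stat(tok)
            except OSError:
                continue  # missing or unreadable path
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_uid not in trusted_uids:
                findings.append((tok, "owned by uid %d" % st.st_uid))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((tok, "group/other writable"))
    return findings

if __name__ == "__main__":
    with open("/etc/crontab") as fh:
        for path, reason in audit_root_jobs(fh.read()):
            print("%s: %s" % (path, reason))
```

A finding means the file should be owned by root with mode 0755 or stricter; the directories above it need the same check, since a writable parent directory allows the file to be replaced.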
We are now logged in as user5:
Looks like the idea should work for /usr/bin/id>out.file - checking:
Good. Last check:
I think the rest of the cases of 'how to escalate to root' on this VM I will leave for you as an exercise. Have fun! ;)
See you next time.
Cheers