# Cat Pictures

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7uuBYCzPX_IaDveHD%2F-Md7xwoq1eYtfCMjRHPZ%2Fimage.png?alt=media\&token=c0581090-ed6e-4d1c-8af7-eca4a3c2c9ab)

## Scanning

Let's run some nmap scans to see what ports and services are open on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md7y8lG8qcDhTGAeB-N%2Fimage.png?alt=media\&token=ba62907f-e4e7-47ee-b9ca-2f89ee5bbe72)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md7yKQF9pZBBdeBCfst%2Fimage.png?alt=media\&token=769f7b92-42bd-4195-b4c0-ec5a37cd8109)

## Enumeration

Let's visit the website on port 8080.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md7yTMmJA_5diZun54l%2Fimage.png?alt=media\&token=de3520e2-da7c-4eb3-869e-ce1f18e72b30)

Let's look at the first forum.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md7yr1z4t87p0PxWEC1%2Fimage.png?alt=media\&token=5de0d4c0-5cb6-42f5-87f0-12207654bdf0)

Looks like this message is hinting at `Port Knocking`. To do this we can use a tool called `knockd`. Let's install it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md7zYebtzQT4tRJmwrO%2Fimage.png?alt=media\&token=714eddcb-2fd9-4951-ad60-69b7fee21425)

Now let's use the knock command (a few times) and also run the nmap scan again.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md80FeVUdmkhNADWP2U%2Fimage.png?alt=media\&token=1348593a-0e0e-402e-a893-3e6933ec2bda)

We can see that port 21 is now open and anonymous login is allowed. Let's check it out and get any files on the server to our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md80WtsZw377edl66Gl%2Fimage.png?alt=media\&token=3d2647ad-4f57-43cf-9f30-35e76a599c9d)
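Port knocking works by having a daemon watch for a specific sequence of connection attempts to closed ports and only opening the hidden service (here, FTP on port 21) after the whole sequence arrives in order. As an added example that is not part of this writeup, the Python below audits constructed UFW/iptables-style block log lines for sources that completed an assumed knock sequence within a time window, which is the check a defender would run to see who has been opening the knock-protected port; the sequence, window, log format and the `completed_knocks` helper are all assumptions.

```python
# Added example, not from the writeup: audit firewall log lines for completed
# port-knock sequences. The sequence, window and log lines are all constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

KNOCK_SEQUENCE = (1111, 2222, 3333)   # assumed sequence, not taken from the target
WINDOW = timedelta(seconds=10)        # all knocks must land inside this window

# Matches the fields we need from a UFW/iptables-style "BLOCK" log line.
LOG_RE = re.compile(r"^(?P<ts>\S+) .*? SRC=(?P<src>\S+) .*? DPT=(?P<dpt>\d+)")

def completed_knocks(lines, sequence=KNOCK_SEQUENCE, window=WINDOW):
    """Return {src_ip: time_of_final_knock} for sources that hit the sequence in
    order within `window`; a wrong port or a stale first knock resets progress."""
    progress = defaultdict(lambda: (0, None))  # src -> (next index, first-knock time)
    done = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # not a firewall block line
        ts = datetime.fromisoformat(m["ts"])
        src, dpt = m["src"], int(m["dpt"])
        idx, started = progress[src]
        if started is not None and ts - started > window:
            idx, started = 0, None              # too slow: start over
        if dpt == sequence[idx]:
            idx, started = idx + 1, started or ts
            if idx == len(sequence):            # full sequence seen
                done[src] = ts
                idx, started = 0, None
        else:                                   # wrong port: restart (or begin)
            idx, started = (1, ts) if dpt == sequence[0] else (0, None)
        progress[src] = (idx, started)
    return done

# Constructed log lines: .5 knocks correctly, .7 knocks out of order, .8 too slowly.
SAMPLE_LOG = """\
2021-06-01T10:00:01 kernel: [UFW BLOCK] IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=1111
2021-06-01T10:00:02 kernel: [UFW BLOCK] IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=2222
2021-06-01T10:00:03 kernel: [UFW BLOCK] IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=3333
2021-06-01T10:00:04 kernel: [UFW BLOCK] IN=eth0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=1111
2021-06-01T10:00:05 kernel: [UFW BLOCK] IN=eth0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=3333
2021-06-01T10:00:30 kernel: [UFW BLOCK] IN=eth0 SRC=10.0.0.8 DST=10.0.0.9 PROTO=TCP DPT=1111
2021-06-01T10:00:50 kernel: [UFW BLOCK] IN=eth0 SRC=10.0.0.8 DST=10.0.0.9 PROTO=TCP DPT=2222
"""

if __name__ == "__main__":
    for src, when in completed_knocks(SAMPLE_LOG.splitlines()).items():
        print(f"{src} completed the knock sequence at {when.isoformat()}")
```

Only 10.0.0.5 is reported; the out-of-order and too-slow sources never complete the sequence, exactly as a knock daemon would ignore them.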

OK, so let's connect to port 4420 on the machine using Netcat.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md80qHdYSDdnGDkUi9Q%2Fimage.png?alt=media\&token=f7032f35-4b75-4f9c-83ed-7b09e57767dc)

## Exploitation

Let's try to get a reverse shell on the machine. First, start a netcat listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md80yuqPOiJgN1e6S0n%2Fimage.png?alt=media\&token=e77972ab-850e-40f4-bba6-68e999916eb1)

Now let's run the reverse shell command; you can find it [here](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md81IVeXPv0r7Z9g3Vc%2Fimage.png?alt=media\&token=386e4ebd-da8d-4523-ac68-d531f7a8f254)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md81LDb4HqhknssANs1%2Fimage.png?alt=media\&token=339ea656-2682-4468-8124-37929627fc92)

We have a reverse shell on the machine. Let's check what files there are on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md825899hv0f20MxSUo%2Fimage.png?alt=media\&token=09ef027b-ae95-4af5-a2b5-ee1bbbb98567)

Let's download this file to our machine using netcat.

First we start a netcat listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md82TOgQ1sSiG-3PI02%2Fimage.png?alt=media\&token=9a5aee36-2fe1-4023-a510-6f21eb704cf0)

Then we send the file to our machine using netcat.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md82Y-lWjt-DVdMY2o1%2Fimage.png?alt=media\&token=843c2238-8fd7-4513-8a4e-5a905b984ac9)

And now we should have the `runme` file on our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md82gFXa3MkPHEqW0iU%2Fimage.png?alt=media\&token=013e3e76-8e12-4a8a-9171-745c26ad3f40)

Let's check the file type of the `runme` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md82pz_1YWHz0ZlMw16%2Fimage.png?alt=media\&token=2caa8bbe-c90e-4bb1-8c08-ecc122d9d8bc)

It's a binary file. Let's run the `strings` command to get more information about the file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md836Cz_cyPmUUTH22I%2Fimage.png?alt=media\&token=b4e21694-9443-4c55-9803-a8379c14375b)

The highlighted lines are interesting. Let's run the binary on the machine, supply the password that we see here and check what happens. We also have to run the command from the `/tmp` directory, as they moved into the temp directory after entering the password. Let's run the command and then check the contents of the `catlover` directory to see what changed.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md83qRz9e1568ka0GN_%2Fimage.png?alt=media\&token=8e1867c3-3e1e-4a65-8e64-484e20cb4c36)

Looks like we have an `id_rsa` file. Let's copy the contents of this file to a file on our machine and then log in through SSH.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md85ZYdY8eVwSsB7IGM%2Fimage.png?alt=media\&token=8f73740f-e005-4ad4-891d-3790ffbc66c3)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md85iQ3iy58oPgw9DoU%2Fimage.png?alt=media\&token=79eb6fa3-0958-47eb-82a2-16c365dac13d)

Now let's log in. We first have to set the permissions on the key file, and the username we are going to log in as was found when we used the `strings` command on the binary file: `catlover`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md863C-fG_MD0doX2jR%2Fimage.png?alt=media\&token=bf5380f6-ed4b-4755-b0d4-ca6493197ffa)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md86FhDfU_vGN9vijwG%2Fimage.png?alt=media\&token=c451da66-5648-4fdf-9731-2ead53f1b9fe)

We are now a user called root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md86K0PkH4qKbl6w61F%2Fimage.png?alt=media\&token=f06959fd-e933-4ee1-aefd-4f32f5cff102)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md7xy9NUfFxZhxpvD5A%2F-Md86lhu7NVnCiS5nma1%2Fimage.png?alt=media\&token=c9bfe38d-831e-4fd1-a5c8-1be2c42a9acf)

We have the first flag, but we do not have the root flag, so let's explore the machine a bit more.

## Privilege Escalation

Looking through the system, there is an interesting file. Let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md86nu-h_sew2hwECn_%2F-Md8A7nIwVg070zq3fHe%2Fimage.png?alt=media\&token=a87745f5-5a72-42c7-93ae-384b75e33222)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md86nu-h_sew2hwECn_%2F-Md8AiospNtL8MNQJ-fT%2Fimage.png?alt=media\&token=a2da7132-bf65-416c-ad6f-116919f4c910)

Looks like they are adding a reverse shell to the file. Let's do the same so that we can get a reverse shell as a higher-privileged user, which is root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md86nu-h_sew2hwECn_%2F-Md8CNK69Hmvo6qzSvEj%2Fimage.png?alt=media\&token=e2605f2b-b038-480d-b361-4dbb266c25d3)

Once we change the contents of the file, let's save it and start a netcat listener on our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md86nu-h_sew2hwECn_%2F-Md8Ch2PvfXd6l7MDLiE%2Fimage.png?alt=media\&token=9b693711-70ab-437d-a531-2b22cd5e46fd)

After a while, you should get a reverse shell on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md8CkoMT-SPM9G9-ceZ%2F-Md8EJcQ0KJV8yS3yzsA%2Fimage.png?alt=media\&token=01ad8e61-65bc-4ef4-844d-ce72755a378e)

You can read the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md8CkoMT-SPM9G9-ceZ%2F-Md8ERXnvwi4zfHNcsFj%2Fimage.png?alt=media\&token=50044a48-2988-4704-802d-33c29157f279)
