# Poster

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McW4vVTYN0UfM-sA2ev%2F-McWPpEdFrjT3HOP3ayk%2Fimage.png?alt=media\&token=b6ed39e0-3dc3-4fca-80d3-d41df2a5adc4)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McW4vVTYN0UfM-sA2ev%2F-McWPlv1X6SOiPqdaI2Q%2Fimage.png?alt=media\&token=c4f38221-0517-4c47-addc-de10fc1e1b79)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**) so the target is scanned even if it does not answer ping.

```
nmap -Pn 10.10.65.15
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWPwkrQrpy1az4JnPJ%2F-McWQKpylUvP49f1levY%2Fimage.png?alt=media\&token=0fd74076-1d85-4c78-b36a-2ef7f6276e8b)

Detailed Nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: run the default nmap scripts
* **-p**: scan only ports 22, 80 and 5432
* **-oN nmap**: save the output in normal format to a file called `nmap`

```
nmap -sV -sC -p 22,80,5432 -oN nmap 10.10.65.15
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWPwkrQrpy1az4JnPJ%2F-McWQxuFt0YTOPXOI7Ny%2Fimage.png?alt=media\&token=b30662d4-a2a3-4e21-b25a-fb3696b5f7c2)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWR4aafXlwP7ELQMkb%2Fimage.png?alt=media\&token=6cfedeab-c2a7-4f47-a636-aacebbd34f69)
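When the `-oN` file is kept, it is worth checking it against what the host should expose rather than only reading it by eye. The following is an added example (not from the original write-up) that parses nmap's normal output into records and flags any open port outside an expected-exposure allowlist; here that is the database listener on 5432. The sample output is constructed, with placeholder version strings.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap "normal" (-oN) output for a scan like the one above.
# Service versions are illustrative placeholders, not the room's real values.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.91 scan initiated Tue Jun  1 10:00:00 2021 as: nmap -sV -sC -p 22,80,5432 -oN nmap 10.10.65.15
Nmap scan report for 10.10.65.15
Host is up (0.045s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.x (placeholder; protocol 2.0)
| ssh-hostkey:
|_  2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)
80/tcp   open  http       Apache httpd 2.4.x (placeholder)
|_http-title: Site doesn't have a title (text/html).
5432/tcp open  postgresql PostgreSQL DB 9.x (placeholder)
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Tue Jun  1 10:00:30 2021 -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

# One port line of -oN output: "<port>/<proto>  <state>  <service>  [<version>]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)

def parse_nmap_normal(text: str) -> List[Dict[str, object]]:
    """Extract port records from -oN text; NSE script lines (starting with |) are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            records.append({"port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                            "service": m["service"], "version": m["version"] or ""})
    return records

# Ports a public web host is expected to expose; anything else that is open is a finding.
EXPECTED_EXPOSURE: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

def unexpected_open_ports(records, expected=EXPECTED_EXPOSURE):
    """Open ports outside the allowlist, e.g. a database listener reachable by the scanner."""
    return [r for r in records if r["state"] == "open" and (r["proto"], r["port"]) not in expected]

if __name__ == "__main__":
    for r in unexpected_open_ports(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)):
        print(f"unexpected exposure: {r['port']}/{r['proto']} {r['service']} {r['version']}")
```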

## Enumeration

We are told to go to Metasploit and look for an auxiliary module that allows us to enumerate user credentials, so let's do that.

Let's start `Metasploit`

```
msfconsole
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWRRG2egZ9ELa82ftQ%2Fimage.png?alt=media\&token=a11f7456-53c5-4422-aa75-e40c7b61609c)

Now let's search for the module

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWSXT5nfvKtxZsP5RD%2Fimage.png?alt=media\&token=4da7f919-32d5-4293-8ee5-d557f165a293)

It's the fourth one, so let's select it and set the options

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWSmRRTUzCtPdfSyuQ%2Fimage.png?alt=media\&token=82e83d46-2069-4418-8a4d-f6077ad93cf3)

Now let's run the enumeration module

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWSuSeCaSb1e72p6bw%2Fimage.png?alt=media\&token=a70d135f-b4fc-4df0-ba52-30e8bfc0fad0)

We have the username and password.

Let's answer the next two questions, as we now have the answers

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWTMh54j9yV0bOlUB6%2Fimage.png?alt=media\&token=f87b162e-5fca-48a0-b791-f530ace44221)
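On the defender's side, the credential-enumeration module used above leaves a very recognisable trail in the PostgreSQL server log. This added example (not from the original write-up) counts failed password logins per (client, user) in a sliding window and raises a second alert when a client that was guessing then logs in successfully. It assumes a `log_line_prefix` of `'%m [%p] %u@%d %h '` with `log_connections` on; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumes log_line_prefix = '%m [%p] %u@%d %h ' and log_connections = on (an assumption, not the room's config).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[\d+\] "
    r"(?P<user>[^@\s]+)@\S+ (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
FAIL_MSG = "password authentication failed for user"
OK_MSG = "connection authorized"

# Constructed sample: five failures for "postgres" from 10.0.0.99 within two seconds, one unrelated
# failure from 10.0.0.5, then 10.0.0.99 authenticates successfully as postgres.
SAMPLE_LOG = """\
2021-06-01 10:05:01.100 UTC [2101] postgres@postgres 10.0.0.99 FATAL:  password authentication failed for user "postgres"
2021-06-01 10:05:01.400 UTC [2102] postgres@postgres 10.0.0.99 FATAL:  password authentication failed for user "postgres"
2021-06-01 10:05:01.700 UTC [2103] postgres@postgres 10.0.0.99 FATAL:  password authentication failed for user "postgres"
2021-06-01 10:05:02.000 UTC [2104] postgres@postgres 10.0.0.99 FATAL:  password authentication failed for user "postgres"
2021-06-01 10:05:02.300 UTC [2105] app@app 10.0.0.5 FATAL:  password authentication failed for user "app"
2021-06-01 10:05:02.600 UTC [2106] postgres@postgres 10.0.0.99 FATAL:  password authentication failed for user "postgres"
2021-06-01 10:05:03.200 UTC [2107] postgres@postgres 10.0.0.99 LOG:  connection authorized: user=postgres database=postgres
"""

def detect_password_guessing(lines, threshold=5, window_s=60):
    """Alert once per (host, user) when failures inside a sliding window reach the threshold,
    and again if that same pair then logs in successfully (a likely guessed password)."""
    failures = defaultdict(deque)   # (host, user) -> timestamps of recent failures
    in_burst, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                    # another log_line_prefix or a continuation line
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        key = (m["host"], m["user"])
        if m["level"] == "FATAL" and FAIL_MSG in m["msg"]:
            q = failures[key]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_s):   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in in_burst:
                in_burst.add(key)
                alerts.append((m["host"], m["user"], "password_guessing", ts))
        elif m["level"] == "LOG" and OK_MSG in m["msg"] and key in in_burst:
            in_burst.discard(key)
            alerts.append((m["host"], m["user"], "success_after_burst", ts))
    return alerts
```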

Now we have to find the module that will let us execute commands with the credentials we just found.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWUIt_TdcUXZyaE0K7%2Fimage.png?alt=media\&token=e5910a1a-db6f-4b00-a322-cea410a37352)

It is number 6; let's select it and set the options

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWVeB0y_LQnlfGqCj0%2Fimage.png?alt=media\&token=25a80593-748c-4745-afaa-624a388cb912)

Let's run it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWVk1FF5IyjWzLl6k6%2Fimage.png?alt=media\&token=2570ed26-d902-491a-bac5-62c587798fb7)

We have the version, so we can answer the next two questions

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWW-ZfI0oJ-GEpxTE5%2Fimage.png?alt=media\&token=bcf0a10d-bc28-4029-a02c-2d9956cb2d19)

Next we have to find the module that will dump the user hashes

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWWBL8kQdyXHaxwoo0%2Fimage.png?alt=media\&token=abbe6d69-2691-4082-bb41-27e8646091c5)

This time it is number 8, so let's select it and set the options

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWUYo95NKvX4l_LjWK%2Fimage.png?alt=media\&token=5eb104ef-d3bf-47a0-985c-23637289f966)

Let's run it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWUdpUt2Y6JhQcI_GD%2Fimage.png?alt=media\&token=0ebf879f-cbe9-44e9-8ba9-283dd6281835)

We have six usernames and their hashed passwords. We can answer the next two questions

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWWXASTEA8dVPeeURL%2Fimage.png?alt=media\&token=83c216db-0a84-48e4-84ec-caf898e97495)

Next we have to find the module that allows an authenticated user to view files of their choosing.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWWcUmLAlsadEeu9uS%2Fimage.png?alt=media\&token=b56be2e9-7ea1-46c3-8139-09c6e89c310f)

This time it is number 5; let's select it, set the options and run it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWXG2bdPlda_v9sRE4%2Fimage.png?alt=media\&token=70035403-8725-4741-a54e-58fd78dd70ef)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWXKibqhxz18_bk4hV%2Fimage.png?alt=media\&token=300bfde1-b209-4465-82a8-b4df89d95e8c)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWXOHEGeprAB6UeIMc%2Fimage.png?alt=media\&token=89f0e8b8-1921-42d3-aa97-d0b9c76ba429)

Now we have to look for the module that allows arbitrary command execution.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWR0riTdWYwIu5z8GZ%2F-McWXo2BeeUQa10YEZTu%2Fimage.png?alt=media\&token=e9f21bdd-72b1-4e4c-bd0d-2eb58b061207)

It is number 2; let's select it and set the options. We can also answer the next two questions

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWZjkwkEdzufYz8YS9%2Fimage.png?alt=media\&token=46f4e7b3-7967-4da8-ad7b-52a753cd270a)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWY9WRexZdVfhYgjMn%2Fimage.png?alt=media\&token=0eb67444-f0a2-46f9-8f4b-ab9842deaa56)

Let's run it

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWYHezIpCEW2o7C4Sy%2Fimage.png?alt=media\&token=6c941b01-0dcb-44d9-9fe5-915fb3dff1c5)
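Everything from the login module through the hash dump to command execution depends on the PostgreSQL listener accepting password logins from the network. This added example (not from the original write-up) audits a `pg_hba.conf` for the records that make that possible: `trust` on a network rule, rules open to any address, and password authentication over non-TLS `host` rules. The sample configuration is constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample pg_hba.conf (not the room's configuration).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                    METHOD
local   all       postgres                             peer
local   all       all                                  peer
host    all       all       127.0.0.1/32               md5
host    all       all       ::1/128                    md5
host    all       all       0.0.0.0/0                  md5
hostssl app       app       10.20.0.0/16               scram-sha-256
host    all       all       192.168.1.0 255.255.255.0  trust
"""

def parse_hba_record(line: str) -> Optional[dict]:
    """Parse one record; None for comments, blank lines and record types not handled here."""
    f = line.split("#", 1)[0].split()
    if not f:
        return None
    if f[0] == "local" and len(f) >= 4:
        return {"type": "local", "db": f[1], "user": f[2], "net": None, "method": f[3]}
    if f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
        addr, rest = f[3], f[4:]
        if len(rest) >= 2 and rest[0][:1].isdigit() and "/" not in addr:   # "ADDRESS NETMASK" form
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if addr == "all" else addr, strict=False)
        except ValueError:           # hostname, samehost or samenet: not audited here
            net = None
        return {"type": f[0], "db": f[1], "user": f[2], "net": net, "method": rest[0]}
    return None

def audit_pg_hba(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, severity, message) for network records that weaken authentication."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        r = parse_hba_record(raw)
        if r is None or r["type"] == "local":
            continue
        net = r["net"]
        if r["method"] == "trust":
            findings.append((n, "critical", "trust on a network rule: clients connect without any credential"))
        if net is not None and net.prefixlen == 0:
            findings.append((n, "high", f"user '{r['user']}' reachable from any address: exposed to password guessing"))
        if r["type"] == "host" and r["method"] in ("password", "md5", "scram-sha-256") and net is not None and not net.is_loopback:
            findings.append((n, "medium", "password authentication allowed without TLS (prefer hostssl)"))
    return findings
```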

Looking back at the usernames and credentials we found, we can try to `cd` into one of the users' home directories and list the files

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McW_7R2SAYRHUYi4qb4%2Fimage.png?alt=media\&token=07618271-f066-4964-9e2a-e00fa9782bf3)

This file looks interesting; let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McW_ElRUM4KZGF-v8jf%2Fimage.png?alt=media\&token=1953ddba-8e7c-4d17-ba17-cd3e67b8350a)

We have the password, so let's SSH into the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McW_Un7ngTpL2RUu1fD%2Fimage.png?alt=media\&token=85568b9a-e789-4685-824d-a11f188d4b0e)

## Privilege Escalation

We cannot read the user flag and do not have sudo permissions, so let's run `LinEnum.sh` on the machine to look for interesting files. First we have to start an HTTP server on our machine and download the script onto the victim machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWcN-W2ysqQhrHMhOI%2Fimage.png?alt=media\&token=ec17f841-e310-4c7d-b28a-46e9cde9ea67)

You can stabilize the shell with this command:

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

Now let's download the file. Make sure you are in the `/tmp` folder, as the other folders do not give us permission to write files.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWctLySLCkAScSEdgR%2Fimage.png?alt=media\&token=fe968b07-f176-42e6-b932-92c6dbfa4598)

Let's make the script executable

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWd-aeakfBgoDN80-J%2Fimage.png?alt=media\&token=e30a4b21-6cde-4076-a678-5fb0c3c2a883)

Now let's run it.

```
./LinEnum.sh
```

Long story short, I found nothing, and I even tried LinPEAS but found nothing interesting. Maybe I am not looking at the right thing, lol. Anyway, I remembered there was a web server running on the machine, so I went to `/var/www/html` to look for clues and found this interesting file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWecf9MicydqheKQzm%2Fimage.png?alt=media\&token=79e933cf-e260-4409-aa9e-86a25307a082)

Let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWejDLcKKJBK8hBWnY%2Fimage.png?alt=media\&token=28868bdd-4bfe-45b9-b82d-958143e63973)

We have the password for the user `Alison`, so let's switch users.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWetIh-l137XoDglFB%2Fimage.png?alt=media\&token=84db3dc6-8efd-40f9-99ad-4fa31a213985)
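Both footholds in this write-up came from plaintext credentials sitting on disk: the file in a user's home directory that gave up the SSH password, and the file under `/var/www/html` that gave up Alison's password. The following is an added example, not from the original post, that sweeps a directory tree for credential-like assignments and reports whether each hit is readable by other users; the sample tree it builds is constructed and its "example-only" values are fakes.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# A finding is (path relative to root, line number, matched key, world_readable).
Finding = Tuple[str, int, str, bool]

# "key = value", "key: value" or "key => value" where the key looks like a password/secret; a leading $ (PHP) is allowed.
CRED_RE = re.compile(r"""^\s*\$?(?P<key>\w*(pass(word|wd)?|pwd|secret)\w*)\s*(=>|[:=])\s*(?P<val>["']?[^"'\s;]+["']?)""", re.I)
# Values that are clearly not a live secret: placeholders, templating, environment lookups.
PLACEHOLDER_RE = re.compile(r"""^["']?(changeme|<[^>]*>|\$\{[^}]*\}|os\.environ.*|getenv\(.*)["']?;?$""", re.I)
TEXT_SUFFIXES = {".php", ".txt", ".env", ".ini", ".conf", ".cfg", ".yml", ".yaml", ".py", ".js", ".json", ""}

def scan_for_credentials(root: str) -> List[Finding]:
    """Walk root, match credential-looking lines in text files and note whether others can read the file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.suffix.lower() not in TEXT_SUFFIXES:
                continue
            try:
                text, mode = p.read_text(errors="replace"), p.stat().st_mode
            except OSError:           # unreadable file: nothing to scan
                continue
            for n, line in enumerate(text.splitlines(), 1):
                m = CRED_RE.match(line)
                if m and not PLACEHOLDER_RE.match(m["val"]):
                    findings.append((str(p.relative_to(root)), n, m["key"], bool(mode & stat.S_IROTH)))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed fixture: a fake web root and home directory; both 'example-only' values are fakes."""
    root = tempfile.mkdtemp(prefix="credscan-")
    samples = {
        "var/www/html/config.php": ('<?php\n$db_user = "app";\n$db_password = "example-only";\n', 0o644),
        "home/dev/notes.txt": ("password: example-only\n", 0o600),
        "home/dev/app.py": ('password = os.environ["DB_PASSWORD"]\n', 0o644),
        "etc/app.conf": ("password = changeme\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        path.chmod(mode)
    return root
```

Run `scan_for_credentials` against real home directories and the web root on a host you administer; a world-readable hit under the web root is exactly the class of exposure that turned a database foothold into a user account here.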

This user has `sudo` permission, so let's see what we can run

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWf2ViXofA8wMkD_sY%2Fimage.png?alt=media\&token=61cbbee1-9fc2-42ae-b47f-b90723bd3524)

It looks like we can run all commands, so let's switch to root

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWfFV-u_1vV4l8QpBq%2Fimage.png?alt=media\&token=443ab502-c1f1-4000-a7a6-e29350efb613)

We can now read the user flag and the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McWXxBHzEDYhVNkw5IY%2F-McWfPng8INIK1k4VoAD%2Fimage.png?alt=media\&token=68ef97f2-7f6d-4b8f-a171-867e758002e6)
