When I got nothing, I thought of brute-forcing some usernames on finger using pentest-monkey's amazing script, finger-user-enum-1.0.
This was guesswork: trying the box name as the password worked.
USER — SUNNY ENUMERATION
Enumerating the user's sudo rights, I found we can run a script as root.
Watching what happens on running /root/troll, I see it prints the user id, nothing much. So I went for more enumeration and found a folder named backup containing a backup of /etc/shadow.
Copy both files to your machine and crack the password using john.
Now that we have the password for user sammy, let's SSH in as him.
USER — SAMMY ENUMERATION
Checking sudo rights of user sammy.
There is more than one way to escalate privileges using wget; I have discussed only two. Let's see them one by one.
1) Using the --input-file flag
Why not read a local file, root.txt in /root/, by passing it as the input file?
2) Exploiting any user binary file
What if I said that calling /usr/bin/passwd won't change the password, but instead gives you a shell? We are using a trivial way of exploiting this: changing what the file does by replacing its contents. We will create a malicious payload, a reverse shell written in Python, and wget it so that its output is saved to /usr/bin/passwd.
Run the passwd command and see the magic on the netcat listener on your machine.
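As an added example (not part of the original writeup), here is the defender-side check for the two things this box turns on: a sudo rule handing wget to a low-privilege user, and a setuid binary such as /usr/bin/passwd no longer being an ELF file after being overwritten. The RISKY_BINARIES table and the simplified sudoers grammar are assumptions of the example, and the sudoers text is constructed.

```python
import re

# Sudo grants that give far more than the binary's nominal purpose. The wget
# entry mirrors the writeup: --input-file reads any file as root, -O writes
# any file as root. This table is an assumption for the example, not complete.
RISKY_BINARIES = {
    "wget": "reads any file (--input-file) and writes any file (-O) as root",
}

# Simplified sudoers grammar: user host=(runas) [TAG: ...] cmd1, cmd2
SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return one finding per risky command found in sudoers-style text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",") if c.strip()):
            name = cmd.split()[0].rsplit("/", 1)[-1]
            reason = None
            if cmd == "ALL":
                reason = "unrestricted ALL"
            elif name in RISKY_BINARIES:
                reason = RISKY_BINARIES[name]
            if reason:
                findings.append({"user": m.group("user"), "cmd": cmd,
                                 "nopasswd": nopasswd, "reason": reason})
    return findings

def looks_replaced(header):
    """True if a file that must be native code (e.g. /usr/bin/passwd) no longer
    starts with an ELF header, as happens when wget -O overwrites it with a script."""
    return not header.startswith(b"\x7fELF")

# Constructed sample; not the box's real sudoers file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
sunny   ALL=(root) NOPASSWD: /root/troll
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
"""
```

On a live host, feed the output of `sudo -l` or the contents of /etc/sudoers.d to audit_sudoers, and the first bytes of each setuid binary to looks_replaced.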