An Inspiring Write up from Proving grounds
The penetration test starts with information gathering: an nmap scan reveals the open ports and anonymous FTP login. An SSH private key is obtained over FTP and used to connect to the target system. linpeas is then used to look for privilege escalation opportunities, and the CPUlimit tool is used to escalate, ending with root privileges.

2026-3-17 04:53:3 Author: infosecwriteups.com

Cyb0rgBytes

As with any penetration testing engagement, we start with information gathering. Information gathering is a crucial step in cyber security that should not be skipped, and the same goes for enumeration.

There are many tools that can be used for enumeration or information gathering.

Let's start with an nmap scan:

Information gathering output.

As shown in the output above, the scan finished and we got some interesting results!

By examining the open port, we can see that anonymous login is allowed, which means we can authenticate to FTP using anonymous credentials.

Let's go to the next step:

As shown above, we can look around over FTP, and there we go: we found a private key for SSH!

I found a hidden directory called hannah, and in that directory there was a private SSH key!

Let's use that SSH private key to connect to the box using hannah as the username.

Connecting to SSH using the found private key.

Gained Access via SSH.

Afterwards, for privilege escalation, we use a handy tool for hunting privesc vectors called linpeas!

As shown above, I transferred linpeas.sh to the tmp directory to run the automated linpeas scan from there!

Next, we find these possible privesc vectors. Let's check out CPUlimit to see if it goes as planned!

I got these results using this command:

find / -perm -u=s -type f 2>/dev/null

For this to work, the bash binary needs its SUID and SGID bits set. We can accomplish this by using chmod +s.

To get root, we enter the following commands:

cpulimit -l 100 -f chmod +s bash

/bin/bash -p

whoami

BINGO!

We got root!

Got Root!
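
From the defender's side, both conditions this escalation relied on (a set-uid cpulimit, then a set-uid bash) show up when set-uid/set-gid files are audited against a known-good list. The script below is an added example, not part of the original write-up; the audit_suid function name and the allowlist file (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example: audit set-uid / set-gid files against an allowlist.
# It reuses the write-up's "find / -perm -u=s -type f" enumeration, but
# from the administrator's side: anything not on the approved list is
# reported, and a set-uid shell is reported as CRITICAL.
#
# Usage: audit_suid ROOT ALLOWLIST
#   ROOT      directory tree to scan (e.g. /)
#   ALLOWLIST hypothetical file, one approved absolute path per line
# Output: one line per finding, "<SEVERITY> <mode> <path>", sorted.
# Assumption: file paths do not contain newlines.

audit_suid() (
    root=$1
    allow=$2
    find "$root" -xdev -type f \( -perm -u=s -o -perm -g=s \) 2>/dev/null |
    while IFS= read -r path; do
        # Skip binaries the administrator has explicitly approved.
        grep -Fxq -- "$path" "$allow" 2>/dev/null && continue
        mode=$(ls -ld "$path" | cut -d' ' -f1)
        case "${path##*/}" in
            # A shell carrying the s bit keeps elevated privileges for
            # whoever starts it; this is never a legitimate state.
            sh|bash|dash|zsh|ksh) sev=CRITICAL ;;
            # Any other unapproved set-uid/set-gid file needs a human
            # decision: remove the bit or add it to the allowlist.
            *) sev=REVIEW ;;
        esac
        printf '%s %s %s\n' "$sev" "$mode" "$path"
    done | sort
)

# Run directly as: sh audit_suid.sh / /etc/suid-allowlist.txt
# (the allowlist path is a placeholder).
if [ "$#" -eq 2 ]; then
    audit_suid "$1" "$2"
fi
```

Run it from cron or a configuration-management job and alert on any output; removing the s bit from a flagged file is `chmod u-s,g-s <path>`.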

Thanks a lot for reading! If you love my content and want to see more, clap and share my stories! You can also check out my other stories, which are definitely worth reading. Cheers!


Article source: https://infosecwriteups.com/an-inspiring-write-up-from-proving-grounds-99342df28758?source=rss----7b722bfd1b8d---4