Hello friends!! Today we are going to solve the latest CTF challenge presented by vulnhub for penetration practice and designed by Mr. Hadi Mene. This lab is intended for beginners and its difficulty level is easy. You can download it from this link: https://www.vulnhub.com/entry/toppo-1,245/
Penetration Methodologies
§ Network scanning
§ Directory brute-force attack
§ Abusing HTTP web directories
§ Compromise confidential
§ Spawn tty shell (ssh login)
§ SUID privilege escalation
§ Get root access and capture the flag
Let’s Begin!!
You will get the target VM's IP at boot-up, so let’s start with nmap port enumeration by executing the following command in our terminal.
nmap -A 192.168.1.104
Since port 80 was open, I explored the target IP in the web browser and was welcomed by the following web page as shown below.
Unfortunately, I didn’t find any remarkable hint on its home page, so I decided to launch a directory brute-force attack through ‘dirb’ and ran the following command.
dirb http://192.168.1.104
The minute you execute the above command you will find many web directories. Here /admin looks more interesting, so let’s check it out.
So when I explored the following URL, it put up a notes.txt file which might be holding something important.
http://192.168.1.104/admin
So I looked into notes.txt and noticed “12345ted123”, which is a password.
Since port 22 was open, I could try an ssh login. We already have the password 12345ted123 but don’t know the username, so I decided to use the hit-and-try method and used the following credentials for ssh login.
Username: ted (predicted from the password)
Password: 12345ted123
Wonderful!! We logged in successfully, now move on to post exploitation and try to get root access. By using the following command you can enumerate all binaries having SUID permission.
find / -perm -u=s -type f 2>/dev/null
It dumped all system binaries which have SUID permissions, and /usr/bin/mawk and /usr/bin/python2.7 are my targets for escalating to root privilege. So I exploited this VM twice to get root access.
Run the following command and get root access directly.
sudo awk 'BEGIN {system("/bin/bash")}'
id
cd /root
ls
cat flag.txt
This was the 1st technique for escalating to root privilege, through an awk one-liner.
Similarly, you can perform the same task by using a python one-liner to spawn a root shell.
python2.7 -c 'import pty;pty.spawn("/bin/sh")'
whoami
cat /root/flag.txt
B000MM!!! We have captured the flag and the challenge is completed.
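From the defender's side, the finding behind both escalations is an interpreter carrying the SUID bit. The script below is an added example, not part of the original walkthrough: it audits a tree for SUID files whose names match script-capable interpreters and clears the bit; the function names, the name list and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag SUID files whose names match script-capable interpreters.
# The name list in the case pattern is an assumption for illustration, not exhaustive.

# Print "RISKY <path>" for each SUID regular file under $1 that looks like an interpreter.
audit_suid_interpreters() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        case "$(basename "$f")" in
            awk|mawk|gawk|nawk|python*|perl*|ruby*|php*|lua*|node|sh|bash|dash|zsh)
                printf 'RISKY %s\n' "$f" ;;
        esac
    done
}

# Clear the SUID bit on every file the audit flags under $1.
remediate_suid_interpreters() {
    audit_suid_interpreters "$1" | while IFS= read -r line; do
        chmod u-s "${line#RISKY }"
    done
}

# Build a constructed sample tree (not real system files) and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/bin"
    for name in mawk python2.7 passwd ls; do
        : > "$t/usr/bin/$name"
    done
    chmod 4755 "$t/usr/bin/mawk" "$t/usr/bin/python2.7" "$t/usr/bin/passwd"
    chmod 0755 "$t/usr/bin/ls"
    printf '%s\n' "$t"
}

# Demo on the constructed tree: mawk and python2.7 are flagged, passwd and ls are not.
sample=$(make_sample_tree)
audit_suid_interpreters "$sample"
remediate_suid_interpreters "$sample"
rm -rf "$sample"
```

On a real host, run audit_suid_interpreters / as root and review each hit before clearing the bit.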