Hi all, let’s pwn this box.
You can find the machine here: Seppuku
Let’s start as always with an nmap scan.
Let’s not waste more time. I did a lot of enumeration on every port and I found a wordlist under port 7601, so let’s run gobuster.
Directory /w has a wordlist in http://$ip:7601/w/password.lst, let’s download it.
After some tries, I tried an ssh brute force with user seppuku & I got in!
Bingo! Let’s login.
Oh, we’re in rbash!
We can easily bypass this using vi.
Perfect, now we can see a password in the seppuku directory. We can try it for the samurai user.
We’re in. If we now run sudo -l we can see this.
But this file doesn’t exist, and only tanto can create it. After some enumeration I found tanto's ssh private key.
Note: Every time you log in as another user you have to do the vi trick to bypass rbash.
Perfect, let’s now create this file & add our payload to it.
Let’s go back to the samurai user & execute it.
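The root cause of this last step is a sudo rule pointing at a command that does not exist in a location another user can write to. As an added example (not part of the original write-up), here is an audit an administrator could run over sudoers rules to catch that; the rule line and its path are constructed placeholders, and the function names are hypothetical.

```python
import os
import stat

def sudoers_commands(rule):
    """Return the absolute command paths named in one sudoers rule line."""
    # Commands follow the Runas spec "(...)" if present, otherwise the "=".
    _, _, cmds = rule.rpartition(")") if ")" in rule else rule.partition("=")
    paths = []
    for cmd in cmds.split(","):
        words = [w for w in cmd.split() if not w.endswith(":")]  # drop NOPASSWD: etc.
        if words and words[0].startswith("/"):
            paths.append(words[0])          # keep the path, ignore its arguments
    return paths

def audit_command(path, trusted_uids=frozenset({0})):
    """Return (path, reason) findings for a command that sudo runs as root."""
    path = os.path.normpath(path)
    findings = []
    if not os.path.lexists(path):
        findings.append((path, "missing"))
    # Whoever can write the command or any ancestor directory can create or
    # replace the file sudo will execute, so check each of them.
    node = path
    while True:
        try:
            st = os.lstat(node)
        except OSError:
            st = None                       # does not exist; keep walking up
        if st is not None:
            if st.st_uid not in trusted_uids:
                findings.append((node, "untrusted owner uid %d" % st.st_uid))
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if writable and not stat.S_ISLNK(st.st_mode):
                findings.append((node, "group/world writable"))
        parent = os.path.dirname(node)
        if parent == node:
            return findings
        node = parent

if __name__ == "__main__":
    # Constructed rule; the path is a placeholder, not the one from this box.
    rule = "samurai ALL=(ALL) NOPASSWD: /home/tanto/tools/run"
    for command in sudoers_commands(rule):
        for where, reason in audit_command(command):
            print(command, "->", where, reason)
```

Any finding means the rule should point at a root-owned file inside root-owned, non-writable directories, or be removed.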
Let’s read the flag now.
See you!