Hi all, let’s pwn it! :)
You can find the machine here: Panabee
Enumeration/Reconnaissance
Let’s always start with nmap.
Port 445 (SMB) seems interesting, let’s enumerate it.
SMB (Server Message Block) is a protocol for sharing files.
First of all we have to list the shares; I always like to use the smbclient utility, a client for accessing SMB shares.
The note share seems interesting, let’s connect to it using a null session (without a password, or sending a blank password):
note.txt provides us with some useful info:
Shell as goper
Let’s do an FTP brute force using the username goper:
Perfect. Let’s connect to FTP; we can create a backup.sh file with a reverse shell in it.
Let’s upload it.
We have shell:
goper -> jenny
Now the privesc to user jenny is really easy, let’s check sudo -l:
We can run this Python file as jenny. We can simply rename status.py to status2.py and create our own status.py with our payload in it.
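A defender-side check for the weakness behind this step, added here as an example and not part of the original writeup: it audits sudo rules whose target is a script and flags any whose file or parent directory can be modified by someone other than the trusted owner, which is what lets the invoking user swap the script for their own. The rule tuples, the audit_sudo_script_rules function and the temporary directory layout are my own constructions.

```python
import os
import stat
import tempfile

# Assumed rule shape: (invoking_user, runas_user, script_path). Parsing sudoers
# itself is out of scope; feed it the command paths already shown by `sudo -l`.
def audit_sudo_script_rules(rules, trusted_uid=0):
    """Return one finding per rule target (script or its directory) that someone
    other than the trusted owner (normally root) could modify or replace."""
    findings = []
    for invoker, runas, script in rules:
        for target in (script, os.path.dirname(script)):
            try:
                st = os.stat(target)
            except FileNotFoundError:
                findings.append((invoker, runas, target, "missing: creatable if dir is writable"))
                continue
            problems = []
            if st.st_uid != trusted_uid:
                problems.append("owned by uid %d, not the trusted owner" % st.st_uid)
            if st.st_mode & stat.S_IWGRP:
                problems.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                problems.append("world-writable")
            if problems:
                findings.append((invoker, runas, target, "; ".join(problems)))
    return findings

def _mk(path, mode, is_dir=False):
    """Create a file or directory with an explicit mode (constructed test data)."""
    if is_dir:
        os.mkdir(path)
    else:
        open(path, "w").close()
    os.chmod(path, mode)
    return path

def demo():
    """Constructed layout: one rule like the box's (script inside a world-writable
    home directory) and one hardened rule (0755 directory and file)."""
    root = tempfile.mkdtemp()
    me = os.getuid()  # stand-in for root so the demo runs unprivileged
    weak_dir = _mk(os.path.join(root, "jenny"), 0o777, is_dir=True)
    weak = _mk(os.path.join(weak_dir, "status.py"), 0o755)
    safe_dir = _mk(os.path.join(root, "opt"), 0o755, is_dir=True)
    safe = _mk(os.path.join(safe_dir, "status.py"), 0o755)
    rules = [("goper", "jenny", weak), ("goper", "jenny", safe)]
    return audit_sudo_script_rules(rules, trusted_uid=me)
```

Only the world-writable directory is reported; the script itself has a safe mode, which is exactly why checking the file alone is not enough.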
jenny -> root
Great! Now the privesc to root is easy too. If we check the command history we can see a lot of tmux stuff:
Really weird, this seems like session sharing. We simply have to run this command, but first we have to find the default:
We have root shell:
Let’s read the flag:
Interesting box!