Machine Creator: ch4p
Tools Used: Nmap, finger Perl script, Metasploit, Patator, Hashcat, Python
First, we start with a full-port Nmap scan and discover port 79 TCP (finger).
Two discovered users have logged in in the past, Sammy and Sunny; they have login timestamps of April 24 from IP 10.10.14.4.
Alternatively, we can run finger enumeration through Metasploit.
After conducting a more in-depth Nmap scan, we can see that SSH is running on port 22022.
SSH Brute Force
Now that we have possible usernames, we need to discover their passwords. Generally, Hydra can be used for SSH brute forcing; however, due to the age of this machine, a different tool, Patator, is required. Patator was able to brute force SSH and discovered Sunny's password as "sunday".
While attempting to log in through SSH, there was an error, "no matching key exchange method found", so the key exchange method had to be specified.
After looking around, I was able to locate the user.txt file on Sammy's desktop; however, Sunny does not have permission to access the file.
After running both Linux password hashes through Hashcat, we are given the passwords "sunday" and "cooldude!".
The Windows version of Hashcat was used for graphics card acceleration.
We log in as user Sammy using the password "cooldude!".
After logging in as Sammy, we can read the user.txt file and get the key.
PRIVILEGE ESCALATION
If we try to elevate to root as Sunny, we find we can run the file /root/troll.
If we try to elevate to root as Sammy, we find we can run wget.
Since we can download files with wget as root and execute /root/troll as root, we can obtain an elevated reverse shell.
We can serve the custom troll file from our local computer using Python's SimpleHTTPServer and then download it as Sammy.
In the troll file, I've included a Python reverse shell script.
After running "sudo /root/troll" as Sunny, we now have a reverse shell as root.
With root access, we can now view the contents of root.txt.
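The escalation above chains two sudo rules: one user may run a file-writing tool (wget) as root, and another may run a root-owned script as root, so the script can be overwritten and then executed. As an added defender-side example, not taken from this writeup, the following Python script parses a constructed sudoers fragment modelled on those two rules and reports the chain; the list of file-writing tools and the sample sudoers lines are assumptions made for the example.

```python
import re

# Tools that write attacker-chosen content anywhere when run as root (assumed list).
FILE_WRITERS = {"wget", "curl", "tee", "cp", "dd"}

# user host=(runas) [TAG:] cmd[, cmd...]; the (runas) group is optional
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return (user, runas_user, command) tuples from a sudoers fragment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("user"), runas, cmd.strip()))
    return rules

def audit(rules):
    """Flag root-level file writers and every other sudo target they can overwrite."""
    findings = []
    writers = [(u, c) for u, r, c in rules
               if r in ("root", "ALL")
               and c.split()[0].rsplit("/", 1)[-1] in FILE_WRITERS]
    for user, cmd in writers:
        findings.append(f"{user} may write any file as root via sudo {cmd}")
    for user, runas, cmd in rules:
        if runas not in ("root", "ALL") or (user, cmd) in writers:
            continue
        target = cmd.split()[0]
        for wuser, wcmd in writers:
            findings.append(f"{target} (sudo by {user}) is overwritable by {wuser} via {wcmd}")
    return findings

# Constructed sudoers fragment modelled on the two rules the writeup abuses.
SAMPLE_SUDOERS = """\
Defaults    env_reset
sunny   ALL=(root) NOPASSWD: /root/troll
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
"""

FINDINGS = audit(parse_sudoers(SAMPLE_SUDOERS))
```

Run against a real /etc/sudoers (and sudoers.d fragments) the same way; any root-level entry in FILE_WRITERS is itself a full root equivalent, with or without a second script to hijack.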