Today is a beautiful Saturday and I have a very good news to share with you that I have raised enough money to fund myself to pursue OSCP course for 90 days, however, I think I will raise little more so that I could apply a better internet connection also.
Oh yeah, today I rooted a machine which I rooted actually quite sometime back and can’t recall how I did it, so I think it is a good mild challenge to resume my preparation.
This machine reveals its IP address right away when I switch it on therefore, I don’t need to scan it. Here is the screenshot.
Target Machine IP: 192.168.56.102
Let’s resume our usual step.
Step 1:
nmap -sC -sV -p- -T4 > nmap.txt
Step 2:
You can easily see that it is running http protocol, therefore, there is a web server. So I browse the IP (192.168.56.102) address and it is loaded with a bootstrap site. I did follow my usual procedure to find any low hanging fruits by visit the source code, and check suspicious links and robots.txt etc.. Nevertheless, didn’t get anything interesting.
Therefore, I had to fired-up nikto (if nikto doesn’t give me good information, I go after gobuster, however, in this case, it gave me adequate information). By the way, the reason I put 80 after the nikto naming is because sometimes, we had to scan couple of web server ports, that’s why.
Note to myself :
I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .
Password:
12345ted123
By looking at this password, it gave me a lunch that username is either ted or the person is related in away to ted.
Step 4:
I tried ssh on Target Machine (or victim machine)
ssh ted@192.168.56.102
password: 12345ted123
Boom!!
Step 5:
By the way, I must confess that, sometimes when you read the walk through of other people, you might get the impression that either the guy might be guru or he is just lucky. I must tell you that I went through many rabbit holes and done many research. Nevertheless, at the time of writing, I just didn’t write those mistakes to keep it short and concise 🙂
Now, it is time to enumerate more to escalate the privilege.
First, let’s find SUID Executables (it is much easier for me)
Narration: Since this python script is a reverse tcp connection, therefore, I need to place my Kali Machine IP address (192.168.56.101) at there to receive the connection through nc on port 4000.
I am not sure whether anybody is reading my blog nevertheless, I wish you will enjoy as much as I jot down here 🙂