Information
Name | Author | Series | Difficulty |
---|---|---|---|
Toppo | Hadi Mene | Toppto | Easy |
Let’s Start
We start with checking our IP address with:
ifconfig
Our IP is:
192.168.1.39
Now open Zenmap (nmap GUI verison), and do a “Quick Scan” for the IP “192.168.1.*” ( * symbolize for every number) So the target IP is
192.168.1.40
And we have a http port and ssh port open. So at first let’s check the web server through FireFox.
But there is nothing in those pages or in the pages source.
Let’s try to check what we have on the web server with Nikto
nikto -h 192.168.1.40
We can see some folders so we need to check them. admin folder. We can see a txt file so open it.
There is a password there
12345ted123
Let’s keep searching in the other folders. mail folder. Open the php file. img folder. All the images look normal, so what we have? we know that the password is
12345ted123
and that there is a open port for ssh. So let’s try to connect to the ssh, but we need a username… Maybe, it’s ted from the password.
ssh ted@192.168.1.40
yes
12345ted123
Now we are in, go to out from the folders
cd ..
lets search for files that has root permission
find / -type f -user root -perm /u+s -ls 2> /dev/null Let's break it down
- find - command for search something
- / - to search in all the files system
- -type f - search for files
- -user root - the owner of the file (here is root)
- -perm /u+s - files that have the permission of their owner
- -ls - list the files in ls format
- 2> /dev/null - to avoid “permission denied “messages
We can see that python is one of those files that as u+s permission therefore, if we use python we have a root permission (python owner is root). We can use this to get our root privilege. We can do this by python that import pty, this package can start process ,one of them is a shell.
python -c 'import pty; pty.spawn("/bin/sh");' Let's break it
- python - we want to use python.
- -c - (flag) that this is a python in this command.
- import pty - import that package.
- pty.spawn(“/bin/sh”)- create process of TTY shell.
Now that we have root privilege, we can go to root folder.
cd root
And there look for the files in it.
ls
We can see file with the name flag.txt, read it
cat flag.txt
And we done.
The flag is:
0wnedlab{p4ssi0n_c0me_with_pract1ce}