Lazy
Lazy - 10.10.10.18
Target Enumeration:
OS: Linux
IP: 10.10.10.18
User: d558e7924bdfe31266ec96b007dc63fc
Root: 990b142c3cefd46a5e7d61f678d45515
Ports / Services / Software Versions Running
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
Vulnerability Exploited:
Authentication bypass to gain access to web application
Privilege Escalation:
Executable file with weak permissions
Exploiting the host:
Nmap
Visiting the web application
Cant create an admin user as already exists
Create a new user with the name admin= and we discover an ssh key.
Download key with wget and change permissions then login with the ssh key
Unusual file called backup in home dir which reads the /etc/shadow file
Strings shows us it uses cat
Create a file called cat in the home dir with the contents:
Export the path to the users home dir so it picks up the malicious file cat first.
Execute the file to get root.
Last updated