Lazy - 10.10.10.18

Target Enumeration:

OS: Linux
IP: 10.10.10.18
User: d558e7924bdfe31266ec96b007dc63fc
Root: 990b142c3cefd46a5e7d61f678d45515

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))

Vulnerability Exploited:

Authentication bypass to gain access to web application

Privilege Escalation:

Executable file with weak permissions

Exploiting the host:

Nmap
Visiting the web application
Can't create an admin user as one already exists
Create a new user with the name admin= and we discover an SSH key.
Download the key with wget, change its permissions, then log in with the SSH key
There is an unusual file called backup in the home dir which reads the /etc/shadow file
Running strings on it shows us it uses cat
Create a file called cat in the home dir with the contents:
#!/bin/bash
/bin/sh
Make it executable with
chmod 777 cat
Export the PATH to the user's home dir so it picks up the malicious file cat first.
Execute the file to get root.