Lazy

Lazy - 10.10.10.18

Target Enumeration:

OS: Linux

IP: 10.10.10.18

User: d558e7924bdfe31266ec96b007dc63fc

Root: 990b142c3cefd46a5e7d61f678d45515

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.7 ((Ubuntu))

Vulnerability Exploited:

Authentication bypass to gain access to web application

Privilege Escalation:

Executable file with weak permissions

Exploiting the host:

Nmap

Visiting the web application

Can't create an admin user, as one already exists.

Creating a new user with the name admin= reveals an SSH key.

Download the key with wget, change its permissions, then log in with the SSH key.

There is an unusual file called backup in the home dir, which reads the /etc/shadow file.

Running strings on it shows that it uses cat.

Create a file called cat in the home dir with the contents:

#!/bin/bash
/bin/sh

Make it executable with:

chmod 777 cat

Export the PATH to the user's home dir so that backup picks up the malicious cat file first.

Execute the backup file to get root.
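
The escalation works because the helper resolves cat through the caller's PATH. The C program below is an added example, not code from the box or from this write-up: it assumes backup runs with root privileges and calls cat by bare name through system(), and places that pattern beside a hardened form. The function names are hypothetical, and /etc/passwd stands in for /etc/shadow so it runs unprivileged.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: the write-up's binary reads /etc/shadow; /etc/passwd is
 * substituted here so the example runs without root. */
#define TARGET "/etc/passwd"

/* Vulnerable pattern (assumed shape of `backup`): system() hands the string
 * to /bin/sh, which resolves the bare name "cat" through the caller's PATH. */
int backup_vulnerable(void)
{
    int st = system("cat " TARGET);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern: no shell, absolute path to the program, and a fixed
 * environment, so nothing inherited from the caller affects the lookup. */
int backup_hardened(void)
{
    char *const argv[] = { "cat", "--", TARGET, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int st;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/cat", argv, envp);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* Constructed condition: a PATH with no cat in it stands in for any
     * caller-controlled PATH. Only the vulnerable variant is affected. */
    setenv("PATH", "/nonexistent", 1);
    printf("vulnerable exit status: %d\n", backup_vulnerable());
    printf("hardened exit status:   %d\n", backup_hardened());
    return 0;
}
```

For a privileged helper, reading the file directly with open() and read() avoids spawning an external program at all.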