Hacking
GithubTwitter
Search…
Hacking
Hacking, Bug Bounties & Penetration Testing
The Hacker Lab
Methodologies
Basic Buffer Overflow
Basic Internal Network test
Basic Mobile Testing guide
Basic Subdomain Enumeration guide
Guides
Build A Raspberry Pi Dropbox
Golang
Powershell / PowerView
Hack The Box last updated - 2019
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered By GitBook
Lazy

Lazy - 10.10.10.18

Target Enumeration:

OS: Linux
IP: 10.10.10.18
User: d558e7924bdfe31266ec96b007dc63fc
Root: 990b142c3cefd46a5e7d61f678d45515

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))

Vulnerability Exploited:

Authentication bypass to gain access to web application

Privilege Escalation:

Executable file with weak permissions

Exploiting the host:

Nmap
Visiting the web application
Cant create an admin user as already exists
Create a new user with the name admin= and we discover an ssh key.
Download key with wget and change permissions then login with the ssh key
Unusual file called backup in home dir which reads the /etc/shadow file
Strings shows us it uses cat
Create a file called cat in the home dir with the contents:
1
#!/bin/bash
2
/bin/sh
3
Make it executable with
4
chmod 777 cat
Copied!
Export the path to the users home dir so it picks up the malicious file cat first.
Execute the file to get root.
Hack The Box last updated - 2019 - Previous
October
Next - Hack The Box last updated - 2019
Sneaky
Last modified 3yr ago
Copy link
Contents
Lazy - 10.10.10.18
Target Enumeration:
Ports / Services / Software Versions Running
Vulnerability Exploited:
Privilege Escalation:
Exploiting the host: