Lazy -

Target Enumeration:

OS: Linux


User: d558e7924bdfe31266ec96b007dc63fc

Root: 990b142c3cefd46a5e7d61f678d45515

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.7 ((Ubuntu))

Vulnerability Exploited:

Authentication bypass to gain access to web application

Privilege Escalation:

Executable file with weak permissions

Exploiting the host:


Visiting the web application

Cant create an admin user as already exists

Create a new user with the name admin= and we discover an ssh key.

Download key with wget and change permissions then login with the ssh key

Unusual file called backup in home dir which reads the /etc/shadow file

Strings shows us it uses cat

Create a file called cat in the home dir with the contents:

Make it executable with
chmod 777 cat

Export the path to the users home dir so it picks up the malicious file cat first.

Execute the file to get root.

Last updated