Tenten

Tenten - 10.10.10.10

Target Enumeration:

OS: Linux

IP: 10.10.10.10

User: e5c7ed3b89e73049c04c432fc8686f31

Root: f9f7291e39a9a2a011b1425c3e08f603

Ports / Services / Software Versions Running:

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Vulnerability Exploited:

Username enumeration via WordPress

id_rsa private key hidden within a .jpg file

Weak password on the id_rsa file

Privilege Escalation:

User allowed to run /bin/fuckin via sudo, which can be used to execute /bin/sh

Exploiting the host:

Nmap

WPScan

This returned the user takis

Brute-forced the login while enumerating the web app

Found a jobs listing on the webapp

File upload present, but not yet able to upload any files

The path is http://10.10.10.10/index.php/jobs/apply/8/, so we iterate through the IDs with Burp Intruder to see if we can find anything else

Found an access granted page

Searching further with Intruder, we found the hackeraccessgranted.jpg file:

Running steghide on the image revealed an id_rsa private key

We chmod the key file to 400 and try to log in via SSH as the user takis with it.

This did not work, so we extracted the hash from the id_rsa file and cracked it with john

We now had the password “superpassword”

We used that to log in via SSH and collect our user file

Checking local permissions, we found we were allowed to run /bin/fuckin with sudo. Inspecting the file showed that the first, second and third arguments would allow us to run other shells, so we ran sudo /bin/fuckin /bin/sh to get a root shell.