CyberSploit 1
What’s good y’all, your favorite neighborhood Padawan Pentester back at it again with a fairly easy box for beginners! No, y’all, this one was super easy. Perfect for understanding decoding and privilege escalation.
Name: CyberSploit: 1
Release Date: 09/July/2020
Author: @CyberSploit
Series: CyberSploit
Methodology
Reconnaissance
- Netdiscover
- Nmap
Enumeration
- Dirb
Exploitation
- Base64 decode
Privilege Escalation
- overlayfs local root privilege escalation
- Root flag
Reconnaissance
As always, let’s start things off with a Netdiscover scan to find the target’s IP. Afterwards we’ll analyze the output from the nmap and dirb scans.
Nmap shows two ports open: 80 (HTTP) and 22 (SSH).
Enumeration
Dirb shows a status code of 200 for the index, robots, and hacker pages.
Exploitation
Navigating to the robots page, we find a base64 string. Let’s go ahead and decode the string and record it for later use.
Using base64 decode, we are able to reveal the first flag!
There is a more sophisticated way of decoding this text: using curl, fetch the full URL and pipe the output to base64 -d.
Let’s check out the index page, initially nothing seems out of ordinary…
Inspecting the page, we see that the username is displayed: itsskv. Record this and remember that from our Nmap scan SSH/port 22 is open.
Now SSH in as itsskv using the decoded first flag as the password and execute ls -la to reveal any hidden files and directories.
We see flag2.txt. Cat the flag and the output is binary. Using Bash, we can convert it to ASCII.
Flag2: cybersploit{https:t.me/cybersploit1}
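The two decoding steps above (base64 from the robots page, binary from flag2.txt) as reusable shell functions. This is an added example, not code from the original write-up; the sample inputs are constructed stand-ins, not the box’s real flags, so the script runs offline. On a live target the base64 text would come from `curl -s http://<target>/robots.txt` piped into decode_b64.

```shell
#!/bin/sh
# Added example (not from the original write-up): the two manual decoding
# steps from the post as shell functions. Sample inputs are CONSTRUCTED
# so this runs offline; they are not the real flags from the box.

# Decode base64 read from stdin. Mirrors: curl -s <url> | base64 -d
decode_b64() {
  base64 -d
}

# Convert a space-separated string of 8-bit binary groups to ASCII,
# e.g. "01101000 01101001" -> "hi". Pure POSIX sh (no bash-only 2# bases).
bin2ascii() {
  out=""
  for byte in $1; do
    n=0
    bits=$byte
    # Walk the bits left to right: n = n*2 + bit
    while [ -n "$bits" ]; do
      rest=${bits#?}          # everything after the first character
      bit=${bits%"$rest"}     # the first character only
      n=$(( n * 2 + bit ))
      bits=$rest
    done
    # printf interprets \ooo octal escapes in its format string
    out="$out$(printf "\\$(printf '%03o' "$n")")"
  done
  printf '%s\n' "$out"
}

# Constructed sample inputs (stand-ins for robots.txt and flag2.txt):
SAMPLE_B64='Y3liZXJzcGxvaXQ='            # base64 of "cybersploit"
SAMPLE_BIN='01100011 01110100 01100110'  # binary for "ctf"

if [ "${1:-}" = "demo" ]; then
  printf '%s' "$SAMPLE_B64" | decode_b64; echo
  bin2ascii "$SAMPLE_BIN"
fi
```

Run it with `sh decode.sh demo` to print both decoded samples. The bit-walking loop is used instead of bash’s `$((2#...))` so the script also works under dash or BusyBox sh.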
Privilege Escalation
We determine the kernel release and, with a quick Google search, find the exploit script.
On your machine, download the script via wget.
Now we’re going to have to host the script in order to send it over to the target. Start apache2 and verify that it is running.
Where are web pages hosted in Linux? In /var/www/html! Move and/or copy the exploit to that directory.
On the victim, move into /tmp and download the exploit from your machine like so:
Change the permissions on the file. Use chmod 777 to give it all the keys to the kingdom (the executable bit is all it really needs) and compile the exploit.
And of course, you land in a bare shell, so upgrade it to a proper interactive one using Python.
Move into the root folder. List the contents of the directory, see the final flag, cat dat bih…Annnnnnnd Houston we have root!!!