CyberSploit 1

Daniel Edwards
4 min read · Jul 28, 2020


What’s good y’all, your favorite neighborhood Padawon Pentester back at it again with a fairly easy box for beginners! No, y’all, this one was super easy. Perfect for getting comfortable with decoding and privilege escalation.

Name: CyberSploit: 1
Release Date: 09/July/2020
Author: @CyberSploit
Series: CyberSploit

Methodology

Reconnaissance
- Netdiscover
- Nmap

Enumeration
- Dirb

Exploitation
- Base64 decode

Privilege Escalation
- overlayfs local root privilege escalation
- Root flag

Reconnaissance

As always, let’s start with a Netdiscover scan to find the target on the network. Afterwards we’ll go through what the Nmap and Dirb scans turn up.

Target IP = 192.168.19.158

Nmap shows two open ports: 22 (SSH) and 80 (HTTP).

Enumeration

Dirb returns HTTP 200 for the index, robots and hacker pages.

Exploitation

Navigating to the robots page we find a base64 string. Let’s go ahead and decode it, and keep the result handy for later.

R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9

Decoding it reveals a short “Good Work !” message followed by the first flag!

Flag1: cybersploit{youtube.com/c/cybersploit}

There is a more direct way than pasting into a web decoder: curl the robots URL and pipe the response body straight into base64 -d.
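Here is that idea as a small script of my own (an added example, not code from the original write-up). It pulls every base64-looking token out of a page body, pads it if the trailing = signs got lost while copying, and decodes each one. The robots.txt body below is constructed to resemble what the box serves and contains the blob quoted above; on a live target you would replace it with the output of curl -s http://192.168.19.158/robots.txt.

```shell
#!/bin/sh
# Added example: decode base64 blobs found in a fetched page body.
# ROBOTS_SAMPLE is constructed for this example; only the blob itself is
# the one from the box's robots page.
ROBOTS_SAMPLE='User-agent: *
R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9'

# b64_lenient TOKEN: pad to a multiple of 4 chars (copied strings often lose
# their trailing '='), then decode. Output has no trailing newline.
b64_lenient() {
    tok=$1
    while [ $(( ${#tok} % 4 )) -ne 0 ]; do
        tok="$tok="
    done
    printf '%s' "$tok" | base64 -d
}

# decode_b64_tokens TEXT: find every run of 20+ base64 characters in TEXT and
# print the decoded form of each on its own block. Tokens that fail to decode
# (ordinary words that happen to match) are skipped silently.
decode_b64_tokens() {
    printf '%s\n' "$1" | grep -oE '[A-Za-z0-9+/]{20,}={0,2}' | while IFS= read -r tok; do
        b64_lenient "$tok" 2>/dev/null && printf '\n'
    done
}

decode_b64_tokens "$ROBOTS_SAMPLE"
```

The same function works on any page you have already fetched: decode_b64_tokens "$(curl -s http://TARGET/robots.txt)".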

Let’s check out the index page. At first glance nothing seems out of the ordinary…

Inspecting the page source, we find a username: itsskv. Record it, and remember from the Nmap scan that SSH on port 22 is open.

Now SSH into the box as itsskv, using the decoded first flag (cybersploit{youtube.com/c/cybersploit}) as the password, and run ls -la to list everything in the home directory, hidden files included.

We see flag2.txt. Cat it and the output is a string of binary. A short bash script converts the bits back into ASCII and gives up the second flag:

Flag2: cybersploit{https:t.me/cybersploit1}
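The script in the original is only shown as a screenshot, so here is an added decoder of my own (not the write-up’s code) in plain POSIX shell. It treats every whitespace-separated group of bits as one byte, most significant bit first, refuses anything that is not a 0 or 1, and turns each value into its character. FLAG2_BIN is constructed here from the flag above; I am assuming the real flag2.txt uses the same one-byte-per-group layout, in which case you would feed it "$(cat flag2.txt)".

```shell
#!/bin/sh
# Added example: decode whitespace-separated 8-bit binary groups into text.
# FLAG2_BIN is constructed for this example (the bits for the flag the
# write-up prints); flag2.txt on the box is assumed to share this layout.
FLAG2_BIN='01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100
01101111 01101001 01110100 01111011 01101000 01110100 01110100 01110000
01110011 00111010 01110100 00101110 01101101 01100101 00101111 01100011
01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111
01101001 01110100 00110001 01111101'

# bin2ascii BITS: each whitespace-separated group is one byte, MSB first.
# Prints the decoded text (no trailing newline). Returns 1 and reports on
# stderr if a group contains anything other than 0 or 1.
bin2ascii() {
    out=""
    for byte in $1; do
        n=0
        rest=$byte
        while [ -n "$rest" ]; do
            bit=${rest%"${rest#?}"}   # first character of $rest
            rest=${rest#?}            # drop it
            case $bit in
                0|1) n=$(( n * 2 + bit )) ;;
                *)   printf 'bin2ascii: bad bit "%s" in group "%s"\n' "$bit" "$byte" >&2
                     return 1 ;;
            esac
        done
        # printf's \ddd octal escape turns the byte value into its character
        out="$out$(printf "\\$(printf '%03o' "$n")")"
    done
    printf '%s' "$out"
}

printf 'Flag2: %s\n' "$(bin2ascii "$FLAG2_BIN")"
```

Sticking to parameter expansion and printf keeps it working under dash as well as bash, which matters when the only shell you have on a target is /bin/sh.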

Privilege Escalation

Running uname -r on the box gives us the kernel release, and a quick Google search for it leads to the exploit script: Exploit-DB 37292, the overlayfs local root exploit (CVE-2015-1328) for Ubuntu kernels from 3.13.0 up to, but not including, 3.19.
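Before uploading anything, it is worth checking the release string against the range the exploit claims to cover. The snippet below is an added example of mine (not from the original write-up) that does that coarse check; the range comes from the Exploit-DB 37292 title, and the sample release strings are constructed for illustration. Keep in mind that Ubuntu backports security fixes without changing the upstream version number, so a hit means “worth trying”, not “guaranteed root”; a miss means don’t bother.

```shell
#!/bin/sh
# Added example: test a kernel release string against the range in the
# Exploit-DB 37292 title (3.13.0 <= kernel < 3.19). Coarse filter only:
# patched Ubuntu builds still report an upstream version inside this range.
overlayfs_candidate() {
    rel=$1
    maj=${rel%%.*}           # "3.13.0-32-generic" -> "3"
    rest=${rel#*.}           # -> "13.0-32-generic"
    min=${rest%%.*}          # -> "13"
    min=${min%%-*}           # tolerate "3.13-generic"
    case "$maj$min" in
        ''|*[!0-9]*) printf 'unparseable release: %s\n' "$rel" >&2; return 2 ;;
    esac
    [ "$maj" -eq 3 ] && [ "$min" -ge 13 ] && [ "$min" -lt 19 ]
}

# On the target you'd pass "$(uname -r)"; these are constructed sample values.
for r in 3.13.0-32-generic 3.16.0-30-generic 3.19.0-15-generic 4.4.0-31-generic; do
    if overlayfs_candidate "$r"; then
        printf '%-20s in 37292 range, try it\n' "$r"
    else
        printf '%-20s out of range\n' "$r"
    fi
done
```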

On your machine, grab the exploit source with wget. Note that the /exploits/37292 URL serves the HTML page wrapped around the exploit; the raw file comes from the /download/ path (searchsploit -m 37292 mirrors the same file locally if you have it installed):

wget https://www.exploit-db.com/download/37292 -O 37292.c

Now we have to host the script so the target can pull it. Start apache2 and verify that it is running.

Where does Apache serve files from on a Debian-based box? /var/www/html! Move or copy the exploit into that directory.

On the victim, move into /tmp (writable, and out of the way) and pull the exploit down from your web server with wget, pointing at your own machine’s IP.

Make the file usable and compile it. The original uses chmod 777, which also makes the file writable by every user on the box; chmod +x is all you actually need, and gcc marks its output executable anyway. Compile with gcc (the exploit’s own header comments show the exact invocation) and run the resulting binary.

And of course you land in a bare shell, so upgrade it to a proper tty with Python’s pty module: python -c 'import pty; pty.spawn("/bin/bash")'.

Move into the root folder. List the contents of the directory, see the final flag, cat dat bih…Annnnnnnd Houston we have root!!!


Daniel Edwards

Padawon Pentester and dabbler in many things infoSec related