- Use fcrackzip to get password for the zipfile
- Unshadow files to get password hash
- Crack the hash
- Bypass restrictive shell
- Observe the AV
- Find exploit for chrootkit to gain root access
Run nmap scan to find for open ports.
Run a gobuster scan to find for hidden directories.
Let’s download the save.zip file form the webserver. However it is password protected. Use fcrackzip to get the password.
The zip file contains a /etc/ folders that has the following.
Let’s crack the shadow file.
Since there is both the passwd and shadow file we can unshadow and run john on it.
However this user looks suspicious and from accessing it it seems to be a honeypot with very little privileges.
The user is limited with a restricted shell. We need to bypass it.
Use the following ssh command to bypass the shell.
ssh email@example.com -t "bash --noprofile"
Let’s run the honeypot file.
After exploring the rest of the directories we are able to find a log file.
The chkrootkit is executed during the AV scan.
Search exploit db for an exploit of this version.
Instructions are given.
Create an update file and insert a nc reverse shell to your attacking machine.
Start a nc listner an root access is gain.
Leave a Reply