
ICMP: 1

https://www.vulnhub.com/entry/icmp-1,633/


Review

  • Use the Monitorr exploit
  • Search for a crypt.php file to find a user password
  • Check for sudo permissions
  • User can run hping3 as root
  • Transfer the private RSA key locally with hping3 to gain root access

Enumeration

Run an nmap scan to find open ports.

Port 80

Run a gobuster scan to find hidden directories.

The version is shown as Monitorr 1.7.6.

Found an exploit with searchsploit.

Run the exploit and start a netcat listener.


Foothold

User access gained.

After some exploring, I headed to the home directory and found a fox user.

Found a reminder text that points to a file called crypt.php. Since we can't enter the devel folder, I tried to cat the file from outside. Found a key. Let’s see if this is the SSH password for the fox user.

Fox user accessed

Check sudo permissions


Privilege escalation

Found out via Google that files can be transferred out with hping3.

Let’s test this out.

Set up the hping3 listener on the receiving machine.

Now transfer the /etc/passwd file to the receiving machine.

It went through.

Now let’s see if we can transfer the SSH RSA key for the root user.

However, it sends multiple results.

Now I’ll use hping3 inside the machine instead. Open up another session as the fox user. In one of the shells, start a listener.

And in the other send the file over.

We can see the full key now.

Copy the key to your attacking machine. Change the permissions and SSH into the root user.

Found the final flag.
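From the defender's side, the hping3 transfers in the privilege escalation section can be spotted because file contents in ICMP echo data look nothing like ordinary ping traffic. The following is an added detection sketch, not part of the original write-up; it assumes the transfer ran in hping3's ICMP mode (the page does not show the command) and the 64-bit Linux iputils ping payload layout, and it runs on constructed sample packets.

```python
import struct

# Markers for the two files the walkthrough moves: /etc/passwd and an SSH private key.
MARKERS = (b"-----BEGIN", b"PRIVATE KEY", b":x:0:0:")
TS_LEN = 16  # assumption: 64-bit Linux iputils ping, 16-byte timestamp then data[i] == i

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed ICMP echo request (type 8) for the samples below."""
    head = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(head + payload), ident, seq) + payload

def looks_like_ping(payload: bytes) -> bool:
    """True when the bytes after the timestamp follow the iputils offset pattern."""
    body = payload[TS_LEN:]
    return bool(body) and all(b == (TS_LEN + i) & 0xFF for i, b in enumerate(body))

def inspect(packet: bytes) -> list:
    """Return findings for one ICMP message (ICMP header + data, no IP header)."""
    if len(packet) < 8:
        return ["truncated"]
    payload = packet[8:]
    if packet[0] != 8 or looks_like_ping(payload):
        return []
    findings = ["non-standard-payload"]
    if checksum(packet) != 0:
        findings.append("bad-checksum")
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and printable / len(payload) > 0.9:
        findings.append("text-payload")
    findings += ["marker:" + m.decode() for m in MARKERS if m in payload]
    return findings

# Constructed samples: a normal ping, a passwd line, and a key header (not a real key).
NORMAL = build_echo(0x1234, 1, bytes(TS_LEN) + bytes(range(TS_LEN, 56)))
PASSWD = build_echo(0x1234, 2, b"root:x:0:0:root:/root:/bin/bash\n")
KEY = build_echo(0x1234, 3, b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("passwd", PASSWD), ("key", KEY)):
        print(name, inspect(pkt))
```

Ping implementations on other operating systems use different fill patterns, so their payloads need their own allow-list entries before this check is used on mixed traffic.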
