I feel wonderful after solving this box with some hints from a good friend (MinhTrietPT), because my method is different from the one in the official write-up from Hack The Box. I have to say that I was stuck on this box for 2 weeks. Yeah, now you know how I'm feeling. As someone says: "enjoy the journey, not the destination." This is very true for me.
So, let's get started! First, we use nmap to scan the target:
I felt that I needed to dig deeper into port 3632, so I kept using nmap:
Hmm, we have CVE-2004-2687. After googling, we know which exploit we can use:
Wow, we have a shell, but... but... as the daemon user we cannot read the flag files. We have to learn about Linux privilege escalation here. Using this command for enumeration: "find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null", here is what we can find:
Do you see nmap? Do you see what permissions nmap has? Let's use this command to run nmap: "nmap --interactive" and then "!sh"
We are root now! We're done!
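The defender's counterpart to the SUID enumeration step above, added here as an example that is not part of the original write-up: a POSIX shell audit that lists setuid/setgid files on a host and flags any that are not in a known-good baseline (the baseline paths below are assumed, illustrative values; a real one comes from a clean build of the same image).

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid/setgid binaries
# against a baseline so that an unexpected entry such as a setuid nmap is
# reported instead of waiting to be found by an attacker.

# Assumed baseline of setuid/setgid paths expected on this host.
BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su'

# collect_suid ROOT: print every setuid or setgid regular file under ROOT,
# staying on one filesystem, one absolute path per line, sorted.
collect_suid() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
}

# flag_unexpected: read paths on stdin and print only those absent from
# BASELINE. comm -23 keeps lines unique to the first (stdin) input.
flag_unexpected() {
    baseline=$(mktemp)
    printf '%s\n' "$BASELINE" | sort > "$baseline"
    sort | comm -23 - "$baseline"
    rm -f "$baseline"
}

# report_unexpected: run the scan and show mode and owner for each finding,
# exiting non-zero when anything unexpected exists (useful in cron/CI).
report_unexpected() {
    unexpected=$(collect_suid "${1:-/}" | flag_unexpected)
    if [ -n "$unexpected" ]; then
        echo "Unexpected setuid/setgid files:"
        printf '%s\n' "$unexpected" | while IFS= read -r f; do ls -ld "$f"; done
        return 1
    fi
    echo "No unexpected setuid/setgid files."
}

# Scan only when invoked with --scan so the functions can be sourced safely.
if [ "${1:-}" = "--scan" ]; then
    report_unexpected "${2:-/}"
fi
```

Run it as `sh audit_suid.sh --scan /` on the host being checked; a non-zero exit means at least one file outside the baseline was found.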
Reference:
1. https://pentestlab.blog/category/privilege-escalation/
P/S: on the official write-up, they use a samba exploit ;)