Escalate My Privileges: 1 Walkthrough Vulnhub


In this article, we solve another VulnHub CTF: Escalate My Privileges 1, made by Akanksha Sachin Verma. This box is made specifically for learning and sharpening Linux privilege escalation skills. You can download it here.

Description

This VM is made for playing with privileges. As its name suggests, this box is specially made for learning and sharpening Linux Privilege Escalation skills. There are a number of ways of playing with the privileges.

Network Scanning

First, we scan our local network and find our target IP using an nmap ping scan.


Our next step is scanning ports and services using Nmap.


Enumeration

I open the target IP address in our browser and we see an image file.


I open the next page, phpbash.php, which the Nmap output lists as a disallow entry in robots.txt. Here we see a bash terminal. I run the id command and the output shows the apache group name.

Without wasting time, I create a one-liner bash reverse shell and start our netcat listener on port 4545.


I get a reverse connection from the target machine. I move to the target's /home directory and we see a user, armour.

In the armour user's home directory we find a credentials.txt file. Opening it with the cat command, we see a message: my password is md5 (rootroot1)


I open a new terminal and, using the echo and md5sum commands, create an MD5 password for user armour.

Privilege Escalation

I try to switch to the armour user using the su (switch user) command, and we successfully change user.

After changing user we see a blank shell, so I break out of it using a Python TTY shell.

I ran the sudo -l command to enumerate all sudoers file entries, and we see many entries.


This VM has many ways to escalate privileges. I ran sudo /bin/bash and got a root shell. I moved to the root home directory and found our last flag, proof.txt.
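
From the defender's side, a sudoers entry like the /bin/bash one above is something to audit for. The shell function below is an added example, not part of the original walkthrough: it reads `sudo -l` output and flags rules that hand out a root shell. The sample output and the short list of shell-capable binaries are constructed assumptions, not the VM's real listing.

```shell
#!/bin/sh
# Added example: flag sudoers rules that amount to a root shell.
# SAMPLE_SUDO_L is constructed for illustration; it is not the VM's real output.
SAMPLE_SUDO_L='User armour may run the following commands on this host:
    (ALL : ALL) /bin/bash
    (root) NOPASSWD: /usr/bin/python
    (root) /usr/bin/uptime
    (ALL) NOPASSWD: ALL'

# Assumed, non-exhaustive list: shells and interpreters that give
# arbitrary command execution when run through sudo.
RISKY='sh bash dash zsh ksh csh tcsh python python2 python3 perl ruby'

# audit_sudo_l: read `sudo -l` output on stdin, print one RISKY line
# for every allowed command that is unrestricted or shell-capable.
audit_sudo_l() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*\(/ {                       # rule lines start with "(runas)"
        rule = $0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rule)           # drop the runas spec
        while (rule ~ /^[A-Z_]+:[ \t]*/)                  # drop tags (NOPASSWD: ...)
            sub(/^[A-Z_]+:[ \t]*/, "", rule)
        m = split(rule, cmds, /,[ \t]*/)                  # one rule may list several commands
        for (j = 1; j <= m; j++) {
            split(cmds[j], words, " ")
            path = words[1]
            k = split(path, parts, "/")
            base = parts[k]                               # binary name without directory
            if (path == "ALL")
                print "RISKY: unrestricted ALL -> " cmds[j]
            else if (base in bad)
                print "RISKY: shell-capable binary -> " cmds[j]
        }
    }'
}

# Run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l
```

On a real host, an administrator can feed it live data with `sudo -l -U armour | audit_sudo_l` and replace each flagged rule with the narrowest command the account actually needs.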
