Matrix

September 20, 2024

Created by: Ajay Verma
Page: Vulnhub
Difficulty: Medium
OS: Linux

I start with a scan of all ports:

nmap -p- --open -vvv -sS --min-rate 5000 -Pn -oG scan 192.168.56.105

Then I scan the open ports with service and script detection:

nmap -p22,80,31337 -sCV 192.168.56.105 -oN ports

I look at what technologies the two websites are using:

whatweb http://192.168.56.105/
whatweb http://192.168.56.105:31337/

I access the website and follow the displayed message. From the name of the image I interpret that I have to go to the other site, since it uses that port.

I enter the page and search the source code until I find a base64 string. I decode the hidden message, search for the file it names on the web server, find it and download it.

Looking at the contents of the file I see that it is written in Brainfuck, an esoteric language used here to obscure the hint. I decode it with an online Brainfuck decoder to see its content.

I create a Python script to generate all possible password combinations for the user guest. I use hydra to find this user's password and, once I have it, I log in via SSH.

On entering I see that I have a very restricted shell. After trying several things I open vi and spawn a bash from it, then export a generic PATH for convenience:

:!/bin/bash

To escalate privileges I look for binaries that I am allowed to execute as another user and find three potential paths, each with a matching entry on GTFOBins:

/usr/bin/pkexec
sudo pkexec /bin/sh
(pkexec entry on GTFOBins)

/usr/bin/crontab
sudo crontab -e
(crontab entry on GTFOBins)

/usr/bin/sudo
sudo sudo /bin/sh
(sudo entry on GTFOBins)
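The two hints in this box (a base64 string in the page source and a file written in Brainfuck) are decoded above with an online tool. As an added example that is not the author's script or that tool, the following Python does both offline: it pulls printable base64 tokens out of page source and interprets Brainfuck with a step limit and tape bounds checks, so an untrusted file from a target cannot hang or crash the analysis. The sample page source and the sample program are constructed here, not taken from the VM.

```python
from __future__ import annotations

import base64
import binascii
import re
from typing import Dict, List, Tuple

# Candidate base64 tokens: long runs of the base64 alphabet, optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_strings(text: str) -> List[Tuple[str, str]]:
    """Return (token, decoded) pairs for every token in `text` that decodes
    to printable ASCII. Used here to pull a hidden hint out of page source."""
    found = []
    for m in B64_RE.finditer(text):
        token = m.group(0)
        if len(token) % 4:  # base64 is always a multiple of 4 characters
            continue
        try:
            raw = base64.b64decode(token, validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append((token, decoded))
    return found


def _match_brackets(code: str) -> Dict[int, int]:
    """Map every '[' to its ']' and back; reject unbalanced programs."""
    stack: List[int] = []
    pairs: Dict[int, int] = {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(code: str, max_steps: int = 1_000_000, tape_size: int = 30_000) -> str:
    """Interpret a Brainfuck program offline and return what it prints.

    The step limit and bounds checks matter when the input is an untrusted
    file from a target: a hostile program must not hang or crash the tool.
    """
    code = "".join(c for c in code if c in "+-<>[].,")  # everything else is a comment
    pairs = _match_brackets(code)
    tape = bytearray(tape_size)
    ptr = pc = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (runaway loop?)")
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif c == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # 8-bit cells wrap around
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = 0  # no stdin in this offline decoder: read as EOF (0)
        elif c == "[" and tape[ptr] == 0:
            pc = pairs[pc]  # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = pairs[pc]  # jump back to the loop start
        pc += 1
    return out.decode("latin-1")


# Constructed sample page source carrying a base64 hint in an HTML comment
# (not the VM's real page).
SAMPLE_HINT = base64.b64encode(b"Follow the white rabbit, Neo.").decode()
SAMPLE_HTML = f"""<html><body>
<p>Welcome to the Matrix.</p>
<!-- {SAMPLE_HINT} -->
</body></html>"""

# Constructed Brainfuck program that prints "Hi" (8*9 = 72 = 'H', +33 = 'i').
SAMPLE_BF = "++++++++[>+++++++++<-]>." + "+" * 33 + "."

if __name__ == "__main__":
    for token, text in find_base64_strings(SAMPLE_HTML):
        print(f"{token} -> {text}")
    print(run_brainfuck(SAMPLE_BF))
```

Point `find_base64_strings` at a saved copy of the page and `run_brainfuck` at the downloaded file; both refuse malformed input (bad padding, unbalanced brackets, runaway loops) instead of failing silently, which is what you want from a tool that processes files an attacker-controlled host handed you.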
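The three sudo entries above are exactly what an administrator should catch before anyone else does. As an added example that is not part of this write-up, the following Python audits a sudoers file and flags rules that let a non-root user run a shell-capable binary as another user, noting when NOPASSWD removes the password prompt as well. The sample sudoers is constructed, not the VM's real file, and the SHELL_CAPABLE set is an assumption limited to the binaries this page exercises (pkexec, crontab, sudo and the vi escape); the full catalogue is on GTFOBins.

```python
from __future__ import annotations

import re
from os.path import basename
from typing import Dict, List

# Binaries that hand the caller a shell when they may be run via sudo. This set
# is an assumption limited to what this write-up exercised; GTFOBins has the
# complete list under its "sudo" function.
SHELL_CAPABLE = {"pkexec", "crontab", "sudo", "vi", "vim"}

# Alias and Defaults lines are not user rules.
NON_RULE_KEYWORDS = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Parse user specification lines into one record per command."""
    rules: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.split()[0] in NON_RULE_KEYWORDS:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag applies to every command after it on the line
        for item in m.group("cmds").split(","):
            cmd = item.strip()
            while True:  # peel off leading tags such as NOPASSWD: or SETENV:
                head, sep, rest = cmd.partition(":")
                if not (sep and head.isalpha() and head.isupper()):
                    break
                if head == "NOPASSWD":
                    nopasswd = True
                elif head == "PASSWD":
                    nopasswd = False
                cmd = rest.strip()
            if not cmd:
                continue  # stray trailing comma
            rules.append({
                "user": m.group("user"),
                "runas": m.group("runas") or "root",
                "command": cmd,
                "nopasswd": nopasswd,
            })
    return rules


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Flag rules that let a non-root user obtain a shell as another user."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue  # root gains nothing from sudo
        command = str(rule["command"])
        reasons = []
        if command == "ALL":
            reasons.append("unrestricted command set")
        else:
            binary = basename(command.split()[0])  # ignore arguments, keep the program
            if binary in SHELL_CAPABLE:
                reasons.append(f"{binary} can spawn a shell as {rule['runas']}")
        if reasons and rule["nopasswd"]:
            reasons.append("NOPASSWD: no password needed")
        if reasons:
            findings.append({**rule, "reasons": reasons})
    return findings


# Constructed sample sudoers, not the VM's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
# constructed rule of the kind this write-up abused
guest   ALL=(ALL) NOPASSWD: /usr/bin/pkexec, /usr/bin/crontab, /usr/bin/sudo
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} -> {f['command']}: {'; '.join(f['reasons'])}")
```

Run it over `/etc/sudoers` and the files under `/etc/sudoers.d/` as part of a build or host-hardening check; any finding for a low-privilege account such as guest is a root-equivalent grant and should be removed or narrowed to a specific, non-shell command with fixed arguments.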