Cybersploit1
PG Cybersploit notes
Date: 13.06.2021
Information Gathering
Nmap scan: sudo nmap -p- -sV -sC -v 192.168.112.92
Two open ports:
- Port 22: OpenSSH 5.9p1 Debian 5ubuntu1.10
- Port 80: Apache httpd 2.2.22
Web enumeration
Gobuster scan: gobuster dir -u http://192.168.112.92 -x txt,php -w ~/Lists/gobuster/Gobuster-Dir-Small.txt -t 50
Found directories/files:
- /index (Status: 200) [Size: 2333]
- /robots.txt (Status: 200) [Size: 53]
- /robots (Status: 200) [Size: 53]
- /hacker (Status: 200) [Size: 3757743]
The source of the index page exposes a username in an HTML comment: <!-------------username:itsskv--------------------->
Robots.txt contains a base64 encoded string: Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=
Decoded string: cybersploit{youtube.com/c/cybersploit}
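The two leaks above (a username in an HTML comment and a base64-encoded secret in robots.txt) are exactly what a site owner should scan their own web root for before publishing. The following audit script is an added example, not part of the original notes: the sample HTML and robots.txt are constructed from the findings above, and the credential keywords and base64 length threshold are assumptions.

```python
import base64
import re

# Constructed sample inputs modelled on the findings in these notes.
INDEX_HTML = """<html><body>
<!-------------username:itsskv--------------------->
<h1>Welcome</h1>
</body></html>"""

ROBOTS_TXT = """User-agent: *
Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Assumed keyword list for credential-looking key/value pairs inside comments.
CRED_RE = re.compile(r"(username|user|password|pass|pwd)\s*[:=]\s*([^\s-]+)",
                     re.IGNORECASE)
# Assumed threshold: whitespace-separated tokens of 16+ base64 characters.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_comment_credentials(html):
    """Return (key, value) pairs that look like credentials inside HTML comments."""
    hits = []
    for comment in COMMENT_RE.findall(html):
        for key, value in CRED_RE.findall(comment):
            hits.append((key.lower(), value))
    return hits


def find_base64_tokens(text):
    """Return (token, decoded) pairs for tokens that decode to printable ASCII."""
    hits = []
    for token in text.split():
        if not B64_TOKEN_RE.fullmatch(token):
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        if decoded.isprintable():
            hits.append((token, decoded))
    return hits


if __name__ == "__main__":
    for key, value in find_comment_credentials(INDEX_HTML):
        print(f"comment leak: {key} = {value}")
    for token, decoded in find_base64_tokens(ROBOTS_TXT):
        print(f"robots.txt base64: {token} -> {decoded}")
```

Run it against the real files of a site before deployment; any hit means a secret is being served to every visitor.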
Gaining access
You can gain SSH access using the username from the HTML comment and the decoded base64 string.
local.txt contains the first flag.
Privilege escalation through a Linux kernel exploit
uname -a
=> 3.13.0-32-generic
Google: 3.13.0-32-generic exploit => https://www.exploit-db.com/exploits/37292
Start a local web server and transfer the C file to the target machine.
gcc privesc.c -o privesc
=> ./privesc
=> root