1. Enumeration
Begin by scanning the target for open ports using nmap.
This initial scan can be time-consuming, so optimize it with the following flags:
-T5: Sets the highest timing template for faster execution.
-sS: Initiates a stealthy SYN scan.
--max-retries 1: Limits the number of retries per host to one.
--min-rate 1000: Ensures a minimum rate of 1000 packets per second.
First, scan all ports. There are 5 open ports on the target.
Then, rescan the identified ports to determine the services running on them.
The scan reveals five open ports, including a Finger service on port 79.
2. User Enumeration via Finger service
Utilize the Finger service to discover valid usernames.
Clone the finger-user-name tool from its GitHub page.
Execute the tool to identify users.
This process uncovers two users: sammy and sunny.
3. Password Guessing for 'sunny' Account
Attempt common default passwords, such as the username or hostname.
In this case, sunny's password is 'sunday'.
The user.txt file is in sammy's account, so we need to gain access to sammy's account.
4. Accessing 'sammy' Account
Explore the filesystem for useful files.
In the /backup directory, locate 2 backup files.
They contain sammy's password hash; the $5$ prefix denotes the SHA-256 crypt algorithm.
5. Cracking the 'sammy' Password
Save the hashed password to a text file.
Use john to crack the hash.
john reveals sammy's password as 'cooldude!'.
Log in as sammy using this password, and we can retrieve the first flag!
6. Privilege Escalation to Root
Identify potential vectors for privilege escalation.
Check sudo permissions.
Discover that wget can be executed with sudo.
Leverage wget to exfiltrate the /etc/shadow file. On Linux, /etc/shadow stores users' hashed passwords and is normally readable only by root.
Set up a listener on your server.
On the target machine, execute:
On your server, you'll receive the shadow file containing hashed passwords.
We could crack root's password hash with john, but that is time-consuming.
Therefore, we'll modify root's password instead.
First, create a PHP upload script on your server to receive the target's shadow file.
Host the script using a PHP server.
Upload the shadow file to your server.
Modify the shadow file: replace root's password hash with sammy's.
Replace the original shadow file with the modified one using sudo wget.
Now, log in as root using sammy's password.
We now have root access!
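Two things in this walkthrough are worth turning into a defender's check: the $5$ prefix in step 4 tells you which crypt scheme a shadow entry uses, and the swap in step 6 leaves two accounts with a byte-identical hash field, which never happens naturally because salts are random. The following audit script is an added example, not part of the original walkthrough; the shadow lines and hash strings in SAMPLE are constructed placeholders, and the CRYPT_IDS table reflects common crypt(3) identifiers.

```python
import re
from collections import defaultdict

# crypt(3) scheme identifiers; "$5$" is the SHA-256 scheme seen in the backup files in step 4
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}

def parse_shadow_line(line):
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError("malformed shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "empty", None, pw
    if pw[0] in "!*":
        return user, "locked", None, pw
    m = re.match(r"^\$([^$]+)\$", pw)
    algo = CRYPT_IDS.get(m.group(1), "unknown") if m else "descrypt"
    return user, "active", algo, pw

def audit_shadow(text):
    # Returns a sorted list of (user, reason) entries a defender should look at
    findings = []
    by_hash = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        user, status, algo, pw = parse_shadow_line(line)
        if status == "empty":
            findings.append((user, "empty password field"))
        elif status == "active":
            by_hash[pw].append(user)
            if algo in ("descrypt", "md5crypt", "unknown"):
                findings.append((user, "weak or unrecognised hash scheme: " + algo))
    # Salts are random, so an identical hash field on two accounts means one entry was copied (step 6)
    for pw, users in by_hash.items():
        for u in users if len(users) > 1 else []:
            findings.append((u, "hash field identical to: " + ", ".join(x for x in users if x != u)))
    return sorted(findings)

# Constructed sample: the hash strings are placeholders, not real hashes from any host
SAMPLE = """root:$5$cnstrctd$PLACEHOLDERHASHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:18000::::::
daemon:*:18000::::::
sammy:$5$cnstrctd$PLACEHOLDERHASHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:18000::::::
sunny:$5$othrsalt$PLACEHOLDERHASHBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:18000::::::
legacy:AbCdEfGhIjKlM:18000::::::
"""

if __name__ == "__main__":
    print("\n".join("%-8s %s" % f for f in audit_shadow(SAMPLE)))
```

Run it against a copy of the real shadow file on a host you administer and the root/sammy style duplicate shows up as a pair of findings, as does any account still on DES or MD5 crypt.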