Matrix:1 CTF Walkthrough

.: SHORT BRIEF :.


The machine focuses on privilege escalation techniques through the restricted shell “rbash” after establishing an SSH session as guest .. The web application is your way to get the “guest” username and password.


.: Full Scenario :.

1 : Reconnaissance

a. After downloading the machine and running it, it is time to perform the recon step. We open our terminal and run “netdiscover”:
$ sudo netdiscover -i wlan0
Simply put, the previous command discovers all hosts on the network.
After doing this step I captured the IP 192.168.1.6.
b. Time to use zenmap to discover what services are running on this machine; here is the output:


c. Port 80 tells us that there is a web server running on this machine, and 22 is the SSH port. Besides those there is the interesting port “31337”. Opening the site gives us this UI:

[Screenshot: UI]

d. After reviewing the source code we found that the picture is named after the port we are interested in.

[Screenshot: P0RT]

Well, that is weird .. it is time to test that port.
e. After changing the port from 80 to 31337 the UI has changed:

[Screenshot: UI2]

After reviewing the source code we get a Base64-encoded text this time:

[Screenshot: SC2]

2 : Processing

a. After decoding the text we get this:

echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix

b. It is clear that Cypher.matrix is a file located on the web server. After downloading the file I opened it with a text editor and got this:

[Screenshot: BF]

I remember these symbols .. it is Brainfuck for sure. I decoded the Brainfuck and got:
You can enter into matrix as guest, with password k1ll0rXX

Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password
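As an added example (not the author's code), here is a small Brainfuck interpreter in Python that performs the decoding step above. The Cypher.matrix program itself is not reproduced in this post, so the block runs a constructed program that prints “Hi”; the `max_steps` bound is an assumption of this example, not something the walkthrough mentions.

```python
"""Minimal Brainfuck interpreter (added example; not from the walkthrough).

Eight commands: > < + - . , [ ]. Every other character is a comment.
Cells are 8-bit and wrap, the tape grows to the right on demand.
"""


def _match_brackets(code: str) -> dict:
    """Pair every '[' with its ']' (and back) so jumps are O(1) at run time."""
    pairs, stack = {}, []
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise SyntaxError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            pairs[start], pairs[pos] = pos, start
    if stack:
        raise SyntaxError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(program: str, stdin: bytes = b"", max_steps: int = 1_000_000) -> str:
    """Execute `program` and return its output as text.

    `max_steps` (assumed value) stops a malformed or looping file pulled off a
    CTF box from hanging the analyst's terminal.
    """
    code = "".join(c for c in program if c in "<>+-.,[]")
    jumps = _match_brackets(code)
    tape, ptr, pc, steps = bytearray(30000), 0, 0, 0
    out, inp = bytearray(), iter(stdin)
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)                      # grow the tape
        elif c == "<":
            if ptr == 0:
                raise IndexError("pointer moved left of cell 0")
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF      # 8-bit wraparound
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = next(inp, 0)                # EOF reads as 0
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]                          # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]                          # back to the loop start
        pc += 1
    return out.decode("latin-1")


# Constructed sample (not the Cypher.matrix contents): 8*9 = 72 -> 'H',
# then 33 more increments -> 105 -> 'i'.
SAMPLE_PROGRAM = "++++++++[>+++++++++<-]>." + "+" * 33 + "."

if __name__ == "__main__":
    print(run_brainfuck(SAMPLE_PROGRAM))
```

To decode a file like the one in the post, read it into a string and pass it to run_brainfuck; non-command bytes are ignored, so surrounding text or line breaks do not need stripping first.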

Well, that means we have the SSH username, and it is “guest”, and we kinda have the password too. We should now make a wordlist of all possible passwords. I used crunch (you can use whatever you want):
$ crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 -t k1ll0r@@ -o wordlist.txt
This generates a wordlist following the pattern “k1ll0rXX”, with each @ in the pattern filled from the given character set.

c. Time to use Hydra for SSH brute forcing:
$ hydra -l guest -P m.txt 192.168.1.6 ssh
Here is the tool output:

[Screenshot: HYDRA]

BINGO! Now we have the SSH username and password .. let’s get in.
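From the defender's side, as an added example that is not part of the walkthrough: a Hydra run like the one above shows up in sshd's auth.log as a burst of “Failed password” lines from one source, and a successful guess as an “Accepted password” line right after it. The Python below parses standard OpenSSH log lines, flags a burst of failures per (source IP, user) inside a sliding window, and reports a success that follows such a burst as a likely compromise. The log lines are constructed for the example; the 192.168.1.5 source address, the host name and the timestamps are made up.

```python
"""Spot SSH password-guessing bursts in sshd log lines.

Added example, not from the walkthrough. Input is the standard OpenSSH
auth.log line format; the sample below is constructed, not captured.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Both outcomes sshd logs for password authentication.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2019):
    """Return (timestamp, result, user, ip), or None for lines we do not care about.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60, year=2019):
    """Return findings as (kind, ip, user, timestamp) tuples.

    kind is 'burst' when an (ip, user) pair reaches `threshold` failures within
    `window_s` seconds, and 'success_after_burst' when the same pair then logs in.
    """
    recent = defaultdict(deque)   # (ip, user) -> timestamps of failures in the window
    bursting = set()              # pairs already flagged, so a burst is reported once
    findings = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        key = (ip, user)
        q = recent[key]
        if result == "Failed":
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()       # drop failures that aged out of the window
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                findings.append(("burst", ip, user, ts))
        else:                     # Accepted password
            if key in bursting:
                findings.append(("success_after_burst", ip, user, ts))
            q.clear()
            bursting.discard(key)
    return findings


# Constructed sample log: five quick failures then a success from one source,
# two slow failures from another, and a key login that the parser ignores.
SAMPLE_LOG = """\
Mar 10 22:41:01 matrix sshd[1201]: Failed password for guest from 192.168.1.5 port 50100 ssh2
Mar 10 22:41:02 matrix sshd[1203]: Failed password for guest from 192.168.1.5 port 50101 ssh2
Mar 10 22:41:02 matrix sshd[1205]: Failed password for guest from 192.168.1.5 port 50102 ssh2
Mar 10 22:41:03 matrix sshd[1207]: Failed password for guest from 192.168.1.5 port 50103 ssh2
Mar 10 22:41:03 matrix sshd[1209]: Failed password for guest from 192.168.1.5 port 50104 ssh2
Mar 10 22:41:04 matrix sshd[1211]: Accepted password for guest from 192.168.1.5 port 50105 ssh2
Mar 10 22:45:00 matrix sshd[1300]: Failed password for invalid user admin from 192.168.1.9 port 40000 ssh2
Mar 10 22:46:10 matrix sshd[1302]: Failed password for invalid user admin from 192.168.1.9 port 40001 ssh2
Mar 10 22:50:00 matrix sshd[1310]: Accepted publickey for alice from 192.168.1.7 port 41000 ssh2
""".splitlines()

if __name__ == "__main__":
    for kind, ip, user, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:20} {user}@{ip}")
```

The threshold and window are tuning knobs: a wordlist of a few thousand candidates like the one above produces far more than five failures per minute, while a user mistyping a password twice never trips the rule. The 'success_after_burst' finding is the one worth paging on, since it says the guessing worked.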

3 : Privilege Escalation

a. After logging in over SSH we encountered the restricted shell “rbash”.


Hence, we have to find a way to get from user to root through rbash .. what about nmap interactive mode? Nah, nmap isn’t installed.

After pressing the “Tab” key twice we got this menu:


On the right you can see the vi command, which is a text editor. I opened the editor to try to escape from the restricted shell and wrote :!/bin/sh. Bingo, we are out.

Let’s do the magic: export PATH=/usr/bin:/bin/ .. let’s see if this works.


This Works ! 🙂

Now let us see what permissions we have: $ sudo -l


This means that we can run root commands from our current user ..
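As an added example, not part of the walkthrough: the lesson of this escalation is that rbash only restricts the rbash process itself. An allowed command that can run another program (here vi with :!/bin/sh) drops the user into an unrestricted shell, and once outside, export PATH brings the whole system back. The Python audit below checks an rbash-style allowed-command directory for the two things that made this possible: an editor with a shell escape (or a shell) among the allowed commands, and a directory the restricted user could write new commands into. The directory layout it builds lives in a temp dir and is constructed for the example; the paths under it are hypothetical.

```python
"""Audit an rbash-style restricted command directory.

Added example, not from the walkthrough. rbash is commonly set up by giving
the user a PATH of one directory that holds symlinks to the commands they may
run. The audit flags (a) entries that are editors or shells able to hand the
user an unrestricted shell, and (b) a directory the user could add commands to.
"""
import os
import stat
import tempfile

# Names drawn from this walkthrough: vi (and the vim it usually links to)
# escapes via :!, and /bin/sh is the unrestricted shell it lands in.
EDITORS_WITH_SHELL_ESCAPE = {"vi", "vim"}
SHELLS = {"sh", "bash"}


def audit_restricted_bin(bin_dir):
    """Return a list of (severity, message) findings for bin_dir; empty means clean."""
    findings = []
    mode = os.stat(bin_dir).st_mode
    # Group/world write permission lets the restricted user add their own command.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("high", f"{bin_dir} is group/world writable"))
    for name in sorted(os.listdir(bin_dir)):
        path = os.path.join(bin_dir, name)
        target = os.path.realpath(path)        # follow the symlink to the real binary
        names = {name, os.path.basename(target)}
        if names & EDITORS_WITH_SHELL_ESCAPE:
            findings.append(("high", f"{name} -> {target}: editor with a shell escape"))
        if names & SHELLS:
            findings.append(("high", f"{name} -> {target}: unrestricted shell"))
        if not os.path.exists(target):
            findings.append(("low", f"{name} -> {target}: dangling symlink"))
    return findings


def build_sample_layout():
    """Constructed example: return (weak_dir, hardened_dir) under a temp root.

    A fake usr/bin is created inside the temp root so nothing on the real
    system is touched; the tool files are empty stand-ins (hypothetical paths).
    """
    root = tempfile.mkdtemp(prefix="rbash-audit-")
    fake_usr_bin = os.path.join(root, "usr", "bin")
    os.makedirs(fake_usr_bin)
    for tool in ("ls", "cat", "vim", "sh"):
        open(os.path.join(fake_usr_bin, tool), "w").close()

    # Weak: world-writable, and 'vi' is allowed (it links to vim).
    weak = os.path.join(root, "weak-rbin")
    os.mkdir(weak)
    os.symlink(os.path.join(fake_usr_bin, "ls"), os.path.join(weak, "ls"))
    os.symlink(os.path.join(fake_usr_bin, "vim"), os.path.join(weak, "vi"))
    os.chmod(weak, 0o777)

    # Hardened: owner-writable only, and only commands that do not spawn programs.
    hardened = os.path.join(root, "hardened-rbin")
    os.mkdir(hardened)
    os.chmod(hardened, 0o755)
    os.symlink(os.path.join(fake_usr_bin, "ls"), os.path.join(hardened, "ls"))
    os.symlink(os.path.join(fake_usr_bin, "cat"), os.path.join(hardened, "cat"))
    return weak, hardened


if __name__ == "__main__":
    for label, d in zip(("weak", "hardened"), build_sample_layout()):
        print(label, audit_restricted_bin(d) or "clean")
```

Run against a real restricted user's PATH directory, audit_restricted_bin is the check to repeat after every package update, since a harmless-looking symlink can start pointing at a different binary. Note that a clean result here does not cover the last step of the walkthrough: sudo rights are granted in sudoers, not in the PATH, and the output of sudo -l for the restricted user needs its own review.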

And ta-da! Here is our flag.

.: Conclusion :.

The machine is good if you want to practice Linux privilege escalation, and I think it will help if you are preparing for the OSCP too. I would say it is a medium-level machine, with a rating of 5/10.

.: Useful Links :.

Restricted Linux Shell Escaping Techniques by Felipe Martins:
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

Making a Perfect Custom Wordlist Using Crunch by Noor Qureshi:
https://thehacktoday.com/making-perfect-custom-wordlist-using-crunch/

SSH Password Testing With Hydra on Kali Linux by Nick Congleton:
https://linuxconfig.org/ssh-password-testing-with-hydra-on-kali-linux
