Silver

MACHINE IP: 10.1.1.204

DATE: 14/10/2019

START TIME: 7:50

NMAP

There are quite a few port open. Let start our enumeration from HTTP.

HTTP

So I started to look around the website. There was nothing in the source of the website but in the top right we can see an option for menu. There were 4 options out of which one stood out, that was the language.php. It stood out because it had .php extension and all the other had .html.

So I decided to check it out.

When we open that page we get option to select language and once you do that the URL changes to something like IP/language.php?language=english, since now we have a parameter I decided to check it out for LFI.

I tried

http://10.1.1.204/language.php\?language\=../../../../../../../../../../../../../../../../etc/passwd

and to my surprise there was LFI. But there was one more interesting thing in the output of /etc/passwd, we were given password for silver SSH.

I used that to login via SSH as silver.

Then I got the user hash.

Privilege Escalation

Since I was in the system I downloaded the enumeration script and ran it to see if I can find anything. There were no SUIDs but I did found out that the kernel used was very old.

And I actually know the exploit that will work on it, cause I’ve done quite a few machines with that exploit being used in them(grimreaper and goldeneye). The exploit we need here is the overlayfs.

I copied the exploit to the system and then just compiled it with

gcc exploit.c -o ofs

And then ran the exploit to get the root-shell.

---

This was really easy machine I rooted the maachine in under 20 minutes. But I guess I enjoyed the speed run.

---