We covered a boot to root machine where we started with an Nmap scan to discover several open ports and services running such as FTP server, Apache web server and NFS file share. By mounting the NFS file share to our local machine we discovered plain text credentials which got us access to the FTP server.

Next we downloaded text files from FTP server, one included a note from the admin and the other included tenths of passwords. Because rate limiting is implemented on the server, we didn’t run brute force on the login form found on the web page rather we found that the PHPsession ID is computed using a combination of base64 and md5 hash that included the username and password of the logged on user.

We created a python script that iterates through the password list we found earlier, calculates the md5sum of the password, encodes it with base64 to find the session ID and tries it against the administration page.

This enabled us to find the correct password of the admin user along with the session ID. Next we achieved a reverse shell by chaining commands on the server status page and later on achieved privilege escalation by exploiting a misconfigured library path through sudo with the Apache process.

Get OSCP Notes

Flags

What is the user flag?

What is the root flag?

Video Transcript
What’s going on guys? Welcome back you this video? They were doing hijack from Troy Aikman, which is a recent machine released in the platform. Now in this machine, we’re going to go over replication penetration testing at the same time. We’re going to do Linux privilege escalation in order to retrieve two flags is a flag and it would flag so we start off with nmap scan as we do all the time and we discover that there are 123 around 42.
Fife open ports FTP is H we have a web server running. It is only we have an office file share running on the machine, which means this is a this could be a highly the next machine and we have yeah, this isn’t a face as well. So the estimation that this machine is running a Linux operating system.
So the next steps will rely on what we found during the inbox can so we can go ahead and discover the web server. We see welcome guests this sides under development. This is the landing page. We see couple functions here. We have Administration, which we don’t have access to login and sign up. So this one up for a test user test test 123. There’s one two three.
And now we can login.
Okay still we don’t have access to the administration page. All right, so that’s it for the web page for now. If you go back to the terminal and we start a go Buster, so go Buster. Let’s first find out where are the word lists in this machine. So tools let’s go tools.

And then we go to word lists.

Director of Esther. Okay, so we have these Waters here. So go Buster dir and then the shoe so we’re gonna go back.
Have the order over here. Did I remove the index?
And then we’re going to say we’re going to use let’s see what wordlist we should use here. So Dash W. We’re going to use big text.
All right, so we’re going to leave this running for a while. And yeah, it’s finished. So we have one director discovered server Dash status. Let’s go ahead and find what this is. So since we are already locked locked in hopefully this page will open.
And we don’t have permission to access this page.
Okay, so that’s it for the web server now nothing to do for now, but one thing to note is if we click on inspect and we check out the cookies or the storage and from here. We’re going to copy this.
As you can see guys, this is a base64. Okay now once we decode this into plain text, we see it’s composed of a username. This is there’s any that we registered with and this is an md5 hash now if we go and go to a gas station and calculate And indeed guys, this is the hash this house corresponds to a plain text password that we already used. Now. This means that the formula to create the cookie is composed of the username and the password hashed separated by a colon and include base64. We’re going to keep this in mind.
Now, let’s go back and go over the interface file Sheriff. We found earlier. So CD Bugsy deepest club and show Mount Dash e
grab the IP address
so we have one share. Of course. We’re going to need to mount us. Let’s see here in my notes search for Mount.
So we have this.
Vashti and Fs. And this isn’t acts. So let’s go ahead and type it or first. Let’s make a directory directory mounted. And then we’re going to say Mount St. And the first 2399 share

there is specified directory to which we gonna receive the mounts, which is mounted. So LS so we have mount. Mounted here and go to mount it.

And permission denied. Let’s see why so mounted the user permissions. Match to of correspond to a user with ID is 1003 and group is one group ID is 1003 now the root user which we are locked in with. Doesn’t have these ideas. So the solution to this issue is to create a user with the ID 1003 and GID 1003. Let’s go ahead user. There’s a dash. I want to do three and then say it is hi Dirk.
Looks like you have a tax problem. So we want to specify the uid. Is that shoe? I have a tax problem. So we want to specify the uid. Is that shoe?

Okay, that’s what we did. Oh, we used a shy very reserved and shoe 1300. Okay, password Isaac. We create a password for the user. So let the password be the same as the username. And now we have created the user. So sue are Jack and then LS c d mounted and we successfully navigated to the directory. Let’s start relay. So we have a notes Here for employees get for employees text and you can taste the username and password for the FTP server. So we’re gonna Go ahead and log in with this so exit. and then FTP SFTP user at Name or servers not known?

Let’s try this. FTP user the password doesn’t work. Let’s copy that again.
forward
okay, we locked in at least a chalet and we have these files passwords list and from admin. Let’s download these files get from admin the text.
and get passwords
underscore list text
Okay. Now we have these Five Guys. I think they’re under wanted.
Okay. Yeah, these are the files that we have just downloaded. Let’s go ahead and take a look at the note. Okay from admin.
So all employees, this is admin speaking. I came up with a safe list of passwords that you all can use on the site these passwords do not appear on any word list I tested so far. So I encourage you to use them. Even me. I’m using one of those note to Rick. This is a user that we have discovered guys good job or limiting login attempts. It works like a charm this will prevent any future brute-forcing. So this node means we can’t use brute force to get access to the admin user.
The web server we have just uncovered and there is other note.
That there is either name username named Rick.
Alright, let’s take a look at the passwords.
Okay, so if we create a python script to go over all of these.
Perform the necessary decoding and hashing and maybe then we will be able to find the admin password or the admin cookie remember that the cookie here.
The original cookie was encoded in base64.
Okay.
So we’re going to assume that if we create a python script that goes over all of these. Okay, perform the encoding and the hashing will be able to uncover the admin username. The admin has the cookie and the admin password after we of course perform and E5 hash on the password.
So Ellis name of session?
so in the script here, the first thing we Define is the oil they wanted we want to test is the URL that points to the administration page and the script mainly the first thing it does it will go over the password list. So the list we have just downloaded from the FTP server, right? So this list contains the passwords, but we don’t know which one is the correct one. So what to do we need to

I trade through every single one of these passwords. That’s the first thing here and that’s why we use the data variable to store these passwords and then we either it through every single one of them and we store it in the variable line. The first thing we do is to perform md5 checksum on the password.
Because that’s the formula remember and then we can calculate the mt5 checksum with the username. Admin.
Okay, after we have the password and username admin, we perform base64 and then we test we put the base 64 here as the session ID cookie in the headers. I will send it if we get access of a wicked a positive results. We will conclude that. This is the correct cookie in base64. I will be able to find out the corresponding passwords line and basics for us. Let’s go ahead and run this.
Okay, so what are all of this?
So these are the session IDs. Okay. Now the correct session ID was this one because it resulted in a positive result for a positive hit on the administration page. We were able to access it and this is the corresponding password from the list. This password was not computed was not found in a complex computation operation especially was just in the list, but we were able to find it because we perform the necessary.
Reputations on the md5 checksum and we tested on the administration page and it was a positive hit on this cookie. So we’re going to take this password and login.
So go back.
Log out.
Okay, as you can see we were able to login go to Administration and we see we are able to access the administration panel and administration panel. We have a service service status Checker assumingly. It does it executes a system command, but we don’t know yet. What is this weird? We can just maybe do some estimation maybe on what on the kind of command? So for example systemctl could be the command used.
status
SSH d
system city of observers not found active. It’s inactive.
So it is this is some kind that executes. So what we can do here we can perform command injection. So to retrieve retrieve I should back to the machine or to the attacker machine. So let’s go ahead and nclb be 44 45.
Okay, so this one sounds good.
Let’s go ahead and take this.
so
Alright first let’s see the IP address of this machine..
And here you’re going to face this temporarily and we’re going to copy the IP address.
10 10 12 42 43
Let’s make sure this is the correct IP. We don’t want to struggle with this later. 194 243. Okay. So now
We’re going to go ahead and take this.
So going back.
Yeah, I forgot. I’m an attacker machine. I thought I owned my virtual machine so bash. So here we went to type we want not only to execute this code will not work because it doesn’t correspond to the command the system expects. So here we’re not going to execute this alone because it’s not going to work. Obviously. We need to use the service or the command the system expects.
So here let’s use bash see.
and here double quotes
Of course the poor will 45 45.
sshd check on the service and
execute the next command execute.
little work
score work
Dear listener not running or going to execute those now 45 45 then going back here.
And this gave us the shell as dub dub data next thing you want to stabilize the shell so you’re gonna have to type TTY.
Okay, hello is fine. So we have a file here named config if we get config?
See their information about these are named. We just saw in the notes and administrator notes Rick and this is the parser so sue break.
And we grab the password and we’re able to escalate to the next user.
Okay. So today she’ll check on the Privileges of that user again paste the password as you can see guys Rick can run this command as as root without the need to provide the password and there is one thing to note here. We have environment reset enabled and we have environment keep is set to the load Library path. It means we can specify.

The locker defied to execute or to use when we run Apache. So usually the looks when you run an executable.
With sudo the next we’ll search for the corresponding Library path or Library file in the default Library path. Okay, if you are able to specify a custom Library path

Okay, Linux will be able or Linux will take the path we specify but for that to happen environment reset needs to be enabled and this is the case environment reset is enabled and we can specify the library path which means if we can specify the library path for this process. Okay, we can create a malicious Library file.

So here I have this in my notes. Let’s go back and use LD underscore. Yeah, LD preload and LD Library path

So basically we’re going to use this.

So let’s take this code.
Copy it.
And on my local machine or on the local machine here.
I’m going to create a file named.
Brave the sea
Beat the space this code save and next we’re going to compile this into a library file.
so here
I think this is gonna be better if we combine this on the machine itself. So to be able to transfer this fart to the machine, we’re going to use net cut so and see.
That’s lvp. 4546.
riveted see
permission denied
Bosch
Pretty good. See permission denied. Okay and see let me go back and find how to do that because sometimes
one mistake and the command won’t work. So we go to maybe Linux and check transfer.
Yep. So destination Port you can run this on the machine, but it is not working up. So 45 46 is upward that we are already using know and see LED 4547. We’ve let’s see.
Permission denied why?
And see the IP address is this.
447
Queen of the sea
Yeah, exactly. It’s not going to work with it listening running first.
But Rick cannot run and see for some reason.
if C permission denied
CD temp change directory
Maybe this will make things work.
Oh, okay. What now we send the file.
And we received the connection.
Okay, LS and prove the sea is here. Now. We’re going to compile it on the machine. So going back to Linux privileged escalation and in the underscore.
reload
So that’s the command.
He was a brutal C.
Come on, no.
So g c Dash, oh, it’s going to be temp.
That’s shared if Pi C. Okay, and then let’s see.
After we compiled can I output file is a directory?
All right.
Going to be S 0 to 1 with the peso.
one and then the rest of the command follows
so we have this file here the next thing we want to use a party to run this file. So pseudo as you can see we specify the library path from which we’re going to choose the library file.
This goes here.
first to do
L okay
now the library file here guys.
It’s going to be defiled that we have created.
at the end
so it is private so that one.
so one
Or I think we don’t need to specify this because it’s going to pick it up on its own.
Yeah, always specify the directory at the next thing we want to do is to run the command.
Okay, so that’s the command.
Okay, let’s remove this file.
I think we’re going to have to keep the name as the name is Library Crypt. Okay, it’s going to take this command one more time.
We will see.
We will see.
And then we’re going to run the same column or time try it again.
Wait on this one.
And as you can see the prompt changed from Rick to root and now we have successfully escalated privileges so CD to root.
And you conquered the machine. That’s it.
So guys that was it. I hope you do the video and definitely guys I will see you later.

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles