[Linux] Brute it

Reconnaissance

sudo nmap 10.10.122.220
sudo nmap -A -p 22,80 10.10.48.79

Enumeration

HTTP

We run a directory brute-force scan to find potential hidden pages:

gobuster dir -u http://10.10.48.79/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

A page is discovered that we can explore further. In the source code of the /admin page, we find an indication that the username is admin.

Next, we perform a dictionary attack on the password using Hydra.

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.48.79 http-post-form "/admin/index.php:user=admin&pass=^PASS^:Username or password invalid"
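As an added example that is not part of the original writeup, here is a small detector a defender could run over web-server access logs to spot the kind of login-form brute force performed above: it counts POSTs to /admin/index.php per source IP in a sliding window and flags the IPs that cross a threshold. The log lines, IPs and timestamps are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access-log format. The login endpoint is the one from the writeup;
# the sample lines, IPs and timestamps below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
10.10.14.7 - - [12/May/2024:10:00:02 +0000] "POST /admin/index.php HTTP/1.1" 200 611 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:02 +0000] "POST /admin/index.php HTTP/1.1" 200 611 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:03 +0000] "POST /admin/index.php HTTP/1.1" 200 611 "-" "Mozilla/5.0"
10.10.14.9 - - [12/May/2024:10:00:04 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:04 +0000] "POST /admin/index.php HTTP/1.1" 200 611 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:05 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    # Returns (ip, timestamp, method, path, status) or None for lines that do not match the format.
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def detect_bruteforce(log_text, path="/admin/index.php", threshold=5, window_seconds=60):
    # Sliding-window count of POSTs to the login form per source IP; returns
    # {ip: peak attempts seen inside one window} for IPs that reached the threshold.
    recent = defaultdict(deque)
    peak = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, req_path, _status = rec
        if method != "POST" or req_path != path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible password brute force from {ip}: {n} login POSTs within 60s")
```

The threshold and window are deliberately low for the constructed sample; on real logs tune them to the normal login rate of the form and alert on the flagged IPs.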

We discover the credentials: admin:xavier. Using these, we access the /admin/panel page where we find:

  • A flag

  • A developer’s name

  • A link to download a private key

We download the private key but discover it is protected with a passphrase, preventing direct SSH access.

To crack the passphrase, we attempt another dictionary attack using John.

Exploitation

With the recovered passphrase, we gain initial access to the target machine.

Privilege Escalation

We observe that we can execute cat with root privileges. Following the GTFOBins entry for cat, we leverage this to obtain a root shell and can now read the contents of /etc/shadow.

sudo -l

We extract the password hashes and proceed to crack them. The root password is revealed as football, allowing us to retrieve the root flag.

Remediation