privilege escalation

Linpeas.sh

Result:

There is no exploit I found from linpeas.sh. So, I logged in using username and password made during initial access. Started to exploit the website data.

At this page, I found that there is SSH key stored.

Clicking on id_rsa Revealed SSH key.

I will copy this SSH key and store it in file named as id_rsa by clicking on copy button on the top.

Since this SSH key is located in the Freelancer's directory, I assume it belongs to the freelancer user. This user is present in the system, which I have verified. The SSH key in the Freelancer's directory likely belongs to the freelancer user, who is present in the system as verified.

I will crack this.

SSH Private key cracking | Tools | Tips To Securehacking.tipstosecure.com

Follow the steps mentioned in the above link.

Got the password for SSH key.

cheer

There is no user like freelancers.

Below are list of valid user extracted from paswd file.

cat /etc/passwd > passwd_list.txt
awk -F: '($3 == 0 || $3 >= 1000) {print $1}' passwd_list.txt > user_list.txt
cat user_list.txt

In the git commit, I can see that there is a valid user marcot who made the commit.

I will try to log in with this user.

So, I will log in to the Marcot user with a credential, cracked recently.

ssh -i id_rsa marcot@$scrutiny

Now, We need to elevate privilege from here. Let me check low hanging fruits first.

Checking for SUID and GUID

Found no insecure SUID and GUID.

Checking for sudo permissions.

Don't have sudo permissions.

Checking for misconfiguration in important files.

Don't have any insecure permission.

Linpeas.sh for marcot user

results:

I will check the mail.

grep -nri -C 2 -E 'password|user' * 2>/dev/null

I will check using this command to search for password or any user work mentioned in the file and also. I will suppress the error.

I got the password for a user. Let me check who has send this email and then switch to that user with the password.

grep -nri -A 10 -E 'password|The password is' * 2>/dev/null

We can see that user is Matthew . I will switch to that user and login with the password.

su matthewa # Password: IdealismEngineAshen476

This worked and we got login as mathhewa user.

Again I searched in user home directort for password and i Found for user named dach.

grep -nri -C 2 -E 'password' .*   2>/dev/null

RefriedScabbedWasting502

matthewa@onlyrands:~$ cat /etc/passwd | grep -i dach
briand:x:1003:1001:Brian Dach,,,:/home/administration/briand:/bin/bash

I can see the username of the user.

I will switch to this user.

su briand # password: RefriedScabbedWasting502

Got access to briand user who is member of administration group.

I searched for binary that current user is allowed to run and found that he can run systemctl without password.

systemctl | GTFOBinsgtfobins.github.io

In gtfoBin, I found the way to exploit this.

I will run the command with sudo user.

sudo /usr/bin/systemctl status teamcity-server.service                                    
!sh

Got access as root user.

Previoushttp Nextflags

Last updated 11 months ago

Was this helpful?

hashtagLinpeas.sh

hashtagResult:

hashtagChecking for SUID and GUID

hashtagChecking for sudo permissions.

hashtagChecking for misconfiguration in important files.

hashtagLinpeas.sh for marcot user

hashtagresults: