Escalate My Privileges Vulnhub Walkthrough

Here’s another article, this time on the Escalate My Privileges box from Vulnhub, designed by Akanksha Sachin Verma for learning Linux privilege escalation skills. The box is specially built for learning and sharpening Linux privilege escalation skills, and there are several ways of playing with privileges. The goal is to first get a user on the target and then start playing with privileges. This blog, “Escalate My Privileges Vulnhub Walkthrough”, is written by Ritik Kumar Jain. So let us get started.

Methodology:

Network Scanning
  • Netdiscover
  • Nmap
Enumeration
  • Nikto
  • Netcat payload
Privilege Escalation
  • sudo -l
  • crontab
  • setuid
  • password cracking
  • normal guessing

NETWORK SCANNING:

We start by obtaining the IP address of the target machine. I used netdiscover for the scan, and my IP is 192.168.2.10.

We are scanning our local network, and for that we use the Nmap ping scan.

So far so good. We got port 80, so let's enumerate it further.

Enumeration

I open the target IP address in our browser, and we see an image file.


So I open the next page, /phpbash.php, because the Nmap output showed a robots.txt file, and as a Disallow entry there we see a bash terminal.

So I run the id command and the output shows the apache group name.

Now, without wasting time, I create a one-liner bash reverse shell and start our Netcat listener on port 1505 so that I can get the shell.

We get a shell.
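From the defender's side, the two things that gave this foothold away are both visible in plain text: robots.txt advertised the script the author did not want found, and every interaction with the web shell went through the web server's access log. The following Python is an added example (not code from the walkthrough or the box) that audits a robots.txt for Disallow entries pointing at server-side scripts and flags access log requests that name a known web shell or carry a command-style query parameter. The log lines, the robots.txt, the deny list of web shell file names and the list of parameter names are all constructed for this example; only phpbash.php comes from the page.

```python
import re
from typing import Dict, List

# Apache/nginx combined-format access log line (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical deny list of web shell file names a team would maintain;
# phpbash.php is the one this walkthrough finds, the others are assumed.
KNOWN_WEBSHELLS = {"phpbash.php", "shell.php", "cmd.php"}
# Query-parameter names typically used to hand a command to a web shell (assumption).
COMMAND_PARAMS = {"cmd", "exec", "command", "shell", "run"}

# Constructed sample log lines (not captured from the box); IPs, timestamps
# and sizes are made up.
SAMPLE_LOG = """\
192.168.2.10 - - [12/Mar/2020:10:01:02 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.2.10 - - [12/Mar/2020:10:01:05 +0000] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0"
192.168.2.10 - - [12/Mar/2020:10:01:09 +0000] "GET /phpbash.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.168.2.10 - - [12/Mar/2020:10:01:15 +0000] "POST /phpbash.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2020:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 990 "-" "curl/7.68.0"
10.0.0.7 - - [12/Mar/2020:10:02:30 +0000] "GET /uploads/img.php?cmd=id HTTP/1.1" 200 64 "-" "curl/7.68.0"
"""

# Constructed robots.txt mirroring what the walkthrough describes: the web
# shell is listed as a Disallow entry.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /phpbash.php
Disallow: /images/
"""


def parse_line(line: str) -> dict:
    """Split one access log line into ip, method, path and query parameter names."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["params"] = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
    return rec


def flag_webshell_activity(log_text: str) -> List[Dict[str, str]]:
    """One finding per request that names a known web shell or passes a command parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        name = rec["path"].rsplit("/", 1)[-1]
        reasons = []
        if name in KNOWN_WEBSHELLS:
            reasons.append(f"known web shell file name {name}")
        hit = rec["params"] & COMMAND_PARAMS
        if hit:
            reasons.append("command-style parameter " + ",".join(sorted(hit)))
        if reasons:
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "path": rec["path"], "reason": "; ".join(reasons)})
    return findings


def disallowed_scripts(robots_txt: str) -> List[str]:
    """Disallow entries that point at server-side scripts.

    robots.txt hides a path from well-behaved crawlers only; anyone who reads
    the file gets a list of what the site owner wanted kept quiet.
    """
    hits = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key.strip().lower() == "disallow" and value.lower().endswith((".php", ".cgi", ".jsp")):
            hits.append(value)
    return hits


if __name__ == "__main__":
    for p in disallowed_scripts(SAMPLE_ROBOTS):
        print(f"robots.txt exposes script: {p}")
    for f in flag_webshell_activity(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} -> {f['reason']}")
```

Run against a real access log, the POST to a script that otherwise receives no traffic is the more reliable signal than the file name: a renamed shell still has to be driven through requests. The robots.txt check is the cheap pre-deployment counterpart; a script path should be protected by authentication or removed, not listed in a Disallow line.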

Privilege Escalation

On further enumeration of the home directories we can see a user, armour. In armour's home directory we find a credentials.txt file. I use the cat command to open the file and we see the message: my password is md5 (rootroot1).

So I change our user to armour using the su (switch user) command, and we successfully change user.

Now there are many ways to escalate.

METHOD 1: SUDO-L

sudo -l prints the commands we are allowed to run via sudo. If an attacker can’t directly get root access through any other technique, he might try to compromise one of the users who has sudo access.

METHOD 2: CRONTAB

Cron jobs generally run with root privileges. If we can successfully tamper with any script or binary defined in a cron job, we can execute arbitrary code with root privilege.

METHOD 3: Exploiting SUID Executables

SUID, which stands for set user ID, is a Linux feature that allows users to execute a file with the permissions of a specified user. SUID is a feature that, when used properly, actually enhances Linux security. The problem is that administrators may unknowingly introduce dangerous SUID configurations when they install third-party applications or make logical configuration changes.

We can now see the shadow file of the box.
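Methods 1 to 3 share one root cause: a misconfiguration that an administrator could have caught before anyone else did. The Python below is an added example (not part of the walkthrough) that performs the corresponding audit for all three. It parses a sudoers file for non-root users granted ALL or NOPASSWD, checks each script referenced from a system crontab for group- or world-writable permissions, and walks a directory tree for setuid files that are not on an expected baseline. The sudoers text, the crontab text, the baseline set and the directory tree built by build_demo_root() are all constructed for the example; the real audit would point the same functions at /etc/sudoers, /etc/crontab and /.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Constructed sample files (not copied from the box).
SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
armour  ALL=(ALL) NOPASSWD: /usr/bin/vim
backup  ALL=(root) /usr/bin/rsync
"""

CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
* * * * *  root  /opt/scripts/backup.sh
0 3 * * *  root  /usr/bin/apt-get update
"""

# Binaries that are setuid on a normal install; anything else deserves a look (assumed baseline).
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def risky_sudo_rules(sudoers_text: str) -> List[Tuple[str, str]]:
    """(user, rule) pairs for non-root users allowed ALL commands or NOPASSWD."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] == "root":
            continue
        user, rule = parts
        # Drop the "hosts=(runas)" prefix to get the command list.
        commands = rule.split(")", 1)[-1] if ")" in rule else rule.split("=", 1)[-1]
        commands = commands.strip()
        if "NOPASSWD" in commands or commands == "ALL":
            findings.append((user, rule))
    return findings


def writable_cron_targets(crontab_text: str, root: str) -> List[Tuple[str, str]]:
    """(script, run-as user) for system crontab entries whose script is group- or world-writable."""
    findings = []
    for line in crontab_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0].startswith("#"):
            continue  # variable assignments, comments, malformed lines
        user, command = parts[5], parts[6]
        path = os.path.join(root, command.lstrip("/"))
        if os.path.isfile(path) and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((command, user))
    return findings


def find_suid(root: str) -> List[str]:
    """Paths (relative to root, shown with a leading slash) of regular files with the setuid bit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append("/" + os.path.relpath(p, root))
    return sorted(hits)


def unexpected_suid(root: str) -> List[str]:
    return [p for p in find_suid(root) if p not in EXPECTED_SUID]


def build_demo_root() -> str:
    """Create a throwaway directory tree that reproduces the cron and SUID weaknesses."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")

    def put(rel: str, mode: int) -> None:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)

    put("opt/scripts/backup.sh", 0o777)   # root cron job, writable by everyone
    put("usr/bin/apt-get", 0o755)         # root cron job, only root can write
    put("usr/bin/passwd", 0o4755)         # setuid, expected
    put("usr/local/bin/helper", 0o4755)   # setuid, not on the baseline
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print("sudo:", risky_sudo_rules(SUDOERS))
    print("cron:", writable_cron_targets(CRONTAB, demo))
    print("suid:", unexpected_suid(demo))
```

The sudoers parser deliberately ignores Defaults lines and skips root; it flags group rules (lines starting with %) the same way as user rules, since a writable group membership is as good as a user entry. For cron the check is on the first token of the command only; a script that in turn sources a writable file would need the same test applied recursively.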

METHOD 4: Password cracking

We are going to crack the root user’s password from the shadow file. For that, we need the shadow file and the passwd file in text form.
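How far an offline crack of the shadow file gets depends on the hashing algorithm each entry uses: md5crypt and traditional DES crypt fall to commodity hardware quickly, the sha512crypt, bcrypt and yescrypt families much more slowly. The Python below is an added example (not from the walkthrough) of the defender's counterpart to this step: it parses shadow-format lines, identifies the crypt(3) algorithm by prefix, and reports accounts with cheap-to-crack hashes or an empty password field while ignoring locked accounts. The shadow excerpt and the hash fields in it are constructed placeholders that verify no real password; the prefix table is the standard crypt(3) naming, and the weak/ok ratings are this example's own judgement.

```python
from typing import Dict, List, Tuple

# Constructed /etc/shadow excerpt. The hash fields are placeholders shaped like
# real ones; they are not real credentials and will not verify any password.
SHADOW_SAMPLE = """\
root:$1$saltsalt$PLACEHOLDER.md5crypt.hash:18300:0:99999:7:::
armour:$6$saltsalt$PLACEHOLDER.sha512crypt.hash:18300:0:99999:7:::
svc:$y$j9T$saltsaltsaltsalt$PLACEHOLDER.yescrypt.hash:18300:0:99999:7:::
legacy:AbCdEfGhIjKlM:18300:0:99999:7:::
apache:*:18300:0:99999:7:::
nobody:!!:18300:0:99999:7:::
backup::18300:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm, rating). Ratings are this example's judgement:
# md5crypt and DES are cheap to brute-force on commodity GPUs; the rest are acceptable.
ALGORITHMS = [
    ("$1$", "md5crypt", "weak"),
    ("$2a$", "bcrypt", "ok"),
    ("$2b$", "bcrypt", "ok"),
    ("$2y$", "bcrypt", "ok"),
    ("$5$", "sha256crypt", "ok"),
    ("$6$", "sha512crypt", "ok"),
    ("$7$", "scrypt", "ok"),
    ("$y$", "yescrypt", "ok"),
]


def classify_hash(field: str) -> Tuple[str, str]:
    """Map a shadow password field to (algorithm, rating)."""
    for prefix, algo, rating in ALGORITHMS:
        if field.startswith(prefix):
            return algo, rating
    if not field.startswith("$") and len(field) == 13:
        return "descrypt", "weak"   # traditional DES crypt: 8-char limit, 12-bit salt
    return "unknown", "unknown"


def audit_shadow(shadow_text: str) -> List[Dict[str, str]]:
    """One finding per account whose password field is empty or uses a weak/unknown hash."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue  # not a well-formed shadow entry
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append({"user": user, "issue": "empty password field: no password required"})
            continue
        if pw.startswith(("*", "!")):
            continue  # locked: password login disabled
        algo, rating = classify_hash(pw)
        if rating != "ok":
            findings.append({"user": user, "issue": f"{algo} hash rated {rating}"})
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SHADOW_SAMPLE):
        print(f"{f['user']}: {f['issue']}")
```

On a modern distribution the fix for a weak entry is a forced password change after setting ENCRYPT_METHOD in /etc/login.defs to SHA512 or YESCRYPT; the old hash is replaced on the next change, not rewritten in place.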

METHOD 5: Guessing

And last but not least, password guessing is one more way to go.
