
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this lab were:

Vulnerabilities:

The following vulnerabilities were found:

Information Gathering:

Using my trusty Nmap scanner, I performed a scan for service version detection, OS detection, script scanning, and traceroute.

Figure: Nmap Scan
Figure: Target Root Web Site

Web Enumeration:

Reviewing the findings from Nmap, I knew that robots.txt and the /writeup/ directory were present.

Figure: Robots.txt
Figure: /writeup/ Directory
Figure: writeup Web Page: Source
Figure: Admin Login Page

CMS Made Simple Exploit:

Launching searchsploit, I searched for any vulnerabilities or exploits listed for CMS Made Simple. It turned out that searchsploit returned many entries.

Figure: searchsploit Results
Figure: Truncated Python Script
Figure: Exploited Credentials
Figure: Formatted Hash
Figure: HashCat Syntax
Figure: HashCat Success
Figure: Pot File Results

Foothold:

With the newly obtained credentials, I launched SSH to see if I could connect to the target.

Figure: SSH Connectivity
Figure: User Account
Figure: User.txt

Privilege Escalation:

I started performing typical enumeration, but was not turning up anything. I then ran LinEnum.sh and lse.sh and found a couple of interesting items.

Figure: pspy64s: Initial
Figure: pspy64s: SSH Login
Figure: Command Details
Figure: Directory Permissions
Figure: Privilege Escalation Script
Figure: Root.txt
Figure: Python Reverse Shell Script
Figure: Privilege Escalation Steps
Figure: Shell and Root.txt

Cleanup:

To clean up my tracks, so that others were not able to read the contents of the testing.out file, I used the following process and then logged out of and back into the target.

Figure: Cleanup Script
Figure: Empty File

Resources:

https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
