I started off with port 80 and was unable to identify any directories or files. The default page for the port goes to installation for nginix.
When attempting to browse to port 31337 we are given a 404 not found error. I then ran
dirsearch.py against the port using the command below which discovered what appeared to be a users home directory contents.
Checking out the /.ssh directory appears to list sub folder contents.
I first downloaded the id_rsa and then authorized_keys.
Viewing the contents of authorized_keys shows the user simon having a key in the file. First use
chmod on the id_rsa to set the correct permissions.
When attempting to use the key to connect by SSH we are prompted to provide a passphrase.
Using ssh2john we can convert the key to a hash which can be sent to John for cracking.
Now that we have the password
starwars for for the key we can try signing in again.
I then transferred over
linpeas and executed. Linpeas then identified the binary
/usr/local/bin/read_message as having the SUID bit set.
Running the binary and entering the name ‘Simon’ produces the following output:
As per the message we can read the source code. Listing the contents of the root directory shows the source code file.
It looks like as per the script it will read the first 5 characters to validate if correct but, has a total buffer for 20. We can try to overflow the buffer to execute a command.
Running the following when prompted to do so by the binary will give us a root shell.