OSCP PREPARATIONS – HTB Traverxec

Traverxec is a vulnerable Linux machine among the retired HTB machines. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
To get to know the target machine, we first perform a network scan with nmap.


We start with a classic scan.

Then we run a full port scan.

As a result of the port scan, we saw that ports “22/tcp ssh OpenSSH” and “80/tcp http nostromo 1.9.6” were open.
Since the HTTP service is open, let’s enumerate it via the browser.

It’s a dynamic website with a simple interface, but after looking at the source code, the browser’s developer mode and a web analyzer, we couldn’t find any significant information. We will run a directory scan with gobuster and dirbuster.

The directory scan found /css, /icons, /img, /index.html and /lib, but none of them gave us useful information.
We then researched exploits for this version of the web server.

We found exploits for our server version.
Let’s download this exploit to our machine.

We run it right away, following the usage pattern it gives.

We were able to get a shell.
Since the www-data user has restricted privileges, we carry out enumeration. We obtained a password hash with LinEnum.

Let’s crack this hash with Hashcat.

We crack the hash david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/ and get the password “Nowonly4me”.
With this password alone we could not SSH in or switch user in any way, so we continue with the enumeration.
We find the file backup-ssh-identity-files.tgz, which, as the name suggests, is an SSH key backup.

We move it to our machine with the nc command.

We extract our file with tar.

Under the home directory, we access the id_rsa file.
We will try to connect over SSH using this file.

When connecting, it asked us for a passphrase, so let’s crack it with john.

We found that the password is hunter, so let’s try to connect again.
As seen, we were able to get an SSH connection and our user flag.

We get a permission denied error when trying to access root, so we enumerate again to find a way to escalate privileges.

Here server-stats.sh draws our attention, so we go to that directory right away.

We checked GTFOBins to see whether the sudo permission on /usr/bin/journalctl can be used.

We type the command given in the relevant section there and obtain root privileges.
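
From the defender's side, the root cause of this last step is a sudo rule that lets a user run a pager-capable program such as journalctl as root. The following audit script is an added example, not part of the original writeup: it flags such rules when they lack the sudoers NOEXEC tag. The list of pager-capable binaries and the sample rules (users, service names) are constructed assumptions.

```python
import os
import re

# Assumption: short, non-exhaustive list of programs that hand their output
# to an interactive pager; extend it for your environment.
PAGER_BINARIES = {"journalctl", "systemctl", "less", "more", "man", "git"}

RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<cmds>.+)$")
RUNAS = re.compile(r"^\([^)]*\)\s*")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC):\s*")

def audit_sudoers(text):
    """Return (line_no, user, command, nopasswd) for pager-capable commands
    granted without NOEXEC. Aliases and Defaults are skipped, not expanded."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "@", "Defaults")):
            continue
        match = RULE.match(line)
        if not match or match["user"].endswith("_Alias"):
            continue
        nopasswd = noexec = False  # tags persist across the command list
        for spec in match["cmds"].split(","):
            spec = RUNAS.sub("", spec.strip())
            while (tag := TAG.match(spec)):
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag[1] == "NOPASSWD"
                else:
                    noexec = tag[1] == "NOEXEC"
                spec = spec[tag.end():]
            binary = os.path.basename(spec.split()[0]) if spec else ""
            if binary in PAGER_BINARIES and not noexec:
                findings.append((line_no, match["user"], spec, nopasswd))
    return findings

# Constructed sudoers content for this example (not taken from the target).
SAMPLE = """\
Defaults env_reset
Cmnd_Alias LOGS = /usr/bin/journalctl
webadmin ALL=(root) NOPASSWD: /usr/bin/journalctl -n 5 -u web.service
backup ALL=(root) NOPASSWD: NOEXEC: /usr/bin/journalctl -u backup.service, /usr/bin/rsync
ops ALL=(ALL) /usr/bin/systemctl status web.service, NOEXEC: /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print("pager-capable sudo rule without NOEXEC:", finding)
```

On a real host, feed it the contents of /etc/sudoers and the files under /etc/sudoers.d, and review each finding together with any Cmnd_Alias definitions, which this sketch does not expand.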
