Tuesday, May 6, 2014

[WALKTHROUGH] De-ICE S2-100

Here comes the disk 2 challenge:

This is an interesting box, as it proves to us once again that the information-gathering stage is soooo IMPORTANT! You will see why later in the post...

First, let's change our IP address to one on the same network as the Live CD...


Again, scanning the network range...


Notice something interesting here? Our target machine has TWO IP addresses...

This is already very suspicious, and we are only at this early stage... Let's keep that in mind!



Nmap reconnaissance done on both IP addresses...

Now, again with the aggressive mode...


Next, grab some available usernames from the webpage...


This time, let's verify the usernames against the SMTP server...



OK! Now we have three valid usernames: havisham, magwitch and pirrip...


Let's see if we can reach the home directory of each of those usernames...


Great! The directories of all three usernames can be accessed through the website...

Further investigation with a Nikto scan...


Here we found some interesting directory: /~/pirrip/.ssh/

Let's head over to the directory using our browser...


Download the id_rsa file to our local machine...

And chmod the id_rsa file to more restrictive permissions...


Now we can SSH into our target machine using pirrip's id_rsa key... and we've got our shell!


Take a peek at their email conversations; hopefully we might gain some 'juicy' information...


Nice! The email conversations contain the login credentials for pirrip...

Now we can see what pirrip is allowed to do with the sudo command...


Interesting! Since we can run the vi command with sudo and we have pirrip's password, we might just as well modify the shadow file and change the root password to the same password as pirrip's...






Next, we can finally escalate our privileges using the newly changed password for the root account...
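As an added, defender-side example (not part of the original walkthrough): a small Python check for the two misconfigurations this box turns on, a private key sitting world-readable under a web-served public_html directory, and a sudoers rule that hands a user an editor such as vi (and with it the ability to rewrite /etc/shadow). The home layout, user names and the sudoers excerpt are constructed here to mirror the walkthrough.

```python
import os
import tempfile
from pathlib import Path

# Programs that can open and save arbitrary files: a sudo rule granting one is a root grant.
EDITORS = {"vi", "vim", "nano", "ed"}
KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}

def exposed_private_keys(web_root):
    """Private keys under a web-served tree readable by 'other' (so by the web server, so by any client)."""
    hits = []
    for path in Path(web_root).rglob("*"):
        if path.is_file() and path.name in KEY_NAMES and path.stat().st_mode & 0o004:
            hits.append(str(path))
    return sorted(hits)

def risky_sudo_rules(sudoers_text):
    """(user, command) pairs where a 'user host=(runas) [TAG:] cmd, cmd' rule grants an editor."""
    findings = []
    for line in sudoers_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith(("#", "Defaults")) or "=" not in parts[1]:
            continue  # comments, Defaults lines and non-rule lines (aliases are not handled)
        cmds = parts[1].split("=", 1)[1].lstrip()
        if cmds.startswith("("):  # drop the (runas) group
            cmds = cmds.split(")", 1)[1]
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            for tag in ("NOPASSWD:", "PASSWD:", "NOEXEC:", "SETENV:"):
                if cmd.startswith(tag):
                    cmd = cmd[len(tag):].strip()
            if cmd and os.path.basename(cmd.split()[0]) in EDITORS:
                findings.append((parts[0], cmd))
    return findings

# Constructed sudoers excerpt mirroring the box: pirrip may run vi as root.
SAMPLE_SUDOERS = """Defaults env_reset
pirrip   ALL=(ALL) /usr/bin/vi
havisham ALL=(ALL) NOPASSWD: /usr/bin/vim, /bin/ls
"""

def demo():
    """Constructed tree: pirrip's key under public_html at 0644 (the weakness used above), magwitch's at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        for user, mode in (("pirrip", 0o644), ("magwitch", 0o600)):
            key = home / user / "public_html" / ".ssh" / "id_rsa"
            key.parent.mkdir(parents=True)
            key.write_text("-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n")
            key.chmod(mode)
        return [str(Path(p).relative_to(home)) for p in exposed_private_keys(home)]
```

Only pirrip's key is reported by demo(), and risky_sudo_rules flags the vi and vim grants but not /bin/ls.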


Let's fix the FTP server for them :p


Also, grab the 'flag' (although it isn't mentioned in this challenge)...


Squeeeeeze the 'blood' out from the 'body'!


OK! It is now done...

p/s: Nice raises for Havisham there :p
