Mon. Jul 13th, 2020

Pentesting Fun Stuff

following the cyber security path…

Geisha

Introduction

This challenge can be found on VulnHub.com.
It is rated “Beginner to Intermediate” and the goal is to get a root shell and then obtain the flag under /root.
There is also a warning about looking out for a rabbit hole (let’s keep this in mind).
Let’s get started!

To find out what services are running, I start with an Nmap port scan.

That’s a colorful bunch of services.
An FTP server (port 21), an SSH server (port 22), several web servers (ports 80, 7080, 7125, 8088) and even a Python script that runs the built-in HTTP server module (port 9198).
And everything is running on a Linux Debian machine.

Because I need credentials for FTP and SSH, I skip those and go for the web servers.
Starting from the top.
All web servers show the same picture on the main page.
So I start with some Nikto scans and find a passwd file on the nginx server at /passwd.

The number of web servers is nice, but after a while I feel like I’m on a wild goose chase.
Because of the passwd file, I think an attack vector is brute-forcing either FTP or SSH.
I’m going for SSH.

There are a lot of tools you can use to brute-force an SSH server:

  • Metasploit
  • Medusa
  • Hydra
  • Nmap
  • Ncrack

All tools have their “pros and cons”, and this time I’m going for Nmap (coz why not?).

No special privileges for this user, though.
Let’s transfer a Linux enumeration script to the remote system.

After running the script, there are some things that caught my eye.

1. a cron job that executes a bash script:

2. a SUID file:

The cron job is not default, but it’s not really useful for EoP.
The SUID file base32 is.

According to GTFOBins: It runs with the SUID bit set and may be exploited to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor.
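Seen from the defender’s side, a stray SUID bit on something like base32 is exactly what a periodic audit should catch before an enumeration script does. The POSIX shell snippet below is an added example, not code from the original post: it lists SUID binaries and reports any that are not on a baseline allowlist. The allowlist is an assumed placeholder baseline for a Debian host (tune it to your own build), and the sample paths are constructed.

```shell
#!/bin/sh
# Added example: audit SUID binaries against a baseline allowlist.
# ALLOWLIST is an assumed placeholder baseline, not a complete Debian list.
ALLOWLIST="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount \
/usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp"

# Read SUID paths on stdin (one per line) and print those not in ALLOWLIST.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case " $ALLOWLIST " in
            *" $path "*) ;;                 # expected SUID binary, keep quiet
            *) printf '%s\n' "$path" ;;     # not on the baseline, report it
        esac
    done
}

# Enumerate SUID files on the live filesystem (run as root to see everything).
scan_live() {
    find / -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print a remediation hint for each unexpected path found on stdin.
report() {
    while IFS= read -r path; do
        printf 'UNEXPECTED SUID: %s  (remove with: chmod u-s %s)\n' "$path" "$path"
    done
}

# Constructed sample, shaped like what an enumeration script would list.
SAMPLE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/base32
/usr/bin/mount"

if [ "${1:-}" = "--live" ]; then
    scan_live | unexpected_suid | report
else
    printf '%s\n' "$SAMPLE" | unexpected_suid | report
fi
```

Run it without arguments to see the constructed sample flag /usr/bin/base32; pass --live to audit the host you are on.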

Another guess…

And there we have it.
If it wasn’t a flag we were after, you could also obtain something like SSH keys and log in as root.
But for now, this will do.

Conclusion

This challenge was much better than the previous one.
The SUID bit should be used with caution.
