The machine can be downloaded here.
An Nmap scan shows ports 80, 139 and 445 open.
Port 80 serves a static index.html with nothing interesting. A Gobuster scan of port 80 finds robots.txt and note.txt, but nothing useful there either.
Moving on to SMB: smbclient with no username or password lists an interesting share named "smbshare".
But we cannot access it yet; we need a username and password.
Use enum4linux to get a username, "albert".
With medusa, we can brute-force the password. (I don't know why hydra failed.)
medusa -h 192.168.56.71 -u albert -P /usr/share/wordlists/rockyou.txt -M smbnt
Then we can access the smbshare folder and list its files.
Download smb.conf and check its contents; it has an interesting setting.
Google tells us that the "magic script" will run if we log in.
Create a script file named "smbscript.sh" with reverse shell code in it.
Listen on port 1234 in one terminal, and upload the script to the SMB share in another terminal. We get a reverse shell immediately.
Use python3 to get an interactive terminal, and export the TERM variable.
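The setting that makes this share dangerous is Samba's legacy "magic script" option (with its companion "magic output"), which tells smbd to execute a file of that name after a client uploads it. An administrator can catch this before anyone does what the writeup does. The following audit script is an added example, not part of the writeup or of the machine's actual configuration: the sample smb.conf embedded in it is constructed for the example, and the share path and script name are assumptions.

```bash
#!/bin/sh
# Added example (not from the writeup): audit a Samba smb.conf for the
# "magic script" option and produce a hardened copy with it disabled.

# Constructed sample config for this example; the real smb.conf from the
# machine is not reproduced in the writeup. The share path is an assumption.
SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   server string = Samba Server
   security = user

[smbshare]
   path = /home/albert/smbshare
   valid users = albert
   writable = yes
   magic script = smbscript.sh
   magic output = /tmp/smbscript.out

[public]
   path = /srv/public
   read only = yes
'

# Read an smb.conf on stdin and print "share<TAB>script" for every
# section that sets "magic script". Empty output means nothing to fix.
find_magic_scripts() {
    awk '
        # Track the current [section] name.
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "")
            section = $0
            next
        }
        # Report the script configured for this section.
        /^[[:space:]]*magic[[:space:]]*script[[:space:]]*=/ {
            sub(/^[[:space:]]*magic[[:space:]]*script[[:space:]]*=[[:space:]]*/, "")
            printf "%s\t%s\n", section, $0
        }
    '
}

# Read an smb.conf on stdin and write a copy with every "magic script"
# and "magic output" line turned into a comment (Samba treats ";" lines
# as comments), preserving the original value for review.
disable_magic_scripts() {
    sed -E 's/^([[:space:]]*)(magic (script|output)[[:space:]]*=)/\1; disabled by audit: \2/'
}

# Stand-alone usage: report, then show that the hardened copy is clean.
printf '%s' "$SAMPLE_SMB_CONF" | find_magic_scripts
printf '%s' "$SAMPLE_SMB_CONF" | disable_magic_scripts | find_magic_scripts
```

Run against a real file with `find_magic_scripts < /etc/samba/smb.conf`; the awk parser only needs to recognise section headers and one key, so it stays readable and does not depend on Samba's own tooling being installed. Writable shares that also set "magic script" are the ones to review first, since any user who can upload to the share can choose what the server executes.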
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color
In albert's home folder there is a file named "beroot". It's a SUID file, so it must be the key to root.
Just run beroot: it clears the screen and asks us to input a password, which is wrong, of course.
With Ghidra, we can disassemble the ELF file. It only does two things: first setuid(0), then "/bin/bash /root/beroot.sh".
We cannot brute-force the root password. All we need to do is get root through /root/beroot.sh.
Since it's a bash script, we can replace some bash command with PATH hijacking. But how do we know which commands beroot.sh uses?
Let's first clear the PATH variable and run beroot again.
OK, now we know beroot.sh calls "clear" at line 3.
So we try to create a fake "clear" command in the home folder, and export a PATH with that folder in first place. Don't forget to chmod +x clear.
Run beroot again. BOOM! We get root.
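The root cause here is a script, run with root privileges, that calls a command by bare name and inherits the caller's PATH. The example below is added to the writeup and is not the machine's beroot.sh (only the fact that line 3 calls "clear" is on the page; the rest of both script bodies is constructed). It shows the weak pattern next to a hardened one that resets PATH and calls binaries by absolute path, plus a small lint that flags unqualified external commands executed before any PATH reset.

```bash
#!/bin/sh
# Added example (not from the writeup): the script pattern that makes a
# setuid-root wrapper exploitable through PATH, and the hardened form.

# Constructed stand-in for beroot.sh. Everything except the "clear" call
# on line 3 is an assumption; the real script is not shown in the writeup.
WEAK_SCRIPT='#!/bin/bash
echo "beroot"
clear
read -s -p "password: " pw
'

# Hardened form: reset PATH to a fixed trusted value before running
# anything, and call external binaries by absolute path. A setuid wrapper
# should ideally also scrub the environment before exec, but the script
# defending itself costs nothing.
HARDENED_SCRIPT='#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/usr/bin/clear
read -s -p "password: " pw
'

# Read a shell script on stdin and print "LINE: COMMAND" for every
# external command invoked by bare name before PATH has been reset.
# Shell builtins and keywords, variable assignments, comments and
# absolute paths are ignored. Empty output means nothing was flagged.
find_unqualified_commands() {
    awk '
        BEGIN {
            split("if then else elif fi for while do done case esac read echo exit export set cd test printf local return", b, " ")
            for (i in b) builtin[b[i]] = 1
            path_reset = 0
        }
        /^[[:space:]]*#/ { next }                   # comments and the shebang
        /^[[:space:]]*$/ { next }                   # blank lines
        /^[[:space:]]*(export[[:space:]]+)?PATH=/ { path_reset = 1; next }
        {
            cmd = $1
            if (cmd in builtin) next
            if (cmd ~ /^\//) next                   # absolute path: not PATH-resolved
            if (cmd ~ /=/) next                     # variable assignment
            if (!path_reset) print NR ": " cmd
        }
    '
}

# Stand-alone usage: the weak script flags "clear"; the hardened one is clean.
printf '%s' "$WEAK_SCRIPT" | find_unqualified_commands
printf '%s' "$HARDENED_SCRIPT" | find_unqualified_commands
```

The lint is deliberately simple (first word of each line only, no pipelines or subshells), which is enough to catch the case in this writeup and to review the handful of scripts a host launches from SUID binaries or sudo rules. Resetting PATH at the top of the script is the more robust fix, since it also covers commands the linter's word list does not know about.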